glupteba | b2708878dad61b995b1e3bfbc751e9c34aeeb8a2375801b9c6ab141c4745ffdc

Analysis

max time kernel
10s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2708878dad61b995b1e3bfbc751e9c34aeeb8a2375801b9c6ab141c4745ffdc.exe
Size

4.2MB
MD5

654f6e4d8591ade35d32cf2f91cdfdf2
SHA1

1626099f8c06fe6d170d154d9305367f66469bbe
SHA256

b2708878dad61b995b1e3bfbc751e9c34aeeb8a2375801b9c6ab141c4745ffdc
SHA512

ae2b31fb228e134a668dcbab0ae1be453cab55229efc3a0cfd271d2a0bff0bb461a8621cd304ef65444bab05cc517d6882eaea0a61d76cef6d6a81a7d903e4e6
SSDEEP

98304:GQsdI15XMGsIqG7jK1nlxDBWJo0zqoXlBjYH:9sdI/M9mGJvBuo02oXlB0

Score

10^/10

glupteba dropper evasion loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 16 IoCs

resource	yara_rule
behavioral2/memory/4600-2-0x0000000002E70000-0x000000000375B000-memory.dmp	family_glupteba
behavioral2/memory/4600-3-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/4600-4-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/4600-30-0x0000000002E70000-0x000000000375B000-memory.dmp	family_glupteba
behavioral2/memory/4600-33-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/4600-58-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1640-62-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1640-92-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1640-111-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1640-140-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1640-157-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1184-191-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1184-256-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1184-269-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1184-270-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1184-272-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2972	netsh.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000232a4-264.dat	upx
behavioral2/files/0x00070000000232a4-266.dat	upx
behavioral2/files/0x00070000000232a4-267.dat	upx
behavioral2/memory/4396-268-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1260-271-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1260-275-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x00060000000232a5-282.dat	upx
behavioral2/files/0x00060000000232a5-283.dat	upx
behavioral2/memory/1260-286-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2044-288-0x0000000000400000-0x0000000000C25000-memory.dmp	upx
behavioral2/memory/2044-290-0x0000000000400000-0x0000000000C25000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4852	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3824	schtasks.exe
756	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b2708878dad61b995b1e3bfbc751e9c34aeeb8a2375801b9c6ab141c4745ffdc.exe
"C:\Users\Admin\AppData\Local\Temp\b2708878dad61b995b1e3bfbc751e9c34aeeb8a2375801b9c6ab141c4745ffdc.exe"
1⤵
PID:4600
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  PID:4840
- C:\Users\Admin\AppData\Local\Temp\b2708878dad61b995b1e3bfbc751e9c34aeeb8a2375801b9c6ab141c4745ffdc.exe
  "C:\Users\Admin\AppData\Local\Temp\b2708878dad61b995b1e3bfbc751e9c34aeeb8a2375801b9c6ab141c4745ffdc.exe"
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:3936
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:3496
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:1184
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1196
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4108
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:3824
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:352
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:4240
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:756
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:4396
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:5080
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      4⤵
      PID:2044
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "csrss" /f
        5⤵
        
        PID:4572
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "ScheduledUpdate" /f
        5⤵
        
        PID:1936

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_di2utcdo.ftz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
2.9MB

MD5
d993e138a001e666bcc684b56c3e74a6

SHA1
2a7f2c5c6b8ca33960cff58d6335c4426c02f319

SHA256
1e08b4303d4a07279f8829999b3ecf43db5dd2a5444532a1b733b3a0202a6161

SHA512
014bc62b24cfc99d6ad9b50ffaa31057cecdd6bd0a1d0fd3be82357788d0b086c644b77213dfb52d424163f5029c8a992f62403b73a2cbd16944f449bbc16590

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
2.6MB

MD5
6d889e64a932496369f738b67d8862b1

SHA1
1d2d09677bd2e760e70a1a0093ba46713b4de387

SHA256
ec8d9994a909dd8ae1057080a3ac794f3f3b2eb06c046189313f9b990e2cc4ff

SHA512
91b11eb123499178aa716235b51a42da4abf5256cf36aded39cdbf6fb03976270a6bd2669c8067005822e3e20c2e74a613ef9ee9c7e3c1ef2de9dace6106b9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Filesize
99KB

MD5
09031a062610d77d685c9934318b4170

SHA1
880f744184e7774f3d14c1bb857e21cc7fe89a6d

SHA256
778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

SHA512
9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
36a947584fd01fa2d81ac882d89501c6

SHA1
59fd0c8df9d5495864dd6b521fafdce0cb836c98

SHA256
8354e00026f1fa59058824e998c9447900ee1a0b80e9483269c30027b1ec80fa

SHA512
d3b42cf1fb6410a2643ea3fc71b809c905c080c38e2830ef6dec25990ba8d5fd3332ce850c45ad717336e0f0736ec3d04176175bc0a150cba6d9cb688f07768f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
aeaadc7691a3e6cb9bfcb6b9ee2e7a0a

SHA1
9929a00e945ad04762a575e9eb390c724caed66a

SHA256
3a21f7c3716130a0ff141c4aaec76cc9b4ddeb7ad52d9061ff1e43cbfca390a4

SHA512
b7e2a86958ee493cdfbb464a7cc737a2117abd64291b8df361079be5c048edc01d386ffab05075e88e6571d61b0f90762e94dadd4a9740d30586771f1104bd93

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
d2401958a23eb79e0adf701a6f98ab80

SHA1
9be086953b40f36f6f5b0ded74929b2ae495f899

SHA256
ac26fdafbca859a59a70fd3d9b7ee507b00bd088e3e95389e0ec64ed90a0b1c0

SHA512
d59063a760f25bffe6cae0bcc92d74da5d532d9e8fd260394e293da8f16dcfe65c851cb0e18618514cd9e93cce446e2756d69d7fc175f36d8379eed0fa0e3614

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
f8d39bd59238d7ace3b48073384df53a

SHA1
e79d43eede7ffa840314d9dd4321a90d7d0953bf

SHA256
2ff0ec51563d1b702dbb9e562fbca324da1d1845f0191cc1cd1696d05391ea5a

SHA512
1539e7b05387cc5e120dacb8d21913e4c199b448890d41a955af7126bfcf5045b23a8de5a0d4fcb139d699de1f354e3b0a72b0d8a19f86921b20a235ccbdc6d4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
fc7364222c4b7278211bec6a8f077c0c

SHA1
072abcf2ef039463252ec4730f94430bab704dfd

SHA256
e2ad5cc03de4405c38a747b3909ca006f0832966c1dc43a646079d569b61bd00

SHA512
684c87e3facb9c4c3d10e61bf0c2554079c71f770423f911a6752544fb6fc0de79e9edbac8fd4c2150856a936926b4995d7f24fb6845d607c01bd0521132a7b8

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
654f6e4d8591ade35d32cf2f91cdfdf2

SHA1
1626099f8c06fe6d170d154d9305367f66469bbe

SHA256
b2708878dad61b995b1e3bfbc751e9c34aeeb8a2375801b9c6ab141c4745ffdc

SHA512
ae2b31fb228e134a668dcbab0ae1be453cab55229efc3a0cfd271d2a0bff0bb461a8621cd304ef65444bab05cc517d6882eaea0a61d76cef6d6a81a7d903e4e6

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
654f6e4d8591ade35d32cf2f91cdfdf2

SHA1
1626099f8c06fe6d170d154d9305367f66469bbe

SHA256
b2708878dad61b995b1e3bfbc751e9c34aeeb8a2375801b9c6ab141c4745ffdc

SHA512
ae2b31fb228e134a668dcbab0ae1be453cab55229efc3a0cfd271d2a0bff0bb461a8621cd304ef65444bab05cc517d6882eaea0a61d76cef6d6a81a7d903e4e6

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/1184-274-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1184-287-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1184-269-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1184-270-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1184-285-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1184-272-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1184-256-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1184-276-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1184-191-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1260-271-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1260-275-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1260-286-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1640-111-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1640-61-0x0000000002A10000-0x0000000002E09000-memory.dmp

Filesize
4.0MB

Download
memory/1640-96-0x0000000002A10000-0x0000000002E09000-memory.dmp

Filesize
4.0MB

Download
memory/1640-140-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1640-157-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1640-92-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1640-62-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2044-290-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/2044-288-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/2148-107-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/2148-125-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/2148-114-0x0000000070360000-0x00000000706B4000-memory.dmp

Filesize
3.3MB

Download
memory/2148-113-0x00000000701E0000-0x000000007022C000-memory.dmp

Filesize
304KB

Download
memory/2148-112-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/2148-109-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/2148-108-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3496-127-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/3496-128-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/3496-126-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/3496-139-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/3496-141-0x00000000701E0000-0x000000007022C000-memory.dmp

Filesize
304KB

Download
memory/4396-268-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4432-90-0x00000000071A0000-0x00000000071B1000-memory.dmp

Filesize
68KB

Download
memory/4432-75-0x0000000005780000-0x0000000005AD4000-memory.dmp

Filesize
3.3MB

Download
memory/4432-95-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/4432-63-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/4432-89-0x0000000006E80000-0x0000000006F23000-memory.dmp

Filesize
652KB

Download
memory/4432-78-0x00000000701E0000-0x000000007022C000-memory.dmp

Filesize
304KB

Download
memory/4432-79-0x0000000070360000-0x00000000706B4000-memory.dmp

Filesize
3.3MB

Download
memory/4432-77-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/4432-76-0x0000000005FC0000-0x000000000600C000-memory.dmp

Filesize
304KB

Download
memory/4432-91-0x00000000071F0000-0x0000000007204000-memory.dmp

Filesize
80KB

Download
memory/4432-65-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/4432-64-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/4600-1-0x0000000002A60000-0x0000000002E61000-memory.dmp

Filesize
4.0MB

Download
memory/4600-58-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/4600-2-0x0000000002E70000-0x000000000375B000-memory.dmp

Filesize
8.9MB

Download
memory/4600-3-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/4600-4-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/4600-25-0x0000000002A60000-0x0000000002E61000-memory.dmp

Filesize
4.0MB

Download
memory/4600-30-0x0000000002E70000-0x000000000375B000-memory.dmp

Filesize
8.9MB

Download
memory/4600-33-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/4840-45-0x0000000007D60000-0x0000000007D7E000-memory.dmp

Filesize
120KB

Download
memory/4840-52-0x0000000007F10000-0x0000000007F24000-memory.dmp

Filesize
80KB

Download
memory/4840-34-0x000000007F060000-0x000000007F070000-memory.dmp

Filesize
64KB

Download
memory/4840-47-0x0000000007EA0000-0x0000000007EAA000-memory.dmp

Filesize
40KB

Download
memory/4840-35-0x0000000070260000-0x00000000705B4000-memory.dmp

Filesize
3.3MB

Download
memory/4840-49-0x0000000007EC0000-0x0000000007ED1000-memory.dmp

Filesize
68KB

Download
memory/4840-46-0x0000000007DC0000-0x0000000007E63000-memory.dmp

Filesize
652KB

Download
memory/4840-50-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/4840-32-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/4840-31-0x0000000007D80000-0x0000000007DB2000-memory.dmp

Filesize
200KB

Download
memory/4840-51-0x0000000007F00000-0x0000000007F0E000-memory.dmp

Filesize
56KB

Download
memory/4840-29-0x00000000079B0000-0x00000000079CA000-memory.dmp

Filesize
104KB

Download
memory/4840-28-0x0000000008010000-0x000000000868A000-memory.dmp

Filesize
6.5MB

Download
memory/4840-27-0x0000000007910000-0x0000000007986000-memory.dmp

Filesize
472KB

Download
memory/4840-26-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/4840-48-0x0000000007F60000-0x0000000007FF6000-memory.dmp

Filesize
600KB

Download
memory/4840-24-0x0000000006D30000-0x0000000006D74000-memory.dmp

Filesize
272KB

Download
memory/4840-23-0x0000000006830000-0x000000000687C000-memory.dmp

Filesize
304KB

Download
memory/4840-22-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/4840-21-0x00000000061B0000-0x0000000006504000-memory.dmp

Filesize
3.3MB

Download
memory/4840-11-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/4840-10-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/4840-9-0x0000000005800000-0x0000000005822000-memory.dmp

Filesize
136KB

Download
memory/4840-8-0x0000000005B40000-0x0000000006168000-memory.dmp

Filesize
6.2MB

Download
memory/4840-6-0x0000000003210000-0x0000000003246000-memory.dmp

Filesize
216KB

Download
memory/4840-7-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/4840-5-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/4840-53-0x0000000008690000-0x00000000086AA000-memory.dmp

Filesize
104KB

Download
memory/4840-54-0x0000000007F50000-0x0000000007F58000-memory.dmp

Filesize
32KB

Download
memory/4840-57-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads