glupteba | c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb

Analysis

max time kernel
5s
max time network
134s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
17-05-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe
Size

4.1MB
MD5

5f3d0bee1362c6d0a99faf39ef80c1dd
SHA1

aa6b423c2293a29d08922f9414e7b6f1eb3e21ff
SHA256

c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb
SHA512

fce68dc66174f9872477e5a04aa9dd88fe426ff1298449d8e5e901a035652555f848f7787676a08b06bc2e15758a5eed863fd9a7c708aed5acf3a1b007f835eb
SSDEEP

98304:sQJMl/iXMhTmfDhNRe9xfYVEx7xkD10HZd3scl3XzHAtmo0FM:nb8hTmbBIxHPR3rn3oKM

Score

10^/10

glupteba dropper evasion execution loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 18 IoCs

resource	yara_rule
behavioral2/memory/4820-2-0x0000000004CA0000-0x000000000558B000-memory.dmp	family_glupteba
behavioral2/memory/4820-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4820-54-0x0000000004CA0000-0x000000000558B000-memory.dmp	family_glupteba
behavioral2/memory/4820-53-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4820-52-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4220-126-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/1952-199-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/1952-215-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/1952-216-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/1952-218-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/1952-220-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/1952-223-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/1952-224-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/1952-226-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/1952-228-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/1952-231-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/1952-232-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/1952-234-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3292	netsh.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3292-210-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3488-213-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3292-214-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x000200000002a9de-211.dat	upx
behavioral2/memory/3488-217-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3488-221-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4416	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4968	powershell.exe
3232	powershell.exe
1856	powershell.exe
4512	powershell.exe
2332	powershell.exe
2096	powershell.exe
4664	powershell.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2992	4820	WerFault.exe	79

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1108	schtasks.exe
1776	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe
"C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe"
1⤵
PID:4820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4664
- C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe
  "C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe"
  2⤵
  PID:4220
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2572
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3292
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3232
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1856
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:1952
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4512
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1108
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2332
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:1304
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1776
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:3292
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:5056
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:4416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 868
  2⤵
  - Program crash
  PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4820 -ip 4820
1⤵
PID:3948

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zgxocvxc.wju.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
3ce9a2fa9ff4e473d0c9db414b72673d

SHA1
53dded869c70dbced70e35608f09283a751f9b9e

SHA256
84a2c098e6b7a0c67c5dd812d11db37b75f4b8c57cbee959abb95655fc722178

SHA512
9242c1a704fdc3905c217ff7452d1bcc1e9db0f97646ff9346ba3be9d94902b24590d2cee513ba8b9c6838f22caa1bc0e3722efdfcd9e27601790ecfa966accb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6fdacc69c7dfcfba017b9601f392c285

SHA1
4bbeab916ee19ca96b4409858e5106ba317edc7d

SHA256
d6e44ad6fcc9516a178f1cd8520c8909079eb8dba816e0fed9fe721d0687ace5

SHA512
0197910a4d1786d9f3ff30dd700e8e44c268e520966714d0c27b58da23c5a50c45b688a52e14b7d4a2d975359b0022887dd30521dc6e3c1649ead9102e5fe9c5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e7becf2147f64e65f3da28e4a62fb5ac

SHA1
f2524db879afc33ce252c63e1002e6848972ba1e

SHA256
87e23c8b27f9b6357d28d3b80c5fd5ddc092df2b90df8362cddf958a37886a45

SHA512
a1119740871dda869fd5b168232c6a7073ed591117fe51603a569e63673a506a125d26f65a4a3db220f85268fe932985ad8d5c0edba09dae78f8a204c2d0ad20

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
4de64960cdb0742af6ddd576a828058f

SHA1
7107ac209e8e33bbbe5a4833980c57d7fceedb33

SHA256
f61b13daa2a9898fc7f81a13bdc9b79f37c1ea63ed2c1d75597bad5ea564011a

SHA512
4c067761e4a07527b90f0cb37446642495e57ccd1c6f4b5a40ceb7babc6dee6751c2befa6deae66fa06fdfa8cb3d8fc63e1fad6af713e755b898970172c8dedf

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
346e53a49127965b937c64c5b4b82cdc

SHA1
79ab249dd12360324dbff84b53d9942cb64fac1b

SHA256
f50575e8047a4d1a9f0bc7d030ba99dca2acfa5019110195a341c7a18646e831

SHA512
79228dea7ea762db50fa386aef9c04aa7eddd1432b21240d5e5d76d7d7da8b9840b637ec782e5277b2a13b31629ce7a7817ede5e84690aa5aa480805091f5e0c

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
5f3d0bee1362c6d0a99faf39ef80c1dd

SHA1
aa6b423c2293a29d08922f9414e7b6f1eb3e21ff

SHA256
c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb

SHA512
fce68dc66174f9872477e5a04aa9dd88fe426ff1298449d8e5e901a035652555f848f7787676a08b06bc2e15758a5eed863fd9a7c708aed5acf3a1b007f835eb

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/1856-110-0x0000000005E40000-0x0000000006197000-memory.dmp

Filesize
3.3MB

Download
memory/1856-113-0x0000000070BE0000-0x0000000070F37000-memory.dmp

Filesize
3.3MB

Download
memory/1856-112-0x0000000070A40000-0x0000000070A8C000-memory.dmp

Filesize
304KB

Download
memory/1952-224-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1952-215-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1952-199-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1952-216-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1952-218-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1952-220-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1952-223-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1952-226-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1952-228-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1952-231-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1952-232-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1952-234-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/2096-189-0x00000000708C0000-0x000000007090C000-memory.dmp

Filesize
304KB

Download
memory/2096-187-0x0000000005720000-0x0000000005A77000-memory.dmp

Filesize
3.3MB

Download
memory/2096-190-0x0000000070B10000-0x0000000070E67000-memory.dmp

Filesize
3.3MB

Download
memory/2332-162-0x0000000005A20000-0x0000000005D77000-memory.dmp

Filesize
3.3MB

Download
memory/2332-164-0x0000000005EA0000-0x0000000005EEC000-memory.dmp

Filesize
304KB

Download
memory/2332-166-0x0000000070A60000-0x0000000070DB7000-memory.dmp

Filesize
3.3MB

Download
memory/2332-165-0x00000000708C0000-0x000000007090C000-memory.dmp

Filesize
304KB

Download
memory/2332-175-0x00000000070E0000-0x0000000007184000-memory.dmp

Filesize
656KB

Download
memory/2332-176-0x00000000072C0000-0x00000000072D1000-memory.dmp

Filesize
68KB

Download
memory/2332-177-0x0000000005910000-0x0000000005925000-memory.dmp

Filesize
84KB

Download
memory/3232-91-0x0000000070A40000-0x0000000070A8C000-memory.dmp

Filesize
304KB

Download
memory/3232-89-0x0000000005FE0000-0x0000000006337000-memory.dmp

Filesize
3.3MB

Download
memory/3232-92-0x0000000070C90000-0x0000000070FE7000-memory.dmp

Filesize
3.3MB

Download
memory/3292-214-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3292-210-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3488-221-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3488-217-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3488-213-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4220-126-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4512-152-0x0000000005A80000-0x0000000005A95000-memory.dmp

Filesize
84KB

Download
memory/4512-150-0x0000000007270000-0x0000000007314000-memory.dmp

Filesize
656KB

Download
memory/4512-141-0x0000000070B40000-0x0000000070E97000-memory.dmp

Filesize
3.3MB

Download
memory/4512-151-0x00000000075A0000-0x00000000075B1000-memory.dmp

Filesize
68KB

Download
memory/4512-140-0x00000000709A0000-0x00000000709EC000-memory.dmp

Filesize
304KB

Download
memory/4512-139-0x0000000006050000-0x000000000609C000-memory.dmp

Filesize
304KB

Download
memory/4512-137-0x0000000005B30000-0x0000000005E87000-memory.dmp

Filesize
3.3MB

Download
memory/4664-47-0x0000000007F80000-0x0000000007F88000-memory.dmp

Filesize
32KB

Download
memory/4664-24-0x0000000007CD0000-0x0000000007D04000-memory.dmp

Filesize
208KB

Download
memory/4664-46-0x0000000007F60000-0x0000000007F7A000-memory.dmp

Filesize
104KB

Download
memory/4664-4-0x00000000746CE000-0x00000000746CF000-memory.dmp

Filesize
4KB

Download
memory/4664-44-0x0000000007F00000-0x0000000007F0E000-memory.dmp

Filesize
56KB

Download
memory/4664-50-0x00000000746C0000-0x0000000074E71000-memory.dmp

Filesize
7.7MB

Download
memory/4664-5-0x00000000053E0000-0x0000000005416000-memory.dmp

Filesize
216KB

Download
memory/4664-6-0x00000000746C0000-0x0000000074E71000-memory.dmp

Filesize
7.7MB

Download
memory/4664-7-0x0000000005B00000-0x000000000612A000-memory.dmp

Filesize
6.2MB

Download
memory/4664-8-0x00000000746C0000-0x0000000074E71000-memory.dmp

Filesize
7.7MB

Download
memory/4664-9-0x00000000059F0000-0x0000000005A12000-memory.dmp

Filesize
136KB

Download
memory/4664-43-0x0000000007EC0000-0x0000000007ED1000-memory.dmp

Filesize
68KB

Download
memory/4664-42-0x0000000007FA0000-0x0000000008036000-memory.dmp

Filesize
600KB

Download
memory/4664-41-0x0000000007E90000-0x0000000007E9A000-memory.dmp

Filesize
40KB

Download
memory/4664-39-0x00000000084A0000-0x0000000008B1A000-memory.dmp

Filesize
6.5MB

Download
memory/4664-40-0x0000000007E50000-0x0000000007E6A000-memory.dmp

Filesize
104KB

Download
memory/4664-38-0x00000000746C0000-0x0000000074E71000-memory.dmp

Filesize
7.7MB

Download
memory/4664-26-0x0000000070AC0000-0x0000000070E17000-memory.dmp

Filesize
3.3MB

Download
memory/4664-36-0x0000000007D10000-0x0000000007D2E000-memory.dmp

Filesize
120KB

Download
memory/4664-37-0x0000000007D30000-0x0000000007DD4000-memory.dmp

Filesize
656KB

Download
memory/4664-27-0x00000000746C0000-0x0000000074E71000-memory.dmp

Filesize
7.7MB

Download
memory/4664-45-0x0000000007F10000-0x0000000007F25000-memory.dmp

Filesize
84KB

Download
memory/4664-25-0x0000000070930000-0x000000007097C000-memory.dmp

Filesize
304KB

Download
memory/4664-23-0x0000000006E30000-0x0000000006E76000-memory.dmp

Filesize
280KB

Download
memory/4664-22-0x00000000068E0000-0x000000000692C000-memory.dmp

Filesize
304KB

Download
memory/4664-11-0x00000000061A0000-0x0000000006206000-memory.dmp

Filesize
408KB

Download
memory/4664-10-0x0000000005A90000-0x0000000005AF6000-memory.dmp

Filesize
408KB

Download
memory/4664-20-0x0000000006390000-0x00000000066E7000-memory.dmp

Filesize
3.3MB

Download
memory/4664-21-0x00000000068C0000-0x00000000068DE000-memory.dmp

Filesize
120KB

Download
memory/4820-54-0x0000000004CA0000-0x000000000558B000-memory.dmp

Filesize
8.9MB

Download
memory/4820-52-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4820-53-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4820-1-0x00000000048A0000-0x0000000004C9C000-memory.dmp

Filesize
4.0MB

Download
memory/4820-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4820-2-0x0000000004CA0000-0x000000000558B000-memory.dmp

Filesize
8.9MB

Download
memory/4968-66-0x0000000070BC0000-0x0000000070F17000-memory.dmp

Filesize
3.3MB

Download
memory/4968-65-0x0000000070A40000-0x0000000070A8C000-memory.dmp

Filesize
304KB

Download
memory/4968-76-0x0000000006F70000-0x0000000006F81000-memory.dmp

Filesize
68KB

Download
memory/4968-64-0x0000000005A80000-0x0000000005ACC000-memory.dmp

Filesize
304KB

Download
memory/4968-77-0x0000000006FC0000-0x0000000006FD5000-memory.dmp

Filesize
84KB

Download
memory/4968-75-0x0000000006C40000-0x0000000006CE4000-memory.dmp

Filesize
656KB

Download
memory/4968-63-0x0000000005570000-0x00000000058C7000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads