glupteba | 050c7bdef499a3aeecaa3bca43950f540c835b41a4b0d321f916e415ce564bca

Analysis

max time kernel
8s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

050c7bdef499a3aeecaa3bca43950f540c835b41a4b0d321f916e415ce564bca.exe
Size

4.1MB
MD5

58aeec23aa477acc489ca29fc8222e5e
SHA1

fd189a7331274779548164e9a5c19f7c82bb287d
SHA256

050c7bdef499a3aeecaa3bca43950f540c835b41a4b0d321f916e415ce564bca
SHA512

4f6ce8c769d27fa6b1b2c640ba22c995eabcec9c530221678d60a356c80c43a9a8eb47bafb16d3dc18f9f4d352fc5cf334d6d0076ac87251ee121a446ffe2176
SSDEEP

98304:mJsMjtvpLhBsrANyl+HA3P3+ZY1+eQIMXjectPnUWuRnMm8CYQO5:mWgDBsKdHAWZM+VzNxnUpRnkRj

Score

10^/10

glupteba dropper evasion execution loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

resource	yara_rule
behavioral2/memory/1616-2-0x0000000004990000-0x000000000527B000-memory.dmp	family_glupteba
behavioral2/memory/1616-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1616-26-0x0000000000400000-0x0000000002958000-memory.dmp	family_glupteba
behavioral2/memory/1616-53-0x0000000004990000-0x000000000527B000-memory.dmp	family_glupteba
behavioral2/memory/1616-104-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3192-103-0x0000000000400000-0x0000000002958000-memory.dmp	family_glupteba
behavioral2/memory/1616-102-0x0000000000400000-0x0000000002958000-memory.dmp	family_glupteba
behavioral2/memory/3192-131-0x0000000000400000-0x0000000002958000-memory.dmp	family_glupteba

Detects Windows executables referencing non-Windows User-Agents 6 IoCs

resource	yara_rule
behavioral2/memory/1616-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1616-26-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1616-104-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3192-103-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1616-102-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3192-131-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables Discord URL observed in first stage droppers 6 IoCs

resource	yara_rule
behavioral2/memory/1616-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1616-26-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1616-104-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3192-103-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1616-102-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3192-131-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables containing URLs to raw contents of a Github gist 6 IoCs

resource	yara_rule
behavioral2/memory/1616-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1616-26-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1616-104-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3192-103-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1616-102-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3192-131-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing artifacts associated with disabling Widnows Defender 6 IoCs

resource	yara_rule
behavioral2/memory/1616-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1616-26-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1616-104-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3192-103-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1616-102-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3192-131-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables referencing many varying, potentially fake Windows User-Agents 6 IoCs

resource	yara_rule
behavioral2/memory/1616-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1616-26-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1616-104-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3192-103-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1616-102-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3192-131-0x0000000000400000-0x0000000002958000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2060	netsh.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3440	powershell.exe
4736	powershell.exe
3980	powershell.exe
2072	powershell.exe
544	powershell.exe
5116	powershell.exe
3832	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4460	schtasks.exe
3644	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\050c7bdef499a3aeecaa3bca43950f540c835b41a4b0d321f916e415ce564bca.exe
"C:\Users\Admin\AppData\Local\Temp\050c7bdef499a3aeecaa3bca43950f540c835b41a4b0d321f916e415ce564bca.exe"
1⤵
PID:1616
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3440
- C:\Users\Admin\AppData\Local\Temp\050c7bdef499a3aeecaa3bca43950f540c835b41a4b0d321f916e415ce564bca.exe
  "C:\Users\Admin\AppData\Local\Temp\050c7bdef499a3aeecaa3bca43950f540c835b41a4b0d321f916e415ce564bca.exe"
  2⤵
  PID:3192
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:3548
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2060
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2072
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:4324
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:544
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4460
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:3724
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5116
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3832
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:3212
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ulu43azj.ekm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
46409aeee3041314b60d08c80d499064

SHA1
f11a22170a942bac17ce0fc0c053b21e5ccffdcc

SHA256
5bb930d9b600afe2bcc02e600f74a057dd0a37c01ef0225691fe100f8795482d

SHA512
a5d20c0a25b0f8740568c88a1942cc08a16e59d2e1a0745556f59cf5bc6f1bdc9aeca1ca00cae9eccbb6b39f08fd55dfb35a11cd2ade3f347922d3fd8a126681

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
bd39f3eef855503a06b3fc6b9e075fc0

SHA1
70f818362379f1a31d6517de7db2c5771556ff5e

SHA256
491a423e1b1846985c4b6459ebdde8240ddd204a1376a2fbe8f42d82df70b81d

SHA512
c06fdadd01f19e10a6c9fe0ce598f5971932e4dd87e2d3770b95cc1f1f4b75c2cc66f490efe7faa3000efe6be418bde32780bcee83602aa55d2c728abef105b8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2953838a54ab606c572bd47ad7cf324c

SHA1
a22527c9c70ec0bdbcb57e4f51b7fc7ed0cecc89

SHA256
f8cdb7d06d65d4e672ce96ab3545081b7d8ebfdac2744bfa8da84a67372e3e72

SHA512
2ef3b9a4e2e039177df5138e46c6eaaac6d86ddcd9a044e8a9d8e80b7b720f637f953c30343df97b15ccd1cf6a7fae9a186048f2724fa468f6c7471ce2abc29a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
bbdfd608ae077d50aaa74c8b84324506

SHA1
dda0f071f677b81b0b2b94c03949efc11cf315e9

SHA256
cc70503e740de2f69e36d110215ebf61ba8a5e8d9d72839821e4a0a538a1b731

SHA512
d74392be1ffa90897e97aa965b5326800a76116f0e02fdae9ad35f20a457c8141179a23b9d3277355634c8ac7428e476653b55506185aee0dcade4582424cee2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
11b68c135cb2ab9889bbda626bb98195

SHA1
f70ad2354c268f68a68386c814e8ba4dee53b8f0

SHA256
3128860149fe24779de7ff34c8d4cc9eba332448855771141547b137ac294212

SHA512
15180ab7474da1db05dce0a72cb80a73ca179578644716be52773d2ecf0e34acb5969fdc525299b174f0c3d85fbb0fb99f0bc1d3f81f7298f34047d5e4f50786

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
58aeec23aa477acc489ca29fc8222e5e

SHA1
fd189a7331274779548164e9a5c19f7c82bb287d

SHA256
050c7bdef499a3aeecaa3bca43950f540c835b41a4b0d321f916e415ce564bca

SHA512
4f6ce8c769d27fa6b1b2c640ba22c995eabcec9c530221678d60a356c80c43a9a8eb47bafb16d3dc18f9f4d352fc5cf334d6d0076ac87251ee121a446ffe2176

Download Submit
memory/544-145-0x0000000070D70000-0x0000000070DBC000-memory.dmp

Filesize
304KB

Download
memory/544-146-0x0000000070EF0000-0x0000000071244000-memory.dmp

Filesize
3.3MB

Download
memory/1616-102-0x0000000000400000-0x0000000002958000-memory.dmp

Filesize
37.3MB

Download
memory/1616-52-0x0000000004580000-0x0000000004986000-memory.dmp

Filesize
4.0MB

Download
memory/1616-104-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1616-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1616-1-0x0000000004580000-0x0000000004986000-memory.dmp

Filesize
4.0MB

Download
memory/1616-2-0x0000000004990000-0x000000000527B000-memory.dmp

Filesize
8.9MB

Download
memory/1616-26-0x0000000000400000-0x0000000002958000-memory.dmp

Filesize
37.3MB

Download
memory/1616-53-0x0000000004990000-0x000000000527B000-memory.dmp

Filesize
8.9MB

Download
memory/2072-117-0x00000000714F0000-0x0000000071844000-memory.dmp

Filesize
3.3MB

Download
memory/2072-116-0x0000000070D70000-0x0000000070DBC000-memory.dmp

Filesize
304KB

Download
memory/3192-131-0x0000000000400000-0x0000000002958000-memory.dmp

Filesize
37.3MB

Download
memory/3192-103-0x0000000000400000-0x0000000002958000-memory.dmp

Filesize
37.3MB

Download
memory/3440-40-0x0000000007C30000-0x0000000007CD3000-memory.dmp

Filesize
652KB

Download
memory/3440-20-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/3440-43-0x0000000007D30000-0x0000000007D41000-memory.dmp

Filesize
68KB

Download
memory/3440-45-0x0000000007D90000-0x0000000007DA4000-memory.dmp

Filesize
80KB

Download
memory/3440-44-0x0000000007D70000-0x0000000007D7E000-memory.dmp

Filesize
56KB

Download
memory/3440-46-0x0000000007DE0000-0x0000000007DFA000-memory.dmp

Filesize
104KB

Download
memory/3440-47-0x0000000007DD0000-0x0000000007DD8000-memory.dmp

Filesize
32KB

Download
memory/3440-50-0x00000000003D0000-0x000000000043D000-memory.dmp

Filesize
436KB

Download
memory/3440-29-0x0000000070EF0000-0x0000000071244000-memory.dmp

Filesize
3.3MB

Download
memory/3440-39-0x0000000007C10000-0x0000000007C2E000-memory.dmp

Filesize
120KB

Download
memory/3440-4-0x00000000003D0000-0x000000000043D000-memory.dmp

Filesize
436KB

Download
memory/3440-42-0x0000000007E30000-0x0000000007EC6000-memory.dmp

Filesize
600KB

Download
memory/3440-5-0x00000000030A0000-0x00000000030D6000-memory.dmp

Filesize
216KB

Download
memory/3440-6-0x0000000005850000-0x0000000005E78000-memory.dmp

Filesize
6.2MB

Download
memory/3440-9-0x0000000005FE0000-0x0000000006046000-memory.dmp

Filesize
408KB

Download
memory/3440-41-0x0000000007D20000-0x0000000007D2A000-memory.dmp

Filesize
40KB

Download
memory/3440-27-0x0000000007BD0000-0x0000000007C02000-memory.dmp

Filesize
200KB

Download
memory/3440-8-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/3440-7-0x00000000057A0000-0x00000000057C2000-memory.dmp

Filesize
136KB

Download
memory/3440-19-0x0000000006150000-0x00000000064A4000-memory.dmp

Filesize
3.3MB

Download
memory/3440-28-0x0000000070D70000-0x0000000070DBC000-memory.dmp

Filesize
304KB

Download
memory/3440-25-0x0000000007A10000-0x0000000007A2A000-memory.dmp

Filesize
104KB

Download
memory/3440-24-0x0000000008070000-0x00000000086EA000-memory.dmp

Filesize
6.5MB

Download
memory/3440-23-0x0000000007970000-0x00000000079E6000-memory.dmp

Filesize
472KB

Download
memory/3440-22-0x0000000006A50000-0x0000000006A94000-memory.dmp

Filesize
272KB

Download
memory/3440-21-0x0000000006690000-0x00000000066DC000-memory.dmp

Filesize
304KB

Download
memory/3832-193-0x0000000005B80000-0x0000000005ED4000-memory.dmp

Filesize
3.3MB

Download
memory/3832-195-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/3832-196-0x0000000070E30000-0x0000000071184000-memory.dmp

Filesize
3.3MB

Download
memory/3980-92-0x00000000714F0000-0x0000000071844000-memory.dmp

Filesize
3.3MB

Download
memory/3980-86-0x0000000005D20000-0x0000000006074000-memory.dmp

Filesize
3.3MB

Download
memory/3980-91-0x0000000070D70000-0x0000000070DBC000-memory.dmp

Filesize
304KB

Download
memory/4324-220-0x0000000000400000-0x0000000002958000-memory.dmp

Filesize
37.3MB

Download
memory/4324-214-0x0000000000400000-0x0000000002958000-memory.dmp

Filesize
37.3MB

Download
memory/4324-234-0x0000000000400000-0x0000000002958000-memory.dmp

Filesize
37.3MB

Download
memory/4324-232-0x0000000000400000-0x0000000002958000-memory.dmp

Filesize
37.3MB

Download
memory/4324-230-0x0000000000400000-0x0000000002958000-memory.dmp

Filesize
37.3MB

Download
memory/4324-228-0x0000000000400000-0x0000000002958000-memory.dmp

Filesize
37.3MB

Download
memory/4324-226-0x0000000000400000-0x0000000002958000-memory.dmp

Filesize
37.3MB

Download
memory/4324-224-0x0000000000400000-0x0000000002958000-memory.dmp

Filesize
37.3MB

Download
memory/4324-222-0x0000000000400000-0x0000000002958000-memory.dmp

Filesize
37.3MB

Download
memory/4324-218-0x0000000000400000-0x0000000002958000-memory.dmp

Filesize
37.3MB

Download
memory/4324-216-0x0000000000400000-0x0000000002958000-memory.dmp

Filesize
37.3MB

Download
memory/4324-206-0x0000000000400000-0x0000000002958000-memory.dmp

Filesize
37.3MB

Download
memory/4736-76-0x0000000007130000-0x0000000007144000-memory.dmp

Filesize
80KB

Download
memory/4736-64-0x0000000070EF0000-0x0000000071244000-memory.dmp

Filesize
3.3MB

Download
memory/4736-75-0x00000000070E0000-0x00000000070F1000-memory.dmp

Filesize
68KB

Download
memory/4736-74-0x0000000006DD0000-0x0000000006E73000-memory.dmp

Filesize
652KB

Download
memory/4736-63-0x0000000070D70000-0x0000000070DBC000-memory.dmp

Filesize
304KB

Download
memory/5116-166-0x0000000005E70000-0x00000000061C4000-memory.dmp

Filesize
3.3MB

Download
memory/5116-168-0x00000000069E0000-0x0000000006A2C000-memory.dmp

Filesize
304KB

Download
memory/5116-182-0x0000000006260000-0x0000000006274000-memory.dmp

Filesize
80KB

Download
memory/5116-181-0x00000000079E0000-0x00000000079F1000-memory.dmp

Filesize
68KB

Download
memory/5116-169-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/5116-170-0x0000000070E40000-0x0000000071194000-memory.dmp

Filesize
3.3MB

Download
memory/5116-180-0x00000000076C0000-0x0000000007763000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads