glupteba | 6667e1ab4f79b6ed3869ccfa9cce86551d54cbfa4661a2350eee40e6a7a8faf5

Analysis

max time kernel
2s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/02/2024, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6667e1ab4f79b6ed3869ccfa9cce86551d54cbfa4661a2350eee40e6a7a8faf5.exe
Size

4.1MB
MD5

79d4dff9174adc484693a231b3bd7af2
SHA1

63d80f54a2b560ef4227d6aca4934ae606f8b4a8
SHA256

6667e1ab4f79b6ed3869ccfa9cce86551d54cbfa4661a2350eee40e6a7a8faf5
SHA512

238935b8caf940db2045ff8adfedbbea5e3196a5544e297923e0f983ec69bc40242ce042038422da4ad961774e7f1f135f67022dbb1236bfd5b1a3a4a5a5d17a
SSDEEP

98304:xMzAMLpWeVBMfi1O79l3dk/dJxFamkHdK:xMzA2W8BMCq9RuxFAHY

Score

10^/10

glupteba dropper evasion loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 22 IoCs

resource	yara_rule
behavioral1/memory/1996-2-0x00000000051F0000-0x0000000005ADB000-memory.dmp	family_glupteba
behavioral1/memory/1996-3-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/1996-4-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/2436-6-0x0000000004E70000-0x000000000575B000-memory.dmp	family_glupteba
behavioral1/memory/1996-9-0x00000000051F0000-0x0000000005ADB000-memory.dmp	family_glupteba
behavioral1/memory/2436-10-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/2436-19-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/2964-22-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/2964-103-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/2964-116-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/2964-120-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/2964-121-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/2964-122-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/2964-151-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/2964-160-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/2964-162-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/2964-164-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/2964-166-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/2964-168-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/2964-170-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/2964-172-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba
behavioral1/memory/2964-174-0x0000000000400000-0x0000000003124000-memory.dmp	family_glupteba

Detects Windows executables referencing non-Windows User-Agents 19 IoCs

resource	yara_rule
behavioral1/memory/1996-3-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1996-4-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2436-10-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2436-19-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2964-22-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2964-103-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2964-116-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2964-120-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2964-121-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2964-122-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2964-151-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2964-160-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2964-162-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2964-164-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2964-166-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2964-168-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2964-170-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2964-172-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2964-174-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables Discord URL observed in first stage droppers 19 IoCs

resource	yara_rule
behavioral1/memory/1996-3-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1996-4-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2436-10-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2436-19-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2964-22-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2964-103-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2964-116-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2964-120-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2964-121-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2964-122-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2964-151-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2964-160-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2964-162-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2964-164-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2964-166-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2964-168-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2964-170-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2964-172-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2964-174-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables containing URLs to raw contents of a Github gist 19 IoCs

resource	yara_rule
behavioral1/memory/1996-3-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1996-4-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2436-10-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2436-19-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2964-22-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2964-103-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2964-116-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2964-120-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2964-121-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2964-122-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2964-151-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2964-160-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2964-162-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2964-164-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2964-166-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2964-168-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2964-170-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2964-172-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2964-174-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing artifacts associated with disabling Widnows Defender 19 IoCs

resource	yara_rule
behavioral1/memory/1996-3-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1996-4-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2436-10-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2436-19-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2964-22-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2964-103-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2964-116-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2964-120-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2964-121-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2964-122-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2964-151-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2964-160-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2964-162-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2964-164-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2964-166-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2964-168-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2964-170-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2964-172-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2964-174-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables referencing many varying, potentially fake Windows User-Agents 19 IoCs

resource	yara_rule
behavioral1/memory/1996-3-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1996-4-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2436-10-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2436-19-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2964-22-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2964-103-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2964-116-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2964-120-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2964-121-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2964-122-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2964-151-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2964-160-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2964-162-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2964-164-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2964-166-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2964-168-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2964-170-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2964-172-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2964-174-0x0000000000400000-0x0000000003124000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
1756	bcdedit.exe
2172	bcdedit.exe
1712	bcdedit.exe
2564	bcdedit.exe
1592	bcdedit.exe
1544	bcdedit.exe
2160	bcdedit.exe
2960	bcdedit.exe
1504	bcdedit.exe
1912	bcdedit.exe
1900	bcdedit.exe
2824	bcdedit.exe
2880	bcdedit.exe
2440	bcdedit.exe

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral1/files/0x0005000000004ed8-154.dat	UPX
behavioral1/memory/1772-155-0x0000000000400000-0x00000000008DF000-memory.dmp	UPX
behavioral1/files/0x0005000000004ed8-156.dat	UPX
behavioral1/files/0x0005000000004ed8-157.dat	UPX
behavioral1/memory/2592-158-0x0000000000400000-0x00000000008DF000-memory.dmp	UPX
behavioral1/memory/1772-159-0x0000000000400000-0x00000000008DF000-memory.dmp	UPX
behavioral1/memory/2592-161-0x0000000000400000-0x00000000008DF000-memory.dmp	UPX
behavioral1/memory/2592-165-0x0000000000400000-0x00000000008DF000-memory.dmp	UPX
behavioral1/memory/2592-171-0x0000000000400000-0x00000000008DF000-memory.dmp	UPX

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2000	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000004ed8-154.dat	upx
behavioral1/memory/1772-155-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x0005000000004ed8-156.dat	upx
behavioral1/files/0x0005000000004ed8-157.dat	upx
behavioral1/memory/2592-158-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1772-159-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2592-161-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2592-165-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2592-171-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2740	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1456	schtasks.exe
2728	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\6667e1ab4f79b6ed3869ccfa9cce86551d54cbfa4661a2350eee40e6a7a8faf5.exe
"C:\Users\Admin\AppData\Local\Temp\6667e1ab4f79b6ed3869ccfa9cce86551d54cbfa4661a2350eee40e6a7a8faf5.exe"
1⤵
PID:1996
- C:\Users\Admin\AppData\Local\Temp\6667e1ab4f79b6ed3869ccfa9cce86551d54cbfa4661a2350eee40e6a7a8faf5.exe
  "C:\Users\Admin\AppData\Local\Temp\6667e1ab4f79b6ed3869ccfa9cce86551d54cbfa4661a2350eee40e6a7a8faf5.exe"
  2⤵
  PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2440
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2000
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:2964
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:2840
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      PID:1660
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1756
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2172
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1712
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2564
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1592
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1544
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2160
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2960
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1504
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1912
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1900
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2824
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:696
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      4⤵
      PID:2584
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2728
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:1772
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:1824
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:2740

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240229053352.log C:\Windows\Logs\CBS\CbsPersist_20240229053352.cab
1⤵
PID:2544

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9C51.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
421KB

MD5
434eaa4aa1b17da1d2bdb3320c35e968

SHA1
f03f64d46a6d9afb6b610e09336923e0b79be4b0

SHA256
93aef86ab1fdf616f072412f7a4c925635b74883694b4220d7fb7a7a25add61f

SHA512
0d51df7665dcde0253d030a3d5a96b1263fa4e68792852e9a2c742df25447cbf2b25319d0e7889a6849a5e37be7cdb1d94b0191b208cd70e939155dab0146d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9E3C.tmp

Filesize
82KB

MD5
ffb486df71fd9937493a43c5437bb359

SHA1
16f1c4d40398b78d4dbd44493b8f9865861f2abe

SHA256
1b481b44b938c075a30d093606256b09b2ac56387926d995e509b4b4a072d653

SHA512
b66302928bd90d35873cc3b152f4d20459d9a659571b3d5e26df75ee8acb504bee99510e87ec16eb15526df99351645736faeb9fc4c81e7bb8bda176c2b4201c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
122KB

MD5
b7bb6839a3aed5e221cee4d598c45cda

SHA1
3d02e268d2f10d170935d16a0c2323853ba486e7

SHA256
33232322653c11e9094515d81299c943765212287e67dd37746bcd24ee30f914

SHA512
cb5aec3a6f95223428a364054b2bbbee61eabd2aaff26f31a25f5bafb42367ceb825b5e2db6c92bf0175951ff1875b0e61311f9aad83483a4ac9ec00ec520dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
155KB

MD5
b9b6e0a887b229ffd7f778060ef2b82a

SHA1
8e999f25ef648f79b982e1ee217aad5d4b2ec311

SHA256
0e7b097ac1961ae0f34e3a2c35ba4b918e5c3bca676b8eb5407f3bf69ea111ab

SHA512
862b943559aaa6a658cc5c4d009b089d27a509dbd98dd1a334d262995e66c69412e379223c59cc8b90cdcb813a9b763d4eb74e5850fe129de05d7523b672641b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
180KB

MD5
5c687c16eebcd53d8e73b5c822471222

SHA1
a23162c6ee21a0de4192a9165e477d7308dbbdd8

SHA256
8b168171aa9b3315c812403054c134aa973279c6166284cbb0d4dc0722ee28c2

SHA512
97bff545bb9103ce7878daa28f844a0fab71d7f0317400ecfdbe8da79b1e110909c9582945c6bc4d2c11d30237a408fb7b3560626d3f06761cc7875037f7efb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
15KB

MD5
ac3c8e338ea3b17f500448b79adad240

SHA1
76fb437fcf395aeb0b24fa23953dc15c8a107928

SHA256
452f870c2dadb593c10272685c0f04f0248a4807f737fe5df7d92aff7f1c2d6c

SHA512
91922223b378b85c577f8db39a14b3d79e188de952508179258a2e95576cefeacec7b7a9bbd3bac64eecc3cc5a67e50709c442f7d1072129203d1ec9475fc186

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1024KB

MD5
2b319ecb780f8dea989969c0ca95873c

SHA1
1bb94498ff69f9d9d271b93d9d7f97c1bb2a264e

SHA256
42a5ccef3045588e6c35101ff6d4670698f4aa201ef448277446da085c81a7e1

SHA512
5af70c0eb45169a5b1bb2eb8dd7f6520d845310bc1a6b6c4453c8b93aa6c8af7b552f90b5d3e343b5c2f58b274cef43fe5089e3825a41aeca35006a78f286dc7

Download Submit
C:\Windows\rss\csrss.exe

Filesize
5KB

MD5
c2ace223f673a1523fb4d5b93d495c4d

SHA1
d05c7d6a5225a1bf86314fb2d8ce35c4e53203fd

SHA256
e81b6dab99003d67b5646565c0741d489b44852220b0eca5cbbcbb7ed64a7438

SHA512
0bc605ce132380ba05cc4c4de0ef373e9d413f429e95aaa468cedc8d69f25718b7c0fa9510aab2183afedcdaef19ff95723c90a98b75f1b87f3c2dfe16797b98

Download Submit
C:\Windows\windefender.exe

Filesize
257KB

MD5
07efd1d3f0cc1328a980e367bd839e44

SHA1
5f9f1de6dc9ef628bb251cd3195e0cae9b61b014

SHA256
88fb117d5755e63b3e69c8c992c0afbf5df86a069c7315d64a3340572f4cea82

SHA512
f737011d3b80a25e7d89202a4c864a10ecd3131c92876cc599833a4500d9e54206e40fb39fff7f6df21a0d7ff31738f79445c9fea2aea8f2927e1c5a4d286bb2

Download Submit
C:\Windows\windefender.exe

Filesize
392KB

MD5
d55aaf15631ba17db7f5cbab8d73809b

SHA1
faf2673681a80491253156eec53a9b99cc82e449

SHA256
1a949920d69b6507bd9af37f12d765483d330507db6900ba529bd9735a7ac5f4

SHA512
abc930ed31429670e1412633846a57f72cb9486ec186cc778a6922d509c020f4d3fdb095fb763b4a5840181ed5827052244a5a1dbd6d256620f5ca33c4e22790

Download Submit
C:\Windows\windefender.exe

Filesize
267KB

MD5
5d93f03c282bea7d7caee62146817e1e

SHA1
ebd5f250a9afad212b71b6ac8907bbc872d774b2

SHA256
981afa5bb547ea45f82b96e1c10d3e53c934fe315634d81094ed7bac44aa1024

SHA512
235ee17a953731a83b87ee366fd4a2f40c78d3ac665b0885b910abe5d090cb3b6e933ddc30ec4183034f993c16e3ed8b4039c63634546b2ac9aefd7e396010fa

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
314KB

MD5
be2c9ec1faba09a2043b99e0dbc95ae1

SHA1
f598d3b868456c76e30c9177ed7d9ac09c54d55e

SHA256
382f94bcf11173782e813b1ae371d0e327fd444f80956470402ec473c6d99062

SHA512
a0ee911a552528e213be85677af430d0d37cd2fc2bec7b53c98667cf32f3bf95b5c4dd3e72207fe48c86008b60e97efb22858fcefd7cec782f2f4faf4e7a3e35

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
162KB

MD5
21b344b35db412572aae35833bf41a3b

SHA1
f608e05896dd31d5c058541a75dfb0cfaeceeaf6

SHA256
35b0cdb87ced6c62fe456b81170f081640bbcb86fa1c171c03299babb7b7950f

SHA512
e341d29080d6ac54f9e21464a888da8beaa408892182ba853b725d5b5103f52dd23cb189f42c0d2ec3bedc9b37b1e96d5788fc22e7cbfa19f899557a1f118e86

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
225KB

MD5
5f1e0254e11f9f933e305dc462262dcf

SHA1
83973e308ff8ec36fa5ac95d0f14825316a660e6

SHA256
6808072eddc0aab6777250177f533b6fd333b5beba61a057bf2b55519122e7e5

SHA512
7b4cfdf83b98176e8dd699dbf39664b2aaab3ff81009af6956073caadf41be6ced4adf1d5925419aa89d59fde5970baa151c0a74671eda30e6353356f428e803

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
256KB

MD5
6402889456e39d5d58795fe835e01480

SHA1
859a83a4110102a91a28230c13a040fc65bf5906

SHA256
fb3c756cf8edc2edc19ae11af007483a88d9d2e72fd61af6251bc86093978cb5

SHA512
4796545e7f115963fbe08bdec9b8f6c71cbb6e02f2c273e584f3410fadd9a93b40de172c380f5301045ed22eaea063c2e39a12d77adbba2be24692e6622a7e72

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
94KB

MD5
a15aa5879f5f84a12e2bdafe42c97cdc

SHA1
61c266370be583e7c9d7786ab355e8d5e1cafc6a

SHA256
1e70a5c6b84c2b22f4a1e99bf144a1993f9afe216f833a11252a7014dfd64a06

SHA512
6e8ada3db5d1348ecd3bc0ffa903368f740cade18c0e49b3f9321b09fe35d7e47b4275c4922e4458780462ef581bf2c89197d3cceac653eb9738331acea20d7d

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
45KB

MD5
30fc985ba8ad6b6c395805976ec3e077

SHA1
682fec1a6cf95005baf52a74318e6f9244f4e151

SHA256
5cd11c6a6a1ac3666c75a46bf042d994febe356053a2482fed5f0ae11e0b04f9

SHA512
0b30a295f612b44a68b2a3c147b2846a7694c78495f6e96c09a8532d33dc5fd2f649f31958e5a00da17a95906d3aa2026d8ec672a8dd3f7f7ab32f1b109865a6

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
64KB

MD5
367011d594a7f38c1e1d0e88f5028fbb

SHA1
d7ee26a3ed4ce1de0943a843b3e72a722da90698

SHA256
cce834eea99a6757290c5a9e560f88aa1e4b58c529fff4909c9b1a62753f9849

SHA512
a5a33f0640b80075878c604410eac19bd8add41e0bd5baf4bb9a052b26ab2e3af424203aec358809368fd4d53caf670cab25a272e1af7591cc0e20f548b3faa7

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
2KB

MD5
40a2c06adfd2d1b00ca22d82d08dffe1

SHA1
11915a16cfb8585b69f74538dd52dd0b433dbee8

SHA256
36e4c446a4a6ee8fae0681a870ecb3a350bf0dfc872995bf3b0faa1692f80a07

SHA512
bfd015d1c44178cd7644970fa0ee59ceed9db722edd630a5627fcf19a9969a9a6142f36f9b0a50a745b49e0fcfd6c0d45ef3432f15419b137b048f8d8d79df22

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
136KB

MD5
6a35f36188ee9296e719fb28d8692184

SHA1
af335dc17f82c1e6f9d740e488671273cda9c9f0

SHA256
3a9b93d963ff0941aadf605a92082ff8170116a61f58c56024999a3ecc705afa

SHA512
4fd7b7f111bea3291b950405370ba9dd8bfcac4496c397f4723f08229f2d32c4ac740a74293bdc30482199ebad19858c2bb5be62ae6806b009c10ed4561d3ff4

Download Submit
\Windows\rss\csrss.exe

Filesize
145KB

MD5
e4250e3cafe0c005d89180ede45e2a29

SHA1
02d041379063bba0c5f76b1f1873198c2924dd17

SHA256
0cac1ec69eb7e88775f2c773619f31fe848e83730198cc440ad622445d595a89

SHA512
b36ed1b6d33c63c9fcb371dfd8db5180af1c401daf39f2aa9a15bf9bddc6723c25521a24679ade8c5ff6829fc0fbc05a559aaf73fa63946434b4d80d2e6f6f93

Download Submit
\Windows\rss\csrss.exe

Filesize
64KB

MD5
baaf052da4c56c4ddd98fbaa2cf649ba

SHA1
1b02b466e5ffdd52f60ac7c6ae45cc49eb343daa

SHA256
d01ebcbffe71ec81b88c38a59aa1236f3df7337cdd65ef4ca946560a2c5d698c

SHA512
9a28e7c462fbca179fd8c9f285a6a46ba05c768c44178b261225c35a06f871e997b0f75a0a3b73dd6a4f29779a4611383856cb809ab1dac4b37921c15bbbb6aa

Download Submit
memory/1660-27-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1660-48-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1772-159-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1772-155-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1996-9-0x00000000051F0000-0x0000000005ADB000-memory.dmp

Filesize
8.9MB

Download
memory/1996-8-0x0000000004DF0000-0x00000000051E8000-memory.dmp

Filesize
4.0MB

Download
memory/1996-4-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/1996-1-0x0000000004DF0000-0x00000000051E8000-memory.dmp

Filesize
4.0MB

Download
memory/1996-2-0x00000000051F0000-0x0000000005ADB000-memory.dmp

Filesize
8.9MB

Download
memory/1996-0-0x0000000004DF0000-0x00000000051E8000-memory.dmp

Filesize
4.0MB

Download
memory/1996-3-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/2436-5-0x0000000004A70000-0x0000000004E68000-memory.dmp

Filesize
4.0MB

Download
memory/2436-19-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/2436-6-0x0000000004E70000-0x000000000575B000-memory.dmp

Filesize
8.9MB

Download
memory/2436-10-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/2436-7-0x0000000004A70000-0x0000000004E68000-memory.dmp

Filesize
4.0MB

Download
memory/2592-158-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2592-161-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2592-165-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2592-171-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2964-121-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/2964-162-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/2964-22-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/2964-21-0x0000000004A10000-0x0000000004E08000-memory.dmp

Filesize
4.0MB

Download
memory/2964-122-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/2964-120-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/2964-20-0x0000000004A10000-0x0000000004E08000-memory.dmp

Filesize
4.0MB

Download
memory/2964-160-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/2964-116-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/2964-151-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/2964-164-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/2964-115-0x0000000004A10000-0x0000000004E08000-memory.dmp

Filesize
4.0MB

Download
memory/2964-166-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/2964-168-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/2964-170-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/2964-103-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/2964-172-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download
memory/2964-174-0x0000000000400000-0x0000000003124000-memory.dmp

Filesize
45.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads