glupteba | de991298b019543e07054a5b47e67655266b9552ea317eda901968756febd9a3

Analysis

max time kernel
0s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
18-05-2024 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de991298b019543e07054a5b47e67655266b9552ea317eda901968756febd9a3.exe
Size

4.1MB
MD5

7a3187474038b262c80eb70b55fd6f06
SHA1

73fc124403942d3207214a23ba4bf4b8f7f0a913
SHA256

de991298b019543e07054a5b47e67655266b9552ea317eda901968756febd9a3
SHA512

b39989c1f40810ef980bac8dec49fbe356fedfbb620962d3037b667d81b42ea565b4329c82880da07a175bdc65a4e7fb715b15176faf9e2fbd8d7d4d55460414
SSDEEP

98304:7mSOHuT7egJLhRTCVEkOCdqjiWtSbuAFmh921:70ObLh9WfG/tSdeC

Score

10^/10

glupteba dropper evasion execution loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 17 IoCs

resource	yara_rule
behavioral2/memory/4932-2-0x0000000004A00000-0x00000000052EB000-memory.dmp	family_glupteba
behavioral2/memory/4932-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4932-54-0x0000000004A00000-0x00000000052EB000-memory.dmp	family_glupteba
behavioral2/memory/4932-51-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/4932-53-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5004-126-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/3440-204-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/3440-214-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/3440-216-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/3440-218-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/3440-220-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/3440-222-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/3440-224-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/3440-226-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/3440-228-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/3440-230-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba
behavioral2/memory/3440-232-0x0000000000400000-0x0000000002738000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4512	netsh.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000002a9e2-208.dat	upx
behavioral2/memory/1860-212-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4512-213-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1860-209-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4512-215-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4512-219-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2728	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1956	powershell.exe
2332	powershell.exe
4216	powershell.exe
4180	powershell.exe
3812	powershell.exe
1428	powershell.exe
4252	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2860	schtasks.exe
2392	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\de991298b019543e07054a5b47e67655266b9552ea317eda901968756febd9a3.exe
"C:\Users\Admin\AppData\Local\Temp\de991298b019543e07054a5b47e67655266b9552ea317eda901968756febd9a3.exe"
1⤵
PID:4932
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3812
- C:\Users\Admin\AppData\Local\Temp\de991298b019543e07054a5b47e67655266b9552ea317eda901968756febd9a3.exe
  "C:\Users\Admin\AppData\Local\Temp\de991298b019543e07054a5b47e67655266b9552ea317eda901968756febd9a3.exe"
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1428
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:1828
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4512
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4252
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1956
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:3440
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2332
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2860
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:5032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4216
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4180
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:3936
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2392
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:1860
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:4944
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:2728

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ir3razfq.lre.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
1c14fb62d471e7fff3eb0d446dc878d8

SHA1
11c1be668ee07e839ea0541cda7c9b642c25444f

SHA256
7842e641bf15fca42ee7ed8a745eca399b9d115513234bf9cea7902680bd5973

SHA512
178cb1b4ab09fc8dc81b7973e6207543bd5274088c8ed45b7cd4af48a0a2ba5bd62ea0f62d09f76788445bf8d5234e8684213ecfa4d9924da6948423b661a937

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
5daad8c54a9f32a1f1b12fde3b782511

SHA1
83e821ebb085125c359f12eb8a9c76472a4ac47d

SHA256
c3baa772cde4526d34377dead7023e43b5fae7fb8a1f9c8705b3a1a3c5d70854

SHA512
54dc7de11a434a1a64e5f06f879179fbf1b901aac68e25d5be45deb697920658fcc24147735da7c05e3f8f2a713e3b3430ef83d359461eec12df6e5a2488daa4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
66ee13490026e5dd6ac6b03c2fd59cf3

SHA1
cc0acea36588145fad1e4d021e13b364de2f3854

SHA256
39f358b2b62f6dbdf1c7526b4953176988c2251c286c4ac2a54e71d10aab4f27

SHA512
1e62c1016bb70444ec4f7a938cd43a639d02f0575c43517e466a02ae88290917ef3d2771c61819e69daa81e46d1465d46264ed61599cbd2a4046067ff006a013

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6ae1b41b75bee7e12a1bc0151ece4294

SHA1
6242aebf889acf514c3b69d579309e8586649d47

SHA256
47056c1bc90c1c9e22566540feccfdebd49f7267e6c5e5c19c716374b3b15952

SHA512
d0eb5f71c9d890a4a00842c921f0a28df499113224cd928e2a78d6d57d295b9eb8fa41ab25edb564da8166ad6ca40e383d32fd12e546b6355f18423d900fc198

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
ce29d66b5f104f3e767f3cab9756671e

SHA1
1ba084f093f1d1a2ed7c754ac8f1af0b444ca5b3

SHA256
ae869f87cb954ea5139c0da3d7cf05bd9e5ad9f078de422bd1beff2873f3140b

SHA512
9114c094e5e05b6e57041730a120e54dc502537a580c56e0e4073eae6cc62419fd5c6af79bf2b9424c8627693590f1bb60ceabc8d332785fb9dcc0e5965bac6c

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
7a3187474038b262c80eb70b55fd6f06

SHA1
73fc124403942d3207214a23ba4bf4b8f7f0a913

SHA256
de991298b019543e07054a5b47e67655266b9552ea317eda901968756febd9a3

SHA512
b39989c1f40810ef980bac8dec49fbe356fedfbb620962d3037b667d81b42ea565b4329c82880da07a175bdc65a4e7fb715b15176faf9e2fbd8d7d4d55460414

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/1428-77-0x0000000007670000-0x0000000007685000-memory.dmp

Filesize
84KB

Download
memory/1428-63-0x0000000005C80000-0x0000000005FD7000-memory.dmp

Filesize
3.3MB

Download
memory/1428-64-0x00000000060B0000-0x00000000060FC000-memory.dmp

Filesize
304KB

Download
memory/1428-75-0x00000000072E0000-0x0000000007384000-memory.dmp

Filesize
656KB

Download
memory/1428-66-0x0000000070C40000-0x0000000070F97000-memory.dmp

Filesize
3.3MB

Download
memory/1428-65-0x0000000070AC0000-0x0000000070B0C000-memory.dmp

Filesize
304KB

Download
memory/1428-76-0x0000000007620000-0x0000000007631000-memory.dmp

Filesize
68KB

Download
memory/1860-209-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1860-212-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1956-112-0x0000000070AC0000-0x0000000070B0C000-memory.dmp

Filesize
304KB

Download
memory/1956-102-0x0000000005EE0000-0x0000000006237000-memory.dmp

Filesize
3.3MB

Download
memory/1956-113-0x0000000070D00000-0x0000000071057000-memory.dmp

Filesize
3.3MB

Download
memory/2332-151-0x0000000005A40000-0x0000000005A55000-memory.dmp

Filesize
84KB

Download
memory/2332-150-0x0000000007200000-0x0000000007211000-memory.dmp

Filesize
68KB

Download
memory/2332-149-0x0000000006EC0000-0x0000000006F64000-memory.dmp

Filesize
656KB

Download
memory/2332-139-0x0000000070A20000-0x0000000070A6C000-memory.dmp

Filesize
304KB

Download
memory/2332-140-0x0000000070C60000-0x0000000070FB7000-memory.dmp

Filesize
3.3MB

Download
memory/2332-138-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

Filesize
304KB

Download
memory/3440-230-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/3440-226-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/3440-236-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/3440-204-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/3440-234-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/3440-232-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/3440-214-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/3440-228-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/3440-216-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/3440-218-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/3440-220-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/3440-222-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/3440-224-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/3812-25-0x00000000709B0000-0x00000000709FC000-memory.dmp

Filesize
304KB

Download
memory/3812-10-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/3812-38-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/3812-37-0x0000000007120000-0x00000000071C4000-memory.dmp

Filesize
656KB

Download
memory/3812-27-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/3812-40-0x0000000007240000-0x000000000725A000-memory.dmp

Filesize
104KB

Download
memory/3812-39-0x0000000007890000-0x0000000007F0A000-memory.dmp

Filesize
6.5MB

Download
memory/3812-26-0x0000000070B30000-0x0000000070E87000-memory.dmp

Filesize
3.3MB

Download
memory/3812-45-0x0000000007300000-0x0000000007315000-memory.dmp

Filesize
84KB

Download
memory/3812-24-0x00000000070C0000-0x00000000070F4000-memory.dmp

Filesize
208KB

Download
memory/3812-23-0x0000000006220000-0x0000000006266000-memory.dmp

Filesize
280KB

Download
memory/3812-22-0x0000000005CF0000-0x0000000005D3C000-memory.dmp

Filesize
304KB

Download
memory/3812-41-0x0000000007280000-0x000000000728A000-memory.dmp

Filesize
40KB

Download
memory/3812-21-0x0000000005CB0000-0x0000000005CCE000-memory.dmp

Filesize
120KB

Download
memory/3812-20-0x0000000005800000-0x0000000005B57000-memory.dmp

Filesize
3.3MB

Download
memory/3812-36-0x0000000007100000-0x000000000711E000-memory.dmp

Filesize
120KB

Download
memory/3812-11-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/3812-9-0x0000000004E00000-0x0000000004E22000-memory.dmp

Filesize
136KB

Download
memory/3812-8-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/3812-6-0x0000000005080000-0x00000000056AA000-memory.dmp

Filesize
6.2MB

Download
memory/3812-7-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/3812-42-0x0000000007340000-0x00000000073D6000-memory.dmp

Filesize
600KB

Download
memory/3812-43-0x00000000072C0000-0x00000000072D1000-memory.dmp

Filesize
68KB

Download
memory/3812-44-0x00000000072F0000-0x00000000072FE000-memory.dmp

Filesize
56KB

Download
memory/3812-5-0x00000000027F0000-0x0000000002826000-memory.dmp

Filesize
216KB

Download
memory/3812-4-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/3812-50-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/3812-47-0x00000000074F0000-0x00000000074F8000-memory.dmp

Filesize
32KB

Download
memory/3812-46-0x0000000007500000-0x000000000751A000-memory.dmp

Filesize
104KB

Download
memory/4180-186-0x0000000005AA0000-0x0000000005DF7000-memory.dmp

Filesize
3.3MB

Download
memory/4180-189-0x0000000070AE0000-0x0000000070E37000-memory.dmp

Filesize
3.3MB

Download
memory/4180-188-0x0000000070940000-0x000000007098C000-memory.dmp

Filesize
304KB

Download
memory/4216-163-0x00000000066C0000-0x000000000670C000-memory.dmp

Filesize
304KB

Download
memory/4216-161-0x0000000006280000-0x00000000065D7000-memory.dmp

Filesize
3.3MB

Download
memory/4216-175-0x0000000007C10000-0x0000000007C21000-memory.dmp

Filesize
68KB

Download
memory/4216-164-0x0000000070940000-0x000000007098C000-memory.dmp

Filesize
304KB

Download
memory/4216-176-0x0000000006100000-0x0000000006115000-memory.dmp

Filesize
84KB

Download
memory/4216-174-0x00000000078E0000-0x0000000007984000-memory.dmp

Filesize
656KB

Download
memory/4216-165-0x0000000070AC0000-0x0000000070E17000-memory.dmp

Filesize
3.3MB

Download
memory/4252-91-0x0000000070AC0000-0x0000000070B0C000-memory.dmp

Filesize
304KB

Download
memory/4252-89-0x0000000005850000-0x0000000005BA7000-memory.dmp

Filesize
3.3MB

Download
memory/4252-92-0x0000000070C60000-0x0000000070FB7000-memory.dmp

Filesize
3.3MB

Download
memory/4512-219-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4512-215-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4512-213-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4932-1-0x00000000045F0000-0x00000000049F7000-memory.dmp

Filesize
4.0MB

Download
memory/4932-53-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4932-51-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download
memory/4932-54-0x0000000004A00000-0x00000000052EB000-memory.dmp

Filesize
8.9MB

Download
memory/4932-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4932-2-0x0000000004A00000-0x00000000052EB000-memory.dmp

Filesize
8.9MB

Download
memory/5004-126-0x0000000000400000-0x0000000002738000-memory.dmp

Filesize
35.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads