glupteba | 231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327

Analysis

max time kernel
4s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327.exe
Size

4.1MB
MD5

b157e72b328d941ff95bcedb357e2b1b
SHA1

9697221387a51260eeb70fba1d17c271e443e716
SHA256

231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327
SHA512

3a3946398d8aaa499a12a5809648e509a708860a4ca2991e277123351034061e4fa2839743c91822143e105cf48f315e46347608dc1ebac060d2a9ba039bd21d
SSDEEP

49152:irtHaZL5Wjk2KurtcZtm0QlCmj+rYGWWB1XMO8YNtIyBSH302qqrJccUXAFAwijV:i5gLD3ycXi38WWB5tjCkyW4IRgc

Score

10^/10

glupteba dropper evasion loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 15 IoCs

resource	yara_rule
behavioral2/memory/3552-2-0x00000000052F0000-0x0000000005BDB000-memory.dmp	family_glupteba
behavioral2/memory/3552-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral2/memory/3552-58-0x00000000052F0000-0x0000000005BDB000-memory.dmp	family_glupteba
behavioral2/memory/3552-56-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral2/memory/2896-59-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral2/memory/2896-105-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral2/memory/2896-154-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral2/memory/4612-257-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral2/memory/4612-267-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral2/memory/4612-272-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral2/memory/4612-281-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral2/memory/4612-287-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral2/memory/4612-290-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral2/memory/4612-293-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba
behavioral2/memory/4612-296-0x0000000000400000-0x0000000002FC8000-memory.dmp	family_glupteba

Detects Windows executables referencing non-Windows User-Agents 13 IoCs

resource	yara_rule
behavioral2/memory/3552-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3552-56-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2896-59-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2896-105-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2896-154-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4612-257-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4612-267-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4612-272-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4612-281-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4612-287-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4612-290-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4612-293-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4612-296-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables Discord URL observed in first stage droppers 13 IoCs

resource	yara_rule
behavioral2/memory/3552-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3552-56-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/2896-59-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/2896-105-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/2896-154-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4612-257-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4612-267-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4612-272-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4612-281-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4612-287-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4612-290-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4612-293-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/4612-296-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables containing URLs to raw contents of a Github gist 13 IoCs

resource	yara_rule
behavioral2/memory/3552-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3552-56-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2896-59-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2896-105-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2896-154-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4612-257-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4612-267-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4612-272-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4612-281-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4612-287-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4612-290-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4612-293-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4612-296-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing artifacts associated with disabling Widnows Defender 13 IoCs

resource	yara_rule
behavioral2/memory/3552-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3552-56-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/2896-59-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/2896-105-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/2896-154-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/4612-257-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/4612-267-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/4612-272-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/4612-281-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/4612-287-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/4612-290-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/4612-293-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/4612-296-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables referencing many varying, potentially fake Windows User-Agents 13 IoCs

resource	yara_rule
behavioral2/memory/3552-3-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3552-56-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/2896-59-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/2896-105-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/2896-154-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/4612-257-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/4612-267-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/4612-272-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/4612-281-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/4612-287-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/4612-290-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/4612-293-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/4612-296-0x0000000000400000-0x0000000002FC8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023265-261.dat	UPX
behavioral2/files/0x0008000000023265-262.dat	UPX
behavioral2/files/0x0008000000023265-264.dat	UPX
behavioral2/memory/3088-266-0x0000000000400000-0x00000000008DF000-memory.dmp	UPX
behavioral2/memory/3292-269-0x0000000000400000-0x00000000008DF000-memory.dmp	UPX

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2232	netsh.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023265-261.dat	upx
behavioral2/files/0x0008000000023265-262.dat	upx
behavioral2/files/0x0008000000023265-264.dat	upx
behavioral2/memory/3088-266-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3292-269-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3292-276-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4500	sc.exe

Program crash 47 IoCs

pid	pid_target	Process	procid_target
680	3552	WerFault.exe	32
2956	3552	WerFault.exe	32
2236	3552	WerFault.exe	32
3280	3552	WerFault.exe	32
2732	3552	WerFault.exe	32
2448	3552	WerFault.exe	32
4812	3552	WerFault.exe	32
1556	3552	WerFault.exe	32
4392	3552	WerFault.exe	32
2140	3552	WerFault.exe	32
2400	3552	WerFault.exe	32
1440	3552	WerFault.exe	32
4656	3552	WerFault.exe	32
4500	3552	WerFault.exe	32
4680	3552	WerFault.exe	32
1496	3552	WerFault.exe	32
1724	3552	WerFault.exe	32
1552	3552	WerFault.exe	32
4012	3552	WerFault.exe	32
4592	3552	WerFault.exe	32
3372	2896	WerFault.exe	133
1388	2896	WerFault.exe	133
1148	2896	WerFault.exe	133
4232	2896	WerFault.exe	133
936	2896	WerFault.exe	133
4352	2896	WerFault.exe	133
4544	2896	WerFault.exe	133
3812	2896	WerFault.exe	133
2288	2896	WerFault.exe	133
1328	4612	WerFault.exe	163
1124	4612	WerFault.exe	163
4336	4612	WerFault.exe	163
384	4612	WerFault.exe	163
468	4612	WerFault.exe	163
2164	4612	WerFault.exe	163
2136	4612	WerFault.exe	163
3388	4612	WerFault.exe	163
3104	4612	WerFault.exe	163
1456	4612	WerFault.exe	163
1620	4612	WerFault.exe	163
1472	4612	WerFault.exe	163
4476	4612	WerFault.exe	163
4412	4612	WerFault.exe	163
4256	4612	WerFault.exe	163
1916	4612	WerFault.exe	163
4336	4612	WerFault.exe	163
4544	4612	WerFault.exe	163

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1084	schtasks.exe
5080	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327.exe
"C:\Users\Admin\AppData\Local\Temp\231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327.exe"
1⤵
PID:3552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 480
  2⤵
  - Program crash
  PID:680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 496
  2⤵
  - Program crash
  PID:2956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 500
  2⤵
  - Program crash
  PID:2236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 544
  2⤵
  - Program crash
  PID:3280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 636
  2⤵
  - Program crash
  PID:2732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 740
  2⤵
  - Program crash
  PID:2448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 760
  2⤵
  - Program crash
  PID:4812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 760
  2⤵
  - Program crash
  PID:1556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 788
  2⤵
  - Program crash
  PID:4392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 728
  2⤵
  - Program crash
  PID:2140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 728
  2⤵
  - Program crash
  PID:2400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 764
  2⤵
  - Program crash
  PID:1440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 872
  2⤵
  - Program crash
  PID:4656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 856
  2⤵
  - Program crash
  PID:4500
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 876
  2⤵
  - Program crash
  PID:4680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 868
  2⤵
  - Program crash
  PID:1496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 856
  2⤵
  - Program crash
  PID:1724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 656
  2⤵
  - Program crash
  PID:1552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 752
  2⤵
  - Program crash
  PID:4012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 832
  2⤵
  - Program crash
  PID:4592
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  PID:4576
- C:\Users\Admin\AppData\Local\Temp\231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327.exe
  "C:\Users\Admin\AppData\Local\Temp\231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327.exe"
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 452
    3⤵
    - Program crash
    PID:3372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 472
    3⤵
    - Program crash
    PID:1388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 468
    3⤵
    - Program crash
    PID:1148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 520
    3⤵
    - Program crash
    PID:4232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 688
    3⤵
    - Program crash
    PID:936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 688
    3⤵
    - Program crash
    PID:4352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 688
    3⤵
    - Program crash
    PID:4544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 740
    3⤵
    - Program crash
    PID:3812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 752
    3⤵
    - Program crash
    PID:2288
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:1932
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:4612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 480
      4⤵
      Program crash
      PID:1328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 492
      4⤵
      Program crash
      PID:1124
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 508
      4⤵
      Program crash
      PID:4336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 676
      4⤵
      Program crash
      PID:384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 728
      4⤵
      Program crash
      PID:468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 716
      4⤵
      Program crash
      PID:2164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 716
      4⤵
      Program crash
      PID:2136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 748
      4⤵
      Program crash
      PID:3388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 788
      4⤵
      Program crash
      PID:3104
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:844
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 760
      4⤵
      Program crash
      PID:1456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 900
      4⤵
      Program crash
      PID:1620
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 748
      4⤵
      Program crash
      PID:1472
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4536
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 976
      4⤵
      Program crash
      PID:4476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 988
      4⤵
      Program crash
      PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:4512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1016
      4⤵
      Program crash
      PID:4256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1028
      4⤵
      Program crash
      PID:1916
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:5080
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:3088
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:2220
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:4500
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1132
      4⤵
      Program crash
      PID:4336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1124
      4⤵
      Program crash
      PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3552 -ip 3552
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3552 -ip 3552
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3552 -ip 3552
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3552 -ip 3552
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3552 -ip 3552
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3552 -ip 3552
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3552 -ip 3552
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3552 -ip 3552
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3552 -ip 3552
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3552 -ip 3552
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3552 -ip 3552
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3552 -ip 3552
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3552 -ip 3552
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3552 -ip 3552
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3552 -ip 3552
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3552 -ip 3552
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3552 -ip 3552
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3552 -ip 3552
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3552 -ip 3552
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3552 -ip 3552
1⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2896 -ip 2896
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2896 -ip 2896
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2896 -ip 2896
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2896 -ip 2896
1⤵
PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2896 -ip 2896
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2896 -ip 2896
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2896 -ip 2896
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2896 -ip 2896
1⤵
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2896 -ip 2896
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4612 -ip 4612
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4612 -ip 4612
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4612 -ip 4612
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4612 -ip 4612
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4612 -ip 4612
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4612 -ip 4612
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4612 -ip 4612
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4612 -ip 4612
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4612 -ip 4612
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4612 -ip 4612
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4612 -ip 4612
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4612 -ip 4612
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4612 -ip 4612
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4612 -ip 4612
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4612 -ip 4612
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4612 -ip 4612
1⤵
PID:4812

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4612 -ip 4612
1⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4612 -ip 4612
1⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e5voqram.e4i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
70KB

MD5
3a79497699fc6916f91451769172ff13

SHA1
bf7be364cc0d80b1015b67673dfb19f6b8b84ec1

SHA256
5824cb12f900033d3ba0d4064eb9e274df722339c8f1fad78e43a5981f232885

SHA512
d6ad916b10d522557d26df134f983c1c9795371a9e25b439de36dcdd2afb5f6434681f3422c34c3ca9b3d74268303229a89ff1e17902dbf32a53e38e87b31cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
83KB

MD5
177002c754549a109b8c1c6a39cc2bd0

SHA1
d66f191352ae3db04e57140b243951d5f831e55b

SHA256
22214033bc98d6923a3b706a7f5864e69412db302981cfed3a0b1dbb7b52afef

SHA512
fc50d0a338619152a9ef7148dc67541abec1ffd7b1c16435bee130e78a1daa3a07901324d81593a92b00cb8a36e1377439bad3c302f68c78589ceef8e9c7d2e8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
d22cf45893d86b8a974cebe5d4278e2a

SHA1
a84bccfce3b166e89eee4b3a49d1729a600ae445

SHA256
d23000a0509634bd22980d48a646bf8b40530bc998f61b34066795547f065dc1

SHA512
aee40dc3ab9253c7b2cbc36b6bfd71d9a2808d1658d7a4fcb76dbc434e557245fdf2aa289014e7b0b9467a3c54e712efb316c9a1efdc808558e7f6f0194e1ff1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
866c07c315f6b9fa7e3f7cfed8b88113

SHA1
5bb2af3d427a39fb5b452100a34454219b72a7f8

SHA256
643fc400f2a0886925e4f63133bfe26343e0c69d0da6363548a4d25f0996afc8

SHA512
2e8f466fa1225d844c3ae3154018288b455677045916cb60f62b0194044e4f723e3a54e72dae1fe6c3fed764fbd90d80ee6935eda7b593e25c0ec29bf9886212

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
1e433f0c402d9eba675cd395df8d106d

SHA1
14da1c318852aca13d46a601a1edc1404564436b

SHA256
4c9d6dcb55656a22d341215e92c3b39e18dfb57874533d90e0b9f4ff2ef2d4e6

SHA512
1f39423256b31e2f859d7fd1d3392699e731171b0b603de16f68f6c828a1cda5af36e225d4c56e83c98c22e5048b9c59be7d00690929597a126774da6d743357

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
f0406cadbe5291ccc736e9346e383251

SHA1
e172a9a5a725bad824bbf78a6c5f75054cc8b875

SHA256
7cf6849aa8d9fcae3f55a6249ad14d675e1e14a40201be2a5ba0b22c47889b43

SHA512
806322a2b66e02dbc8d51e364d1a2fd7afaab4b58e123ff4c7732d146154445b3002337aff6deb53d54edbdafcd5a578495b0df13ccdf76b016b13f8c21354fb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
89ec744f2c04c35b7b89fcee05a3d5f0

SHA1
97a7c46573382b4a734b085e4f35bbeefaefd48b

SHA256
945b7100f1d617ca2806fef55660d53fdb3b2c9e09b651423baeefbbc83b1347

SHA512
c20c59bd30092b3c8843336fa557ce2f6846330f494d016ce41dd6ff1a95dd64c8d1d1e56fad80af9214028e59b79a41a0e27ad7d061eec6bf9819ee3859e02a

Download Submit
C:\Windows\rss\csrss.exe

Filesize
37KB

MD5
4f0ce485a00761a44259f4846f577aa6

SHA1
27a88f0f2ba3be9d71c5c9144a2f17a9d2391cd5

SHA256
1240075bb646d2df24786c8009252a1105fc00d65821b56f78efd16499b92df2

SHA512
ff45e53838bcc5fd7300c9414650bb41a64392e3744ba6c9863c5d29b210ee074d70afc3d52d4e8838b3f5e6488a9a0ceeb37f27eaa017b6227bbdb137c889d1

Download Submit
C:\Windows\rss\csrss.exe

Filesize
53KB

MD5
8c781a804555eeb5c36986fcb17440d5

SHA1
9b2a5945f42131c5d8828ae68cafe5c516569686

SHA256
1b55b9eddcd4b617f879df8791bbdabfbf9b265e6700632a56557548c762f9e2

SHA512
da6cee3d07ab732c84055aafd0489100c4a2a0fc1331bff8f73f45b0195ec84cfac2f5281822527aacdba4ce5a4a599f301656c969a1a70d571ed124680cb174

Download Submit
C:\Windows\windefender.exe

Filesize
119KB

MD5
c286c02e1f3544dbc9456c16397e803a

SHA1
86eb76bb35ce1c45ef71eaf2b68d26db14411ece

SHA256
2a1b8c795c569918eea25f7b0c3c722880d2649f19293cb56f678e0dcfc0524a

SHA512
a339613554700b263e05977ac8a7a24d02dbdf7fac1c19903f8b60d0af7d41fa7d78e8091d749308eef734579831c5a4b29ee89860e55b388aa4fbec2485ad84

Download Submit
C:\Windows\windefender.exe

Filesize
64KB

MD5
2870f0ce0db96cc5b6e06b233ac8c21c

SHA1
964e56e00bb4d367ab71917addb0a9080ac21802

SHA256
693a7805cc2994a8f918bf3e9cc451461501ec205db2fbce018d14a5b8eaddb7

SHA512
b8aa71043cc6f3f6bacc5db2f7242f56d8057dd0d76d1feb890621904e2a4f7461e56dee738850f581d6dfb50c3f4641e525782ff8f07e778db2ffce0a5339c2

Download Submit
C:\Windows\windefender.exe

Filesize
153KB

MD5
a1e21828d7edf8e377c621ccf1f263af

SHA1
6b7f122c702710e9127a65e4feb043888e0224f7

SHA256
35ce789b1df93b5a0a957724eb2439fa72fdfca891f27df875c12b62cc649ab2

SHA512
0979088ff56f574798bace998642f5a8089849d3be90a6e0f7ee8e9d041388446ee0be9abdf972d173a5e104d500cc88681d5ab17cd5756b28bfe76524ec9bb0

Download Submit
memory/1348-109-0x000000007EE80000-0x000000007EE90000-memory.dmp

Filesize
64KB

Download
memory/1348-111-0x0000000070610000-0x0000000070964000-memory.dmp

Filesize
3.3MB

Download
memory/1348-94-0x00000000035F0000-0x0000000003600000-memory.dmp

Filesize
64KB

Download
memory/1348-93-0x00000000035F0000-0x0000000003600000-memory.dmp

Filesize
64KB

Download
memory/1348-92-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/1348-122-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/1348-108-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1348-106-0x00000000035F0000-0x0000000003600000-memory.dmp

Filesize
64KB

Download
memory/1932-139-0x0000000070C30000-0x0000000070F84000-memory.dmp

Filesize
3.3MB

Download
memory/1932-137-0x00000000031A0000-0x00000000031B0000-memory.dmp

Filesize
64KB

Download
memory/1932-138-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/1932-123-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/1932-124-0x00000000031A0000-0x00000000031B0000-memory.dmp

Filesize
64KB

Download
memory/1932-125-0x0000000006090000-0x00000000063E4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-87-0x0000000007780000-0x0000000007794000-memory.dmp

Filesize
80KB

Download
memory/2732-86-0x0000000007730000-0x0000000007741000-memory.dmp

Filesize
68KB

Download
memory/2732-90-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/2732-75-0x0000000070C10000-0x0000000070F64000-memory.dmp

Filesize
3.3MB

Download
memory/2732-85-0x0000000007420000-0x00000000074C3000-memory.dmp

Filesize
652KB

Download
memory/2732-73-0x000000007F720000-0x000000007F730000-memory.dmp

Filesize
64KB

Download
memory/2732-74-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/2732-60-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/2732-62-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/2732-63-0x0000000005BC0000-0x0000000005F14000-memory.dmp

Filesize
3.3MB

Download
memory/2732-61-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/2896-107-0x0000000004E70000-0x000000000526E000-memory.dmp

Filesize
4.0MB

Download
memory/2896-57-0x0000000004E70000-0x000000000526E000-memory.dmp

Filesize
4.0MB

Download
memory/2896-59-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/2896-136-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/2896-154-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/2896-105-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/3088-266-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3292-276-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3292-269-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3552-58-0x00000000052F0000-0x0000000005BDB000-memory.dmp

Filesize
8.9MB

Download
memory/3552-1-0x0000000004EE0000-0x00000000052E1000-memory.dmp

Filesize
4.0MB

Download
memory/3552-2-0x00000000052F0000-0x0000000005BDB000-memory.dmp

Filesize
8.9MB

Download
memory/3552-3-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/3552-29-0x0000000004EE0000-0x00000000052E1000-memory.dmp

Filesize
4.0MB

Download
memory/3552-56-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/4576-27-0x00000000076A0000-0x0000000007D1A000-memory.dmp

Filesize
6.5MB

Download
memory/4576-7-0x0000000002310000-0x0000000002320000-memory.dmp

Filesize
64KB

Download
memory/4576-32-0x0000000070490000-0x00000000704DC000-memory.dmp

Filesize
304KB

Download
memory/4576-44-0x0000000007240000-0x00000000072E3000-memory.dmp

Filesize
652KB

Download
memory/4576-43-0x00000000071E0000-0x00000000071FE000-memory.dmp

Filesize
120KB

Download
memory/4576-31-0x000000007F600000-0x000000007F610000-memory.dmp

Filesize
64KB

Download
memory/4576-30-0x0000000007200000-0x0000000007232000-memory.dmp

Filesize
200KB

Download
memory/4576-47-0x0000000007340000-0x0000000007351000-memory.dmp

Filesize
68KB

Download
memory/4576-28-0x0000000007040000-0x000000000705A000-memory.dmp

Filesize
104KB

Download
memory/4576-26-0x0000000006FA0000-0x0000000007016000-memory.dmp

Filesize
472KB

Download
memory/4576-25-0x0000000002310000-0x0000000002320000-memory.dmp

Filesize
64KB

Download
memory/4576-24-0x0000000006DF0000-0x0000000006E34000-memory.dmp

Filesize
272KB

Download
memory/4576-23-0x0000000005CD0000-0x0000000005D1C000-memory.dmp

Filesize
304KB

Download
memory/4576-45-0x0000000007330000-0x000000000733A000-memory.dmp

Filesize
40KB

Download
memory/4576-22-0x0000000005C80000-0x0000000005C9E000-memory.dmp

Filesize
120KB

Download
memory/4576-21-0x0000000005780000-0x0000000005AD4000-memory.dmp

Filesize
3.3MB

Download
memory/4576-11-0x0000000004F70000-0x0000000004FD6000-memory.dmp

Filesize
408KB

Download
memory/4576-10-0x0000000004E50000-0x0000000004EB6000-memory.dmp

Filesize
408KB

Download
memory/4576-46-0x0000000007440000-0x00000000074D6000-memory.dmp

Filesize
600KB

Download
memory/4576-9-0x0000000004DB0000-0x0000000004DD2000-memory.dmp

Filesize
136KB

Download
memory/4576-8-0x0000000004FE0000-0x0000000005608000-memory.dmp

Filesize
6.2MB

Download
memory/4576-33-0x0000000070610000-0x0000000070964000-memory.dmp

Filesize
3.3MB

Download
memory/4576-6-0x0000000002310000-0x0000000002320000-memory.dmp

Filesize
64KB

Download
memory/4576-5-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4576-48-0x0000000007380000-0x000000000738E000-memory.dmp

Filesize
56KB

Download
memory/4576-4-0x0000000002320000-0x0000000002356000-memory.dmp

Filesize
216KB

Download
memory/4576-54-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4576-51-0x00000000073E0000-0x00000000073E8000-memory.dmp

Filesize
32KB

Download
memory/4576-50-0x00000000073F0000-0x000000000740A000-memory.dmp

Filesize
104KB

Download
memory/4576-49-0x00000000073A0000-0x00000000073B4000-memory.dmp

Filesize
80KB

Download
memory/4612-267-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/4612-270-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/4612-272-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/4612-275-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/4612-257-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/4612-278-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/4612-281-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/4612-284-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/4612-287-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/4612-290-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/4612-293-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download
memory/4612-296-0x0000000000400000-0x0000000002FC8000-memory.dmp

Filesize
43.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads