glupteba | cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567

Analysis

max time kernel
10s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Size

4.2MB
MD5

c162490db3af8ac5ab44ebedbc0fb60b
SHA1

8f6084b1eac1de4461e0a1ab64aa8369b797dd95
SHA256

cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567
SHA512

db377e49261f8ed567034aed2b7412917610122ad9b0938266b86ba5bbcb1086fb65d645c507d1419f36f51ae227f4eeea679a66cd8a8737883744db6ca48462
SSDEEP

98304:DVFRqPMdPA984H0WMAw6acMgLNchhd+W2lPIIo31xn1vrLR/3Lz3:5FYkS+E0uawLNQ+/9Bo7/n

Score

10^/10

glupteba dropper evasion loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2304-2-0x0000000004120000-0x0000000004A0B000-memory.dmp	family_glupteba
behavioral1/memory/2304-3-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral1/memory/1284-57-0x0000000003FA0000-0x000000000488B000-memory.dmp	family_glupteba
behavioral1/memory/1284-58-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral1/memory/2304-59-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral1/memory/1284-157-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral1/memory/932-256-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral1/memory/932-266-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral1/memory/932-272-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral1/memory/932-276-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral1/memory/932-280-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral1/memory/932-284-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral1/memory/932-288-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral1/memory/932-292-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral1/memory/932-296-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral1/memory/932-300-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral1/memory/932-304-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba
behavioral1/memory/932-307-0x0000000000400000-0x0000000001DFF000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

864 netsh.exe

pid	process
864	netsh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral1/memory/2600-265-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/5052-269-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/5052-277-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4168 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5064 schtasks.exe
1856 schtasks.exe

pid	process
4168	sc.exe

pid	process
5064	schtasks.exe
1856	schtasks.exe

Modifies data under HKEY_USERS 39 IoCs

Processes:

cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.execbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe

pid	process
5000	powershell.exe
5000	powershell.exe
2304	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
2304	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.execbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe

description	pid	process
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	2304	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
Token: SeImpersonatePrivilege	2304	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe

description	pid	process	target process
PID 2304 wrote to memory of 5000	2304	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe	powershell.exe
PID 2304 wrote to memory of 5000	2304	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe	powershell.exe
PID 2304 wrote to memory of 5000	2304	cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
"C:\Users\Admin\AppData\Local\Temp\cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Users\Admin\AppData\Local\Temp\cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe
"C:\Users\Admin\AppData\Local\Temp\cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567.exe"
2⤵
- Modifies data under HKEY_USERS
PID:1284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:5064

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:2900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:2460

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
PID:932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3008

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:5064

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:4352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
PID:1232

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1856

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:4000

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:4168

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cgoqpllm.qq1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
40f84f9fb5ccca5b2410990902ee20fa

SHA1
d1b2866ca74b7b38803db9ae154ec0d3cd338be1

SHA256
fdf72352d53daff3b39a1309e66c8966417fa6de7a32a4ab40e64ca4183e4e6e

SHA512
cf72da1e86e1c72c989dd08c69a4a64d8c3e69ee0323d6c0ae2f1a044f69d5241e7477e9a0f5a877253c55fa0ed5d1132d964ad99c342d90488f79fbda187bf3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
81f661a6c0a75e762509cfd52d6010bd

SHA1
78b802c9c592f36aaf7539fdcae819f59a9020bc

SHA256
881063653b69e739e40b7ca179c5a6dfd22e6d4f67ca42df0bba090ec9b7809e

SHA512
2c56910a1f0a916eacafe8b82192290c4bd9d8a828c19630afdf1ef353327121ce9c7d23abfa745b271b4576cb9adf5425da8fca57488f5aa4fdcc32a86aa0be

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
aeb3b23620517dc1792b2b24b3c9faaa

SHA1
710c473018a77841155608f428b645e22af60bd7

SHA256
851df3e0f65ad03d05e3a8e4b7b0e98f776b64fe23949d6de8b68984fc42587a

SHA512
17628ff8ef1167a25cbbb725fbadc080cdcfd6180f17d890d773416c55b558fde8121be8d7f7a6d9182aa3a5f52ac6cd4271e3b4cdb484978ea69103d0ec2dc8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
26ca120193e584539acf3410bf58fd26

SHA1
99db920abd75362b1f2c40702a39d4099ddd3cf1

SHA256
b7b69aec78f7cc2db154187520e91883d5b79552cb6bbe085b0611d2d1342344

SHA512
9222366cce841288a2fd14ffe5856cc0859008ea804be64bd7a8c2ca8b86f2b91b062df6a38cae6efd35e7359441c3d6151ef824ee34bba1cecbeccbc2b8e16b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
fab5266e7891f37c7c1fd309afd453dd

SHA1
a7e93c9a1f70e86a98edec1a2a8f8e8ed723d7b2

SHA256
1b7f454ac235774d3db9fef25dafff7d812a4e3030dd0f0b94836c84e634c841

SHA512
84ddb0a1eab9900a3a8145f0959ddba07b04b0034ade6ac7e2bdefe8751da000351ddb74473f5a1ef6328b71a64cc6ee7e099008b521a95f916ae8f33d6d12b0

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.2MB

MD5
c162490db3af8ac5ab44ebedbc0fb60b

SHA1
8f6084b1eac1de4461e0a1ab64aa8369b797dd95

SHA256
cbb56b9ac3abe7fb76c5b36135295605a87fa62685ed6da528a0dbe593393567

SHA512
db377e49261f8ed567034aed2b7412917610122ad9b0938266b86ba5bbcb1086fb65d645c507d1419f36f51ae227f4eeea679a66cd8a8737883744db6ca48462

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/932-304-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/932-272-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/932-296-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/932-292-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/932-311-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/932-256-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/932-284-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/932-288-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/932-307-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/932-280-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/932-266-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/932-300-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/932-276-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/1284-125-0x0000000003BA0000-0x0000000003F9A000-memory.dmp

Filesize
4.0MB

Download
memory/1284-57-0x0000000003FA0000-0x000000000488B000-memory.dmp

Filesize
8.9MB

Download
memory/1284-56-0x0000000003BA0000-0x0000000003F9A000-memory.dmp

Filesize
4.0MB

Download
memory/1284-58-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/1284-157-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/1788-86-0x00000000047F0000-0x0000000004800000-memory.dmp

Filesize
64KB

Download
memory/1788-83-0x0000000006D30000-0x0000000006DD3000-memory.dmp

Filesize
652KB

Download
memory/1788-91-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/1788-88-0x0000000007090000-0x00000000070A4000-memory.dmp

Filesize
80KB

Download
memory/1788-87-0x0000000007040000-0x0000000007051000-memory.dmp

Filesize
68KB

Download
memory/1788-84-0x000000007F510000-0x000000007F520000-memory.dmp

Filesize
64KB

Download
memory/1788-85-0x00000000047F0000-0x0000000004800000-memory.dmp

Filesize
64KB

Download
memory/1788-73-0x00000000700E0000-0x0000000070434000-memory.dmp

Filesize
3.3MB

Download
memory/1788-72-0x000000006FF60000-0x000000006FFAC000-memory.dmp

Filesize
304KB

Download
memory/1788-62-0x00000000047F0000-0x0000000004800000-memory.dmp

Filesize
64KB

Download
memory/1788-61-0x00000000047F0000-0x0000000004800000-memory.dmp

Filesize
64KB

Download
memory/1788-60-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/2304-59-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/2304-55-0x0000000003D20000-0x000000000411F000-memory.dmp

Filesize
4.0MB

Download
memory/2304-1-0x0000000003D20000-0x000000000411F000-memory.dmp

Filesize
4.0MB

Download
memory/2304-3-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download
memory/2304-2-0x0000000004120000-0x0000000004A0B000-memory.dmp

Filesize
8.9MB

Download
memory/2460-124-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/2460-123-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/2460-136-0x000000007F930000-0x000000007F940000-memory.dmp

Filesize
64KB

Download
memory/2460-122-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/2460-137-0x000000006FF60000-0x000000006FFAC000-memory.dmp

Filesize
304KB

Download
memory/2600-265-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2900-109-0x0000000070710000-0x0000000070A64000-memory.dmp

Filesize
3.3MB

Download
memory/2900-119-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/2900-94-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/2900-95-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/2900-105-0x00000000063E0000-0x0000000006734000-memory.dmp

Filesize
3.3MB

Download
memory/2900-93-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/2900-108-0x000000006FF60000-0x000000006FFAC000-memory.dmp

Filesize
304KB

Download
memory/2900-107-0x000000007F080000-0x000000007F090000-memory.dmp

Filesize
64KB

Download
memory/2900-121-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/5000-27-0x0000000007C20000-0x0000000007C3A000-memory.dmp

Filesize
104KB

Download
memory/5000-24-0x0000000006DB0000-0x0000000006DF4000-memory.dmp

Filesize
272KB

Download
memory/5000-43-0x0000000007E40000-0x0000000007EE3000-memory.dmp

Filesize
652KB

Download
memory/5000-44-0x0000000007F30000-0x0000000007F3A000-memory.dmp

Filesize
40KB

Download
memory/5000-45-0x0000000007FF0000-0x0000000008086000-memory.dmp

Filesize
600KB

Download
memory/5000-41-0x0000000007E20000-0x0000000007E3E000-memory.dmp

Filesize
120KB

Download
memory/5000-31-0x00000000700E0000-0x0000000070434000-memory.dmp

Filesize
3.3MB

Download
memory/5000-46-0x0000000007F50000-0x0000000007F61000-memory.dmp

Filesize
68KB

Download
memory/5000-53-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/5000-30-0x000000006FF60000-0x000000006FFAC000-memory.dmp

Filesize
304KB

Download
memory/5000-29-0x0000000007DE0000-0x0000000007E12000-memory.dmp

Filesize
200KB

Download
memory/5000-28-0x000000007F600000-0x000000007F610000-memory.dmp

Filesize
64KB

Download
memory/5000-42-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/5000-26-0x00000000082A0000-0x000000000891A000-memory.dmp

Filesize
6.5MB

Download
memory/5000-25-0x0000000007BA0000-0x0000000007C16000-memory.dmp

Filesize
472KB

Download
memory/5000-47-0x0000000007F90000-0x0000000007F9E000-memory.dmp

Filesize
56KB

Download
memory/5000-23-0x00000000068A0000-0x00000000068EC000-memory.dmp

Filesize
304KB

Download
memory/5000-50-0x0000000007FE0000-0x0000000007FE8000-memory.dmp

Filesize
32KB

Download
memory/5000-22-0x0000000006850000-0x000000000686E000-memory.dmp

Filesize
120KB

Download
memory/5000-48-0x0000000007FA0000-0x0000000007FB4000-memory.dmp

Filesize
80KB

Download
memory/5000-21-0x0000000006260000-0x00000000065B4000-memory.dmp

Filesize
3.3MB

Download
memory/5000-11-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/5000-49-0x0000000008090000-0x00000000080AA000-memory.dmp

Filesize
104KB

Download
memory/5000-10-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download
memory/5000-9-0x00000000058A0000-0x00000000058C2000-memory.dmp

Filesize
136KB

Download
memory/5000-8-0x0000000005A60000-0x0000000006088000-memory.dmp

Filesize
6.2MB

Download
memory/5000-7-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/5000-6-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/5000-5-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/5000-4-0x00000000052D0000-0x0000000005306000-memory.dmp

Filesize
216KB

Download
memory/5052-277-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/5052-269-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download