glupteba | 8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913

Analysis

max time kernel
3s
max time network
49s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
08-05-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913.exe
Size

389KB
MD5

d6078bbecc15a333c6171debc4488498
SHA1

ca57a639ec0fc1a6489b69278478c5845a4c046b
SHA256

8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913
SHA512

912f67baa141bb846a12568c94d5dfbd6d6cdefe0a036a9249accd83e9ee460bc8863758c8bd5cdac7a0af3f481194b57ef414378ebb400967579ba6d736469e
SSDEEP

6144:vLFJaFBq+TaKqqrlBLSIOHGt8i3/gmjX/RBdRP2gjycIeVMO+ZyeR:vOlldCGt//gmjXjdR+KjFVMPZN

Score

10^/10

glupteba stealc dropper evasion execution loader stealer

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 6 IoCs

resource	yara_rule
behavioral2/memory/4776-1290-0x0000000000400000-0x0000000002957000-memory.dmp	family_glupteba
behavioral2/memory/5528-3214-0x0000000000400000-0x0000000002957000-memory.dmp	family_glupteba
behavioral2/memory/5608-3215-0x0000000000400000-0x0000000002957000-memory.dmp	family_glupteba
behavioral2/memory/6000-3225-0x0000000000400000-0x0000000002957000-memory.dmp	family_glupteba
behavioral2/memory/5608-3937-0x0000000000400000-0x0000000002957000-memory.dmp	family_glupteba
behavioral2/memory/6000-4272-0x0000000000400000-0x0000000002957000-memory.dmp	family_glupteba

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1288	powershell.exe
2604	powershell.exe
5736	powershell.exe
5660	powershell.exe
5272	powershell.exe
5312	powershell.exe
5384	powershell.exe
5148	powershell.exe
5860	powershell.exe
5792	powershell.exe
2336	powershell.exe
2508	powershell.exe
5256	powershell.exe
5128	powershell.exe
2564	powershell.exe
3292	powershell.exe
4728	powershell.exe
2700	powershell.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5632	netsh.exe
5416	netsh.exe
3588	netsh.exe
1560	netsh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
3	pastebin.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1064	tasklist.exe
5564	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913.exe
"C:\Users\Admin\AppData\Local\Temp\8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913.exe"
1⤵
PID:4384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  2⤵
  PID:2512
- - C:\Users\Admin\Pictures\bzLA8ZSelTC1hh5wgRrTbuU3.exe
    "C:\Users\Admin\Pictures\bzLA8ZSelTC1hh5wgRrTbuU3.exe"
    3⤵
    PID:4336
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2508
  - - C:\Users\Admin\Pictures\bzLA8ZSelTC1hh5wgRrTbuU3.exe
      "C:\Users\Admin\Pictures\bzLA8ZSelTC1hh5wgRrTbuU3.exe"
      4⤵
      PID:5528
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5660
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:512
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5632
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5128
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5256
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:4984
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3292
- - C:\Users\Admin\Pictures\TManPRnSMK6ViWfpBfAyt6tl.exe
    "C:\Users\Admin\Pictures\TManPRnSMK6ViWfpBfAyt6tl.exe"
    3⤵
    PID:1612
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4728
  - - C:\Users\Admin\Pictures\TManPRnSMK6ViWfpBfAyt6tl.exe
      "C:\Users\Admin\Pictures\TManPRnSMK6ViWfpBfAyt6tl.exe"
      4⤵
      PID:5608
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5792
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5256
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5416
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2604
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5148
- - C:\Users\Admin\Pictures\DxJzHHQC8KZq2ULEBJprBI0H.exe
    "C:\Users\Admin\Pictures\DxJzHHQC8KZq2ULEBJprBI0H.exe"
    3⤵
    PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\u1p4.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u1p4.0.exe"
      4⤵
      PID:4172
  - - C:\Users\Admin\AppData\Local\Temp\u1p4.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u1p4.1.exe"
      4⤵
      PID:1164
- - C:\Users\Admin\Pictures\4UIpxp9g652bqNj8Q0rpFFyT.exe
    "C:\Users\Admin\Pictures\4UIpxp9g652bqNj8Q0rpFFyT.exe"
    3⤵
    PID:2188
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2700
  - - C:\Users\Admin\Pictures\4UIpxp9g652bqNj8Q0rpFFyT.exe
      "C:\Users\Admin\Pictures\4UIpxp9g652bqNj8Q0rpFFyT.exe"
      4⤵
      PID:6000
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5312
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5752
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:1560
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2564
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2336
- - C:\Users\Admin\Pictures\tamo2N6Sr3b0JXuSv72eT9hD.exe
    "C:\Users\Admin\Pictures\tamo2N6Sr3b0JXuSv72eT9hD.exe"
    3⤵
    PID:3756
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Condos Condos.cmd & Condos.cmd & exit
      4⤵
      PID:1772
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5564
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        
        PID:5560
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1064
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:2508
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 1181
        5⤵
        
        PID:4460
- - C:\Users\Admin\Pictures\AklCjqfbVSiKqFCYVPgekRyB.exe
    "C:\Users\Admin\Pictures\AklCjqfbVSiKqFCYVPgekRyB.exe"
    3⤵
    PID:4776
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5860
  - - C:\Users\Admin\Pictures\AklCjqfbVSiKqFCYVPgekRyB.exe
      "C:\Users\Admin\Pictures\AklCjqfbVSiKqFCYVPgekRyB.exe"
      4⤵
      PID:6116
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5272
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:3372
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:3588
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5736
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  2⤵
  PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Condos

Filesize
25KB

MD5
cdb2932ff35f980158e251eb95392a54

SHA1
f0133b9bc1d06646b537eb3ad6771b17c1b9b397

SHA256
1e8d9429827487572b8a0e4b8b0ff7deab9696d2186075ca1d9df404ecbc88f2

SHA512
53d7f302ed135a1e780be037918f9bb4aae5502b9ca2539719002fe47bf6d1e0b1cae62f4d0c56e55520c66e1fcb4ec515f5046a8ec14c6d613fe417698625b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b1d7c969a67b0e53431c4282d22c4bdc

SHA1
a8f72248b483c6d44d4e09fbdffd924a402ae026

SHA256
381ae1e7d21382d34c17271902e860bf62bf1b1a829af4c20e44395a6e9c0b9d

SHA512
a959a5f392e31947ccdb221751273e6428f133cb172ddae946623f909182a77c2e12fa049658ee0cc97a2040d202d8842414bb5faef927eece36fcc1ca52e0fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
1bf6110964f3d8d56aa462431d34842a

SHA1
fbdfe80da6f3c37fb20646b085b8dee484326acb

SHA256
da19efe4ef5a931817e512ca085b9b6cc2b9d246a42da1a4ed9bc7236518c319

SHA512
3d3cd613e602d6ecec44a7269d6f879c1ea3a439519da12fa12bf46571ca66036dc140f93269d4c95d81c2e23b85fed209f94a0312d3e403421a54152a565a1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
4e1871b3d253917dc6111233ff5680c8

SHA1
b0ba536c08e57e02b03b7d10054e5c06b484ed0c

SHA256
732bd55a8c6cf441c5c15745015dc5b5417549d331518018a413cee109ff84d7

SHA512
bfcbf6d888edea886b4a534410c4073a62585080c21e94b527c4530694b6c5306acabb738fa40a18d386386e1afa2cc3171aba6c744adbb813ec7e843d4382f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xir0vwzl.kfw.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
2f2c386d80476f965e9f5618e20f6451

SHA1
a57f9853a15fb6748ef5d3801dda5388e0ddf65d

SHA256
e0f36514d27fd172d5d68fcbc7e463c124d435a079765962a5d1fe105436ac99

SHA512
ac692ed9e4eae38944ed5842ee6fb68f14a96b87832bc57c1e38bb17803eb9c703cfd0a76af9f9438d9708f48a17c889a7356afab7c7d4776d63ec6710ec199e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1p4.0.exe

Filesize
223KB

MD5
280229b137b0f36f2b18b9bc7841995d

SHA1
d800c8ecc758ccacfe9a91efd45904efcc17b84a

SHA256
49533fc0ca008e430d35fdabab4b200a70e629e62f5b16f9157b5a82b6494536

SHA512
aeb7566ad83b6b1a01e2d8f6e557a18a75a8bd4229f72cc9e1b1ffe9dd86d14469937eea221e0d436274d4444d4f1732098b98ca3ddc3c7aec65867107fbdec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1p4.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\Pictures\4UIpxp9g652bqNj8Q0rpFFyT.exe

Filesize
4.1MB

MD5
5fe730ab2ac35a2539d3a10fa546e8db

SHA1
b4d5706fed29221a76998a189e60175e28d6e997

SHA256
79b82ab87b8cc6b6ba829a2c3675cc1fef342a6d1c0d06c0afd9942c9726dc1a

SHA512
e7db08dc832ad04728d244c6cffedb5d3c72672f95e54533b72392af67ead0e3bef400e6865f2add226f740751686f2ba07dfa3341694a36c49f235a85a76636

Download Submit
C:\Users\Admin\Pictures\4UIpxp9g652bqNj8Q0rpFFyT.exe

Filesize
3.6MB

MD5
a2d8bf9fe17f2b872a4488bd065b7203

SHA1
b0268d4dd7785344f66d306a7cf503edd4cb00a4

SHA256
1d1eb7bf44d36bb1d50ffb1c8250ef2092dcd249677455333757a73966be4302

SHA512
c3a97d99f05a68d03cc1dcc24fae04573687b5f05399a06e0b802a8b522ca57288d0ca44cd1e54b54351059dad833808b6f354c5c5acae88c073aadd3367b962

Download Submit
C:\Users\Admin\Pictures\AklCjqfbVSiKqFCYVPgekRyB.exe

Filesize
3.6MB

MD5
3fe203747d0230d1e42622e36f2f3083

SHA1
cc79528371ba6dba99fd156b3ef6fa4099380cd9

SHA256
0c4f19f36f7cb4e91b503e4afe755d2b88c27f1779102e643e1790500dcff142

SHA512
a92bebf6343a84d76206c927b425d8517f8b8d588f4f3d0e0d6f7300f01c10b69fc03af6c7e3a276b2b4b2fcba40f1745244f74be22128e249da150acff86e63

Download Submit
C:\Users\Admin\Pictures\DxJzHHQC8KZq2ULEBJprBI0H.exe

Filesize
364KB

MD5
164928a82210574dbb33128a7416e69a

SHA1
5483ed912d256abad4c51dfac3c6bd5417e5102d

SHA256
d9c1e5df5baf1833a72a9591ab685d65c9e985563d791e27d5c4e4afeb672697

SHA512
0900ddb9cc6e8d2f2c5a9c2432c053c8120668314e0c9a15808718c27cee987fd83b647c280995a6bebbe7c79d7e2d9f1ae72e15be4f09f723fc7aa9dc777b41

Download Submit
C:\Users\Admin\Pictures\KAdHx9OIaNPdeVpvORgYLNFS.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\bzLA8ZSelTC1hh5wgRrTbuU3.exe

Filesize
4.1MB

MD5
acc96ea4633ab3916b47a71560de1ac4

SHA1
c1fc7d97eea75535e3fc9bdb3c8b3070ac058bcf

SHA256
e7e791761b87d13024503f0b3268130634febc3639b5765541180dbfa5c852ac

SHA512
e26b9afff50e18f6746c6555aed29ead0e1533d4e3fddf8fb0ac7b80abe93cbdb50f3e48964fcaefa3a88f7238390a1f43b031d27cf72fd7fea64d2cdb8bebad

Download Submit
C:\Users\Admin\Pictures\tamo2N6Sr3b0JXuSv72eT9hD.exe

Filesize
760KB

MD5
b014a9fa212f522998525a0d50513237

SHA1
2e0f6e70510af4f265e74c423a5994d5926e8620

SHA256
64c69d08fe3c0f60d11aa4c93ee181b34cb8769175f4cb6c6c4dbb799d029e90

SHA512
944f0d681a0c54ee3b8a14ade618eb26291ce457c3bf56a8234748257e8e8cec36cbfd9db63ba0964c42503db29999e919799e587488d34038824e47159f383a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
1719b0841d7f983286cebf493db0c70b

SHA1
c83e6d50ef171d318af3a3ed9ebce18fa79dca15

SHA256
35d6ea3e5a80f45a86118a8862dfb2fb1be19186abce76da83348dd5545523ce

SHA512
a17cef9ebe91362da2e6d15ff49daceb72b17bd087b462f8db1e3288ae0d1ba24d6a0af8e688cae32bb7c47a806e14b805d7b4bd37d0abb910939ae4737ca541

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
7217d696ba521ea1df7614a42f0d9814

SHA1
297e9886d4697527e27f4e89275da4fc5260c452

SHA256
23ed0d33808138dce5c7d170679fc16fe2d318f074f9970dc3594a97d92a8430

SHA512
fbead9849356445553c6d4e2eaa40e6ce6bf852d37425ecb92daf12a0ed512674996ced51a2bc4e6f68e2583641b0cd819771f62928acd1a264cfb38a064e134

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
787b4c6bafdfcc6b48a52927d3f5e4cf

SHA1
f3c810cb3ebac3b29aa57b62e7e79a9001275d02

SHA256
31114522d9bfffde1564927a29a94e980ebba2cd13889650be3d4c4fdf343611

SHA512
5a0f3866be4c49adfe2f9a711a4803e62740e88c9cdb595cf6810f848b2c16bb52981a8c09bb0209c68f63df1442f09c65a81d2f71abd790e7fd13e6e8994436

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
ca835c7df28907a10a865078a105dbdd

SHA1
1b17125326b0d2a78d3bf08567b2f4a64cd61085

SHA256
4494fc72537b274557daee466023b654bf4c3c3181fb1cb0e6485a64a5217f71

SHA512
9560352b0de7cd01d98b7fc85447dd7c5896415e441b00700d6ebafc5fbb42a0ea70fc65e8e2c0e097dab2ca70e7726b75e6aa8ee4f4b4813e7e67be85f9987a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
13a308ae081ceca4e85c2409e2e89b61

SHA1
f33344ac3a7843e277da3b193f2cbd407fc9b69b

SHA256
a5e3caf279d79f45f208969b9367fc48906cd392d6363c49ac3150199df43479

SHA512
95a14ccc0b0206298383cf9e7ada9666d260697017eac119ef5607c12ffca1d41e2a789281edfb939ec302b441f1398984611f529875727c39d8ad55113455dd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
9822df54d8db531b5d3fea4d7de646a7

SHA1
594b351ea30210bfa2b9486067418159173cee75

SHA256
f86a925d2af090511c6ea8071add48fa1e1d46f17223f88a6256bf20bea7cfc9

SHA512
cca60042c7f832ffee55ce8eb23c19c42e619a33c33473cd045c13d0ac7f90847093abefb57dd2fcdd4dfa3ec148e0d7a69c1ca5f302de9dcb80ded5d9c8c14d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
96de2916355811bfaeb0bc26392ba466

SHA1
cb3d73ae08bd3d05985f5c63f1a31437ac3afde8

SHA256
efdbee36ec7b3d7cb4727432296c197e758bacc8aad4b85549f558cb98becf28

SHA512
5b5a70ed2ae7491ce80b8bc235000ef4b2dee0b326d416f6e553d6ec856a426324ee66518b8c3bcb731019383af25034373db38930762e9d38ec69e644008ec1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
82ec79fcb19ea3d83ebd48a9fb221e30

SHA1
952cedfe2efe21e3b20a465a21efcebd20bfe3a2

SHA256
aaea1179b3d461e0c7939f97c91306c112c013384346582f951fa2c2725fe1b2

SHA512
4f5ccd927e78bdfc5966791a4a3c1f7b64900517c0af2027a72fa81261378d6e9870fd1ba2a2ce228092e393e8c4052d42ec7bd3cd5cf923cf5b4a2cdd1f9c84

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
ca970cb4b232ef2f0285f018e172c1d6

SHA1
ad03b9e4ba49a34c0ad8d558cad25cc3629ba5b8

SHA256
52b449d33a7786d121c32911de8f429f6d5472291ba507123138fece0ba729f7

SHA512
bf3a4c36fd6e1ddbbe7d6bb25c0f01429d01b3a3d95321f1cc107c7778796998df18de1306c3a2159da8fc68815c515911eb2eccbd83306b7417d5b194eb206a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
117c836918ba2f0b269b2edd1f94aadc

SHA1
911937ecd0fb27eff9f322e8e4f59094fee8c248

SHA256
90ac473986e3f327f0c129b06b1f97732d71caef26ef64c5818d5e89d4d59b98

SHA512
18ceba70beccd185bd47901c64e38c28eb9807715514ae1066c5ef88b2321ac5ff68b80bd60687c439b0a1139795e968355f9cfe6be82780f72ded020ad5f549

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
7e3a546a10e9829cc1d47247956c729f

SHA1
3d746171ea01b54281e05b748be4c8af7393aa48

SHA256
124c6a3d3430155fac5ca3933cf89aa78f86ca269794ee0eb21a84f277ac7dcf

SHA512
4f7ff249ccbde055e9763cb1b3399fef18a3a551eab825a9c60565022ce7b0896b76283e75c6d5ccf8f1ce7a3f7caf8e26322282bf9aef445fa5cb94fecb5827

Download Submit
memory/1288-54-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

Filesize
9.9MB

Download
memory/1288-9-0x000002C964990000-0x000002C9649B2000-memory.dmp

Filesize
136KB

Download
memory/1288-13-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

Filesize
9.9MB

Download
memory/1288-15-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

Filesize
9.9MB

Download
memory/1288-14-0x000002C97D130000-0x000002C97D1A6000-memory.dmp

Filesize
472KB

Download
memory/1288-10-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

Filesize
9.9MB

Download
memory/1612-1264-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/2188-1276-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/2200-1388-0x0000000000400000-0x0000000002597000-memory.dmp

Filesize
33.6MB

Download
memory/2200-2812-0x0000000000400000-0x0000000002597000-memory.dmp

Filesize
33.6MB

Download
memory/2336-3979-0x0000000009060000-0x0000000009105000-memory.dmp

Filesize
660KB

Download
memory/2336-3974-0x000000006DE90000-0x000000006E1E0000-memory.dmp

Filesize
3.3MB

Download
memory/2336-3973-0x000000006FAF0000-0x000000006FB3B000-memory.dmp

Filesize
300KB

Download
memory/2336-3934-0x0000000007620000-0x0000000007970000-memory.dmp

Filesize
3.3MB

Download
memory/2336-3939-0x0000000007B10000-0x0000000007B5B000-memory.dmp

Filesize
300KB

Download
memory/2508-659-0x0000000009E80000-0x0000000009E88000-memory.dmp

Filesize
32KB

Download
memory/2508-261-0x0000000009CC0000-0x0000000009CDE000-memory.dmp

Filesize
120KB

Download
memory/2508-260-0x000000006F650000-0x000000006F9A0000-memory.dmp

Filesize
3.3MB

Download
memory/2508-103-0x00000000080C0000-0x000000000810B000-memory.dmp

Filesize
300KB

Download
memory/2508-214-0x0000000008E90000-0x0000000008F06000-memory.dmp

Filesize
472KB

Download
memory/2508-266-0x0000000009D20000-0x0000000009DC5000-memory.dmp

Filesize
660KB

Download
memory/2508-93-0x0000000007230000-0x0000000007858000-memory.dmp

Filesize
6.2MB

Download
memory/2508-102-0x0000000007D30000-0x0000000007D4C000-memory.dmp

Filesize
112KB

Download
memory/2508-99-0x0000000007040000-0x00000000070A6000-memory.dmp

Filesize
408KB

Download
memory/2508-171-0x0000000008DD0000-0x0000000008E0C000-memory.dmp

Filesize
240KB

Download
memory/2508-275-0x0000000009F40000-0x0000000009FD4000-memory.dmp

Filesize
592KB

Download
memory/2508-259-0x000000006FA70000-0x000000006FABB000-memory.dmp

Filesize
300KB

Download
memory/2508-652-0x0000000009EA0000-0x0000000009EBA000-memory.dmp

Filesize
104KB

Download
memory/2508-258-0x0000000009CE0000-0x0000000009D13000-memory.dmp

Filesize
204KB

Download
memory/2512-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2512-16-0x0000000073EAE000-0x0000000073EAF000-memory.dmp

Filesize
4KB

Download
memory/2564-3207-0x000000006F650000-0x000000006F9A0000-memory.dmp

Filesize
3.3MB

Download
memory/2564-3206-0x000000006FA70000-0x000000006FABB000-memory.dmp

Filesize
300KB

Download
memory/2604-2488-0x000000006F650000-0x000000006F9A0000-memory.dmp

Filesize
3.3MB

Download
memory/2604-2485-0x000000006FA70000-0x000000006FABB000-memory.dmp

Filesize
300KB

Download
memory/2700-769-0x000000006FA70000-0x000000006FABB000-memory.dmp

Filesize
300KB

Download
memory/2700-770-0x000000006F650000-0x000000006F9A0000-memory.dmp

Filesize
3.3MB

Download
memory/3292-4052-0x000000006FAF0000-0x000000006FB3B000-memory.dmp

Filesize
300KB

Download
memory/3292-4053-0x000000006DE90000-0x000000006E1E0000-memory.dmp

Filesize
3.3MB

Download
memory/4172-2329-0x0000000000400000-0x0000000002574000-memory.dmp

Filesize
33.5MB

Download
memory/4336-1261-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/4384-2-0x000001A0FF5A0000-0x000001A0FF5FE000-memory.dmp

Filesize
376KB

Download
memory/4384-1-0x000001A0FD970000-0x000001A0FD97A000-memory.dmp

Filesize
40KB

Download
memory/4384-0-0x00007FF95A543000-0x00007FF95A544000-memory.dmp

Filesize
4KB

Download
memory/4384-3224-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

Filesize
9.9MB

Download
memory/4384-1389-0x00007FF95A543000-0x00007FF95A544000-memory.dmp

Filesize
4KB

Download
memory/4384-3-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

Filesize
9.9MB

Download
memory/4728-96-0x0000000007170000-0x0000000007192000-memory.dmp

Filesize
136KB

Download
memory/4728-273-0x000000006FA70000-0x000000006FABB000-memory.dmp

Filesize
300KB

Download
memory/4728-101-0x0000000007A80000-0x0000000007DD0000-memory.dmp

Filesize
3.3MB

Download
memory/4728-274-0x000000006F650000-0x000000006F9A0000-memory.dmp

Filesize
3.3MB

Download
memory/4728-100-0x0000000007A10000-0x0000000007A76000-memory.dmp

Filesize
408KB

Download
memory/4728-89-0x0000000004A70000-0x0000000004AA6000-memory.dmp

Filesize
216KB

Download
memory/4776-1290-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/5128-2245-0x000000006FA70000-0x000000006FABB000-memory.dmp

Filesize
300KB

Download
memory/5128-2246-0x000000006F650000-0x000000006F9A0000-memory.dmp

Filesize
3.3MB

Download
memory/5148-3688-0x000000006F650000-0x000000006F9A0000-memory.dmp

Filesize
3.3MB

Download
memory/5148-3685-0x000000006FA70000-0x000000006FABB000-memory.dmp

Filesize
300KB

Download
memory/5256-2825-0x000000006FA70000-0x000000006FABB000-memory.dmp

Filesize
300KB

Download
memory/5256-2826-0x000000006F650000-0x000000006F9A0000-memory.dmp

Filesize
3.3MB

Download
memory/5272-1794-0x000000006F650000-0x000000006F9A0000-memory.dmp

Filesize
3.3MB

Download
memory/5272-1789-0x000000006FA70000-0x000000006FABB000-memory.dmp

Filesize
300KB

Download
memory/5312-1799-0x000000006FA70000-0x000000006FABB000-memory.dmp

Filesize
300KB

Download
memory/5312-1800-0x000000006F650000-0x000000006F9A0000-memory.dmp

Filesize
3.3MB

Download
memory/5384-3336-0x000000006F650000-0x000000006F9A0000-memory.dmp

Filesize
3.3MB

Download
memory/5384-3307-0x000000006FA70000-0x000000006FABB000-memory.dmp

Filesize
300KB

Download
memory/5528-3214-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/5528-3684-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/5608-3215-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/5608-3937-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/5660-1305-0x0000000009620000-0x00000000096C5000-memory.dmp

Filesize
660KB

Download
memory/5660-1299-0x000000006FA70000-0x000000006FABB000-memory.dmp

Filesize
300KB

Download
memory/5660-1300-0x000000006F650000-0x000000006F9A0000-memory.dmp

Filesize
3.3MB

Download
memory/5736-2722-0x000000006FA70000-0x000000006FABB000-memory.dmp

Filesize
300KB

Download
memory/5736-2723-0x000000006F650000-0x000000006F9A0000-memory.dmp

Filesize
3.3MB

Download
memory/5792-1533-0x000000006F650000-0x000000006F9A0000-memory.dmp

Filesize
3.3MB

Download
memory/5792-1532-0x000000006FA70000-0x000000006FABB000-memory.dmp

Filesize
300KB

Download
memory/5860-973-0x000000006FA70000-0x000000006FABB000-memory.dmp

Filesize
300KB

Download
memory/5860-1004-0x000000006F650000-0x000000006F9A0000-memory.dmp

Filesize
3.3MB

Download
memory/6000-3225-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/6000-4272-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download
memory/6116-3894-0x0000000000400000-0x0000000002957000-memory.dmp

Filesize
37.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads