glupteba | ed451ab9bc98df781e851bc59415edb980f7f74f940900d91cb710f22b37d27e

Analysis

max time kernel
8s
max time network
88s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 00:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.7MB
MD5

b072aae7b2a632400089a197d4342343
SHA1

ac59d48e8096c83eb6df8a7c0ff83056b83df1c3
SHA256

ed451ab9bc98df781e851bc59415edb980f7f74f940900d91cb710f22b37d27e
SHA512

39952cf47829c0968022fa42f23e53bf831578956890b34b4b5ad6d2c51f6902cd7760fa829bd22af2c88bf5d45fc28f795657881a5a93818879659dab59bbf8
SSDEEP

24576:oHDKnZ3PBiGVLvVwzE5L0r8hum199rrntIdpBiHAAfwT:NnZ3p3N7TJw6AAfW

Score

10^/10

glupteba vidar af2b108237a470d5313ebab11ef5d055 dropper evasion loader spyware stealer upx

Malware Config

Extracted

Family

vidar

Version

6.1

Botnet

af2b108237a470d5313ebab11ef5d055

https://steamcommunity.com/profiles/76561199563297648

https://t.me/twowheelfun

Attributes

profile_id_v2
af2b108237a470d5313ebab11ef5d055
user_agent
Mozilla/5.0 (iPad; CPU OS 17_0_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/605.1.15

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 14 IoCs

resource	yara_rule
behavioral2/memory/3588-91-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/3588-94-0x0000000002EE0000-0x00000000037CB000-memory.dmp	family_glupteba
behavioral2/memory/740-135-0x0000000002EE0000-0x00000000037CB000-memory.dmp	family_glupteba
behavioral2/memory/740-139-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/3588-158-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/740-163-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/3588-173-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/740-176-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/3588-220-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/3588-288-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/740-291-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/740-295-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/3588-368-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/740-385-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IfHLHIy8ezQk6yfztdgde5Yw.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fBNWe0ZfEaeYghYyLHKZ7894.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z4deE4D0v5gwfXseRJq36h3w.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AtKr9ss1BrLCf4ImOd0dbjS6.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t4WRJa89JZ0fBcxQv9ZaeDvZ.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XVEeSTQxBjOLsCi3LpihKMiA.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z6bPAmOpJ7wZfU19GR9kHGvy.bat	InstallUtil.exe

Executes dropped EXE 6 IoCs

pid	Process
3588	xUdPUMtvKFqsMgsQ5d4F16jh.exe
740	rioNJaJ2qGI889EMTEHeIalT.exe
1940	kwOJi31aaN9aDeskhTVZwJnO.exe
2108	ft4nIKSigaVrf6mDVAvcIrsV.exe
4920	JwV0sHNSLn2ohuXzr8X6FpQD.exe
2508	tFZbiNnKxEUg7ZE4V5AFK3Vb.exe

Loads dropped DLL 1 IoCs

pid	Process
2108	ft4nIKSigaVrf6mDVAvcIrsV.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e6f-59.dat	upx
behavioral2/memory/2108-80-0x0000000000550000-0x0000000000A9D000-memory.dmp	upx
behavioral2/files/0x0006000000022e6f-97.dat	upx
behavioral2/files/0x0006000000022e6f-69.dat	upx
behavioral2/memory/4092-104-0x0000000000550000-0x0000000000A9D000-memory.dmp	upx
behavioral2/files/0x0006000000022e6f-109.dat	upx
behavioral2/files/0x0006000000022e83-112.dat	upx
behavioral2/memory/3200-114-0x0000000000F30000-0x000000000147D000-memory.dmp	upx
behavioral2/memory/3200-118-0x0000000000F30000-0x000000000147D000-memory.dmp	upx
behavioral2/files/0x0006000000022e6f-120.dat	upx
behavioral2/files/0x0006000000022e6f-127.dat	upx
behavioral2/memory/4872-129-0x0000000000550000-0x0000000000A9D000-memory.dmp	upx
behavioral2/memory/2800-134-0x0000000000550000-0x0000000000A9D000-memory.dmp	upx
behavioral2/memory/2108-180-0x0000000000550000-0x0000000000A9D000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1692 set thread context of 1936	1692	file.exe	85

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2152	sc.exe
3992	sc.exe
2572	sc.exe
3104	sc.exe
1772	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3044	4920	WerFault.exe	94

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2528	schtasks.exe
4924	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1892	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	InstallUtil.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1936	1692	file.exe	85
PID 1692 wrote to memory of 1936	1692	file.exe	85
PID 1692 wrote to memory of 1936	1692	file.exe	85
PID 1692 wrote to memory of 1936	1692	file.exe	85
PID 1692 wrote to memory of 1936	1692	file.exe	85
PID 1692 wrote to memory of 1936	1692	file.exe	85
PID 1692 wrote to memory of 1936	1692	file.exe	85
PID 1692 wrote to memory of 1936	1692	file.exe	85
PID 1936 wrote to memory of 3588	1936	InstallUtil.exe	89
PID 1936 wrote to memory of 3588	1936	InstallUtil.exe	89
PID 1936 wrote to memory of 3588	1936	InstallUtil.exe	89
PID 1936 wrote to memory of 740	1936	InstallUtil.exe	91
PID 1936 wrote to memory of 740	1936	InstallUtil.exe	91
PID 1936 wrote to memory of 740	1936	InstallUtil.exe	91
PID 1936 wrote to memory of 1940	1936	InstallUtil.exe	92
PID 1936 wrote to memory of 1940	1936	InstallUtil.exe	92
PID 1936 wrote to memory of 1940	1936	InstallUtil.exe	92
PID 1936 wrote to memory of 2108	1936	InstallUtil.exe	93
PID 1936 wrote to memory of 2108	1936	InstallUtil.exe	93
PID 1936 wrote to memory of 2108	1936	InstallUtil.exe	93
PID 1936 wrote to memory of 4920	1936	InstallUtil.exe	94
PID 1936 wrote to memory of 4920	1936	InstallUtil.exe	94
PID 1936 wrote to memory of 4920	1936	InstallUtil.exe	94
PID 1936 wrote to memory of 2508	1936	InstallUtil.exe	96
PID 1936 wrote to memory of 2508	1936	InstallUtil.exe	96

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Users\Admin\Pictures\xUdPUMtvKFqsMgsQ5d4F16jh.exe
    "C:\Users\Admin\Pictures\xUdPUMtvKFqsMgsQ5d4F16jh.exe"
    3⤵
    - Executes dropped EXE
    PID:3588
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4340
- - C:\Users\Admin\Pictures\rioNJaJ2qGI889EMTEHeIalT.exe
    "C:\Users\Admin\Pictures\rioNJaJ2qGI889EMTEHeIalT.exe"
    3⤵
    - Executes dropped EXE
    PID:740
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3536
- - C:\Users\Admin\Pictures\kwOJi31aaN9aDeskhTVZwJnO.exe
    "C:\Users\Admin\Pictures\kwOJi31aaN9aDeskhTVZwJnO.exe"
    3⤵
    - Executes dropped EXE
    PID:1940
- - C:\Users\Admin\Pictures\ft4nIKSigaVrf6mDVAvcIrsV.exe
    "C:\Users\Admin\Pictures\ft4nIKSigaVrf6mDVAvcIrsV.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2108
  - - C:\Users\Admin\Pictures\ft4nIKSigaVrf6mDVAvcIrsV.exe
      C:\Users\Admin\Pictures\ft4nIKSigaVrf6mDVAvcIrsV.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x70668538,0x70668548,0x70668554
      4⤵
      PID:4092
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ft4nIKSigaVrf6mDVAvcIrsV.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ft4nIKSigaVrf6mDVAvcIrsV.exe" --version
      4⤵
      PID:3200
  - - C:\Users\Admin\Pictures\ft4nIKSigaVrf6mDVAvcIrsV.exe
      "C:\Users\Admin\Pictures\ft4nIKSigaVrf6mDVAvcIrsV.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2108 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231023003144" --session-guid=4a592bc1-3be8-4998-a1da-1161004dd8ad --server-tracking-blob=NDc3NzVlODBlNzBiN2Q0MWNiZjY4NmNkYWNkODg4YzkyYjYzMzQ1YjVlZWZjMDY1ZTc1MTVmOGZlYjU0YTIyNzp7ImNvdW50cnkiOiJOTCIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5ODAyMTA5Ny4wMjg0IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI1YWZlMWUwZi1jM2UyLTQ0YmMtODA4YS04YTFjNTZlNzg5OTAifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=DC04000000000000
      4⤵
      PID:4872
    - - C:\Users\Admin\Pictures\ft4nIKSigaVrf6mDVAvcIrsV.exe
        
        C:\Users\Admin\Pictures\ft4nIKSigaVrf6mDVAvcIrsV.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2bc,0x2f8,0x6ee48538,0x6ee48548,0x6ee48554
        5⤵
        
        PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"
      4⤵
      PID:3108
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\assistant\assistant_installer.exe" --version
      4⤵
      PID:4792
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.25 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x2a1588,0x2a1598,0x2a15a4
        5⤵
        
        PID:2472
- - C:\Users\Admin\Pictures\JwV0sHNSLn2ohuXzr8X6FpQD.exe
    "C:\Users\Admin\Pictures\JwV0sHNSLn2ohuXzr8X6FpQD.exe"
    3⤵
    - Executes dropped EXE
    PID:4920
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\JwV0sHNSLn2ohuXzr8X6FpQD.exe" & exit
      4⤵
      PID:3940
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:1892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 2012
      4⤵
      Program crash
      PID:3044
- - C:\Users\Admin\Pictures\tFZbiNnKxEUg7ZE4V5AFK3Vb.exe
    "C:\Users\Admin\Pictures\tFZbiNnKxEUg7ZE4V5AFK3Vb.exe"
    3⤵
    - Executes dropped EXE
    PID:2508
- - C:\Users\Admin\Pictures\LCGcD2BbziRUBuyVYR2un4kg.exe
    "C:\Users\Admin\Pictures\LCGcD2BbziRUBuyVYR2un4kg.exe"
    3⤵
    PID:500
  - - C:\Users\Admin\AppData\Local\Temp\7zS3081.tmp\Install.exe
      .\Install.exe
      4⤵
      PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\7zS3285.tmp\Install.exe
        
        .\Install.exe /dcCcdidRiisJ "385118" /S
        5⤵
        
        PID:4604
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        7⤵
        
        PID:1984
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        8⤵
        
        PID:3084
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        8⤵
        
        PID:5000
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        7⤵
        
        PID:3524
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        8⤵
        
        PID:4264
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        8⤵
        
        PID:4964
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gkIaHZBCZ" /SC once /ST 00:22:44 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:4924
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gkIaHZBCZ"
        6⤵
        
        PID:5020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:1592

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:4484
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2152
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:3992
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:2572
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3104
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4920 -ip 4920
1⤵
PID:3644

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:4812
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:3456
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:860
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:1772
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2900

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:4440

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\iacrcjwhmdyc.xml"
1⤵
- Creates scheduled task(s)
PID:2528

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:3252

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:2896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
5.2MB

MD5
df280925e135481b26e921dd1221e359

SHA1
877737c142fdcc03c33e20d4f17c48a741373c9e

SHA256
710a3e1beda67e1c543ba04423bfb0ba643815582310c0b3d03d03e071c894b8

SHA512
3da682a655a9df0ad0fcc6f28953f104383f3abe695afdd7a236d9ea0f05ef4de210da7c46139f3ce01e3e7dde9abf02b3665d1289e20426ba9164468807f487

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ft4nIKSigaVrf6mDVAvcIrsV.exe

Filesize
2.8MB

MD5
2c80397c5743811bbb1b0378a8fcd070

SHA1
afe09d851cbfb09d60388bca28131bde3165d102

SHA256
8b8dcaf32ab68c2ec25a080394aa88f0b3a43544730ca6a5ea966cad52c31d4c

SHA512
98276d3e0da507bc1e2026c4c8e0262dfb3ca006467b1b15c2aa8a8eaf437334940f474815928398a192aab4ec47d3fa7da774206f03a28e843aebeb223de1c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe

Filesize
1.9MB

MD5
b0f128c3579e6921cfff620179fb9864

SHA1
60e19c987a96182206994ffd509d2849fdb427e3

SHA256
1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee

SHA512
17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe

Filesize
1.9MB

MD5
b0f128c3579e6921cfff620179fb9864

SHA1
60e19c987a96182206994ffd509d2849fdb427e3

SHA256
1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee

SHA512
17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe

Filesize
1.9MB

MD5
b0f128c3579e6921cfff620179fb9864

SHA1
60e19c987a96182206994ffd509d2849fdb427e3

SHA256
1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee

SHA512
17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\assistant\assistant_installer.exe

Filesize
2.1MB

MD5
34afbc4605531efdbe6f6ce57f567c0a

SHA1
6cb65f3565e40e7d08f5a0ad37b1b9182b4fc81b

SHA256
0441668bc7daf97c16734a8a95eb29de9fd2f4bec368f4d009e5437862249019

SHA512
577fe412d9b20055cf2f67e029a6829301d6b010cc03d2cf8ce89b87c213530dc4d396a27b92f56ed8260afd59d6fbd8cf841e807460f0a0bad4ad1df5b7c25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\assistant\assistant_installer.exe

Filesize
2.1MB

MD5
34afbc4605531efdbe6f6ce57f567c0a

SHA1
6cb65f3565e40e7d08f5a0ad37b1b9182b4fc81b

SHA256
0441668bc7daf97c16734a8a95eb29de9fd2f4bec368f4d009e5437862249019

SHA512
577fe412d9b20055cf2f67e029a6829301d6b010cc03d2cf8ce89b87c213530dc4d396a27b92f56ed8260afd59d6fbd8cf841e807460f0a0bad4ad1df5b7c25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\assistant\dbgcore.DLL

Filesize
166KB

MD5
5a6cd2117967ec78e7195b6ee10fc4da

SHA1
72d929eeb50dd58861a1d4cf13902c0b89fadc34

SHA256
a013652c95eca80356040312390d09ed78458fca6a0aef5ce3203dfe9cbc5040

SHA512
07aa64e6c681360c6c6c504041bd97f54dbf0aad8e498281dc8f8bdec2de4fc1c1bed9d0c4d3b6f4a4be19c408f7d34ff1c4a13db36488f698e3ae11855b895c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\assistant\dbgcore.dll

Filesize
166KB

MD5
5a6cd2117967ec78e7195b6ee10fc4da

SHA1
72d929eeb50dd58861a1d4cf13902c0b89fadc34

SHA256
a013652c95eca80356040312390d09ed78458fca6a0aef5ce3203dfe9cbc5040

SHA512
07aa64e6c681360c6c6c504041bd97f54dbf0aad8e498281dc8f8bdec2de4fc1c1bed9d0c4d3b6f4a4be19c408f7d34ff1c4a13db36488f698e3ae11855b895c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\assistant\dbgcore.dll

Filesize
166KB

MD5
5a6cd2117967ec78e7195b6ee10fc4da

SHA1
72d929eeb50dd58861a1d4cf13902c0b89fadc34

SHA256
a013652c95eca80356040312390d09ed78458fca6a0aef5ce3203dfe9cbc5040

SHA512
07aa64e6c681360c6c6c504041bd97f54dbf0aad8e498281dc8f8bdec2de4fc1c1bed9d0c4d3b6f4a4be19c408f7d34ff1c4a13db36488f698e3ae11855b895c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\assistant\dbghelp.dll

Filesize
1.7MB

MD5
861a07bcf2a5cb0dda1aaf6dfcb57b26

SHA1
a0bdbbc398583a7cfdd88624c9ac2da1764e0826

SHA256
7878be3359a3ecfcf94f961bcdce3e6e8bc01a55eba640d45b867b94f30fcdbc

SHA512
062159168817968f1165cb06299217a556c4e6b00ef7c740f845fdcbbaca77da346ef5fd7403c6f9d81e173a2fcf40c63da57cb884158f8c037c0df0ce1cc5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\assistant\dbghelp.dll

Filesize
1.7MB

MD5
861a07bcf2a5cb0dda1aaf6dfcb57b26

SHA1
a0bdbbc398583a7cfdd88624c9ac2da1764e0826

SHA256
7878be3359a3ecfcf94f961bcdce3e6e8bc01a55eba640d45b867b94f30fcdbc

SHA512
062159168817968f1165cb06299217a556c4e6b00ef7c740f845fdcbbaca77da346ef5fd7403c6f9d81e173a2fcf40c63da57cb884158f8c037c0df0ce1cc5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\assistant\dbghelp.dll

Filesize
1.7MB

MD5
861a07bcf2a5cb0dda1aaf6dfcb57b26

SHA1
a0bdbbc398583a7cfdd88624c9ac2da1764e0826

SHA256
7878be3359a3ecfcf94f961bcdce3e6e8bc01a55eba640d45b867b94f30fcdbc

SHA512
062159168817968f1165cb06299217a556c4e6b00ef7c740f845fdcbbaca77da346ef5fd7403c6f9d81e173a2fcf40c63da57cb884158f8c037c0df0ce1cc5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230031441\opera_package

Filesize
79.8MB

MD5
9f372a0a4be788859ef436fdff555a54

SHA1
62c5274119b23c42c1487cf381e6fdfc518c2ffb

SHA256
e5818a83f86d810131a5d106bd923b8b0b55225a1ff04d65a948f46d1f368752

SHA512
98c40dbe398e891319a04f59d804be62776c61dd6c521d9518a42ed4525a51ceb27be1f0a824a4f0d89800fb43bbe53694064b9daf2e8e9bc2c31f5b9beaf1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3081.tmp\Install.exe

Filesize
6.1MB

MD5
60ddd726bba5ccd38361277c0b86f26c

SHA1
33bbc251be61a7fbf084f1e8540649f68dc18d52

SHA256
cf158febdfab345e47423394b53dcb640c03473bae3d84bbaa52e91ed4b39461

SHA512
b21e4a453efe265510585e85ab2fe1e02a5a6b1cce734e4a05f416d088edc8a6d59a7bc8b1d20c56faf48fdd2feab9431367529cf2aeeca5ad70b2e3f072a5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3081.tmp\Install.exe

Filesize
6.1MB

MD5
60ddd726bba5ccd38361277c0b86f26c

SHA1
33bbc251be61a7fbf084f1e8540649f68dc18d52

SHA256
cf158febdfab345e47423394b53dcb640c03473bae3d84bbaa52e91ed4b39461

SHA512
b21e4a453efe265510585e85ab2fe1e02a5a6b1cce734e4a05f416d088edc8a6d59a7bc8b1d20c56faf48fdd2feab9431367529cf2aeeca5ad70b2e3f072a5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3285.tmp\Install.exe

Filesize
6.9MB

MD5
cd3191644eeaab1d1cf9b4bea245f78c

SHA1
75f04b22e62b1366a4c5b2887242b63de1d83c9c

SHA256
f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f

SHA512
79ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310230031415342108.dll

Filesize
4.7MB

MD5
1312b9c3111e7eaea09326ff644feb04

SHA1
114f2fd35c67fe5378e0cac3335485eb2ae8f292

SHA256
246411eb4d336db6f5563483030c3ebdc476e6715f264658655f6712aee5bb0f

SHA512
372ea048f5ebf256fd85e932a406de5e3d1842722e505d432b0679ed0990ea3522c2397fe7c91a9e915950f36207d81689d7b04817005b95d118539452f4384a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310230031426154092.dll

Filesize
4.7MB

MD5
1312b9c3111e7eaea09326ff644feb04

SHA1
114f2fd35c67fe5378e0cac3335485eb2ae8f292

SHA256
246411eb4d336db6f5563483030c3ebdc476e6715f264658655f6712aee5bb0f

SHA512
372ea048f5ebf256fd85e932a406de5e3d1842722e505d432b0679ed0990ea3522c2397fe7c91a9e915950f36207d81689d7b04817005b95d118539452f4384a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310230031434173200.dll

Filesize
4.7MB

MD5
1312b9c3111e7eaea09326ff644feb04

SHA1
114f2fd35c67fe5378e0cac3335485eb2ae8f292

SHA256
246411eb4d336db6f5563483030c3ebdc476e6715f264658655f6712aee5bb0f

SHA512
372ea048f5ebf256fd85e932a406de5e3d1842722e505d432b0679ed0990ea3522c2397fe7c91a9e915950f36207d81689d7b04817005b95d118539452f4384a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310230031434173200.dll

Filesize
4.7MB

MD5
1312b9c3111e7eaea09326ff644feb04

SHA1
114f2fd35c67fe5378e0cac3335485eb2ae8f292

SHA256
246411eb4d336db6f5563483030c3ebdc476e6715f264658655f6712aee5bb0f

SHA512
372ea048f5ebf256fd85e932a406de5e3d1842722e505d432b0679ed0990ea3522c2397fe7c91a9e915950f36207d81689d7b04817005b95d118539452f4384a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310230031442924872.dll

Filesize
4.7MB

MD5
1312b9c3111e7eaea09326ff644feb04

SHA1
114f2fd35c67fe5378e0cac3335485eb2ae8f292

SHA256
246411eb4d336db6f5563483030c3ebdc476e6715f264658655f6712aee5bb0f

SHA512
372ea048f5ebf256fd85e932a406de5e3d1842722e505d432b0679ed0990ea3522c2397fe7c91a9e915950f36207d81689d7b04817005b95d118539452f4384a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310230031448622800.dll

Filesize
4.7MB

MD5
1312b9c3111e7eaea09326ff644feb04

SHA1
114f2fd35c67fe5378e0cac3335485eb2ae8f292

SHA256
246411eb4d336db6f5563483030c3ebdc476e6715f264658655f6712aee5bb0f

SHA512
372ea048f5ebf256fd85e932a406de5e3d1842722e505d432b0679ed0990ea3522c2397fe7c91a9e915950f36207d81689d7b04817005b95d118539452f4384a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vxph1k1l.j4v.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iacrcjwhmdyc.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
86b85bd01920007e320c29c50fb533ae

SHA1
b56f574c126ab37d09a645dc6a669c73964bd220

SHA256
5bf0bef43089278c5fd130c2fe78040af04d178f0adfca6d5cee282ffa5dcbd4

SHA512
035cf4132176d2fa5344e26c35a13133418d6098bc21c9bea6522a99dfb1f81831535f6376a1496dbd75b4fb39a3bebf3595773255d3ebb8c5755fe4e1dcd50a

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
86b85bd01920007e320c29c50fb533ae

SHA1
b56f574c126ab37d09a645dc6a669c73964bd220

SHA256
5bf0bef43089278c5fd130c2fe78040af04d178f0adfca6d5cee282ffa5dcbd4

SHA512
035cf4132176d2fa5344e26c35a13133418d6098bc21c9bea6522a99dfb1f81831535f6376a1496dbd75b4fb39a3bebf3595773255d3ebb8c5755fe4e1dcd50a

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
86b85bd01920007e320c29c50fb533ae

SHA1
b56f574c126ab37d09a645dc6a669c73964bd220

SHA256
5bf0bef43089278c5fd130c2fe78040af04d178f0adfca6d5cee282ffa5dcbd4

SHA512
035cf4132176d2fa5344e26c35a13133418d6098bc21c9bea6522a99dfb1f81831535f6376a1496dbd75b4fb39a3bebf3595773255d3ebb8c5755fe4e1dcd50a

Download Submit
C:\Users\Admin\Pictures\JwV0sHNSLn2ohuXzr8X6FpQD.exe

Filesize
364KB

MD5
cedf22baa300e7f9acd9ebee582c142b

SHA1
3d7cf3dbe863330d0ff994f6624f8842c35b2fcb

SHA256
30b003dc2934c6e3352f173e625fe6efbeacef5df1306cbb67035d4dbb611107

SHA512
834841d1932be8842db595dedd4ae38df59e11b80d793e2e13a3a5c1e4ea0b2d1a71cb02197cfbbdec44f6bd1ec295903a680c4434fb5a975c8b52ff6b5295a2

Download Submit
C:\Users\Admin\Pictures\JwV0sHNSLn2ohuXzr8X6FpQD.exe

Filesize
364KB

MD5
cedf22baa300e7f9acd9ebee582c142b

SHA1
3d7cf3dbe863330d0ff994f6624f8842c35b2fcb

SHA256
30b003dc2934c6e3352f173e625fe6efbeacef5df1306cbb67035d4dbb611107

SHA512
834841d1932be8842db595dedd4ae38df59e11b80d793e2e13a3a5c1e4ea0b2d1a71cb02197cfbbdec44f6bd1ec295903a680c4434fb5a975c8b52ff6b5295a2

Download Submit
C:\Users\Admin\Pictures\JwV0sHNSLn2ohuXzr8X6FpQD.exe

Filesize
364KB

MD5
cedf22baa300e7f9acd9ebee582c142b

SHA1
3d7cf3dbe863330d0ff994f6624f8842c35b2fcb

SHA256
30b003dc2934c6e3352f173e625fe6efbeacef5df1306cbb67035d4dbb611107

SHA512
834841d1932be8842db595dedd4ae38df59e11b80d793e2e13a3a5c1e4ea0b2d1a71cb02197cfbbdec44f6bd1ec295903a680c4434fb5a975c8b52ff6b5295a2

Download Submit
C:\Users\Admin\Pictures\LCGcD2BbziRUBuyVYR2un4kg.exe

Filesize
7.1MB

MD5
3111f8d446efd3c0a0e2c91cbf303998

SHA1
da86c8d200f799d6467e74e1ea65781078f50be7

SHA256
7ad618232c089a82b096bd93151d6930853caa6cde160d24787e9d70bd87acad

SHA512
0f4101325b359e5f85692ec5fa5bb771ca723a119fee6fde787336fc623c30bf104cc4cdedab6a1a8ff0eb9efc97f5f5245c677869117161e25e5f189a874170

Download Submit
C:\Users\Admin\Pictures\LCGcD2BbziRUBuyVYR2un4kg.exe

Filesize
7.1MB

MD5
3111f8d446efd3c0a0e2c91cbf303998

SHA1
da86c8d200f799d6467e74e1ea65781078f50be7

SHA256
7ad618232c089a82b096bd93151d6930853caa6cde160d24787e9d70bd87acad

SHA512
0f4101325b359e5f85692ec5fa5bb771ca723a119fee6fde787336fc623c30bf104cc4cdedab6a1a8ff0eb9efc97f5f5245c677869117161e25e5f189a874170

Download Submit
C:\Users\Admin\Pictures\LCGcD2BbziRUBuyVYR2un4kg.exe

Filesize
7.1MB

MD5
3111f8d446efd3c0a0e2c91cbf303998

SHA1
da86c8d200f799d6467e74e1ea65781078f50be7

SHA256
7ad618232c089a82b096bd93151d6930853caa6cde160d24787e9d70bd87acad

SHA512
0f4101325b359e5f85692ec5fa5bb771ca723a119fee6fde787336fc623c30bf104cc4cdedab6a1a8ff0eb9efc97f5f5245c677869117161e25e5f189a874170

Download Submit
C:\Users\Admin\Pictures\MJndnXuIODURu77eQHbiXqFN.exe

Filesize
7KB

MD5
fcad815e470706329e4e327194acc07c

SHA1
c4edd81d00318734028d73be94bc3904373018a9

SHA256
280d939a66a0107297091b3b6f86d6529ef6fac222a85dbc82822c3d5dc372b8

SHA512
f4031b49946da7c6c270e0354ac845b5c77b9dfcd267442e0571dd33ccd5146bc352ed42b59800c9d166c8c1ede61469a00a4e8d3738d937502584e8a1b72485

Download Submit
C:\Users\Admin\Pictures\ft4nIKSigaVrf6mDVAvcIrsV.exe

Filesize
2.8MB

MD5
2c80397c5743811bbb1b0378a8fcd070

SHA1
afe09d851cbfb09d60388bca28131bde3165d102

SHA256
8b8dcaf32ab68c2ec25a080394aa88f0b3a43544730ca6a5ea966cad52c31d4c

SHA512
98276d3e0da507bc1e2026c4c8e0262dfb3ca006467b1b15c2aa8a8eaf437334940f474815928398a192aab4ec47d3fa7da774206f03a28e843aebeb223de1c1

Download Submit
C:\Users\Admin\Pictures\ft4nIKSigaVrf6mDVAvcIrsV.exe

Filesize
2.8MB

MD5
2c80397c5743811bbb1b0378a8fcd070

SHA1
afe09d851cbfb09d60388bca28131bde3165d102

SHA256
8b8dcaf32ab68c2ec25a080394aa88f0b3a43544730ca6a5ea966cad52c31d4c

SHA512
98276d3e0da507bc1e2026c4c8e0262dfb3ca006467b1b15c2aa8a8eaf437334940f474815928398a192aab4ec47d3fa7da774206f03a28e843aebeb223de1c1

Download Submit
C:\Users\Admin\Pictures\ft4nIKSigaVrf6mDVAvcIrsV.exe

Filesize
2.8MB

MD5
2c80397c5743811bbb1b0378a8fcd070

SHA1
afe09d851cbfb09d60388bca28131bde3165d102

SHA256
8b8dcaf32ab68c2ec25a080394aa88f0b3a43544730ca6a5ea966cad52c31d4c

SHA512
98276d3e0da507bc1e2026c4c8e0262dfb3ca006467b1b15c2aa8a8eaf437334940f474815928398a192aab4ec47d3fa7da774206f03a28e843aebeb223de1c1

Download Submit
C:\Users\Admin\Pictures\ft4nIKSigaVrf6mDVAvcIrsV.exe

Filesize
2.8MB

MD5
2c80397c5743811bbb1b0378a8fcd070

SHA1
afe09d851cbfb09d60388bca28131bde3165d102

SHA256
8b8dcaf32ab68c2ec25a080394aa88f0b3a43544730ca6a5ea966cad52c31d4c

SHA512
98276d3e0da507bc1e2026c4c8e0262dfb3ca006467b1b15c2aa8a8eaf437334940f474815928398a192aab4ec47d3fa7da774206f03a28e843aebeb223de1c1

Download Submit
C:\Users\Admin\Pictures\ft4nIKSigaVrf6mDVAvcIrsV.exe

Filesize
2.8MB

MD5
2c80397c5743811bbb1b0378a8fcd070

SHA1
afe09d851cbfb09d60388bca28131bde3165d102

SHA256
8b8dcaf32ab68c2ec25a080394aa88f0b3a43544730ca6a5ea966cad52c31d4c

SHA512
98276d3e0da507bc1e2026c4c8e0262dfb3ca006467b1b15c2aa8a8eaf437334940f474815928398a192aab4ec47d3fa7da774206f03a28e843aebeb223de1c1

Download Submit
C:\Users\Admin\Pictures\ft4nIKSigaVrf6mDVAvcIrsV.exe

Filesize
2.8MB

MD5
2c80397c5743811bbb1b0378a8fcd070

SHA1
afe09d851cbfb09d60388bca28131bde3165d102

SHA256
8b8dcaf32ab68c2ec25a080394aa88f0b3a43544730ca6a5ea966cad52c31d4c

SHA512
98276d3e0da507bc1e2026c4c8e0262dfb3ca006467b1b15c2aa8a8eaf437334940f474815928398a192aab4ec47d3fa7da774206f03a28e843aebeb223de1c1

Download Submit
C:\Users\Admin\Pictures\kwOJi31aaN9aDeskhTVZwJnO.exe

Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\Pictures\kwOJi31aaN9aDeskhTVZwJnO.exe

Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\Pictures\kwOJi31aaN9aDeskhTVZwJnO.exe

Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\Pictures\rioNJaJ2qGI889EMTEHeIalT.exe

Filesize
4.1MB

MD5
94097ce65ef5e11c604c34d2934bf74c

SHA1
1968fcf8ae2707361b933ba82c9bb315fccc97eb

SHA256
8154844a72a8da965df7bbab93b1782d265cf51adaf8ae6b4a1e508a2cbc500a

SHA512
87d238094271cb26f35ad94834486c07b8c08c3c458013c0d0dc5f89c12bf13ef06d21f16128b6c634911c8819bddf0e2217095d90c9b73a36214277940d7998

Download Submit
C:\Users\Admin\Pictures\rioNJaJ2qGI889EMTEHeIalT.exe

Filesize
4.1MB

MD5
94097ce65ef5e11c604c34d2934bf74c

SHA1
1968fcf8ae2707361b933ba82c9bb315fccc97eb

SHA256
8154844a72a8da965df7bbab93b1782d265cf51adaf8ae6b4a1e508a2cbc500a

SHA512
87d238094271cb26f35ad94834486c07b8c08c3c458013c0d0dc5f89c12bf13ef06d21f16128b6c634911c8819bddf0e2217095d90c9b73a36214277940d7998

Download Submit
C:\Users\Admin\Pictures\rioNJaJ2qGI889EMTEHeIalT.exe

Filesize
4.1MB

MD5
94097ce65ef5e11c604c34d2934bf74c

SHA1
1968fcf8ae2707361b933ba82c9bb315fccc97eb

SHA256
8154844a72a8da965df7bbab93b1782d265cf51adaf8ae6b4a1e508a2cbc500a

SHA512
87d238094271cb26f35ad94834486c07b8c08c3c458013c0d0dc5f89c12bf13ef06d21f16128b6c634911c8819bddf0e2217095d90c9b73a36214277940d7998

Download Submit
C:\Users\Admin\Pictures\tFZbiNnKxEUg7ZE4V5AFK3Vb.exe

Filesize
5.2MB

MD5
df280925e135481b26e921dd1221e359

SHA1
877737c142fdcc03c33e20d4f17c48a741373c9e

SHA256
710a3e1beda67e1c543ba04423bfb0ba643815582310c0b3d03d03e071c894b8

SHA512
3da682a655a9df0ad0fcc6f28953f104383f3abe695afdd7a236d9ea0f05ef4de210da7c46139f3ce01e3e7dde9abf02b3665d1289e20426ba9164468807f487

Download Submit
C:\Users\Admin\Pictures\tFZbiNnKxEUg7ZE4V5AFK3Vb.exe

Filesize
5.2MB

MD5
df280925e135481b26e921dd1221e359

SHA1
877737c142fdcc03c33e20d4f17c48a741373c9e

SHA256
710a3e1beda67e1c543ba04423bfb0ba643815582310c0b3d03d03e071c894b8

SHA512
3da682a655a9df0ad0fcc6f28953f104383f3abe695afdd7a236d9ea0f05ef4de210da7c46139f3ce01e3e7dde9abf02b3665d1289e20426ba9164468807f487

Download Submit
C:\Users\Admin\Pictures\tFZbiNnKxEUg7ZE4V5AFK3Vb.exe

Filesize
5.2MB

MD5
df280925e135481b26e921dd1221e359

SHA1
877737c142fdcc03c33e20d4f17c48a741373c9e

SHA256
710a3e1beda67e1c543ba04423bfb0ba643815582310c0b3d03d03e071c894b8

SHA512
3da682a655a9df0ad0fcc6f28953f104383f3abe695afdd7a236d9ea0f05ef4de210da7c46139f3ce01e3e7dde9abf02b3665d1289e20426ba9164468807f487

Download Submit
C:\Users\Admin\Pictures\xUdPUMtvKFqsMgsQ5d4F16jh.exe

Filesize
4.1MB

MD5
0fea6a26c7b1e68332d83b3b5ebb8355

SHA1
f1cc882c7fa8c2e662575c5f79b19f1f02d82f13

SHA256
bd2349a7648f075606cfabf64e31b192809c1678f0088e1acf65746a0a4ae668

SHA512
f38cbbe706390ca6c4c32e0435ed0e4d1ac553b691e32223bb25c7927053fadf943ff55f13b4f3f6593b90eb62f38d1f8502709e126e05f53bafbfcce9b2f2e2

Download Submit
C:\Users\Admin\Pictures\xUdPUMtvKFqsMgsQ5d4F16jh.exe

Filesize
4.1MB

MD5
0fea6a26c7b1e68332d83b3b5ebb8355

SHA1
f1cc882c7fa8c2e662575c5f79b19f1f02d82f13

SHA256
bd2349a7648f075606cfabf64e31b192809c1678f0088e1acf65746a0a4ae668

SHA512
f38cbbe706390ca6c4c32e0435ed0e4d1ac553b691e32223bb25c7927053fadf943ff55f13b4f3f6593b90eb62f38d1f8502709e126e05f53bafbfcce9b2f2e2

Download Submit
C:\Users\Admin\Pictures\xUdPUMtvKFqsMgsQ5d4F16jh.exe

Filesize
4.1MB

MD5
0fea6a26c7b1e68332d83b3b5ebb8355

SHA1
f1cc882c7fa8c2e662575c5f79b19f1f02d82f13

SHA256
bd2349a7648f075606cfabf64e31b192809c1678f0088e1acf65746a0a4ae668

SHA512
f38cbbe706390ca6c4c32e0435ed0e4d1ac553b691e32223bb25c7927053fadf943ff55f13b4f3f6593b90eb62f38d1f8502709e126e05f53bafbfcce9b2f2e2

Download Submit
memory/740-385-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/740-139-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/740-287-0x0000000002AE0000-0x0000000002EDB000-memory.dmp

Filesize
4.0MB

Download
memory/740-295-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/740-135-0x0000000002EE0000-0x00000000037CB000-memory.dmp

Filesize
8.9MB

Download
memory/740-291-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/740-163-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/740-176-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/740-138-0x0000000002AE0000-0x0000000002EDB000-memory.dmp

Filesize
4.0MB

Download
memory/1592-258-0x0000021B0D8B0000-0x0000021B0D8D2000-memory.dmp

Filesize
136KB

Download
memory/1592-296-0x0000021B0D6A0000-0x0000021B0D6B0000-memory.dmp

Filesize
64KB

Download
memory/1592-303-0x00007FFE35460000-0x00007FFE35F21000-memory.dmp

Filesize
10.8MB

Download
memory/1592-265-0x0000021B0D6A0000-0x0000021B0D6B0000-memory.dmp

Filesize
64KB

Download
memory/1592-255-0x00007FFE35460000-0x00007FFE35F21000-memory.dmp

Filesize
10.8MB

Download
memory/1936-124-0x0000000075450000-0x0000000075C00000-memory.dmp

Filesize
7.7MB

Download
memory/1936-1-0x0000000075450000-0x0000000075C00000-memory.dmp

Filesize
7.7MB

Download
memory/1936-136-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/1936-2-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/1936-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1940-99-0x0000000075450000-0x0000000075C00000-memory.dmp

Filesize
7.7MB

Download
memory/1940-146-0x00000000065D0000-0x0000000006AFC000-memory.dmp

Filesize
5.2MB

Download
memory/1940-93-0x0000000004FA0000-0x0000000005032000-memory.dmp

Filesize
584KB

Download
memory/1940-92-0x0000000005450000-0x00000000059F4000-memory.dmp

Filesize
5.6MB

Download
memory/1940-313-0x0000000005B10000-0x0000000005B20000-memory.dmp

Filesize
64KB

Download
memory/1940-103-0x0000000005180000-0x00000000051E6000-memory.dmp

Filesize
408KB

Download
memory/1940-98-0x00000000050E0000-0x000000000517C000-memory.dmp

Filesize
624KB

Download
memory/1940-105-0x0000000005B10000-0x0000000005B20000-memory.dmp

Filesize
64KB

Download
memory/1940-96-0x0000000005210000-0x00000000053D2000-memory.dmp

Filesize
1.8MB

Download
memory/1940-225-0x0000000075450000-0x0000000075C00000-memory.dmp

Filesize
7.7MB

Download
memory/1940-86-0x00000000003E0000-0x00000000006FC000-memory.dmp

Filesize
3.1MB

Download
memory/1940-147-0x0000000007300000-0x000000000730A000-memory.dmp

Filesize
40KB

Download
memory/1940-322-0x0000000005B10000-0x0000000005B20000-memory.dmp

Filesize
64KB

Download
memory/1940-269-0x0000000005B10000-0x0000000005B20000-memory.dmp

Filesize
64KB

Download
memory/1940-151-0x0000000005B10000-0x0000000005B20000-memory.dmp

Filesize
64KB

Download
memory/1940-167-0x0000000005B10000-0x0000000005B20000-memory.dmp

Filesize
64KB

Download
memory/2108-180-0x0000000000550000-0x0000000000A9D000-memory.dmp

Filesize
5.3MB

Download
memory/2108-80-0x0000000000550000-0x0000000000A9D000-memory.dmp

Filesize
5.3MB

Download
memory/2508-321-0x00007FF786B00000-0x00007FF787043000-memory.dmp

Filesize
5.3MB

Download
memory/2508-184-0x00007FF786B00000-0x00007FF787043000-memory.dmp

Filesize
5.3MB

Download
memory/2508-365-0x00007FF786B00000-0x00007FF787043000-memory.dmp

Filesize
5.3MB

Download
memory/2800-134-0x0000000000550000-0x0000000000A9D000-memory.dmp

Filesize
5.3MB

Download
memory/3200-114-0x0000000000F30000-0x000000000147D000-memory.dmp

Filesize
5.3MB

Download
memory/3200-118-0x0000000000F30000-0x000000000147D000-memory.dmp

Filesize
5.3MB

Download
memory/3536-356-0x0000000005360000-0x0000000005382000-memory.dmp

Filesize
136KB

Download
memory/3536-323-0x0000000005460000-0x0000000005A88000-memory.dmp

Filesize
6.2MB

Download
memory/3536-319-0x0000000002D10000-0x0000000002D46000-memory.dmp

Filesize
216KB

Download
memory/3536-398-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3536-336-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3536-390-0x0000000005E60000-0x00000000061B4000-memory.dmp

Filesize
3.3MB

Download
memory/3536-400-0x0000000075450000-0x0000000075C00000-memory.dmp

Filesize
7.7MB

Download
memory/3536-392-0x00000000063A0000-0x00000000063BE000-memory.dmp

Filesize
120KB

Download
memory/3536-324-0x0000000075450000-0x0000000075C00000-memory.dmp

Filesize
7.7MB

Download
memory/3588-220-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3588-173-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3588-288-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3588-205-0x0000000002AD0000-0x0000000002ED4000-memory.dmp

Filesize
4.0MB

Download
memory/3588-65-0x0000000002AD0000-0x0000000002ED4000-memory.dmp

Filesize
4.0MB

Download
memory/3588-91-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3588-158-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3588-368-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3588-94-0x0000000002EE0000-0x00000000037CB000-memory.dmp

Filesize
8.9MB

Download
memory/4092-104-0x0000000000550000-0x0000000000A9D000-memory.dmp

Filesize
5.3MB

Download
memory/4340-337-0x0000000075450000-0x0000000075C00000-memory.dmp

Filesize
7.7MB

Download
memory/4340-393-0x0000000006AB0000-0x0000000006AFC000-memory.dmp

Filesize
304KB

Download
memory/4340-395-0x0000000006EE0000-0x0000000006F24000-memory.dmp

Filesize
272KB

Download
memory/4340-334-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/4340-335-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/4340-399-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/4340-369-0x0000000005A60000-0x0000000005AC6000-memory.dmp

Filesize
408KB

Download
memory/4340-401-0x0000000007CA0000-0x0000000007D16000-memory.dmp

Filesize
472KB

Download
memory/4604-348-0x0000000000D10000-0x00000000013FF000-memory.dmp

Filesize
6.9MB

Download
memory/4604-268-0x0000000000D10000-0x00000000013FF000-memory.dmp

Filesize
6.9MB

Download
memory/4604-289-0x0000000010000000-0x000000001057B000-memory.dmp

Filesize
5.5MB

Download
memory/4872-129-0x0000000000550000-0x0000000000A9D000-memory.dmp

Filesize
5.3MB

Download
memory/4920-182-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4920-132-0x0000000000950000-0x00000000009A1000-memory.dmp

Filesize
324KB

Download
memory/4920-133-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4920-137-0x00000000009B0000-0x0000000000AB0000-memory.dmp

Filesize
1024KB

Download
memory/4920-174-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4920-320-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4920-233-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4920-285-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4920-286-0x00000000009B0000-0x0000000000AB0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads