glupteba | cd1b77c825b2d988e9142e90f54308d76071615e16731fa6d6c63e8ba0961bc5

Analysis

max time kernel
0s
max time network
5s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e8fd63fbf58938109c336c047af0e0bd059b3b7840da0ae1577b4ba9fd20599.exe
Size

1.2MB
MD5

cdffa37fc141d02c84b9b936ed0b9cf1
SHA1

353d2047b0c1ab2b56c9995025d166ccf53efdff
SHA256

9e8fd63fbf58938109c336c047af0e0bd059b3b7840da0ae1577b4ba9fd20599
SHA512

ae188bdf163e159b1fa86191ce97f243fb4eb3c75b8b3a1175d1d79d8357ecdbf97fe49ead3d949384cf1a4c35c6a5144d5574820f35c07f4262219c5ac3df80
SSDEEP

24576:Aitr5NIPHu1yWk0grwGaKdfQnmTmA5FE0y5ekqjVnlqud+/2P+Af:AIFN/1yNlwwdInSvkqXfd+/9Af

Score

10^/10

glupteba zgrat dropper evasion loader rat trojan upx

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023286-815.dat	family_zgrat_v1
behavioral2/files/0x000700000002329f-845.dat	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

resource	yara_rule
behavioral2/memory/5448-730-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\9e8fd63fbf58938109c336c047af0e0bd059b3b7840da0ae1577b4ba9fd20599.exe = "0"	WerFault.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	WerFault.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
5384	netsh.exe
5464	netsh.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023283-700.dat	upx
behavioral2/memory/5536-717-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/5772-741-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5656	sc.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
5032	1644	WerFault.exe	97
1220	1644	WerFault.exe	97
2464	1644	WerFault.exe	97
520	1644	WerFault.exe	97
2940	1644	WerFault.exe	97
2612	1644	WerFault.exe	97
2088	1644	WerFault.exe	97
2660	1644	WerFault.exe	97
4372	4060	WerFault.exe	121
3612	4060	WerFault.exe	121
1268	4060	WerFault.exe	121
4484	4060	WerFault.exe	121
456	4060	WerFault.exe	121
3512	1644	WerFault.exe	97
4548	4060	WerFault.exe	121
3544	1644	WerFault.exe	97
3528	4060	WerFault.exe	121
3324	1644	WerFault.exe	97
5032	4060	WerFault.exe	121
4484	4060	WerFault.exe	121
2560	1644	WerFault.exe	97
2852	1644	WerFault.exe	97
1040	1644	WerFault.exe	97
404	1644	WerFault.exe	97
4352	1644	WerFault.exe	97
3104	1644	WerFault.exe	97
64	1644	WerFault.exe	97
4712	3824	WerFault.exe
3696	4208	WerFault.exe
1020	3824	WerFault.exe
2612	4208	WerFault.exe
2388	4208	WerFault.exe
3144	3824	WerFault.exe
3504	4208	WerFault.exe
2880	4208	WerFault.exe
3104	3824	WerFault.exe
1340	4208	WerFault.exe
2072	3824	WerFault.exe
1560	4208	WerFault.exe
1496	3824	WerFault.exe
2408	3824	WerFault.exe
1676	3824	WerFault.exe
2036	4208	WerFault.exe
5012	3824	WerFault.exe
3184	4208	WerFault.exe
2504	1644	WerFault.exe	97
5968	5448	WerFault.exe	229
824	4208	WerFault.exe	205
6036	5448	WerFault.exe	229
5576	5448	WerFault.exe	229
5824	5448	WerFault.exe	229
5584	5448	WerFault.exe	229
5652	5448	WerFault.exe	229
5836	5448	WerFault.exe	229
5992	5448	WerFault.exe	229
5920	4208	WerFault.exe	205
5776	5448	WerFault.exe	229
5444	5448	WerFault.exe	229
5932	5448	WerFault.exe	229
5788	5448	WerFault.exe	229
5596	5448	WerFault.exe	229
5444	5448	WerFault.exe	229
4996	5448	WerFault.exe	229
2944	5448	WerFault.exe	229

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5324	schtasks.exe
1480	schtasks.exe
3104	schtasks.exe
4072	schtasks.exe

Runs net.exe

C:\Users\Admin\AppData\Local\Temp\9e8fd63fbf58938109c336c047af0e0bd059b3b7840da0ae1577b4ba9fd20599.exe
"C:\Users\Admin\AppData\Local\Temp\9e8fd63fbf58938109c336c047af0e0bd059b3b7840da0ae1577b4ba9fd20599.exe"
1⤵
PID:3144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:2028
- - C:\Users\Admin\Pictures\UGuOKG03pGZO5Qa48v7S3c7F.exe
    "C:\Users\Admin\Pictures\UGuOKG03pGZO5Qa48v7S3c7F.exe"
    3⤵
    PID:3148
- - C:\Users\Admin\Pictures\k8q17rDztAhioeTrpK0h9jYn.exe
    "C:\Users\Admin\Pictures\k8q17rDztAhioeTrpK0h9jYn.exe"
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 696
      4⤵
      Program crash
      PID:5032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 748
      4⤵
      Program crash
      PID:1220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 740
      4⤵
      Program crash
      PID:2464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 772
      4⤵
      Program crash
      PID:520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 788
      4⤵
      Program crash
      PID:2940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 796
      4⤵
      Program crash
      PID:2612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 624
      4⤵
      Program crash
      PID:2088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 916
      4⤵
      Program crash
      PID:2660
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 964
      4⤵
      Program crash
      PID:3512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 844
      4⤵
      Program crash
      PID:3544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 916
      4⤵
      Program crash
      PID:3324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 964
      4⤵
      Program crash
      PID:2560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 932
      4⤵
      Program crash
      PID:2852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 824
      4⤵
      Program crash
      PID:1040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 696
      4⤵
      Program crash
      PID:404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 684
      4⤵
      Program crash
      PID:4352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 404
      4⤵
      Program crash
      PID:3104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 388
      4⤵
      Program crash
      PID:64
  - - C:\Users\Admin\Pictures\k8q17rDztAhioeTrpK0h9jYn.exe
      "C:\Users\Admin\Pictures\k8q17rDztAhioeTrpK0h9jYn.exe"
      4⤵
      PID:3824
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5536
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:5656
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5320
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:6080
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:5448
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 408
        6⤵
        Program crash
        
        PID:5968
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 616
        6⤵
        Program crash
        
        PID:6036
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 720
        6⤵
        Program crash
        
        PID:5576
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 740
        6⤵
        Program crash
        
        PID:5824
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 740
        6⤵
        Program crash
        
        PID:5584
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 756
        6⤵
        Program crash
        
        PID:5652
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 788
        6⤵
        Program crash
        
        PID:5836
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5880
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 388
        6⤵
        Program crash
        
        PID:5992
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 380
        6⤵
        Program crash
        
        PID:5776
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1480
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 976
        6⤵
        Program crash
        
        PID:5444
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5140
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:5432
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 968
        6⤵
        Program crash
        
        PID:5932
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5908
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 980
        6⤵
        Program crash
        
        PID:5788
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 1004
        6⤵
        Program crash
        
        PID:5596
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:1244
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 796
        6⤵
        Program crash
        
        PID:5444
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:3104
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:5536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 1112
        6⤵
        Program crash
        
        PID:4996
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 1128
        6⤵
        Program crash
        
        PID:2944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 372
      4⤵
      Program crash
      PID:2504
- - C:\Users\Admin\Pictures\AgaeGSycVKOaK2OuwZZCOFka.exe
    "C:\Users\Admin\Pictures\AgaeGSycVKOaK2OuwZZCOFka.exe"
    3⤵
    PID:4060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 372
      4⤵
      Program crash
      PID:4372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 716
      4⤵
      Program crash
      PID:3612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 760
      4⤵
      Program crash
      PID:1268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 784
      4⤵
      Program crash
      PID:4484
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3308
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 752
      4⤵
      Program crash
      PID:456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 716
      4⤵
      Program crash
      PID:4548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 620
      4⤵
      Program crash
      PID:3528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 412
      4⤵
      Program crash
      PID:5032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 400
      4⤵
      Program crash
      PID:4484
  - - C:\Users\Admin\Pictures\AgaeGSycVKOaK2OuwZZCOFka.exe
      "C:\Users\Admin\Pictures\AgaeGSycVKOaK2OuwZZCOFka.exe"
      4⤵
      PID:4208
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5408
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5592
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5128
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 904
        5⤵
        Program crash
        
        PID:824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 852
        5⤵
        Program crash
        
        PID:5920
- - C:\Users\Admin\Pictures\eIyxWC8I4YWfzE5UXb99O3RX.exe
    "C:\Users\Admin\Pictures\eIyxWC8I4YWfzE5UXb99O3RX.exe"
    3⤵
    PID:5780
  - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      4⤵
      PID:5524
  - - C:\Users\Admin\AppData\Local\Temp\nsl1569.tmp
      C:\Users\Admin\AppData\Local\Temp\nsl1569.tmp
      4⤵
      PID:1608
- - C:\Users\Admin\Pictures\3G8dxq3PcukujTAEXi4Tx16F.exe
    "C:\Users\Admin\Pictures\3G8dxq3PcukujTAEXi4Tx16F.exe"
    3⤵
    PID:6028
- - C:\Users\Admin\Pictures\uvvVnvuHP3ZmgECXLKB5C4DG.exe
    "C:\Users\Admin\Pictures\uvvVnvuHP3ZmgECXLKB5C4DG.exe"
    3⤵
    PID:5984
  - - C:\Users\Admin\AppData\Local\Temp\7zS7308.tmp\Install.exe
      .\Install.exe
      4⤵
      PID:5544
    - - C:\Users\Admin\AppData\Local\Temp\7zS750C.tmp\Install.exe
        
        .\Install.exe /UdidKIT "385118" /S
        5⤵
        
        PID:5952
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        7⤵
        
        PID:3264
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:6132
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gmazgHNUM"
        6⤵
        
        PID:5908
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gmazgHNUM" /SC once /ST 01:07:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:4072
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bQqfrfOcqJXaOOvqOO" /SC once /ST 15:36:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn\QNmqfQdbJlhVwcQ\evuDyfy.exe\" pA /Kpsite_idTmC 385118 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:5324
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gmazgHNUM"
        6⤵
        
        PID:2976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9e8fd63fbf58938109c336c047af0e0bd059b3b7840da0ae1577b4ba9fd20599.exe" -Force
  2⤵
  PID:3920

C:\Users\Admin\Pictures\BVn4ZQGcZsBlL066HcWPOUE1.exe
"C:\Users\Admin\Pictures\BVn4ZQGcZsBlL066HcWPOUE1.exe"
1⤵
PID:3228

C:\Users\Admin\AppData\Local\Temp\is-4BQKT.tmp\UGuOKG03pGZO5Qa48v7S3c7F.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4BQKT.tmp\UGuOKG03pGZO5Qa48v7S3c7F.tmp" /SL5="$C0186,4472587,54272,C:\Users\Admin\Pictures\UGuOKG03pGZO5Qa48v7S3c7F.exe"
1⤵
PID:2608
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\system32\net.exe" helpmsg 1102
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 helpmsg 1102
    3⤵
    PID:4192
- C:\Users\Admin\AppData\Local\Bitrix Report LIB\bitrixreportlib.exe
  "C:\Users\Admin\AppData\Local\Bitrix Report LIB\bitrixreportlib.exe" -s
  2⤵
  PID:3040
- C:\Users\Admin\AppData\Local\Bitrix Report LIB\bitrixreportlib.exe
  "C:\Users\Admin\AppData\Local\Bitrix Report LIB\bitrixreportlib.exe" -i
  2⤵
  PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1644 -ip 1644
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1644 -ip 1644
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1644 -ip 1644
1⤵
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1644 -ip 1644
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1644 -ip 1644
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1644 -ip 1644
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1644 -ip 1644
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1644 -ip 1644
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1644 -ip 1644
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1644 -ip 1644
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1644 -ip 1644
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1644 -ip 1644
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1644 -ip 1644
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1644 -ip 1644
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4060 -ip 4060
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1644 -ip 1644
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4060 -ip 4060
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1644 -ip 1644
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1644 -ip 1644
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4060 -ip 4060
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4060 -ip 4060
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4060 -ip 4060
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4060 -ip 4060
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4060 -ip 4060
1⤵
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4060 -ip 4060
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4060 -ip 4060
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1644 -ip 1644
1⤵
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1644 -ip 1644
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4208 -ip 4208
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 336
1⤵
- Program crash
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3824 -ip 3824
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4208 -ip 4208
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3824 -ip 3824
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4208 -ip 4208
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3824 -ip 3824
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 368
1⤵
- Program crash
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 664
1⤵
- Program crash
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 652
1⤵
- Program crash
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4208 -ip 4208
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4208 -ip 4208
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4208 -ip 4208
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 736
1⤵
- Program crash
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 748
1⤵
- Windows security bypass
- Program crash
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 756
1⤵
- Program crash
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 744
1⤵
- Program crash
PID:2880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
1⤵
PID:4092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4208 -ip 4208
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3824 -ip 3824
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4208 -ip 4208
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 728
1⤵
- Program crash
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 664
1⤵
- Program crash
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3824 -ip 3824
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 720
1⤵
- Program crash
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 664
1⤵
- Program crash
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3824 -ip 3824
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 664
1⤵
- Program crash
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3824 -ip 3824
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4208 -ip 4208
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3824 -ip 3824
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 652
1⤵
- Program crash
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 356
1⤵
- Program crash
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 352
1⤵
- Program crash
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 352
1⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 336
1⤵
- Program crash
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3824 -ip 3824
1⤵
PID:3500

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:5384

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:5464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5448 -ip 5448
1⤵
PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4208 -ip 4208
1⤵
PID:5812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5448 -ip 5448
1⤵
PID:5772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5448 -ip 5448
1⤵
PID:6096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5448 -ip 5448
1⤵
PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5448 -ip 5448
1⤵
PID:5640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5448 -ip 5448
1⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5448 -ip 5448
1⤵
PID:6028
- C:\Users\Admin\AppData\Local\Temp\is-QKH8M.tmp\3G8dxq3PcukujTAEXi4Tx16F.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QKH8M.tmp\3G8dxq3PcukujTAEXi4Tx16F.tmp" /SL5="$202C6,140559,56832,C:\Users\Admin\Pictures\3G8dxq3PcukujTAEXi4Tx16F.exe"
  2⤵
  PID:5564
- - C:\Users\Admin\AppData\Local\Temp\is-H47MA.tmp\444567.exe
    "C:\Users\Admin\AppData\Local\Temp\is-H47MA.tmp\444567.exe" /S /UID=lylal220
    3⤵
    PID:5704
  - - C:\Users\Admin\AppData\Local\Temp\98-8b369-c18-8ba93-007a232a5a62c\Nefujyqaehy.exe
      "C:\Users\Admin\AppData\Local\Temp\98-8b369-c18-8ba93-007a232a5a62c\Nefujyqaehy.exe"
      4⤵
      PID:3744
  - - C:\Program Files (x86)\Windows Portable Devices\RKWHUITSET\lightcleaner.exe
      "C:\Program Files (x86)\Windows Portable Devices\RKWHUITSET\lightcleaner.exe" /VERYSILENT
      4⤵
      PID:3652
    - - C:\Users\Admin\AppData\Local\Temp\is-PRIBS.tmp\lightcleaner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PRIBS.tmp\lightcleaner.tmp" /SL5="$902F6,833775,56832,C:\Program Files (x86)\Windows Portable Devices\RKWHUITSET\lightcleaner.exe" /VERYSILENT
        5⤵
        
        PID:5884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4208 -ip 4208
1⤵
PID:5916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5448 -ip 5448
1⤵
PID:5932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5448 -ip 5448
1⤵
PID:5936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5448 -ip 5448
1⤵
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5448 -ip 5448
1⤵
PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5448 -ip 5448
1⤵
PID:5656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5448 -ip 5448
1⤵
PID:5876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5448 -ip 5448
1⤵
PID:4712

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5772

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
1⤵
PID:352

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
1⤵
PID:5156

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
1⤵
PID:5664

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
1⤵
PID:1308

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
1⤵
PID:4276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1196
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6012

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5448 -ip 5448
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5448 -ip 5448
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
3847ce73f6f40243a8763d24bb553c00

SHA1
e5f4ce137673bf70470dcd3cda7928a2459162ad

SHA256
f6e9dcde4b4bb7c853f42b411fb2c93ac1404e53a996a32e9cff3a5133a3bc91

SHA512
b1ae3fb2c91ae24c83916e13e24c3e565a5cc0e9b016db68139f9e40e12af8b7f4ba4c2deb8b729c3aec76cbc33495662fedf8a0c3174c82721852872b366baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7d27422cb3821c1da2936424d5c39bac

SHA1
51d5e584251f305759c29861fbc554b832e9199e

SHA256
7628c87ded4362fe240099f07447119312001f226f4a85f87c1399a8d8574633

SHA512
7428bedc420249d8483ce4901d5e18fe21d6da750fdbf0d0e2176e942f534cdf8bf8d6f30f3274b634473369dde2a8b584176f2a2de2f88738792fa04a1a810b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7308.tmp\Install.exe

Filesize
6.1MB

MD5
a87ed7a8e986a940ecd54fef2ed44e4b

SHA1
5b889d42f550c75955e5d18db6b961348a8b49a7

SHA256
83ed9dd0b3c044782d376d0a0a68e50f1db81dbcb643ab1b83e3f5fc7b5e3dac

SHA512
c00a6a5ce5fe151fb74c974bfe41ca36c219bf24a3d132a47c209c8d7dec5e3d8ae84cee4540d935c9a41af8e4b37330019ad91d8b446fb77c1f538da91c3caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS750C.tmp\Install.exe

Filesize
6.9MB

MD5
54d7b03e3609d463ac382f8adc9132e3

SHA1
667964ced2c10ff82bf3252de4a7f1462346eebf

SHA256
d790ba31bcc043b6ff5ec8e209a6229436e38c991e71567f0f8553a8967c405c

SHA512
6bf6414c84ac72c6b8205bf49364d5ec4f6a0a4f4a0e0e0e9f027c62c0883349ef0fefca5cc5ca24994fa65e509e3bacf7fc0644839d5bdee2c5c7dd80aa2e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\98-8b369-c18-8ba93-007a232a5a62c\Nefujyqaehy.exe

Filesize
904KB

MD5
0eead789edfb33caa9ddba1b2e6a7572

SHA1
8016335dd364714a734604183fd9f292dda6f534

SHA256
d5b7c6dc1066046e391bae0c4d015bfb15898ebfdc3e79dd838b136abaa0aa85

SHA512
fc50e6fb5d01cac36978a491e719254aa689dd5e6f369f51f3d35d29ee57f4588fbde431c549e8561b5b08f8f4098e2b14c88a51b55d09428fb5bb566c2d30b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H47MA.tmp\444567.exe

Filesize
1.1MB

MD5
d07e3daf854625fba172f348a00806ee

SHA1
01325f272466b9c0e6f2a595e122dca29a9a6ea0

SHA256
579f517c548885bded8ce612e6d52a4bd82c27b3e25fbeeb37e69ae2ba57e434

SHA512
29877bea6b2f29dbc910ab6e8670b2411b35050c9423700f9719bfd7f2e70886cebddef2741bf50308433afb7a5a86c4e07ebd1ff1348662953656be9b7e37d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H47MA.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H47MA.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QKH8M.tmp\3G8dxq3PcukujTAEXi4Tx16F.tmp

Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl1569.tmp

Filesize
260KB

MD5
0cd5e01a5df4a7733b3ae13133193a8d

SHA1
25b8f858fcd94931a9d311079fe9c1e1ec1e36f1

SHA256
4f40aadfd9e2211e5c9dad033a3f246dd7af2cc4b24e88b7cf71ea60a63e4ff1

SHA512
2ab0bdfc65d822f50476fce9c572641fec7d2d3d8f6d27c4f3b64e8ec8b8afe36642ecd43c1a9bc220684e2d7dc08661a550d6e476c03602bb53885eb1efa53d

Download Submit
C:\Users\Admin\Pictures\3G8dxq3PcukujTAEXi4Tx16F.exe

Filesize
380KB

MD5
748d10a9f74335cb40b9d62a720bd9d5

SHA1
ef91ce42b14e911a1c178e5cf8675b54922f8f88

SHA256
a32365528f89268c7a0e8a8a8052612ffb72e2eda4c1c8a299cba656cbaf3889

SHA512
9510690e4dff3efbe31fd8139f5694ecec0adeded536faefb4aef6b1eb7a572f7505746f6bbef9959a846e4fe3e63e5c8c7f4a726797c2c879cb7d4a0aa39961

Download Submit
C:\Users\Admin\Pictures\uvvVnvuHP3ZmgECXLKB5C4DG.exe

Filesize
7.3MB

MD5
9d4b9245bffbb728f651f6f8e7906ff5

SHA1
306b3c495da4f7c1cdc8034a0d751e1b3655def7

SHA256
edd39749902200b1d36569de0b3e54e7186038cf5f72e751f1908196476f895e

SHA512
b9210b6b379039f942898933486ddfca9655389d7ee8f928e925dde097b16e176c3abd906d1c15f94b3bc30f314a390d3ac3c16f5bb2f94f58ae66a4d926f1df

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/520-209-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/520-205-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/520-210-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/1608-747-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1608-742-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/1644-263-0x0000000002DD0000-0x00000000036BB000-memory.dmp

Filesize
8.9MB

Download
memory/1644-262-0x0000000001030000-0x000000000142E000-memory.dmp

Filesize
4.0MB

Download
memory/1644-264-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1644-468-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2028-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2028-206-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/2028-10-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/2028-212-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/2028-11-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/2608-96-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2608-380-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2608-278-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3040-655-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/3040-771-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/3040-213-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/3040-215-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/3040-608-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/3040-295-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/3040-736-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/3040-382-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/3144-3-0x00000000013B0000-0x00000000013B8000-memory.dmp

Filesize
32KB

Download
memory/3144-0-0x0000000000790000-0x00000000008D2000-memory.dmp

Filesize
1.3MB

Download
memory/3144-2-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/3144-6-0x00000000061B0000-0x0000000006754000-memory.dmp

Filesize
5.6MB

Download
memory/3144-1-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3144-9-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3144-5-0x0000000005AF0000-0x0000000005BE6000-memory.dmp

Filesize
984KB

Download
memory/3144-4-0x0000000005280000-0x000000000529A000-memory.dmp

Filesize
104KB

Download
memory/3148-84-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3148-86-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3148-276-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3228-42-0x00007FF6428E0000-0x00007FF64294F000-memory.dmp

Filesize
444KB

Download
memory/3308-297-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3308-299-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/3308-298-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/3824-563-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3920-29-0x0000000005D60000-0x00000000060B4000-memory.dmp

Filesize
3.3MB

Download
memory/3920-43-0x000000007EFF0000-0x000000007F000000-memory.dmp

Filesize
64KB

Download
memory/3920-67-0x0000000007950000-0x0000000007958000-memory.dmp

Filesize
32KB

Download
memory/3920-55-0x00000000074D0000-0x00000000074EE000-memory.dmp

Filesize
120KB

Download
memory/3920-58-0x0000000007500000-0x00000000075A3000-memory.dmp

Filesize
652KB

Download
memory/3920-65-0x0000000007870000-0x0000000007884000-memory.dmp

Filesize
80KB

Download
memory/3920-70-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3920-12-0x0000000004D30000-0x0000000004D66000-memory.dmp

Filesize
216KB

Download
memory/3920-16-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/3920-64-0x0000000007860000-0x000000000786E000-memory.dmp

Filesize
56KB

Download
memory/3920-63-0x0000000007830000-0x0000000007841000-memory.dmp

Filesize
68KB

Download
memory/3920-66-0x0000000007970000-0x000000000798A000-memory.dmp

Filesize
104KB

Download
memory/3920-14-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3920-44-0x00000000068E0000-0x0000000006912000-memory.dmp

Filesize
200KB

Download
memory/3920-56-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/3920-60-0x0000000007630000-0x000000000764A000-memory.dmp

Filesize
104KB

Download
memory/3920-13-0x00000000054F0000-0x0000000005B18000-memory.dmp

Filesize
6.2MB

Download
memory/3920-45-0x0000000070F20000-0x0000000070F6C000-memory.dmp

Filesize
304KB

Download
memory/3920-59-0x0000000007C80000-0x00000000082FA000-memory.dmp

Filesize
6.5MB

Download
memory/3920-61-0x00000000076A0000-0x00000000076AA000-memory.dmp

Filesize
40KB

Download
memory/3920-18-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/3920-19-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/3920-57-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/3920-62-0x00000000078B0000-0x0000000007946000-memory.dmp

Filesize
600KB

Download
memory/3920-31-0x0000000006340000-0x000000000638C000-memory.dmp

Filesize
304KB

Download
memory/3920-30-0x0000000006300000-0x000000000631E000-memory.dmp

Filesize
120KB

Download
memory/3920-15-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/3920-17-0x0000000005470000-0x0000000005492000-memory.dmp

Filesize
136KB

Download
memory/4060-346-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4060-277-0x0000000001100000-0x0000000001501000-memory.dmp

Filesize
4.0MB

Download
memory/4060-279-0x0000000002EB0000-0x000000000379B000-memory.dmp

Filesize
8.9MB

Download
memory/4060-280-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4208-560-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4860-309-0x0000000006CC0000-0x0000000006D04000-memory.dmp

Filesize
272KB

Download
memory/4860-283-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download
memory/4860-285-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download
memory/4860-296-0x0000000005E30000-0x0000000005E7C000-memory.dmp

Filesize
304KB

Download
memory/4860-284-0x0000000005580000-0x00000000058D4000-memory.dmp

Filesize
3.3MB

Download
memory/4860-282-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/5448-730-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5448-746-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5448-646-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5524-738-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/5536-717-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/5564-740-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5772-741-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/6028-739-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6028-690-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads