Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
20-04-2024 09:53
General
-
Target
dfe244414c8461175241ce54707eb6b6.exe
-
Size
405KB
-
MD5
dfe244414c8461175241ce54707eb6b6
-
SHA1
1c94e583b7058d01dad42d56ef5ddf17b64b5778
-
SHA256
6b7baa1db0d2ed5c12dfb8f289449384ff821110f9b490379c5fcd9190090f4e
-
SHA512
a8b872308f2e4d51bf99617bad931117921a4332d2a4b2e84c6e45bf42829999a95883b146dca93894ffbd5bcd0f03cb682468457ac2ff1cefcb43155f4225c9
-
SSDEEP
12288:eN6XS66ZeKgLaIGVkwpU0uNqFrNNkpICQzlG:26CNe0IGVl+qHul
Malware Config
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 16 IoCs
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 8 IoCs
-
Executes dropped EXE 23 IoCs
-
Loads dropped DLL 9 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 7 IoCs
Detects Themida, an advanced Windows software protection system.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 8 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 14 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 9 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dfe244414c8461175241ce54707eb6b6.exe"C:\Users\Admin\AppData\Local\Temp\dfe244414c8461175241ce54707eb6b6.exe"1⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dfe244414c8461175241ce54707eb6b6.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Fdme3Tu8iZv2WMfiE0EcNHfd.exe"C:\Users\Admin\Pictures\Fdme3Tu8iZv2WMfiE0EcNHfd.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\uf8.0.exe"C:\Users\Admin\AppData\Local\Temp\uf8.0.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 10405⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exeC:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exeC:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe7⤵
- Drops file in Windows directory
-
-
-
-
-
-
C:\Users\Admin\Pictures\IyV7gPo8ohrWhtnDyz03tACU.exe"C:\Users\Admin\Pictures\IyV7gPo8ohrWhtnDyz03tACU.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\IyV7gPo8ohrWhtnDyz03tACU.exe"C:\Users\Admin\Pictures\IyV7gPo8ohrWhtnDyz03tACU.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\XHZE6XPpDYmmijt8QGIwAdbO.exe"C:\Users\Admin\Pictures\XHZE6XPpDYmmijt8QGIwAdbO.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 25645⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\XHZE6XPpDYmmijt8QGIwAdbO.exe"C:\Users\Admin\Pictures\XHZE6XPpDYmmijt8QGIwAdbO.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\Pictures\4uBfhilwjdlkKrb1TSCCuwRe.exe"C:\Users\Admin\Pictures\4uBfhilwjdlkKrb1TSCCuwRe.exe"3⤵
- Modifies firewall policy service
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\55dX5nybY74bBVYSEWX4v4JA.exe"C:\Users\Admin\Pictures\55dX5nybY74bBVYSEWX4v4JA.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS209E.tmp\Install.exe.\Install.exe /nxdidQZJ "385118" /S4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 09:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\ROgyVeu.exe\" em /Dksite_idsVB 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\Pictures\KiL20IV7W2j3whVhoIQuT0wU.exe"C:\Users\Admin\Pictures\KiL20IV7W2j3whVhoIQuT0wU.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS402C.tmp\Install.exe.\Install.exe /nxdidQZJ "385118" /S4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 09:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\UpMjCtr.exe\" em /Utsite_idARy 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\Pictures\7mmV2mgNZZRKBeZ3CX2aTL6F.exe"C:\Users\Admin\Pictures\7mmV2mgNZZRKBeZ3CX2aTL6F.exe" --silent --allusers=03⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\7mmV2mgNZZRKBeZ3CX2aTL6F.exeC:\Users\Admin\Pictures\7mmV2mgNZZRKBeZ3CX2aTL6F.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2a8,0x2ac,0x2b0,0x284,0x2b4,0x6fc2e1d0,0x6fc2e1dc,0x6fc2e1e84⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\7mmV2mgNZZRKBeZ3CX2aTL6F.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\7mmV2mgNZZRKBeZ3CX2aTL6F.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\Pictures\7mmV2mgNZZRKBeZ3CX2aTL6F.exe"C:\Users\Admin\Pictures\7mmV2mgNZZRKBeZ3CX2aTL6F.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=208 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240420095528" --session-guid=16f521e5-d503-4113-b8b5-5d21dc171159 --server-tracking-blob="N2M4ODA2ZWU1MTQ0MDIwZGRmNjBhMDIzN2FhMmIzY2NhNzRkYjY5MDQ2ZjZjN2I0YWZlOWYwNGFhNWM1NDVkNzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fMTIzIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzNjA2NzkwLjY3MTMiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzEyMyIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiNTk0NzRmNDEtYTI3Mi00YzQwLWIxNjItN2VmYTBlYzVkMTczIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=80050000000000004⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\7mmV2mgNZZRKBeZ3CX2aTL6F.exeC:\Users\Admin\Pictures\7mmV2mgNZZRKBeZ3CX2aTL6F.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6ed0e1d0,0x6ed0e1dc,0x6ed0e1e85⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1152 -ip 11521⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1772 -ip 17721⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5a6ea7bfcd3aac150c0caef765cb52281
SHA1037dc22c46a0eb0b9ad4c74088129e387cffe96b
SHA256f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9
SHA512c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
11KB
MD5fd8d3044464b8387c36d088c8b8a9d6f
SHA1b724bb1c9fbfcc1282c7360245161025695bc309
SHA256d6cbd711a15f48efd033de59e751d6bbbd975efd8355dd750d829760bfbdb2c3
SHA5128e14d0f763931861e4738cdc4ea02f1b3c21a945cc4163d84ee3a1e0723d9262d5d48ee8a9c910c620889ab07814139ea35ddfdddd5d00ade23ee250524b1754
-
Filesize
5.9MB
MD5dcc26dd014bad9eafa9066d3781b615d
SHA1b0cb8621ca58a196ac73bed4e525deacfaf2d836
SHA25669502ffc7e2b8946d420e682cd1421f58a17f489590f761c580ce2a4feb74ae3
SHA5125a7804fdebe09aada86e327899fa7ce6830c26c426d398dd72ef68121c33e59c2572709a725f43d6f1d31c52e7b4ea10b2128d00d530a00ef9db9a8efef204e3
-
Filesize
1.4MB
MD5c7a2e3ab9a9d52c341c5442b55f79f3d
SHA1953b445877c8973414a348d9ca4bfdc2470e500f
SHA256b6c180c52b582b49ea41885e860da3a4407f2d8a20f1da08eff9106c6ce61560
SHA512463a9f3c977f16dc4c36c6f6a9d03448b27f034461fe72d3965bfcf2c852cad8e769f8ee538cabab622cca4888e5a5515256cb185f08d58f0f7b8fef9eab6294
-
Filesize
6.8MB
MD5e77964e011d8880eae95422769249ca4
SHA18e15d7c4b7812a1da6c91738c7178adf0ff3200f
SHA256f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50
SHA5128feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade
-
Filesize
4.6MB
MD50415cb7be0361a74a039d5f31e72fa65
SHA146ae154436c8c059ee75cbc6a18ccda96bb2021d
SHA256bb38a8806705980ee3e9181c099e8d5c425e6c9505a88e5af538ca6a48951798
SHA512f71c2b9e1559aa4eb2d72f852ef9807c781d4a7b96b8e0c2c53b895885319146bd43aa6e4223d43159f3d40bc60704206404dc034500e47fca0a94e53b60239e
-
Filesize
14.7MB
MD56955715b6ff15bdc153a2431cc395cca
SHA1272e1eec66a1871b300484b2200b507a4abe5420
SHA256a6d40169be9c151e9e6c86fe53d2bac3b4c2ddb41c0b650d961f8328939b4761
SHA512cf82d27d7010be69ab1c288fef9d820905407c8018e2a91f3c39a0eda5e9378e0ff04d077520d556d46d7a9cb0a3a640d15a10ad4090e482be3c83930836019d
-
Filesize
1.6MB
MD58f75e17a8bf3de6e22e77b5586f8a869
SHA1e0bf196cfc19a8772e003b9058bdc211b419b261
SHA2565f10a9fdcac32e93b1cebc365868ee3266f80c2734524b4aa7b6ea54e123f985
SHA5125a1e78613ad90cb0dc855d8a935b136722749889b66d4d8fc0f52438f0a4f4c8c31fbb981e9c6a13ffb2cc2b77fe0747204b63a91c6fff4646eed915387c8d7d
-
Filesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
Filesize
1.5MB
MD57d2f87123e63950159fb2c724e55bdab
SHA1360f304a6311080e1fead8591cb4659a8d135f2d
SHA256b3483bb771948ed8d3f76faaa3606c8ef72e3d2d355eaa652877e21e0651aa9a
SHA5126cb8d27ebcfdf9e472c0a6fff86e6f4ec604b8f0f21c197ba6d5b76b703296c10c8d7c4fb6b082c7e77f5c35d364bcffd76ae54137e2c8944c1ea7bb9e2e5f08
-
Filesize
24KB
MD5ff36ebcf134c8846aea77446867e5bc6
SHA153fdf2c0bec711e377edb4f97cd147728fb568f6
SHA256e1c256e5a7f17cb64740223084009f37bddccc49b05e881133412057689b04e9
SHA512b07d5065dd39843c8c7bdfccdd8d39f44b1ce9fe100a2fcf7210549ea1d46bcac54080cf91eff0a05360b26233c542daabdbd5d3f096a5bf0e366583ddb29ec1
-
Filesize
1.3MB
MD52d8de35aa00138b2bfc4fb0fc3d0f58b
SHA128c2d84e01815702c230da456aaa17c7d2519186
SHA25619340e9202db71d8010563c8b8d325cbef5d8448a8df2ad730e74a5a46e36dac
SHA512378116bc71de9f968aaef6ca27944e341a9a825a92831f5834c396160581f5e3656d3b6d1c2a304a65a74c0dd9ca0c50fb0e0016b6174d1fab68909ea1c95128
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
353KB
MD531cb8ff276a0a394c3572a942fb623c3
SHA1e64b3f111a0cd572b201ecac2b3cab849b854a06
SHA256e80bfaa0b68c7040402915f2d057e7114f0a0b16ca3e36dcd937bf19341347e8
SHA512cd864f77c63943836a34e6daa52c4cc65bbd6c8bf064c841598dd12f48b65a0182ce8147ebd38f5aaf25196889b1e8d23a3c73fb9d4493a95199940f9786f1be
-
Filesize
3.9MB
MD5ffee05ea98b1d51026a44fad0841a8a9
SHA150a703329c7b9812c17a02b554cf406040079fec
SHA2564cb040696b9ffb14794955b0e56eed04fde0cae3a5ee748dd513ad42c411c823
SHA512626ddc18a906b74a231daa5bcc092a90708e0e3d42e4db645d59d19de7ef38a2d91a843f11dbc7873d379bfa14e87c5fc6d09a657e0b44abd24b9991cb971f86
-
Filesize
6.4MB
MD5aaa56797070369ad346fbd9bb6cc5e8b
SHA1a1d01943f0a354d3a000628262671254ca6a91b8
SHA2569d7d08ac35f0113f7c814d257bf88b8222975aaa0a3fdeda88ac7185dbc50905
SHA512e69d25a158567c6bce6e9450de17d0814b9b9c11f4bb31e5dcc3e8b4378062cc7e31da625f6ba4a2280b393034a6c832a0fc0a1e16364dc7e8c8146de245b5be
-
Filesize
5.1MB
MD54d634e5d8dfab878d40802e7639aff32
SHA1225b69fc00a010ab67514c0e456231e04c39f66c
SHA2561d0ca26acbe2cc2ac9a4eca37bc9f8b6220e4552067170de750e93fac7a79775
SHA512d748cf06cd5af172f858811b83ad03e130b01fda254c98009433f4bb95ace9ba7b13698eab113b1ed802077249a09fbb9d507b95eaa5ad296d8bd1f851b50e94
-
Filesize
497KB
MD5b9ebdc793cc3fbe86aa0a538ffc33478
SHA19375ca7ec76d457333d9d486256c38e2702d8469
SHA2567753d4641934c2c05803c4d1704afa5c941d75b2d3cd67f76be27b21c66a26e9
SHA5128745440e3dda6dff251fddbc19e6ae13ec757808be161551ef7ef7f26a86031191fd7327127b5120f0c1e1f8449125327c9cf3f20cc453ad92da20e36605d4f8
-
Filesize
4.2MB
MD53b4f81a6c1cf0d18a0228d9b5797c1d1
SHA1a1bbeccb2e61c5fbd1ce35898418a5f95fb1130c
SHA256ef70e45cd7609f524ec2a8b4e03c846f637e6fbe04eaa46f6295609ee51f1302
SHA512e7979818b4790f8089cd5c5c7d61664f08e99ea7d809e73bc31f963db2bc67fc24af486a44313b8bc878f7bb569d2b60c841e6e2548c5be98b63a11abf6c50c9
-
Filesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
19KB
MD56e113d40c96cc7ecb7cf2895c163d489
SHA1c6e33ecba70ee3ce3bf9c8dcd75e33afa067a0f6
SHA256b0e48864df0efddd2417a32692e973c63c706e65894c3c7c7e57a21d7b59daf2
SHA51259658604879f2c9f7d7763e5441a57eeb5eaab706aabd8cbbab89475e475a2ab325c889efa8d9896e51d3c7ec1e9082b98b6ed153bfd75d749f91dab14ce00e6
-
Filesize
19KB
MD5ce879c24aa3b4782b859b08568f7fbdf
SHA1f92f9b83661bae2a21f6b2e020266d15df110922
SHA256122b6d3ed38dfb27df5d1945a52c2e13930913cb50519122944075ee4171f5ee
SHA51209694bea1a1a18b24c63c2ed00d13c1c4746a93ef9e14cafbda93abae732a3cce11e98e1e3b8409753e5cedfd572e336c9d0c54970db3ec0c0f4e380349ddc37
-
Filesize
19KB
MD51c0020f110bd2fab52dfdf763a27a898
SHA146012c7b56d216261024947d4282706f7dfeb9cc
SHA25606d9d4e790568d6cd719a4d13f9d8b622bb77781727417bfdb6a8a56edd4c052
SHA5124f3a445e6cd9bfeb61a4c14d6b0cf287222b0b8788653569083f98541feb85932623a6f4c6d07fef120991341d3d6f2e708ed129c723665275636f817354d977
-
Filesize
19KB
MD54d1e4391e224b60874102b6845d321d8
SHA106e49283f7962344905ab8e343c2df5031af20c8
SHA256b68f32986785e90fa9f7dbac3f26a2c30b81350d56868dd653d8fbb3306d9e75
SHA51241c4d71c7d95d11fc813b28be49c582de5776651cbe58aa7999d3bbdf4368d31e61afdafb20ba6a765f456fb0749141e6e661fcbc7463456d530c8b707161826
-
Filesize
19KB
MD575113672c1f4ef5b6740420b06722632
SHA1eaa1f4634e0cb086a322ff97dfb554bb961bd4d4
SHA2568fe763d4da42c1e6a57f39e75eb818bde07be027343e69e6cb351bbd3c98a7f8
SHA5123b75b518887feef5327f0ae5d6bb4fcdd809af102a04cf9a99cae8ce06b73fa7d286443f9e73aec0987c1cd7e707868b1bfa72d5ac8f82b001dd9fe18410cb19
-
Filesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
200KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
1024KB
-
Filesize
440KB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
440KB
-
Filesize
1024KB
-
Filesize
22.1MB
-
Filesize
1024KB
-
Filesize
156KB
-
Filesize
22.1MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
26.0MB
-
Filesize
2.8MB
-
Filesize
11.0MB
-
Filesize
2.8MB
-
Filesize
11.0MB
-
Filesize
2.8MB
-
Filesize
11.0MB
-
Filesize
760KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
11.0MB
-
Filesize
11.0MB
-
Filesize
11.0MB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
216KB
-
Filesize
3.3MB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
272KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
376KB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
26.0MB
-
Filesize
4.9MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
4.0MB
-
Filesize
26.0MB
-
Filesize
8.9MB
-
Filesize
4.0MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
26.0MB
-
Filesize
4.0MB
-
Filesize
26.0MB
-
Filesize
8.9MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB