Analysis

max time kernel: 12s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 11:23

Static task: static1
Behavioral task: behavioral1
Sample: ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe
Resource: win10v2004-20240226-en
General

Target: ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe
Size: 5.5MB
MD5: 003600bc57311bd8073c1e0e04368dc3
SHA1: 278361b1d0fc8339ede2f7119388bb384800214a
SHA256: ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35
SHA512: d859979b185e9cc1b3b41fd5531cbf17c22f6673adf4258868b5a11ed068429f464300546d437ff3582876a99fb1241aa9011182f5625c558bf8ed5be109dfe7
SSDEEP: 49152:KIFzxLh+7KFc/rfltudWjXjGjYBJTcWIQKY6sB+gk89esANH1vcUbgkE4W4ed+aN:Fh+PL1rkPFAOFRUdSI9LwrYbN

Malware Config

Extracted
Family: stealc
C2: http://185.172.128.209
url_path: /3cd2b41cbde8fc9c.php
Signatures

Detect ZGRat V1  3 IoCs
  resource | yara_rule
  behavioral1/memory/2316-450-0x0000016CCB890000-0x0000016CCF188000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2316-480-0x0000016CE9990000-0x0000016CE9AA0000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2316-487-0x0000016CD0F70000-0x0000016CD0F94000-memory.dmp | family_zgrat_v1

Downloads MZ/PE file

Checks computer location settings  2 TTPs  2 IoCs
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | regasm.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | wIdGuFPH1EGhklPTYOCGq8vk.exe

Drops startup file  3 IoCs
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5AOmCHxBrCJSR515fSyuZOJd.bat | regasm.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QoPBbiWXTSxn1h7jYClQvpvA.bat | regasm.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wS2hmpTxX2EbNFUNsepVX6OI.bat | regasm.exe

Executes dropped EXE  4 IoCs
  pid | Process
  4152 | wIdGuFPH1EGhklPTYOCGq8vk.exe
  484 | u37c.0.exe
  1844 | lyDAM8InUFWevy8N5a5MLMA7.exe
  4580 | lyDAM8InUFWevy8N5a5MLMA7.exe

Loads dropped DLL  1 IoCs
  pid | Process
  1844 | lyDAM8InUFWevy8N5a5MLMA7.exe

Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Themida yara_rule matches  11 IoCs
  resource | yara_rule
  behavioral1/files/0x0007000000023357-244.dat | themida
  behavioral1/memory/5728-250-0x00007FF644A90000-0x00007FF64559A000-memory.dmp | themida
  behavioral1/memory/5728-261-0x00007FF644A90000-0x00007FF64559A000-memory.dmp | themida
  behavioral1/memory/5728-263-0x00007FF644A90000-0x00007FF64559A000-memory.dmp | themida
  behavioral1/memory/5728-264-0x00007FF644A90000-0x00007FF64559A000-memory.dmp | themida
  behavioral1/memory/5728-268-0x00007FF644A90000-0x00007FF64559A000-memory.dmp | themida
  behavioral1/memory/5728-269-0x00007FF644A90000-0x00007FF64559A000-memory.dmp | themida
  behavioral1/memory/5728-274-0x00007FF644A90000-0x00007FF64559A000-memory.dmp | themida
  behavioral1/memory/5728-275-0x00007FF644A90000-0x00007FF64559A000-memory.dmp | themida
  behavioral1/memory/5728-327-0x00007FF644A90000-0x00007FF64559A000-memory.dmp | themida
  behavioral1/files/0x0007000000023357-490.dat | themida

Legitimate hosting services abused for malware hosting/C2  1 TTPs  2 IoCs
  flow | ioc
  8 | pastebin.com
  10 | pastebin.com

Looks up external IP address via web service  4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  103 | ipinfo.io
  97 | api.myip.com
  98 | api.myip.com
  102 | ipinfo.io

Suspicious use of SetThreadContext  1 IoCs
  description | pid | Process | procid_target
  PID 2228 set thread context of 1412 | 2228 | ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe | 97

Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash  2 IoCs
  pid | pid_target | Process | procid_target
  3084 | 4152 | WerFault.exe | 98
  5500 | 484 | WerFault.exe | 103

Creates scheduled task(s)  1 TTPs  4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  5808 | schtasks.exe
  5712 | schtasks.exe
  492 | schtasks.exe
  5796 | schtasks.exe

Runs ping.exe  1 TTPs  1 IoCs
  pid | Process
  2388 | PING.EXE

Suspicious behavior: EnumeratesProcesses  3 IoCs
  pid | Process
  1848 | powershell.exe
  1848 | powershell.exe
  1848 | powershell.exe

Suspicious use of AdjustPrivilegeToken  3 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2228 | ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe
  Token: SeDebugPrivilege | 1848 | powershell.exe
  Token: SeDebugPrivilege | 1412 | regasm.exe

Suspicious use of WriteProcessMemory  22 IoCs
  description | pid | Process | procid_target
  PID 2228 wrote to memory of 1848 | 2228 | ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe | 95
  PID 2228 wrote to memory of 1848 | 2228 | ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe | 95
  PID 2228 wrote to memory of 1412 | 2228 | ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe | 97
  PID 2228 wrote to memory of 1412 | 2228 | ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe | 97
  PID 2228 wrote to memory of 1412 | 2228 | ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe | 97
  PID 2228 wrote to memory of 1412 | 2228 | ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe | 97
  PID 2228 wrote to memory of 1412 | 2228 | ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe | 97
  PID 2228 wrote to memory of 1412 | 2228 | ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe | 97
  PID 2228 wrote to memory of 1412 | 2228 | ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe | 97
  PID 2228 wrote to memory of 1412 | 2228 | ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe | 97
  PID 1412 wrote to memory of 4152 | 1412 | regasm.exe | 98
  PID 1412 wrote to memory of 4152 | 1412 | regasm.exe | 98
  PID 1412 wrote to memory of 4152 | 1412 | regasm.exe | 98
  PID 4152 wrote to memory of 484 | 4152 | wIdGuFPH1EGhklPTYOCGq8vk.exe | 103
  PID 4152 wrote to memory of 484 | 4152 | wIdGuFPH1EGhklPTYOCGq8vk.exe | 103
  PID 4152 wrote to memory of 484 | 4152 | wIdGuFPH1EGhklPTYOCGq8vk.exe | 103
  PID 1412 wrote to memory of 1844 | 1412 | regasm.exe | 105
  PID 1412 wrote to memory of 1844 | 1412 | regasm.exe | 105
  PID 1412 wrote to memory of 1844 | 1412 | regasm.exe | 105
  PID 1844 wrote to memory of 4580 | 1844 | lyDAM8InUFWevy8N5a5MLMA7.exe | 107
  PID 1844 wrote to memory of 4580 | 1844 | lyDAM8InUFWevy8N5a5MLMA7.exe | 107
  PID 1844 wrote to memory of 4580 | 1844 | lyDAM8InUFWevy8N5a5MLMA7.exe | 107
Processes

Each entry gives the process image, its command line, its PID and the signatures it triggered; [n] is the nesting depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\ad3276e302e34fed06a6afb6db77e6e7dd250df29a5d1695403991b174276f35.exe"
    PID: 2228
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
      PID: 1848
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      PID: 1412
      - Checks computer location settings
      - Drops startup file
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\Pictures\wIdGuFPH1EGhklPTYOCGq8vk.exe
        cmd: "C:\Users\Admin\Pictures\wIdGuFPH1EGhklPTYOCGq8vk.exe"
        PID: 4152
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\u37c.0.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\u37c.0.exe"
          PID: 484
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BGIIDAEBGC.exe"
            PID: 3656
          [6] C:\Users\Admin\AppData\Local\Temp\BGIIDAEBGC.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\BGIIDAEBGC.exe"
              PID: 2936
            [7] C:\Windows\SysWOW64\cmd.exe
                cmd: "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\BGIIDAEBGC.exe
                PID: 2236
              [8] C:\Windows\SysWOW64\PING.EXE
                  cmd: ping 2.2.2.2 -n 1 -w 3000
                  PID: 2388
                  - Runs ping.exe
        [5] C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 3436
            PID: 5500
            - Program crash
      [4] C:\Users\Admin\AppData\Local\Temp\u37c.1.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\u37c.1.exe"
          PID: 2960
        [5] C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
            PID: 2316
      [4] C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 1512
          PID: 3084
          - Program crash
    [3] C:\Users\Admin\Pictures\lyDAM8InUFWevy8N5a5MLMA7.exe
        cmd: "C:\Users\Admin\Pictures\lyDAM8InUFWevy8N5a5MLMA7.exe" --silent --allusers=0
        PID: 1844
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\Pictures\lyDAM8InUFWevy8N5a5MLMA7.exe
          cmd: C:\Users\Admin\Pictures\lyDAM8InUFWevy8N5a5MLMA7.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2a4,0x2a8,0x2ac,0x2a0,0x2b0,0x6fcfe1d0,0x6fcfe1dc,0x6fcfe1e8
          PID: 4580
          - Executes dropped EXE
      [4] C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\lyDAM8InUFWevy8N5a5MLMA7.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\lyDAM8InUFWevy8N5a5MLMA7.exe" --version
          PID: 992
      [4] C:\Users\Admin\Pictures\lyDAM8InUFWevy8N5a5MLMA7.exe
          cmd: "C:\Users\Admin\Pictures\lyDAM8InUFWevy8N5a5MLMA7.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1844 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240403112340" --session-guid=e416138d-61a7-4a1b-95a9-55ea05d02054 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=B805000000000000
          PID: 3068
        [5] C:\Users\Admin\Pictures\lyDAM8InUFWevy8N5a5MLMA7.exe
            cmd: C:\Users\Admin\Pictures\lyDAM8InUFWevy8N5a5MLMA7.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x290,0x288,0x284,0x28c,0x2c0,0x6ea0e1d0,0x6ea0e1dc,0x6ea0e1e8
            PID: 2484
      [4] C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
          PID: 5388
      [4] C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123401\assistant\assistant_installer.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123401\assistant\assistant_installer.exe" --version
          PID: 5160
        [5] C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123401\assistant\assistant_installer.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123401\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x250040,0x25004c,0x250058
            PID: 2648
    [3] C:\Users\Admin\Pictures\zfcuF2OfGKaSOczCxh9gn7fi.exe
        cmd: "C:\Users\Admin\Pictures\zfcuF2OfGKaSOczCxh9gn7fi.exe"
        PID: 3768
      [4] C:\Users\Admin\AppData\Local\Temp\7zSB4AA.tmp\Install.exe
          cmd: .\Install.exe /dEKGWdidYWnQ "385118" /S
          PID: 2640
        [5] C:\Windows\SysWOW64\forfiles.exe
            cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
            PID: 5160
          [6] C:\Windows\SysWOW64\cmd.exe
              cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
              PID: 5440
            [7] \??\c:\windows\SysWOW64\reg.exe
                cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                PID: 5672
            [7] \??\c:\windows\SysWOW64\reg.exe
                cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                PID: 5868
        [5] C:\Windows\SysWOW64\forfiles.exe
            cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
            PID: 5192
          [6] C:\Windows\SysWOW64\cmd.exe
              cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
              PID: 5556
            [7] \??\c:\windows\SysWOW64\reg.exe
                cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                PID: 5576
            [7] \??\c:\windows\SysWOW64\reg.exe
                cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                PID: 5896
        [5] C:\Windows\SysWOW64\schtasks.exe
            cmd: schtasks /CREATE /TN "gGjkHmMuD" /SC once /ST 03:57:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
            (the EncodedCommand is UTF-16LE base64 for: start-process -WindowStyle Hidden gpupdate.exe /force)
            PID: 5796
            - Creates scheduled task(s)
        [5] C:\Windows\SysWOW64\schtasks.exe
            cmd: schtasks /run /I /tn "gGjkHmMuD"
            PID: 6132
        [5] C:\Windows\SysWOW64\schtasks.exe
            cmd: schtasks /DELETE /F /TN "gGjkHmMuD"
            PID: 5268
        [5] C:\Windows\SysWOW64\schtasks.exe
            cmd: schtasks /CREATE /TN "bCAdHbOFiqtMCRhbmR" /SC once /ST 11:25:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\FBSTPzu.exe\" hl /Ttsite_idgAO 385118 /S" /V1 /F
            PID: 5712
            - Creates scheduled task(s)
    [3] C:\Users\Admin\Pictures\NEpeZwx87NgCOqLxxQfqAoe0.exe
        cmd: "C:\Users\Admin\Pictures\NEpeZwx87NgCOqLxxQfqAoe0.exe"
        PID: 1236
      [4] C:\Users\Admin\AppData\Local\Temp\7zSBE2F.tmp\Install.exe
          cmd: .\Install.exe /dEKGWdidYWnQ "385118" /S
          PID: 3044
        [5] C:\Windows\SysWOW64\forfiles.exe
            cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
            PID: 5152
          [6] C:\Windows\SysWOW64\cmd.exe
              cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
              PID: 5468
            [7] \??\c:\windows\SysWOW64\reg.exe
                cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                PID: 5592
            [7] \??\c:\windows\SysWOW64\reg.exe
                cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                PID: 5752
        [5] C:\Windows\SysWOW64\forfiles.exe
            cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
            PID: 5216
          [6] C:\Windows\SysWOW64\cmd.exe
              cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
              PID: 5460
            [7] \??\c:\windows\SysWOW64\reg.exe
                cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                PID: 5584
            [7] \??\c:\windows\SysWOW64\reg.exe
                cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                PID: 5836
        [5] C:\Windows\SysWOW64\schtasks.exe
            cmd: schtasks /CREATE /TN "gMooXBDtJ" /SC once /ST 03:19:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
            (the EncodedCommand is UTF-16LE base64 for: start-process -WindowStyle Hidden gpupdate.exe /force)
            PID: 5808
            - Creates scheduled task(s)
        [5] C:\Windows\SysWOW64\schtasks.exe
            cmd: schtasks /run /I /tn "gMooXBDtJ"
            PID: 6080
        [5] C:\Windows\SysWOW64\schtasks.exe
            cmd: schtasks /DELETE /F /TN "gMooXBDtJ"
            PID: 6128
        [5] C:\Windows\SysWOW64\schtasks.exe
            cmd: schtasks /CREATE /TN "bCAdHbOFiqtMCRhbmR" /SC once /ST 11:25:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\aZPyxGm.exe\" hl /mKsite_idHaQ 385118 /S" /V1 /F
            PID: 492
            - Creates scheduled task(s)
    [3] C:\Users\Admin\Pictures\yRkw6QVBdHxeWyiJBjhjE5C8.exe
        cmd: "C:\Users\Admin\Pictures\yRkw6QVBdHxeWyiJBjhjE5C8.exe"
        PID: 5728

[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4152 -ip 4152
    PID: 2040

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2836 --field-trial-handle=2228,i,521073434451423547,2311651514500527526,262144 --variations-seed-version /prefetch:3
    PID: 5240

[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    (the EncodedCommand is UTF-16LE base64 for: start-process -WindowStyle Hidden gpupdate.exe /force)
    PID: 984
  [2] C:\Windows\system32\gpupdate.exe
      cmd: "C:\Windows\system32\gpupdate.exe" /force
      PID: 5816

[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    (the EncodedCommand is UTF-16LE base64 for: start-process -WindowStyle Hidden gpupdate.exe /force)
    PID: 5608
  [2] C:\Windows\system32\gpupdate.exe
      cmd: "C:\Windows\system32\gpupdate.exe" /force
      PID: 5716

[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    PID: 3056

[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    PID: 5632

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3324 --field-trial-handle=2228,i,521073434451423547,2311651514500527526,262144 --variations-seed-version /prefetch:8
    PID: 6004

[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 484 -ip 484
    PID: 5268
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 11KB
MD5: a33e5b189842c5867f46566bdbf7a095
SHA1: e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256: 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512: f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 40B
MD5: 20d4b8fa017a12a108c87f540836e250
SHA1: 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256: 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512: 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Filesize: 944B
MD5: b1508d8dceaca754629a9c85d1b865b4
SHA1: 30cad55a399d65369f12b82fc8269f21bc1fdabe
SHA256: 8479bd5d9ffd4d83ad1d39c3d00efaa44dce611b651d9a6bb2b3a68228f8db59
SHA512: b32abe058afd416a21f13cad241f865e56b961db58300ce0a8d3f7de2b507bcf76fd94e1f2ab7a87b012d9e9a049d677f28cd30ceb4aef7d35c860d468dc550b

Filesize: 64B
MD5: 1a9b653ce754ba653f020d9211f2aa87
SHA1: fe366af75ea06b9250b1737380d1e1ec5ee1a96e
SHA256: 4113d7fe1e15394606dd8b8ca1187c96d5c4bbf9fcbab6d6f1410921dbd16289
SHA512: 97e6cfe6798a8fb4c04c6fb75394ac369a61ef9ef5ebe68462dbd8cb9ede95613380bd0647d0d027f2674aed820bb4a6c52a8c874fe0a075cd5ee317ce77139e

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
Filesize: 2.5MB
MD5: 20d293b9bf23403179ca48086ba88867
SHA1: dedf311108f607a387d486d812514a2defbd1b9e
SHA256: fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA512: 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123401\assistant\assistant_installer.exe
Filesize: 1.9MB
MD5: b3f05009b53af6435e86cfd939717e82
SHA1: 770877e7c5f03e8d684984fe430bdfcc2cf41b26
SHA256: 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7
SHA512: d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123401\assistant\dbgcore.dll
Filesize: 166KB
MD5: 8b6f64e5d3a608b434079e50a1277913
SHA1: 03f431fabf1c99a48b449099455c1575893d9f32
SHA256: 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512: c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123401\assistant\dbghelp.dll
Filesize: 1.7MB
MD5: 925ea07f594d3fce3f73ede370d92ef7
SHA1: f67ea921368c288a9d3728158c3f80213d89d7c2
SHA256: 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
SHA512: a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404031123401\opera_package
Filesize: 103.9MB
MD5: f9172d1f7a8316c593bdddc47f403b06
SHA1: ed1e5a40b040af2c60ed6c2536b3bf7ee55e0e52
SHA256: 473f0d4b886db8cd39b900b92bdc0625a3fcec8addd43f71179696bdf186ec3b
SHA512: f51ab2bdf29ca6839e4f7cf1fac1bdfc03ba2da4569a8f21e5d2ee13e6519097c3da40bf0b4ca7642286ed033d0126bbd14ef7842eb9f2db1d6e503849521b02

Filesize: 6.9MB
MD5: ea99e72c1ac89aa9cc14178b1c46d50d
SHA1: 60b896781f40e89106d0c76abd11c5b5d0832943
SHA256: 9cd503eed313e3c5293f192804c0f20a4eef448876f8375fbc26a25be36d5b28
SHA512: 03693bda0c8b693c09e416a7d0c335294f74804f336058a59612a07aa0dd918cd70958cc95feba7d3b26b2df235b0a60d0347d6ed6e353fec8c87c969f6068f1

Filesize: 106KB
MD5: fe380780b5c35bd6d54541791151c2be
SHA1: 7fe3a583cf91474c733f85cebf3c857682e269e1
SHA256: b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512: ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

Filesize: 4.6MB
MD5: 2a3159d6fef1100348d64bf9c72d15ee
SHA1: 52a08f06f6baaa12163b92f3c6509e6f1e003130
SHA256: 668bf8a7f3e53953dd6789fc6146a205c6c7330832c5d20b439eedb7c52ed303
SHA512: 251c0d3cdd0597b962d4e32cf588a82454c42067cbe5e35b41b0548eea742ea25815e5d6830b63c1992b5730a4e6d7c005fb0019aa4c389549b06fff9a74b38c

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 2KB
MD5: 000c98f5d727304a5f37f6c63d7b49ea
SHA1: 9e17b76a8ecc417bbc017b2b470c0be26e6883ed
SHA256: b7670e5b3a2b524b002365046a25f35b9220d2529518de073e7a5e2cdf98c88d
SHA512: 7a4856b71a63c207134e5100f7e60e00b490779e8ff4ff39d2147d7eb7846b2548d5b8f70a717b5207fc1f187e618e82814645f878a9f1f8c3a59a5e79c20801

Filesize: 3KB
MD5: d811cc2ec04491564d06fc93a55576bd
SHA1: e9cee1ccbc529803e7ee8ea5d5e31e38f95f8313
SHA256: 7008059259904e6e2c76f2d61c3d1e2a3fdfef9d05775c75fd5dbcd7edee470f
SHA512: 9ef873f8c0cbf94caa9ea1541920bfdd2e0115ded8943bc8f32bd136d515eb4ea3434fbe7287ee61071eb14736f6e9b7035df0cfec2b7deb025e9199468b0513

Filesize: 288KB
MD5: 51e3ef0a1d7922b7f8a12d2f71884f1a
SHA1: c4d962755aff62b1645e930e516fed964dfe2d78
SHA256: 34567116a4502f378362327e1cde0dcaed0cee3c62f9fa651e8d52d44e49e54e
SHA512: e1c6413dbb16434372afcb99c068971ef5a72243768488e93adb915f32c3850f7e34ecb1967b669e2bd658ff7f1e185c009bc7caff8753cc5ba42910145575f7

Filesize: 4.6MB
MD5: 397926927bca55be4a77839b1c44de6e
SHA1: e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256: 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512: cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Filesize: 40B
MD5: f52fe890b1b8d7c31563dd4680d451e1
SHA1: 28d6f17f17707f375e40856bd88d3380edfdb343
SHA256: 028a7fb805702f9fcda883788ac5d0be3a97df13c447eaf90eb4764ae644c3be
SHA512: 3e3bfca1d1fd2e7326e4c87901e091b11967cd829a99eec3afed307b9586f9a3e3e13bef3f43b389041e2636c4ddab572a03164bc69d32682a705d6c4ad4d8d6

Filesize: 7KB
MD5: 5b423612b36cde7f2745455c5dd82577
SHA1: 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256: e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512: c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Filesize: 5.1MB
MD5: 31f56b19424e86ee545ea6e4ead861e9
SHA1: 6d5be33b96d8353dcf8200223a65b2473571e5ea
SHA256: 14d71e1e714463b98424bdebc9c23a4eb2afb7ecaf66fa8e643920cf06dc6327
SHA512: d18d0ea28a80ff4faefb30cfa5a5a7011244f87305b585a865c5723eb40c6ba850b2b60cfe0e92a83b62cd45bceb2e96993779e97535e64cd6d43b0dc7f78e72

Filesize: 430KB
MD5: 53dd8034407bbbf1557c704c4094cb34
SHA1: 1fd38f2aa8ef7b2cc15a2e96eda28c64b0726b5a
SHA256: 4ebc04dc3b80947ba0da846dc72f5f70fc8bed7dade2cd91540ab374219e866f
SHA512: 083c0c6ee42ae39935e9f45ef500d82ba52eb868a51a8858c2b73466f71e5082b2606b5173c4ca58f90797b560d37d8ea5252f2daabce21d208ed8683bf37403

Filesize: 4.3MB
MD5: 858bb0a3b4fa6a54586402e3ee117076
SHA1: 997c31f043347883ea5ed2323a558b6cc5ea9c8e
SHA256: d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35
SHA512: e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd

Filesize: 2.6MB
MD5: 7cb7ccf825bda44f89feb094149b38dc
SHA1: ede85d363065d06cddd0441eddbe28eb1df90605
SHA256: 005c6897e6c40ff06af63cca71c39d267c81ffa3367d3d1c639ce57e0eafbf10
SHA512: ba35127635feea4bc63a6f73d68f0e72d3edcd36e20504f5add9e3893e4851128c209626520648c68f33c7093c54a409425fae0a0df795cd4b1b4047955f453e

Filesize: 6.6MB
MD5: 043dbd643661057bd57f2b5fef28d155
SHA1: 08819d63ab2f4641aaf891575b46f3b458045fa2
SHA256: cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6
SHA512: b5abb4082995d7f2b653d7621afceb8b0c455cc0379d7d6c643cf6c43d2e3e24fbdfb391f18cea1c5b7af51be99f2e128f587be2c71e18e6ad0c88a66ff56439

Filesize: 306B
MD5: 7534b5b74212cb95b819401235bd116c
SHA1: 787ad181b22e161330aab804de4abffbfc0683b0
SHA256: b05c6723077813dc9b48a2f1142db37ea63c672931d13a74d320f7d006756a04
SHA512: ea268788dc59ab78c0aadd4db9bbcf95493bf4eb2b5ae3d592e6876596246832fc574e7bc1348ce7922b32dcedcf71876ff59fb8beace5c06891ec897c9dac51

Filesize: 522B
MD5: 71068f63f4ef05eb4c413a0a72668637
SHA1: 5c23b82d1beac52e21f12ef362c6cfd30fc87a43
SHA256: 3c411fe5888ee956d9b9cd8dac72903b74919e77d78dabec2a094ed7e839367b
SHA512: f012e253f18ba1edea5c446cdba6fadb6f3d17eecec7d923c546350577d49e9a2b3b617589caafba63adbbecf4d4a0bbd3069c773c2a26111287b8e160df8cec

Filesize: 268B
MD5: a62ce44a33f1c05fc2d340ea0ca118a4
SHA1: 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256: 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512: 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732