01b3fa1094d23123c7e5dfd22e8aa1b27d6fb9ce8d1efce1d950f27bc9938b38

Analysis

max time kernel
6s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ed54bbd1207ed3660f9bf544676bb58.exe
Size

18KB
MD5

7ed54bbd1207ed3660f9bf544676bb58
SHA1

fb9570c2a560f26e68185e79da916ab77b0978a2
SHA256

01b3fa1094d23123c7e5dfd22e8aa1b27d6fb9ce8d1efce1d950f27bc9938b38
SHA512

82e397f24cd2d49e01a5858f37d6bffe96e03ae06cb8032234e8fa88e589351a1343824b0d2250b237aac3df6081b866185d4c4c7c68e3b59d6ce9969f1efa75
SSDEEP

384:IO76Fphlmx9qocoNjbZNY52eND9qytjnZibZnAOchTO7/RRK6jQf:yPhoNjbXY5aAjnZibtD0O7ZRo

Score

7^/10

adware stealer

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
692	zscqahlp.exe
2872	zscqahlp.exe
1172	zscqahlp.exe
4848	zscqahlp.exe
4928	zscqahlp.exe
5008	zscqahlp.exe
5096	zscqahlp.exe

Loads dropped DLL 14 IoCs

pid	Process
2368	7ed54bbd1207ed3660f9bf544676bb58.exe
2368	7ed54bbd1207ed3660f9bf544676bb58.exe
692	zscqahlp.exe
692	zscqahlp.exe
2872	zscqahlp.exe
2872	zscqahlp.exe
1172	zscqahlp.exe
1172	zscqahlp.exe
4848	zscqahlp.exe
4848	zscqahlp.exe
4928	zscqahlp.exe
4928	zscqahlp.exe
5008	zscqahlp.exe
5008	zscqahlp.exe

Installs/modifies Browser Helper Object 2 TTPs 16 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{70AF1289-F140-A140-D012-C1458759FC07}\ = "ypcqfhlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70AF1289-F140-A140-D012-C1458759FC07}	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{70AF1289-F140-A140-D012-C1458759FC07}\ = "ypcqfhlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70AF1289-F140-A140-D012-C1458759FC07}	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{70AF1289-F140-A140-D012-C1458759FC07}\ = "ypcqfhlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{70AF1289-F140-A140-D012-C1458759FC07}\ = "ypcqfhlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70AF1289-F140-A140-D012-C1458759FC07}	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70AF1289-F140-A140-D012-C1458759FC07}	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70AF1289-F140-A140-D012-C1458759FC07}	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{70AF1289-F140-A140-D012-C1458759FC07}\ = "ypcqfhlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70AF1289-F140-A140-D012-C1458759FC07}	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{70AF1289-F140-A140-D012-C1458759FC07}\ = "ypcqfhlp.dll"	7ed54bbd1207ed3660f9bf544676bb58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{70AF1289-F140-A140-D012-C1458759FC07}\ = "ypcqfhlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70AF1289-F140-A140-D012-C1458759FC07}	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{70AF1289-F140-A140-D012-C1458759FC07}\ = "ypcqfhlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70AF1289-F140-A140-D012-C1458759FC07}	7ed54bbd1207ed3660f9bf544676bb58.exe

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqfhlp.dll	7ed54bbd1207ed3660f9bf544676bb58.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	7ed54bbd1207ed3660f9bf544676bb58.exe
File opened for modification	C:\Windows\SysWOW64\ypcqfhlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqfhlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqfhlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqfhlp.dll	zscqahlp.exe
File created	C:\Windows\SysWOW64\ypcqfhlp.dll	7ed54bbd1207ed3660f9bf544676bb58.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqfhlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	7ed54bbd1207ed3660f9bf544676bb58.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	7ed54bbd1207ed3660f9bf544676bb58.exe
File opened for modification	C:\Windows\SysWOW64\ypcqfhlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File created	C:\Windows\SysWOW64\ypcqfhlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File created	C:\Windows\SysWOW64\zscqahlp.exe	7ed54bbd1207ed3660f9bf544676bb58.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqfhlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqfhlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqfhlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqfhlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqfhlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7ed54bbd1207ed3660f9bf544676bb58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqfhlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}	7ed54bbd1207ed3660f9bf544676bb58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32\ThreadingModel = "Apartment"	7ed54bbd1207ed3660f9bf544676bb58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32	7ed54bbd1207ed3660f9bf544676bb58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqfhlp.dll"	7ed54bbd1207ed3660f9bf544676bb58.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7ed54bbd1207ed3660f9bf544676bb58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqfhlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqfhlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70AF1289-F140-A140-D012-C1458759FC07}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2368	7ed54bbd1207ed3660f9bf544676bb58.exe
2368	7ed54bbd1207ed3660f9bf544676bb58.exe
692	zscqahlp.exe
692	zscqahlp.exe
2872	zscqahlp.exe
2872	zscqahlp.exe
1172	zscqahlp.exe
1172	zscqahlp.exe
4848	zscqahlp.exe
4848	zscqahlp.exe
4928	zscqahlp.exe
4928	zscqahlp.exe
5008	zscqahlp.exe
5008	zscqahlp.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	7ed54bbd1207ed3660f9bf544676bb58.exe
Token: SeDebugPrivilege	692	zscqahlp.exe
Token: SeDebugPrivilege	2872	zscqahlp.exe
Token: SeDebugPrivilege	1172	zscqahlp.exe
Token: SeDebugPrivilege	4848	zscqahlp.exe
Token: SeDebugPrivilege	4928	zscqahlp.exe
Token: SeDebugPrivilege	5008	zscqahlp.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2760	2368	7ed54bbd1207ed3660f9bf544676bb58.exe	28
PID 2368 wrote to memory of 2760	2368	7ed54bbd1207ed3660f9bf544676bb58.exe	28
PID 2368 wrote to memory of 2760	2368	7ed54bbd1207ed3660f9bf544676bb58.exe	28
PID 2368 wrote to memory of 2760	2368	7ed54bbd1207ed3660f9bf544676bb58.exe	28
PID 2368 wrote to memory of 692	2368	7ed54bbd1207ed3660f9bf544676bb58.exe	30
PID 2368 wrote to memory of 692	2368	7ed54bbd1207ed3660f9bf544676bb58.exe	30
PID 2368 wrote to memory of 692	2368	7ed54bbd1207ed3660f9bf544676bb58.exe	30
PID 2368 wrote to memory of 692	2368	7ed54bbd1207ed3660f9bf544676bb58.exe	30
PID 692 wrote to memory of 2072	692	zscqahlp.exe	31
PID 692 wrote to memory of 2072	692	zscqahlp.exe	31
PID 692 wrote to memory of 2072	692	zscqahlp.exe	31
PID 692 wrote to memory of 2072	692	zscqahlp.exe	31
PID 692 wrote to memory of 2872	692	zscqahlp.exe	36
PID 692 wrote to memory of 2872	692	zscqahlp.exe	36
PID 692 wrote to memory of 2872	692	zscqahlp.exe	36
PID 692 wrote to memory of 2872	692	zscqahlp.exe	36
PID 2872 wrote to memory of 792	2872	zscqahlp.exe	33
PID 2872 wrote to memory of 792	2872	zscqahlp.exe	33
PID 2872 wrote to memory of 792	2872	zscqahlp.exe	33
PID 2872 wrote to memory of 792	2872	zscqahlp.exe	33
PID 2872 wrote to memory of 1172	2872	zscqahlp.exe	35
PID 2872 wrote to memory of 1172	2872	zscqahlp.exe	35
PID 2872 wrote to memory of 1172	2872	zscqahlp.exe	35
PID 2872 wrote to memory of 1172	2872	zscqahlp.exe	35
PID 1172 wrote to memory of 3068	1172	zscqahlp.exe	38
PID 1172 wrote to memory of 3068	1172	zscqahlp.exe	38
PID 1172 wrote to memory of 3068	1172	zscqahlp.exe	38
PID 1172 wrote to memory of 3068	1172	zscqahlp.exe	38
PID 1172 wrote to memory of 4848	1172	zscqahlp.exe	39
PID 1172 wrote to memory of 4848	1172	zscqahlp.exe	39
PID 1172 wrote to memory of 4848	1172	zscqahlp.exe	39
PID 1172 wrote to memory of 4848	1172	zscqahlp.exe	39
PID 4848 wrote to memory of 4896	4848	zscqahlp.exe	40
PID 4848 wrote to memory of 4896	4848	zscqahlp.exe	40
PID 4848 wrote to memory of 4896	4848	zscqahlp.exe	40
PID 4848 wrote to memory of 4896	4848	zscqahlp.exe	40
PID 4848 wrote to memory of 4928	4848	zscqahlp.exe	54
PID 4848 wrote to memory of 4928	4848	zscqahlp.exe	54
PID 4848 wrote to memory of 4928	4848	zscqahlp.exe	54
PID 4848 wrote to memory of 4928	4848	zscqahlp.exe	54
PID 4928 wrote to memory of 4988	4928	zscqahlp.exe	52
PID 4928 wrote to memory of 4988	4928	zscqahlp.exe	52
PID 4928 wrote to memory of 4988	4928	zscqahlp.exe	52
PID 4928 wrote to memory of 4988	4928	zscqahlp.exe	52
PID 4928 wrote to memory of 5008	4928	zscqahlp.exe	50
PID 4928 wrote to memory of 5008	4928	zscqahlp.exe	50
PID 4928 wrote to memory of 5008	4928	zscqahlp.exe	50
PID 4928 wrote to memory of 5008	4928	zscqahlp.exe	50
PID 5008 wrote to memory of 5072	5008	zscqahlp.exe	49
PID 5008 wrote to memory of 5072	5008	zscqahlp.exe	49
PID 5008 wrote to memory of 5072	5008	zscqahlp.exe	49
PID 5008 wrote to memory of 5072	5008	zscqahlp.exe	49
PID 5008 wrote to memory of 5096	5008	zscqahlp.exe	41
PID 5008 wrote to memory of 5096	5008	zscqahlp.exe	41
PID 5008 wrote to memory of 5096	5008	zscqahlp.exe	41
PID 5008 wrote to memory of 5096	5008	zscqahlp.exe	41
PID 5096 wrote to memory of 2756	5096	zscqahlp.exe	43
PID 5096 wrote to memory of 2756	5096	zscqahlp.exe	43
PID 5096 wrote to memory of 2756	5096	zscqahlp.exe	43
PID 5096 wrote to memory of 2756	5096	zscqahlp.exe	43

C:\Users\Admin\AppData\Local\Temp\7ed54bbd1207ed3660f9bf544676bb58.exe
"C:\Users\Admin\AppData\Local\Temp\7ed54bbd1207ed3660f9bf544676bb58.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259394796.bat
  2⤵
  PID:2760
- C:\Windows\SysWOW64\zscqahlp.exe
  C:\Windows\system32\zscqahlp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259395108.bat
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\zscqahlp.exe
    C:\Windows\system32\zscqahlp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259425715.bat
      4⤵
      PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259425700.bat
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259425637.bat
  2⤵
  PID:2572

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259395124.bat
1⤵
PID:792

C:\Windows\SysWOW64\zscqahlp.exe
C:\Windows\system32\zscqahlp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259395170.bat
  2⤵
  PID:3068
- C:\Windows\SysWOW64\zscqahlp.exe
  C:\Windows\system32\zscqahlp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259399507.bat
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\zscqahlp.exe
    C:\Windows\system32\zscqahlp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259430910.bat
      4⤵
      PID:5708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259430193.bat
    3⤵
    PID:5568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259430239.bat
  2⤵
  PID:5620

C:\Windows\SysWOW64\zscqahlp.exe
C:\Windows\system32\zscqahlp.exe
1⤵
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259401379.bat
  2⤵
  PID:2756
- C:\Windows\SysWOW64\zscqahlp.exe
  C:\Windows\system32\zscqahlp.exe
  2⤵
  PID:2216
- - C:\Windows\SysWOW64\zscqahlp.exe
    C:\Windows\system32\zscqahlp.exe
    3⤵
    PID:5828
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259402768.bat
      4⤵
      PID:5912
  - - C:\Windows\SysWOW64\zscqahlp.exe
      C:\Windows\system32\zscqahlp.exe
      4⤵
      PID:5932
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259402814.bat
        5⤵
        
        PID:5996
    - - C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        5⤵
        
        PID:5696
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259410115.bat
        6⤵
        
        PID:5756
      - C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        6⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259410505.bat
        7⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        7⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259416839.bat
        8⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        8⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259417307.bat
        9⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        9⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259427494.bat
        10⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        10⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259427884.bat
        11⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        11⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259428243.bat
        12⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        12⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259431300.bat
        13⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        13⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259433375.bat
        14⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        14⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259434701.bat
        15⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        15⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259443624.bat
        16⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        16⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259447633.bat
        17⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        17⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259448164.bat
        18⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        18⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259452501.bat
        19⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        19⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259454482.bat
        20⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        20⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259457961.bat
        21⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        21⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259466322.bat
        22⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        22⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259471564.bat
        23⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        23⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259473530.bat
        24⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        24⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259474013.bat
        25⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        25⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259475604.bat
        26⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        26⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259476213.bat
        27⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        27⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259476696.bat
        28⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        28⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259477086.bat
        29⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        29⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259478366.bat
        30⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        30⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259480721.bat
        31⤵
        
        PID:332
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        31⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259482749.bat
        32⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        32⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259483280.bat
        33⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        33⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259484575.bat
        34⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        34⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259485245.bat
        35⤵
        
        PID:988
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        35⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259493623.bat
        36⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        36⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259494403.bat
        37⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        37⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259497133.bat
        38⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        38⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259497569.bat
        39⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        39⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259499005.bat
        40⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        40⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259499878.bat
        41⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        41⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259500705.bat
        42⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        42⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259501282.bat
        43⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        43⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259504199.bat
        44⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        44⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259504621.bat
        45⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        45⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259509550.bat
        46⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        46⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259512842.bat
        47⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        47⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259518848.bat
        48⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        48⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259520065.bat
        49⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        49⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259522202.bat
        50⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        50⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259522670.bat
        51⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        51⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259524043.bat
        52⤵
        
        PID:448
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        52⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259524542.bat
        53⤵
        
        PID:784
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        53⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259526710.bat
        54⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        54⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259530798.bat
        55⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        55⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259538208.bat
        56⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        56⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259543917.bat
        57⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259543902.bat
        46⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259540033.bat
        45⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259535836.bat
        44⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259535524.bat
        43⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259531936.bat
        42⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259531281.bat
        41⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259530595.bat
        40⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259530018.bat
        39⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259529191.bat
        38⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259527818.bat
        37⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259524776.bat
        36⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259523731.bat
        35⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259515884.bat
        34⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259515120.bat
        33⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259514012.bat
        32⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259513326.bat
        31⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259512109.bat
        30⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259509223.bat
        29⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259507959.bat
        28⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259507928.bat
        27⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259506898.bat
        26⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259505385.bat
        25⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259504699.bat
        24⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259503669.bat
        23⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259501485.bat
        22⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259495214.bat
        21⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259485838.bat
        20⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259485230.bat
        19⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259483139.bat
        18⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259479427.bat
        17⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259478366.bat
        16⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259470862.bat
        15⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259470815.bat
        14⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259464185.bat
        13⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259463374.bat
        12⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259459552.bat
        11⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259458460.bat
        10⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259458460.bat
        9⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259448133.bat
        8⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259447306.bat
        7⤵
        
        PID:3800
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259446744.bat
        6⤵
        
        PID:4528
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259446744.bat
        5⤵
        
        PID:2476
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259433531.bat
      4⤵
      PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259402190.bat
    3⤵
    PID:960
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259433016.bat
    3⤵
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259432673.bat
  2⤵
  PID:2196

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259399960.bat
1⤵
PID:5072

C:\Windows\SysWOW64\zscqahlp.exe
C:\Windows\system32\zscqahlp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259430583.bat
  2⤵
  PID:5684

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259399804.bat
1⤵
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFD259394796.bat

Filesize
121B

MD5
09517fc62284f33e877a276463580bd1

SHA1
0b14fe1db4493818f9de0bf2a56ee5370b8d479a

SHA256
6cc6bbb1f3f754b6894d84130f5f2d86569ac3a603e1632d3cefa028f22b6238

SHA512
1b924dd216d0f38199cc6df215e65ff260aa48fa37aa620dabcbc616f434643bd1f2e617d66b14bd52900214148741565128ba9589782ba582fd7308369f4a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259425637.bat

Filesize
197B

MD5
281c3532c929546d062bdfbd17ba582b

SHA1
586ac3d8b0fad4d4befd3bc74eae158b13782027

SHA256
b341c46ea0cc1d4a5add83945d430770d6ceba7d282b7b2d7d898d984bcf02d0

SHA512
8d0f237a98c25da3605dfd08c69554d0101224f858d723909f3e33d036d0908bae1ecdd439b24dc74c3c53ab8aad8415a904d935ad4d11288cddb6db3d7cc5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259425700.bat

Filesize
121B

MD5
c2c0873091165aeac1ca8b123e633948

SHA1
00c5eded4d1d987c07591bc2cba9d24f8a1ca643

SHA256
0eeb85cae44714f166d04bc76ffc4232001a4ab111b0bf3e89cb1efe94f49146

SHA512
dbd1e6fda9d9bef507000c9d859b818569e61e493b83da93029232a36edca33f627f62b0d90cb72c062ff5f6d4c7b7e9153989b7b355bed7d7663ccd12a5be12

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259446744.bat

Filesize
242B

MD5
32cf344d4cbe7bd66daf54960f102543

SHA1
791389f480801b3e255139e044192c40ebc198ca

SHA256
06039815b122471c2e56e35cebe0bca734ba598a0fae8faffce2e851354023a2

SHA512
da583215039e2880bd9c0871ddd34671dacbbec829f561cfa2556188a109f2ed9c5c0b554f897cb24153b29256f42607be0b372f128b3f77ff740a989b881995

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259478366.bat

Filesize
242B

MD5
bba77befd78c001fbdd1074a771acd83

SHA1
22ac5ec37c8334118a6adf4c44de3f1193199db7

SHA256
8ca13a1fa529446e99a1e16a3d51e74411e3c60b5753d8f871d58da5b742f299

SHA512
79fbc7c3089f45ed03de2845b9653b11f0fcb4e486cd36ef23602d58e3a9cf1b6bcffbe56b64e8fc1b21ab948eafbb8d6c7b3e4eea2b32d456e807882d56e11f

Download Submit
C:\Windows\SysWOW64\xscqbhlp.sys

Filesize
520B

MD5
61cbe45d5e3dfecb306ca0dc3a0f6b38

SHA1
045102b121ca5642f2707e04c4358fefeb2c6643

SHA256
0fcc14297ecc3c6ffa6fbd93693d39d9c7a9833f0b209f79286cafc2c9306624

SHA512
194e2b49c02df02443f9d7fc1f0a4feee8389aa2daced9691da6f8db872342154fc5de1d92c201a0e755d135d237ba183f23d5990a0deb93b521e14a1646a61a

Download Submit
C:\Windows\SysWOW64\xscqbhlp.sys

Filesize
4KB

MD5
d9c12c9a841ee78c904dd8ba3405da8e

SHA1
c552736131a13898987e1f774cdf63a2c643d1f5

SHA256
f66d4a7e798fdab89ca5764bc9b1f4f4ac2c19c4c0125630d0b3b778dc143d1c

SHA512
1c8a5a1e27c521772eb71ffdd92c8b8548be01fb84d25ddd2e58824a8f4cd278225d2ebedc3b94767e5744be76d1c6825c3c48cd654456dc5c74955d26af3df0

Download Submit
C:\Windows\SysWOW64\ypcqfhlp.dll

Filesize
526KB

MD5
0fdbc27053a30454d9feb3ff600d2d6c

SHA1
edd1b4da5814dedcc6e69744b2751d3ad19a0910

SHA256
dfbe7108d1d93f227c990c98746ed065b2beea1312ccec229ab05d827cb68796

SHA512
d01e4a4c46fb090d107040ce0cb1058b66f2c6eb84455bca0e0feadb395c4c1be0d54cb872f2e57d68788888e79f458518ad708bde3ab2b7254ccca04c2d8c4b

Download Submit
C:\Windows\SysWOW64\ypcqfhlp.dll

Filesize
59KB

MD5
692de318e5892910741ef7690a8d0ba1

SHA1
037adf9f9a3a338c250bb42ae976f92ffdf0bcd5

SHA256
534f871eb004c89d25a1f145d54af2f1f9d56f80c5047a7d572cfd1d8f992731

SHA512
0ee61cb8cb2ee945a6abe7709f12b4a8a805adcdd53054ac06f73fc24e5f1e3bea7e7fde43078f820de158a9135056f348e75c704726693de321153ae0b26900

Download Submit
C:\Windows\SysWOW64\ypcqfhlp.dll

Filesize
526KB

MD5
ab33a85a1a9037716dce70a6986f8c7a

SHA1
ff0eeec5f7bbd2f9f32f5e2e20dec2281891a9d8

SHA256
e112475517b92106c7c89a5c654d54670a7c92ae60f4d834b78c4ce57eede856

SHA512
31f72c20244819f738009ea8b9930235ab1bcd937530a64f6157be5df9c66af7b6b239cbf886920105e81ba53b4c3fd06f695d5984ff242378dd3dd06ce635b6

Download Submit
\Windows\SysWOW64\zscqahlp.exe

Filesize
18KB

MD5
7ed54bbd1207ed3660f9bf544676bb58

SHA1
fb9570c2a560f26e68185e79da916ab77b0978a2

SHA256
01b3fa1094d23123c7e5dfd22e8aa1b27d6fb9ce8d1efce1d950f27bc9938b38

SHA512
82e397f24cd2d49e01a5858f37d6bffe96e03ae06cb8032234e8fa88e589351a1343824b0d2250b237aac3df6081b866185d4c4c7c68e3b59d6ce9969f1efa75

Download Submit
memory/692-1044-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1172-2089-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/1172-4192-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/2000-17568-0x0000000000420000-0x000000000043B000-memory.dmp

Filesize
108KB

Download
memory/2216-3153-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/2216-5229-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/2368-1032-0x0000000000280000-0x000000000029B000-memory.dmp

Filesize
108KB

Download
memory/2368-2090-0x0000000000280000-0x000000000029B000-memory.dmp

Filesize
108KB

Download
memory/2368-2093-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2368-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2368-2128-0x0000000000280000-0x000000000029B000-memory.dmp

Filesize
108KB

Download
memory/2368-1026-0x0000000000280000-0x000000000029B000-memory.dmp

Filesize
108KB

Download
memory/2628-9361-0x0000000000420000-0x000000000043B000-memory.dmp

Filesize
108KB

Download
memory/2628-12435-0x0000000000420000-0x000000000043B000-memory.dmp

Filesize
108KB

Download
memory/2628-9362-0x0000000000420000-0x000000000043B000-memory.dmp

Filesize
108KB

Download
memory/2628-8317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2628-12436-0x0000000000420000-0x000000000043B000-memory.dmp

Filesize
108KB

Download
memory/2736-14499-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/2736-17566-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/2736-17567-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/2736-13477-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/2872-4187-0x0000000000420000-0x000000000043B000-memory.dmp

Filesize
108KB

Download
memory/2872-1058-0x0000000000420000-0x000000000043B000-memory.dmp

Filesize
108KB

Download
memory/2872-1214-0x0000000000420000-0x000000000043B000-memory.dmp

Filesize
108KB

Download
memory/3452-16550-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/3452-15530-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3588-14508-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download
memory/3588-14500-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download
memory/3588-11417-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download
memory/3588-11418-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download
memory/3920-11985-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/3920-7300-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/3920-7301-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/4848-4200-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/4848-2104-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/4928-2114-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/4928-4752-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/4928-4202-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5008-4198-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5008-4203-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5008-2130-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5008-2118-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5096-2133-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5096-3150-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5096-4754-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5096-4753-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5696-6216-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download
memory/5696-5960-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download
memory/5744-5241-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5744-10394-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5744-6282-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5784-7299-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5784-6283-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5784-5226-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5784-5228-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5816-13479-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5816-13478-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5816-10393-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5816-10392-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/5928-14509-0x0000000000420000-0x000000000043B000-memory.dmp

Filesize
108KB

Download
memory/5928-18602-0x0000000000420000-0x000000000043B000-memory.dmp

Filesize
108KB

Download
memory/6040-18621-0x00000000003E0000-0x00000000003FB000-memory.dmp

Filesize
108KB

Download
memory/6492-15529-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/6492-18620-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download