pid	Process
1636	powershell.exe
2744	powershell.exe
3148	powershell.exe
4764	powershell.EXE
596	powershell.exe
3840	powershell.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

pid	Process
1808	Install.exe
4388	Install.exe
4964	Install.exe
2700	zcPGbPn.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	zcPGbPn.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	zcPGbPn.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA	zcPGbPn.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719	zcPGbPn.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719	zcPGbPn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	zcPGbPn.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	zcPGbPn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	zcPGbPn.exe

description	ioc	Process
File created	C:\Program Files (x86)\tffvHWJZU\pFTPFi.dll	zcPGbPn.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	zcPGbPn.exe
File created	C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\ySDpotB.xml	zcPGbPn.exe
File created	C:\Program Files (x86)\tffvHWJZU\SZjKgih.xml	zcPGbPn.exe
File created	C:\Program Files (x86)\kLpsRMujXEpbC\uLwHmhG.dll	zcPGbPn.exe
File created	C:\Program Files (x86)\kLpsRMujXEpbC\ydQQvhR.xml	zcPGbPn.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	zcPGbPn.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	zcPGbPn.exe
File created	C:\Program Files (x86)\REeMUtPoCvFU2\dpoFgTdPDFKis.dll	zcPGbPn.exe
File created	C:\Program Files (x86)\REeMUtPoCvFU2\JmAbooC.xml	zcPGbPn.exe
File created	C:\Program Files (x86)\RcAuZGsZhuUn\zSbMdTT.dll	zcPGbPn.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	zcPGbPn.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	zcPGbPn.exe
File created	C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\NhpWgcJ.dll	zcPGbPn.exe

description	ioc	Process
File created	C:\Windows\Tasks\oiGBDDjiIQmhwtu.job	schtasks.exe
File created	C:\Windows\Tasks\dSPsRFCNvoTMekFez.job	schtasks.exe
File created	C:\Windows\Tasks\butYHpXTvMdZIJsEKZ.job	schtasks.exe
File created	C:\Windows\Tasks\WFVPvOFzrjCnPPlbL.job	schtasks.exe

pid	Process
4524	schtasks.exe
4968	schtasks.exe
4692	schtasks.exe
1820	schtasks.exe
936	schtasks.exe
2600	schtasks.exe
4328	schtasks.exe
4420	schtasks.exe
4936	schtasks.exe
316	schtasks.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	zcPGbPn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	zcPGbPn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

description	pid	Process
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeIncreaseQuotaPrivilege	4368	WMIC.exe
Token: SeSecurityPrivilege	4368	WMIC.exe
Token: SeTakeOwnershipPrivilege	4368	WMIC.exe
Token: SeLoadDriverPrivilege	4368	WMIC.exe
Token: SeSystemProfilePrivilege	4368	WMIC.exe
Token: SeSystemtimePrivilege	4368	WMIC.exe
Token: SeProfSingleProcessPrivilege	4368	WMIC.exe
Token: SeIncBasePriorityPrivilege	4368	WMIC.exe
Token: SeCreatePagefilePrivilege	4368	WMIC.exe
Token: SeBackupPrivilege	4368	WMIC.exe
Token: SeRestorePrivilege	4368	WMIC.exe
Token: SeShutdownPrivilege	4368	WMIC.exe
Token: SeDebugPrivilege	4368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4368	WMIC.exe
Token: SeRemoteShutdownPrivilege	4368	WMIC.exe
Token: SeUndockPrivilege	4368	WMIC.exe
Token: SeManageVolumePrivilege	4368	WMIC.exe
Token: 33	4368	WMIC.exe
Token: 34	4368	WMIC.exe
Token: 35	4368	WMIC.exe
Token: 36	4368	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4368	WMIC.exe
Token: SeSecurityPrivilege	4368	WMIC.exe
Token: SeTakeOwnershipPrivilege	4368	WMIC.exe
Token: SeLoadDriverPrivilege	4368	WMIC.exe
Token: SeSystemProfilePrivilege	4368	WMIC.exe
Token: SeSystemtimePrivilege	4368	WMIC.exe
Token: SeProfSingleProcessPrivilege	4368	WMIC.exe
Token: SeIncBasePriorityPrivilege	4368	WMIC.exe
Token: SeCreatePagefilePrivilege	4368	WMIC.exe
Token: SeBackupPrivilege	4368	WMIC.exe
Token: SeRestorePrivilege	4368	WMIC.exe
Token: SeShutdownPrivilege	4368	WMIC.exe
Token: SeDebugPrivilege	4368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4368	WMIC.exe
Token: SeRemoteShutdownPrivilege	4368	WMIC.exe
Token: SeUndockPrivilege	4368	WMIC.exe
Token: SeManageVolumePrivilege	4368	WMIC.exe

description	pid	Process	procid_target
PID 516 wrote to memory of 1808	516	4499ba71ec231f74863351e805915d9e821f83750091ce0c8d547b2014058fc4.exe	73
PID 516 wrote to memory of 1808	516	4499ba71ec231f74863351e805915d9e821f83750091ce0c8d547b2014058fc4.exe	73
PID 516 wrote to memory of 1808	516	4499ba71ec231f74863351e805915d9e821f83750091ce0c8d547b2014058fc4.exe	73
PID 1808 wrote to memory of 4388	1808	Install.exe	74
PID 1808 wrote to memory of 4388	1808	Install.exe	74
PID 1808 wrote to memory of 4388	1808	Install.exe	74
PID 4388 wrote to memory of 1836	4388	Install.exe	188
PID 4388 wrote to memory of 1836	4388	Install.exe	188
PID 4388 wrote to memory of 1836	4388	Install.exe	188
PID 1836 wrote to memory of 3964	1836	cmd.exe	77
PID 1836 wrote to memory of 3964	1836	cmd.exe	77
PID 1836 wrote to memory of 3964	1836	cmd.exe	77
PID 3964 wrote to memory of 2976	3964	forfiles.exe	125
PID 3964 wrote to memory of 2976	3964	forfiles.exe	125
PID 3964 wrote to memory of 2976	3964	forfiles.exe	125
PID 2976 wrote to memory of 4888	2976	cmd.exe	177
PID 2976 wrote to memory of 4888	2976	cmd.exe	177
PID 2976 wrote to memory of 4888	2976	cmd.exe	177
PID 1836 wrote to memory of 4936	1836	cmd.exe	80
PID 1836 wrote to memory of 4936	1836	cmd.exe	80
PID 1836 wrote to memory of 4936	1836	cmd.exe	80
PID 4936 wrote to memory of 2192	4936	forfiles.exe	81
PID 4936 wrote to memory of 2192	4936	forfiles.exe	81
PID 4936 wrote to memory of 2192	4936	forfiles.exe	81
PID 2192 wrote to memory of 4896	2192	cmd.exe	82
PID 2192 wrote to memory of 4896	2192	cmd.exe	82
PID 2192 wrote to memory of 4896	2192	cmd.exe	82
PID 1836 wrote to memory of 3188	1836	cmd.exe	83
PID 1836 wrote to memory of 3188	1836	cmd.exe	83
PID 1836 wrote to memory of 3188	1836	cmd.exe	83
PID 3188 wrote to memory of 2120	3188	forfiles.exe	84
PID 3188 wrote to memory of 2120	3188	forfiles.exe	84
PID 3188 wrote to memory of 2120	3188	forfiles.exe	84
PID 2120 wrote to memory of 1176	2120	cmd.exe	126
PID 2120 wrote to memory of 1176	2120	cmd.exe	126
PID 2120 wrote to memory of 1176	2120	cmd.exe	126
PID 1836 wrote to memory of 4468	1836	cmd.exe	86
PID 1836 wrote to memory of 4468	1836	cmd.exe	86
PID 1836 wrote to memory of 4468	1836	cmd.exe	86
PID 4468 wrote to memory of 3400	4468	forfiles.exe	87

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.