pid	Process
692	powershell.exe
3544	powershell.EXE
4040	powershell.exe
4880	powershell.exe
4204	powershell.exe
5092	powershell.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	RfVdqZS.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	RfVdqZS.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\iblkhhacnmpkhkddgdjnnijnabfefgoe\1.0.0.0\manifest.json	RfVdqZS.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	RfVdqZS.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	RfVdqZS.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	RfVdqZS.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	RfVdqZS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	RfVdqZS.exe

description	ioc	Process
File created	C:\Program Files (x86)\kLpsRMujXEpbC\XnyNHtr.xml	RfVdqZS.exe
File created	C:\Program Files (x86)\tffvHWJZU\bMbSMy.dll	RfVdqZS.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	RfVdqZS.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	RfVdqZS.exe
File created	C:\Program Files (x86)\REeMUtPoCvFU2\NpeMHAw.xml	RfVdqZS.exe
File created	C:\Program Files (x86)\kLpsRMujXEpbC\YvpkEtd.dll	RfVdqZS.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	RfVdqZS.exe
File created	C:\Program Files (x86)\REeMUtPoCvFU2\xbFMbbSSqMVyJ.dll	RfVdqZS.exe
File created	C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\NXbwydK.xml	RfVdqZS.exe
File created	C:\Program Files (x86)\RcAuZGsZhuUn\gkSFVdT.dll	RfVdqZS.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	RfVdqZS.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	RfVdqZS.exe
File created	C:\Program Files (x86)\tffvHWJZU\acexVhh.xml	RfVdqZS.exe
File created	C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\MJYAyLe.dll	RfVdqZS.exe

description	ioc	Process
File created	C:\Windows\Tasks\WFVPvOFzrjCnPPlbL.job	schtasks.exe
File created	C:\Windows\Tasks\oiGBDDjiIQmhwtu.job	schtasks.exe
File created	C:\Windows\Tasks\dSPsRFCNvoTMekFez.job	schtasks.exe
File created	C:\Windows\Tasks\butYHpXTvMdZIJsEKZ.job	schtasks.exe

pid	Process
2928	schtasks.exe
1628	schtasks.exe
5056	schtasks.exe
3500	schtasks.exe
4164	schtasks.exe
4724	schtasks.exe
2228	schtasks.exe
1536	schtasks.exe
2776	schtasks.exe
4380	schtasks.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	RfVdqZS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{39cd0eda-0000-0000-0000-d01200000000}\MaxCapacity = "14116"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{39cd0eda-0000-0000-0000-d01200000000}	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

description	pid	Process
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeIncreaseQuotaPrivilege	3140	WMIC.exe
Token: SeSecurityPrivilege	3140	WMIC.exe
Token: SeTakeOwnershipPrivilege	3140	WMIC.exe
Token: SeLoadDriverPrivilege	3140	WMIC.exe
Token: SeSystemProfilePrivilege	3140	WMIC.exe
Token: SeSystemtimePrivilege	3140	WMIC.exe
Token: SeProfSingleProcessPrivilege	3140	WMIC.exe
Token: SeIncBasePriorityPrivilege	3140	WMIC.exe
Token: SeCreatePagefilePrivilege	3140	WMIC.exe
Token: SeBackupPrivilege	3140	WMIC.exe
Token: SeRestorePrivilege	3140	WMIC.exe
Token: SeShutdownPrivilege	3140	WMIC.exe
Token: SeDebugPrivilege	3140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3140	WMIC.exe
Token: SeRemoteShutdownPrivilege	3140	WMIC.exe
Token: SeUndockPrivilege	3140	WMIC.exe
Token: SeManageVolumePrivilege	3140	WMIC.exe
Token: 33	3140	WMIC.exe
Token: 34	3140	WMIC.exe
Token: 35	3140	WMIC.exe
Token: 36	3140	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3140	WMIC.exe
Token: SeSecurityPrivilege	3140	WMIC.exe
Token: SeTakeOwnershipPrivilege	3140	WMIC.exe
Token: SeLoadDriverPrivilege	3140	WMIC.exe
Token: SeSystemProfilePrivilege	3140	WMIC.exe
Token: SeSystemtimePrivilege	3140	WMIC.exe
Token: SeProfSingleProcessPrivilege	3140	WMIC.exe
Token: SeIncBasePriorityPrivilege	3140	WMIC.exe
Token: SeCreatePagefilePrivilege	3140	WMIC.exe
Token: SeBackupPrivilege	3140	WMIC.exe
Token: SeRestorePrivilege	3140	WMIC.exe
Token: SeShutdownPrivilege	3140	WMIC.exe
Token: SeDebugPrivilege	3140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3140	WMIC.exe
Token: SeRemoteShutdownPrivilege	3140	WMIC.exe
Token: SeUndockPrivilege	3140	WMIC.exe
Token: SeManageVolumePrivilege	3140	WMIC.exe
Token: 33	3140	WMIC.exe
Token: 34	3140	WMIC.exe
Token: 35	3140	WMIC.exe
Token: 36	3140	WMIC.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	3544	powershell.EXE
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2648	WMIC.exe
Token: SeSecurityPrivilege	2648	WMIC.exe
Token: SeTakeOwnershipPrivilege	2648	WMIC.exe
Token: SeLoadDriverPrivilege	2648	WMIC.exe
Token: SeSystemtimePrivilege	2648	WMIC.exe
Token: SeBackupPrivilege	2648	WMIC.exe
Token: SeRestorePrivilege	2648	WMIC.exe
Token: SeShutdownPrivilege	2648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2648	WMIC.exe
Token: SeUndockPrivilege	2648	WMIC.exe
Token: SeManageVolumePrivilege	2648	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2648	WMIC.exe

description	pid	Process	procid_target
PID 412 wrote to memory of 428	412	cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe	73
PID 412 wrote to memory of 428	412	cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe	73
PID 412 wrote to memory of 428	412	cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe	73
PID 428 wrote to memory of 4056	428	Install.exe	74
PID 428 wrote to memory of 4056	428	Install.exe	74
PID 428 wrote to memory of 4056	428	Install.exe	74
PID 4056 wrote to memory of 3160	4056	Install.exe	75
PID 4056 wrote to memory of 3160	4056	Install.exe	75
PID 4056 wrote to memory of 3160	4056	Install.exe	75
PID 3160 wrote to memory of 1672	3160	cmd.exe	77
PID 3160 wrote to memory of 1672	3160	cmd.exe	77
PID 3160 wrote to memory of 1672	3160	cmd.exe	77
PID 1672 wrote to memory of 368	1672	forfiles.exe	78
PID 1672 wrote to memory of 368	1672	forfiles.exe	78
PID 1672 wrote to memory of 368	1672	forfiles.exe	78
PID 368 wrote to memory of 192	368	cmd.exe	79
PID 368 wrote to memory of 192	368	cmd.exe	79
PID 368 wrote to memory of 192	368	cmd.exe	79
PID 3160 wrote to memory of 4808	3160	cmd.exe	80
PID 3160 wrote to memory of 4808	3160	cmd.exe	80
PID 3160 wrote to memory of 4808	3160	cmd.exe	80
PID 4808 wrote to memory of 4644	4808	forfiles.exe	81
PID 4808 wrote to memory of 4644	4808	forfiles.exe	81
PID 4808 wrote to memory of 4644	4808	forfiles.exe	81
PID 4644 wrote to memory of 2560	4644	cmd.exe	82
PID 4644 wrote to memory of 2560	4644	cmd.exe	82
PID 4644 wrote to memory of 2560	4644	cmd.exe	82
PID 3160 wrote to memory of 1556	3160	cmd.exe	83
PID 3160 wrote to memory of 1556	3160	cmd.exe	83
PID 3160 wrote to memory of 1556	3160	cmd.exe	83
PID 1556 wrote to memory of 212	1556	forfiles.exe	84
PID 1556 wrote to memory of 212	1556	forfiles.exe	84
PID 1556 wrote to memory of 212	1556	forfiles.exe	84
PID 212 wrote to memory of 1536	212	cmd.exe	85
PID 212 wrote to memory of 1536	212	cmd.exe	85
PID 212 wrote to memory of 1536	212	cmd.exe	85
PID 3160 wrote to memory of 1508	3160	cmd.exe	86
PID 3160 wrote to memory of 1508	3160	cmd.exe	86
PID 3160 wrote to memory of 1508	3160	cmd.exe	86
PID 1508 wrote to memory of 1384	1508	forfiles.exe	87

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.