Analysis Overview
SHA256
3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08
Threat Level: Known bad
The file 3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08 was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-01 04:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-01 04:51
Reported
2022-07-01 05:45
Platform
win7-20220414-en
Max time kernel
151s
Max time network
154s
Command Line
Signatures
Imminent RAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Svchost = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Svchost.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe
"C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe
"C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | moview.mywire.org | udp |
| BE | 109.134.212.99:9003 | moview.mywire.org | tcp |
Files
\Users\Admin\AppData\Roaming\Win64\Svchost.exe
| MD5 | 73349048786f9da8057aa52d76443190 |
| SHA1 | c006b92142a4e21eb99e2206055bb24d672ad9bd |
| SHA256 | 3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08 |
| SHA512 | 9a12eead2bb93c9769e7f75b983a7e2b2cbc9a9fe7cc80e2fc68527c75726fd29716d70bdecef72a7416338ecd8941093908b43146afc42ea01a05243c9fb73f |
C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe
| MD5 | 73349048786f9da8057aa52d76443190 |
| SHA1 | c006b92142a4e21eb99e2206055bb24d672ad9bd |
| SHA256 | 3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08 |
| SHA512 | 9a12eead2bb93c9769e7f75b983a7e2b2cbc9a9fe7cc80e2fc68527c75726fd29716d70bdecef72a7416338ecd8941093908b43146afc42ea01a05243c9fb73f |
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-01 04:51
Reported
2022-07-01 05:45
Platform
win10v2004-20220414-en
Max time kernel
151s
Max time network
154s
Command Line
Signatures
Imminent RAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Svchost.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe
"C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe
"C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | moview.mywire.org | udp |
| BE | 109.134.212.99:9003 | moview.mywire.org | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 52.168.117.170:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| US | 104.18.25.243:80 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe
| MD5 | 73349048786f9da8057aa52d76443190 |
| SHA1 | c006b92142a4e21eb99e2206055bb24d672ad9bd |
| SHA256 | 3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08 |
| SHA512 | 9a12eead2bb93c9769e7f75b983a7e2b2cbc9a9fe7cc80e2fc68527c75726fd29716d70bdecef72a7416338ecd8941093908b43146afc42ea01a05243c9fb73f |