Malware Analysis Report

2024-11-15 07:47

Sample ID: 241111-sa5ejazkay
Target: checker.exe
SHA256: 1f0a70334fb3a63b9c70cdfe01c012829cc380970cd6b12936f22d44e3c0e388
Tags: pyinstaller gurcu milleniumrat discovery evasion execution persistence rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 1f0a70334fb3a63b9c70cdfe01c012829cc380970cd6b12936f22d44e3c0e388
Threat Level: Known bad

The file checker.exe was found to be: Known bad.

Malicious Activity Summary

Tags: pyinstaller gurcu milleniumrat discovery evasion execution persistence rat spyware stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

MilleniumRat

Process spawned unexpected child process

Gurcu family

Suspicious use of NtCreateProcessExOtherParentProcess

Milleniumrat family

Gurcu, WhiteSnake

Modifies WinLogon for persistence

Stops running service(s)

Contacts a large (1445) amount of remote hosts

Contacts a large (1501) amount of remote hosts

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates processes with tasklist

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Detects Pyinstaller

Browser Information Discovery

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of UnmapMainImage

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Checks SCSI registry key(s)

Modifies registry class

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported: 2024-11-11 14:56

Signatures

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-11 14:56
Reported: 2024-11-11 14:59
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 152s

Command Line

winlogon.exe

Signatures

Gurcu family

gurcu

Gurcu, WhiteSnake

stealer gurcu

MilleniumRat

rat stealer milleniumrat

Milleniumrat family

milleniumrat

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Application Data\\sppsvc.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextInputHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Application Data\\sppsvc.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextInputHost.exe\", \"C:\\Windows\\appcompat\\appraiser\\Telemetry\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Application Data\\sppsvc.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextInputHost.exe\", \"C:\\Windows\\appcompat\\appraiser\\Telemetry\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\setup.exe\"" | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default\\Application Data\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | C:\Windows\system32\wbem\wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | C:\Windows\system32\wbem\wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | C:\Windows\system32\wbem\wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | C:\Windows\system32\wbem\wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | C:\Windows\system32\wbem\wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | C:\Windows\system32\wbem\wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | C:\Windows\system32\wbem\wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | C:\Windows\system32\wbem\wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | C:\Windows\system32\wbem\wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | C:\Windows\system32\wbem\wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | C:\Windows\system32\wbem\wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | C:\Windows\system32\wbem\wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | C:\Windows\system32\wbem\wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | C:\Windows\system32\wbem\wmiprvse.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | C:\Windows\system32\wbem\wmiprvse.exe

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Contacts a large (1501) amount of remote hosts

discovery

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\ProgramData\svchost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\ProgramData\main.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\_MEI17962\s.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextInputHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextInputHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\appcompat\\appraiser\\Telemetry\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setup = "\"C:\\Recovery\\WindowsRE\\setup.exe\"" | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe" | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\козляк = "C:\\ProgramData\\crss.exe" | C:\ProgramData\crss.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default\\Application Data\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default\\Application Data\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\appcompat\\appraiser\\Telemetry\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setup = "\"C:\\Recovery\\WindowsRE\\setup.exe\"" | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
File created | \??\c:\Windows\System32\CSC2D1A86F26F54872AC892C34AECAA1CD.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A
File created | \??\c:\Windows\System32\xqt5sk.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\crss.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4028 set thread context of 8068 | N/A | C:\ProgramData\setup.exe | C:\Windows\System32\dialer.exe
PID 7896 set thread context of 8148 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\dialer.exe
PID 7896 set thread context of 8172 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\dialer.exe
PID 7896 set thread context of 7788 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\dialer.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Google\Chrome\updater.exe | C:\ProgramData\setup.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\TextInputHost.exe | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\22eafd247d37c3 | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
File created | C:\Program Files\ModifiableWindowsApps\System.exe | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\appcompat\appraiser\Telemetry\Idle.exe | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
File created | C:\Windows\appcompat\appraiser\Telemetry\6ccacd8608530f | C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\_MEI17962\s.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 11 Nov 2024 14:58:18 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={1CEB11FC-AAA2-4D46-AC7F-70CB91DA5A1F}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1731337096" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\ProgramData\svchost.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\main.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\crss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Application Data\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1796 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\checker.exe C:\Users\Admin\AppData\Local\Temp\checker.exe
PID 4372 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\checker.exe C:\Windows\system32\cmd.exe
PID 752 wrote to memory of 3232 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\_MEI17962\s.exe
PID 3232 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\_MEI17962\s.exe C:\ProgramData\main.exe
PID 3232 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\_MEI17962\s.exe C:\ProgramData\svchost.exe
PID 3232 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\_MEI17962\s.exe C:\ProgramData\crss.exe
PID 3232 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\_MEI17962\s.exe C:\ProgramData\setup.exe
PID 4548 wrote to memory of 4908 N/A C:\ProgramData\svchost.exe C:\Windows\SysWOW64\WScript.exe
PID 3320 wrote to memory of 2096 N/A C:\ProgramData\crss.exe C:\ProgramData\crss.exe
PID 4908 wrote to memory of 752 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 4944 N/A C:\ProgramData\crss.exe C:\Windows\system32\cmd.exe
PID 752 wrote to memory of 5188 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
PID 5188 wrote to memory of 6204 N/A C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 6204 wrote to memory of 6112 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 5188 wrote to memory of 6152 N/A C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 6152 wrote to memory of 6004 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1064 wrote to memory of 5912 N/A C:\ProgramData\main.exe C:\Windows\System32\cmd.exe
PID 5912 wrote to memory of 5804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 5912 wrote to memory of 5792 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 5912 wrote to memory of 5628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 5188 wrote to memory of 5596 N/A C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe C:\Windows\System32\cmd.exe
PID 5596 wrote to memory of 5540 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 5596 wrote to memory of 5520 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5912 wrote to memory of 4528 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
PID 5596 wrote to memory of 6804 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Application Data\sppsvc.exe
PID 4528 wrote to memory of 6980 N/A C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe C:\Windows\System32\cmd.exe
PID 6980 wrote to memory of 7228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3288 wrote to memory of 8184 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3288 wrote to memory of 8148 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3288 wrote to memory of 8128 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\checker.exe

"C:\Users\Admin\AppData\Local\Temp\checker.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\checker.exe

"C:\Users\Admin\AppData\Local\Temp\checker.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI17962\s.exe -pbeznogym

C:\Users\Admin\AppData\Local\Temp\_MEI17962\s.exe

C:\Users\Admin\AppData\Local\Temp\_MEI17962\s.exe -pbeznogym

C:\ProgramData\main.exe

"C:\ProgramData\main.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\ProgramData\svchost.exe

"C:\ProgramData\svchost.exe"

C:\ProgramData\crss.exe

"C:\ProgramData\crss.exe"

C:\ProgramData\setup.exe

"C:\ProgramData\setup.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"

C:\ProgramData\crss.exe

"C:\ProgramData\crss.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

"C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s2ovvggx\s2ovvggx.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE22.tmp" "c:\ProgramData\CSC731EE69FAFA3469EAF4DF58C5D729646.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5wcwxeem\5wcwxeem.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF3B.tmp" "c:\Windows\System32\CSC2D1A86F26F54872AC892C34AECAA1CD.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Application Data\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\TextInputHost.exe'" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAF6A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpAF6A.tmp.bat

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\appcompat\appraiser\Telemetry\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\appcompat\appraiser\Telemetry\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 1064"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\appcompat\appraiser\Telemetry\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "setups" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\setup.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "setup" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\setup.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "setups" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\setup.exe'" /rl HIGHEST /f

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ARh7JHHqAE.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Users\Default\Application Data\sppsvc.exe

"C:\Users\Default\Application Data\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4528 -s 2856

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\yntnomxcupkb.xml"

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

Network

US 8.8.8.8:53 29.252.181.81.in-addr.arpa udp
JP 125.102.192.223:80 tcp
RO 81.181.252.29:443 tcp
US 71.204.168.225:80 tcp
US 144.2.2.111:80 tcp
AU 202.37.90.217:80 tcp
IN 108.158.246.109:80 tcp
US 169.204.154.132:80 tcp
FR 86.204.46.4:80 tcp
US 29.201.117.111:80 tcp
IN 108.158.246.109:80 108.158.246.109 tcp
KR 203.248.175.55:80 tcp
US 129.22.78.21:80 tcp
US 98.17.5.136:80 tcp
US 8.8.8.8:53 109.246.158.108.in-addr.arpa udp
TW 140.124.68.103:80 tcp
SG 43.38.57.176:80 tcp
US 206.208.103.90:80 tcp
CA 142.21.10.177:80 tcp
JP 115.177.166.6:80 tcp
CN 122.156.28.150:80 tcp
US 75.211.23.33:80 tcp
CN 116.234.53.6:80 tcp
SE 194.71.235.144:80 tcp
CN 183.233.242.234:80 tcp
DE 158.220.229.30:80 tcp
RU 82.194.245.146:80 tcp
VE 201.242.194.127:80 tcp
US 137.170.229.228:80 tcp
GB 31.76.217.167:80 tcp
US 158.52.63.223:80 tcp
US 17.184.3.203:80 tcp
DE 31.249.126.197:80 tcp
US 26.151.75.244:80 tcp
IT 87.17.214.198:80 tcp
US 137.170.173.2:80 tcp
CA 3.96.11.114:80 tcp
ES 90.174.51.214:80 tcp
VN 171.253.5.75:80 tcp
AU 144.138.28.78:80 tcp
US 40.30.195.222:80 tcp
NL 145.22.103.62:80 tcp
US 128.200.98.146:80 tcp
CN 39.80.135.245:80 tcp
PL 89.71.7.12:80 tcp
US 174.129.114.85:80 tcp
NL 145.141.206.216:80 tcp
US 152.5.224.82:80 tcp
US 17.245.192.73:80 tcp
US 48.192.179.45:80 tcp
ID 39.239.248.143:80 tcp
US 98.78.3.32:80 tcp
BR 177.157.253.152:80 tcp
US 71.116.180.80:80 tcp
US 128.62.146.250:80 tcp
US 7.62.136.13:80 tcp
CN 36.180.132.184:80 tcp
NZ 121.90.245.19:80 tcp
GB 151.180.233.122:80 tcp
US 72.181.74.64:80 tcp
US 12.198.113.149:80 tcp
JP 126.145.173.140:80 tcp
US 17.120.43.13:80 tcp
DE 141.62.112.136:80 tcp
US 32.161.85.177:80 tcp
US 30.50.218.136:80 tcp
US 11.253.197.167:80 tcp
DE 5.146.233.156:80 tcp
US 208.85.172.71:80 tcp
US 11.237.23.14:80 tcp
JP 150.55.28.252:80 tcp
US 146.9.75.222:80 tcp
JP 133.91.199.245:80 tcp
US 174.45.27.169:80 tcp
KR 210.110.253.221:80 tcp
US 97.1.111.46:80 tcp
CN 110.84.188.51:80 tcp
US 67.150.142.134:80 tcp
CN 182.245.44.246:80 tcp
PL 31.193.96.91:80 tcp
US 97.138.254.140:80 tcp
SK 87.197.18.174:80 tcp
US 168.230.29.150:80 tcp
US 149.121.247.117:80 tcp
GB 80.82.245.217:80 tcp
HK 8.223.13.3:80 tcp
FI 82.116.231.80:80 tcp
US 96.222.159.3:80 tcp
FR 176.150.27.5:80 tcp
CN 111.30.129.49:80 tcp
US 168.184.115.205:80 tcp
IT 5.94.144.222:80 tcp
US 167.190.222.65:80 tcp
CN 112.30.62.177:80 tcp
AU 110.238.188.180:80 tcp
IT 87.17.206.28:80 tcp
ZA 41.194.232.16:80 tcp
TR 213.14.62.204:80 tcp
AU 150.203.97.92:80 tcp
CA 142.9.234.41:80 tcp
VN 14.183.169.246:80 tcp
BE 109.136.108.10:80 tcp
HU 146.110.120.39:80 tcp
JP 126.60.76.7:80 tcp
US 75.146.147.37:80 tcp
US 208.169.1.186:80 tcp
US 71.165.168.243:80 tcp
FI 195.156.3.127:80 tcp
US 24.39.248.174:80 tcp
US 29.85.243.27:80 tcp
TN 102.28.149.160:80 tcp
LV 81.198.129.153:80 tcp
LV 81.198.129.153:80 81.198.129.153 tcp
US 143.211.193.71:80 tcp
US 17.164.135.166:80 tcp
BR 179.186.7.68:80 tcp
CH 138.198.132.197:80 tcp
US 131.150.211.90:80 tcp
US 192.84.19.62:80 tcp
US 12.182.120.64:80 tcp
DE 62.9.147.211:80 tcp
KW 31.203.255.12:80 tcp
US 11.195.60.69:80 tcp
KR 220.120.15.99:80 tcp
US 215.54.243.184:80 tcp
US 8.8.8.8:53 153.129.198.81.in-addr.arpa udp
CH 138.222.161.143:80 tcp
IT 82.53.67.101:80 tcp
US 17.190.243.128:80 tcp
US 6.192.214.184:80 tcp
KR 58.143.234.245:80 tcp
US 63.40.242.145:80 tcp
PL 31.178.146.21:80 tcp
US 69.62.91.39:80 tcp
US 147.49.5.78:80 tcp
CN 120.37.248.101:80 tcp
RO 89.165.202.65:80 tcp
US 75.126.55.95:80 tcp
AU 168.186.53.233:80 tcp
US 15.231.122.166:80 tcp
CH 137.138.114.23:80 tcp
US 157.55.127.196:80 tcp
US 9.208.196.101:80 tcp
GB 18.169.148.248:80 tcp
DE 87.134.37.205:80 tcp
US 184.97.205.183:80 tcp
US 147.203.110.51:80 tcp
CN 59.244.160.243:80 tcp
HK 43.198.242.51:80 tcp
US 107.214.236.254:80 tcp
IN 103.153.22.171:80 tcp
CN 42.49.88.153:80 tcp
IN 103.153.22.171:80 103.153.22.171 tcp
ES 213.151.105.13:80 tcp
US 26.206.196.91:80 tcp
US 216.235.192.47:80 tcp
US 147.153.94.252:80 tcp
CA 207.112.85.190:80 tcp
US 47.234.196.135:80 tcp
US 8.8.8.8:53 171.22.153.103.in-addr.arpa udp
BE 109.131.103.124:80 tcp
US 68.116.249.255:80 tcp
CN 115.49.78.152:80 tcp
DE 2.174.27.50:80 tcp
PL 89.71.39.185:80 tcp
CN 14.204.64.192:80 tcp
SG 43.34.3.157:80 tcp
JP 1.114.128.103:80 tcp
NL 178.230.235.163:80 tcp
CN 52.82.24.188:80 tcp
EG 196.158.99.126:80 tcp
US 16.70.33.207:80 tcp
KR 58.74.110.88:80 tcp
AT 193.154.229.229:80 tcp
TR 212.2.193.66:80 tcp
US 64.47.111.62:80 tcp
US 207.133.208.35:80 tcp
US 47.253.17.1:80 tcp
SE 130.238.20.222:80 tcp
US 172.85.241.90:80 tcp
SE 213.112.222.101:80 tcp
JP 223.218.18.96:80 tcp
CN 43.183.12.62:80 tcp
US 98.146.216.243:80 tcp
GB 82.36.93.61:80 tcp
US 54.49.98.222:80 tcp
FR 80.10.138.147:80 tcp
KR 211.169.253.19:80 tcp
US 65.206.70.156:80 tcp
US 32.68.68.79:80 tcp
CN 114.221.193.28:80 tcp
US 198.211.76.50:80 tcp
IT 217.9.77.127:80 tcp
US 75.64.250.167:80 tcp
US 38.124.30.247:80 tcp
JP 161.95.83.150:80 tcp
US 162.158.120.96:80 tcp
US 33.162.77.5:80 tcp
US 21.168.47.96:80 tcp
AT 93.111.218.161:80 tcp
CO 181.51.97.255:80 tcp
CN 120.232.24.44:80 tcp
CN 119.145.152.73:80 tcp
ZA 105.245.254.209:80 tcp
US 4.57.167.222:80 tcp
US 74.162.44.53:80 tcp
SG 43.114.167.4:80 tcp
BR 186.226.58.218:80 tcp
DE 217.91.211.102:80 tcp
IE 17.65.207.155:80 tcp
JP 20.89.134.76:80 tcp
ID 103.155.153.104:80 tcp
BR 186.226.58.218:80 186.226.58.218 tcp
BR 191.179.112.16:80 tcp
US 30.237.249.130:80 tcp
TR 178.247.173.135:80 tcp
US 137.103.81.140:80 tcp
US 12.180.193.83:80 tcp
DE 53.185.69.118:80 tcp
DE 83.127.13.208:80 tcp
JP 133.126.98.227:80 tcp
US 38.189.98.188:80 tcp
US 38.247.70.140:80 tcp
CN 113.128.96.239:80 tcp
BE 78.22.214.81:80 tcp
CN 218.95.110.55:80 tcp
US 8.8.8.8:53 218.58.226.186.in-addr.arpa udp
US 67.72.231.163:80 tcp
KR 182.172.57.176:80 tcp
CN 223.160.64.40:80 tcp
US 66.214.201.168:80 tcp
US 214.13.87.200:80 tcp
US 209.189.182.236:80 tcp
US 96.210.227.157:80 tcp
CN 1.92.71.8:80 tcp
SG 43.3.223.134:80 tcp
HU 193.68.40.233:80 tcp
GB 158.176.193.75:80 tcp
KR 14.65.90.2:80 tcp
US 173.83.85.53:80 tcp
GB 81.132.9.13:80 tcp
GB 92.234.38.240:80 tcp
US 161.123.184.9:80 tcp
US 204.142.124.99:80 tcp
AU 220.236.72.63:80 tcp
AU 60.231.23.113:80 tcp
NO 139.117.176.18:80 tcp
US 71.54.248.167:80 tcp
US 29.170.4.189:80 tcp
CN 49.84.85.134:80 tcp
JP 60.118.115.85:80 tcp
RU 95.71.39.98:80 tcp
US 35.250.253.222:80 tcp
TW 125.231.96.135:80 tcp
US 71.240.179.92:80 tcp
IT 93.32.92.10:80 tcp
RS 109.93.70.169:80 tcp
US 205.231.222.191:80 tcp
PT 94.132.119.142:80 tcp
US 96.198.105.102:80 tcp
JP 180.15.96.214:80 tcp
FR 92.134.58.98:80 tcp
US 98.93.208.36:80 tcp
US 76.246.219.82:80 tcp
US 28.199.172.141:80 tcp
US 29.75.134.117:80 tcp
FR 176.174.245.214:80 tcp
US 156.136.214.53:80 tcp
US 17.93.244.17:80 tcp
AR 186.182.14.67:80 tcp
CO 191.88.255.182:80 tcp
MX 189.145.142.64:80 tcp
US 173.249.109.124:80 tcp
CA 15.235.17.171:80 tcp
ID 120.161.172.31:80 tcp
AR 190.94.165.241:80 tcp
US 157.145.43.99:80 tcp
FR 176.188.2.167:80 tcp
CH 169.34.2.185:80 tcp
KZ 194.58.42.154:80 194.58.42.154 tcp
CA 51.79.70.92:80 tcp
PK 119.73.36.198:80 tcp
US 204.239.182.91:80 tcp
US 206.183.217.86:80 tcp
CO 186.87.240.210:80 tcp
KR 58.102.197.14:80 tcp
US 70.85.205.109:80 tcp
BR 179.218.171.191:80 tcp
JP 126.171.207.77:80 tcp
US 148.126.255.42:80 tcp
US 48.101.206.161:80 tcp
DE 57.111.199.65:80 tcp
HU 195.111.174.174:80 tcp
IT 17.70.226.196:80 tcp
DE 195.63.188.23:80 tcp
DE 53.181.88.186:80 tcp
CN 116.160.63.125:80 tcp
US 98.43.237.90:80 tcp
CN 157.119.141.216:80 tcp
US 48.250.101.221:80 tcp
US 48.225.5.31:80 tcp
CN 111.211.176.218:80 tcp
US 11.5.46.103:80 tcp
CN 123.232.200.202:80 tcp
US 67.15.69.22:80 tcp
CH 160.85.52.170:80 tcp
KR 175.116.125.141:80 tcp
US 164.83.54.73:80 tcp
IE 99.81.205.95:80 tcp
US 140.200.39.243:80 tcp
CO 191.66.18.213:80 tcp
US 215.174.9.241:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI17962\python310.dll

C:\Users\Admin\AppData\Local\Temp\_MEI17962\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI17962\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI17962\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI17962\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI17962\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI17962\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI17962\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI17962\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI17962\s.exe

C:\Users\Admin\AppData\Local\Temp\_MEI17962\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI17962\base_library.zip

C:\ProgramData\main.exe

C:\ProgramData\svchost.exe

C:\ProgramData\crss.exe

C:\ProgramData\setup.exe

C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

C:\Users\Admin\AppData\Local\Temp\_MEI33202\setuptools\_vendor\importlib_resources-6.4.0.dist-info\INSTALLER

C:\Users\Admin\AppData\Local\Temp\_MEI33202\setuptools\_vendor\jaraco.text-3.12.1.dist-info\WHEEL

C:\Users\Admin\AppData\Local\Temp\_MEI33202\setuptools\_vendor\jaraco.functools-4.0.1.dist-info\LICENSE

C:\Users\Admin\AppData\Local\Temp\_MEI33202\_cffi_backend.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI33202\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI33202\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI33202\pyexpat.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI33202\_pytransform.dll

C:\Users\Admin\AppData\Local\Temp\_MEI33202\_overlapped.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI33202\_multiprocessing.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI33202\_brotli.cp310-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI33202\_asyncio.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI33202\VCRUNTIME140_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI33202\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI33202\libffi-7.dll

C:\Users\Admin\AppData\Local\Temp\_MEI33202\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI33202\python3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI33202\base_library.zip

C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe

C:\Users\Default\AppData\Roaming\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mcsezmgp.ia1.ps1

C:\ProgramData\шева.txt

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 14:56

Reported

2024-11-11 14:59

Platform

win10ltsc2021-20241023-en

Max time kernel

150s

Max time network

152s

Command Line

winlogon.exe

Signatures

Gurcu family

gurcu

Gurcu, WhiteSnake

stealer gurcu

MilleniumRat

rat stealer milleniumrat

Milleniumrat family

milleniumrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Pictures\\SppExtComObj.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Pictures\\SppExtComObj.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\dwm.exe\", \"C:\\Windows\\Help\\Corporate\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Pictures\\SppExtComObj.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\dwm.exe\", \"C:\\Windows\\Help\\Corporate\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Pictures\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Pictures\\SppExtComObj.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe C:\Windows\system32\wbem\wmiprvse.exe
(identical row recorded 15 times)

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 8592 created 2900 N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(identical row recorded 2 times)

Contacts a large (1445) amount of remote hosts

discovery

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation C:\ProgramData\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation C:\ProgramData\main.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\Help\\Corporate\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Admin\\Pictures\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Admin\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Admin\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\Help\\Corporate\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\козляк = "C:\\ProgramData\\crss.exe" C:\ProgramData\crss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Admin\\Pictures\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
(identical row recorded 5 times)

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
(identical row recorded 2 times)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File created \??\c:\Windows\System32\CSC7D9F541B63EF49B98441769162358B2.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File created \??\c:\Windows\System32\gl7s3v.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\crss.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5276 set thread context of 6172 N/A C:\ProgramData\setup.exe C:\Windows\System32\dialer.exe
PID 6776 set thread context of 5348 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\dialer.exe
PID 6776 set thread context of 4632 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\dialer.exe
PID 6776 set thread context of 3960 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\dialer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\ModifiableWindowsApps\TrustedInstaller.exe C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\ProgramData\setup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Help\Corporate\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
File created C:\Windows\Help\Corporate\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
File created C:\Windows\LanguageOverlayCache\crss.exe C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={8F4CBB41-74B8-4011-B44C-F76D702C5A96}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 11 Nov 2024 14:58:22 GMT" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1731337100" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings C:\ProgramData\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\main.exe N/A
(identical row recorded 25 times)
N/A N/A C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
(identical row recorded 39 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\main.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\crss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege, reported by LUID) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (SeTimeZonePrivilege, reported by LUID) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege, reported by LUID) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege, reported by LUID) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\SppExtComObj.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2588 wrote to memory of 5200 N/A C:\Users\Admin\AppData\Local\Temp\checker.exe C:\Users\Admin\AppData\Local\Temp\checker.exe
PID 2588 wrote to memory of 5200 N/A C:\Users\Admin\AppData\Local\Temp\checker.exe C:\Users\Admin\AppData\Local\Temp\checker.exe
PID 5200 wrote to memory of 5188 N/A C:\Users\Admin\AppData\Local\Temp\checker.exe C:\Windows\system32\cmd.exe
PID 5200 wrote to memory of 5188 N/A C:\Users\Admin\AppData\Local\Temp\checker.exe C:\Windows\system32\cmd.exe
PID 5188 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe
PID 5188 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe
PID 5188 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe
PID 4324 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe C:\ProgramData\main.exe
PID 4324 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe C:\ProgramData\main.exe
PID 4324 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe C:\ProgramData\svchost.exe
PID 4324 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe C:\ProgramData\svchost.exe
PID 4324 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe C:\ProgramData\svchost.exe
PID 4324 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe C:\ProgramData\crss.exe
PID 4324 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe C:\ProgramData\crss.exe
PID 4324 wrote to memory of 5276 N/A C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe C:\ProgramData\setup.exe
PID 4324 wrote to memory of 5276 N/A C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe C:\ProgramData\setup.exe
PID 4668 wrote to memory of 588 N/A C:\ProgramData\svchost.exe C:\Windows\SysWOW64\WScript.exe
PID 4668 wrote to memory of 588 N/A C:\ProgramData\svchost.exe C:\Windows\SysWOW64\WScript.exe
PID 4668 wrote to memory of 588 N/A C:\ProgramData\svchost.exe C:\Windows\SysWOW64\WScript.exe
PID 3760 wrote to memory of 420 N/A C:\ProgramData\crss.exe C:\ProgramData\crss.exe
PID 3760 wrote to memory of 420 N/A C:\ProgramData\crss.exe C:\ProgramData\crss.exe
PID 588 wrote to memory of 4504 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 4504 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 4504 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 420 wrote to memory of 1400 N/A C:\ProgramData\crss.exe C:\Windows\system32\cmd.exe
PID 420 wrote to memory of 1400 N/A C:\ProgramData\crss.exe C:\Windows\system32\cmd.exe
PID 4504 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
PID 4504 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
PID 4460 wrote to memory of 5472 N/A C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4460 wrote to memory of 5472 N/A C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 5472 wrote to memory of 2288 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 5472 wrote to memory of 2288 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4460 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4460 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 5016 wrote to memory of 2244 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 5016 wrote to memory of 2244 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4348 wrote to memory of 116 N/A C:\ProgramData\main.exe C:\Windows\System32\cmd.exe
PID 4348 wrote to memory of 116 N/A C:\ProgramData\main.exe C:\Windows\System32\cmd.exe
PID 116 wrote to memory of 6132 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 116 wrote to memory of 6132 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 116 wrote to memory of 5608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 116 wrote to memory of 5608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4460 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe C:\Windows\System32\cmd.exe
PID 4460 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe C:\Windows\System32\cmd.exe
PID 4256 wrote to memory of 1036 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4256 wrote to memory of 1036 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 116 wrote to memory of 4188 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 116 wrote to memory of 4188 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 4256 wrote to memory of 5340 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4256 wrote to memory of 5340 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 116 wrote to memory of 2900 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
PID 116 wrote to memory of 2900 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
PID 2900 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe C:\Windows\System32\cmd.exe
PID 2900 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe C:\Windows\System32\cmd.exe
PID 4240 wrote to memory of 5008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4240 wrote to memory of 5008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3244 wrote to memory of 3948 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3244 wrote to memory of 3948 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3244 wrote to memory of 4136 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3244 wrote to memory of 4136 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3244 wrote to memory of 5360 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3244 wrote to memory of 5360 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3244 wrote to memory of 3276 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3244 wrote to memory of 3276 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
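
The WriteProcessMemory rows are the clearest record of the execution chain in this report: each "PID X wrote to memory of Y" entry is a parent writing into a freshly created child, so the rows can be folded into a process tree. The script below is an added example by the editor, not part of the sandbox output; the row text is copied from the table above with the duplicate rows collapsed, and the parsing, tree-building and masquerade check are the editor's own code. It also shows which images borrow the name of a core Windows binary while running from a user-writable directory (ProgramData\svchost.exe, ProgramData\crss.exe), and that the sc.exe launcher (PID 3244) has no recorded parent in this table.

```python
"""Rebuild the execution chain from the 'Suspicious use of WriteProcessMemory' rows.
Added example by the editor, not part of the sandbox report: the row text is copied
from the table (duplicates collapsed); parsing and tree code are the editor's."""
import re
from collections import defaultdict

# Constructed input: the distinct rows of the table above, verbatim.
ROWS = r"""
PID 2588 wrote to memory of 5200 N/A C:\Users\Admin\AppData\Local\Temp\checker.exe C:\Users\Admin\AppData\Local\Temp\checker.exe
PID 5200 wrote to memory of 5188 N/A C:\Users\Admin\AppData\Local\Temp\checker.exe C:\Windows\system32\cmd.exe
PID 5188 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe
PID 4324 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe C:\ProgramData\main.exe
PID 4324 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe C:\ProgramData\svchost.exe
PID 4324 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe C:\ProgramData\crss.exe
PID 4324 wrote to memory of 5276 N/A C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe C:\ProgramData\setup.exe
PID 4668 wrote to memory of 588 N/A C:\ProgramData\svchost.exe C:\Windows\SysWOW64\WScript.exe
PID 3760 wrote to memory of 420 N/A C:\ProgramData\crss.exe C:\ProgramData\crss.exe
PID 588 wrote to memory of 4504 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 420 wrote to memory of 1400 N/A C:\ProgramData\crss.exe C:\Windows\system32\cmd.exe
PID 4504 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
PID 4460 wrote to memory of 5472 N/A C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 5472 wrote to memory of 2288 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4460 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 5016 wrote to memory of 2244 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4348 wrote to memory of 116 N/A C:\ProgramData\main.exe C:\Windows\System32\cmd.exe
PID 116 wrote to memory of 6132 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 116 wrote to memory of 5608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4460 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe C:\Windows\System32\cmd.exe
PID 4256 wrote to memory of 1036 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 116 wrote to memory of 4188 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 4256 wrote to memory of 5340 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 116 wrote to memory of 2900 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
PID 2900 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe C:\Windows\System32\cmd.exe
PID 4240 wrote to memory of 5008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3244 wrote to memory of 3948 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3244 wrote to memory of 4136 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3244 wrote to memory of 5360 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3244 wrote to memory of 3276 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
"""

# Paths in this table contain no spaces, so a whitespace split is enough.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Dropped files that reuse the name of a core Windows binary; the sandbox also
# lists these as executables dropped outside the system directories.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "crss.exe", "dwm.exe",
                "runtimebroker.exe", "sppextcomobj.exe", "unsecapp.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_rows(text):
    """Return distinct (parent_pid, child_pid, parent_image, child_image) edges in table order."""
    seen, edges = set(), []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m[1]), int(m[2]), m[3], m[4])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map each PID to its image and its children; roots are parents never seen as a child."""
    image, children = {}, defaultdict(list)
    for ppid, pid, pimg, cimg in edges:
        image.setdefault(ppid, pimg)
        image.setdefault(pid, cimg)
        if pid not in children[ppid]:
            children[ppid].append(pid)
    all_children = {pid for kids in children.values() for pid in kids}
    roots = [pid for pid in image if pid in children and pid not in all_children]
    return image, dict(children), roots


def render(image, children, roots):
    """Indented one-line-per-process view of the tree, depth-first from each root."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image[pid]}")
        for kid in children.get(pid, []):
            walk(kid, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def masquerading(image):
    """Images named like core Windows binaries but loaded from outside the system directories."""
    hits = set()
    for path in image.values():
        low = path.lower()
        if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not low.startswith(TRUSTED_DIRS):
            hits.add(path)
    return sorted(hits)


if __name__ == "__main__":
    image, children, roots = build_tree(parse_rows(ROWS))
    print("\n".join(render(image, children, roots)))
    print("masquerading:", masquerading(image))
```

Reading the rendered tree top-down gives the staging order: the PyInstaller stub (checker.exe) re-executes itself, unpacks to `_MEI25882` and runs `s.exe`, which in turn drops four payloads into ProgramData; two of those (ChainComServermonitor.exe via the .vbe/.bat chain, and main.exe via Update.exe) each go on to register their own persistence.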

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.IrisService.AppXwt29n3t7x7q6fgyrrbbqxwzkqjfjaw4y.mca

C:\Users\Admin\AppData\Local\Temp\checker.exe

"C:\Users\Admin\AppData\Local\Temp\checker.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\checker.exe

"C:\Users\Admin\AppData\Local\Temp\checker.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe -pbeznogym

C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe

C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe -pbeznogym

C:\ProgramData\main.exe

"C:\ProgramData\main.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\ProgramData\svchost.exe

"C:\ProgramData\svchost.exe"

C:\ProgramData\crss.exe

"C:\ProgramData\crss.exe"

C:\ProgramData\setup.exe

"C:\ProgramData\setup.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\ProgramData\crss.exe

"C:\ProgramData\crss.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

"C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Pictures\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Pictures\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ghbu4dhx\ghbu4dhx.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE94.tmp" "c:\ProgramData\CSCB3CD0377427648E5BAF352C584CC1837.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wildtfny\wildtfny.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A.tmp" "c:\Windows\System32\CSC7D9F541B63EF49B98441769162358B2.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\Corporate\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Help\Corporate\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\Corporate\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp114.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp114.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 4348"

C:\Windows\system32\find.exe

find ":"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\geeesNrn1f.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\Pictures\SppExtComObj.exe

"C:\Users\Admin\Pictures\SppExtComObj.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 464 -p 2900 -ip 2900

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2900 -s 3024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\yntnomxcupkb.xml"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe
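
Most of the malicious intent in the process list above is carried by a handful of command lines: schtasks.exe registering ONLOGON and every-few-minutes tasks with /rl HIGHEST that point at copies of SppExtComObj.exe, RuntimeBroker.exe, dwm.exe and unsecapp.exe in user-writable or unusual paths (Pictures, Default User, Recovery\WindowsRE, Windows\Help\Corporate), a PowerShell Add-MpPreference call excluding the whole user profile and Program Files from Defender, sc stop of the Windows Update, BITS and Delivery Optimization services, a HKCU Run key for the fake Chrome updater, a SYSTEM task imported from an XML file in Temp, and a self-deleting batch file. The triage function below is an added example by the editor, not part of the report; the sample command lines are copied from the list above (plus one benign svchost line as a control), and the rule names, the trusted-directory list and the thresholds are the editor's assumptions. It is written so it can be pointed at any list of command lines, not only this sample.

```python
"""Classify command lines from the Processes list by the persistence and
defence-evasion technique they carry.  Added example by the editor, not part of
the sandbox report; rule names and path lists are the editor's assumptions."""
import re

UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# Names of core Windows binaries that the dropped copies above borrow.
SYSTEM_NAMES = {"sppextcomobj.exe", "runtimebroker.exe", "dwm.exe",
                "unsecapp.exe", "svchost.exe", "csrss.exe"}
# Task targets under these roots need admin rights to replace; anything else is
# treated as user-writable or otherwise non-standard for a scheduled task.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\",
                "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample: command lines copied from the Processes list above,
# plus one benign service host line as a control.
SAMPLE = [
    r'''schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\SppExtComObj.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f''',
    r'''schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Help\Corporate\unsecapp.exe'" /rl HIGHEST /f''',
    r'''C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"''',
    r'''C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force''',
    r'''C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc''',
    r'''reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f''',
    r'''"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp114.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp114.tmp.bat''',
    r'''C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule''',
]


def triage(cmdline):
    """Return (rule_id, detail) pairs for one command line; empty list if nothing matched."""
    low = cmdline.lower()
    hits = []
    if "schtasks" in low and "/create" in low:
        name = re.search(r'/tn\s+"?([^"\s]+)', cmdline, re.I)
        name = name.group(1) if name else "?"
        # /tr values are wrapped in "'...'" in this sample; strip both quote kinds.
        target = re.search(r'/tr\s+"?\'?([^"\']+)', cmdline, re.I)
        target = target.group(1).strip() if target else ""
        tlow = target.lower()
        if target and not tlow.startswith(TRUSTED_DIRS):
            hits.append(("task_nonstd_path", f"{name} -> {target}"))
            if tlow.rsplit("\\", 1)[-1] in SYSTEM_NAMES:
                hits.append(("task_masquerade", f"{name} runs a copy named like a Windows binary"))
        if re.search(r"/rl\s+highest", low):
            hits.append(("task_highest", f"{name} requests /rl HIGHEST"))
        if re.search(r'/ru\s+"?system"?', low) and "/xml" in low:
            xml = re.search(r'/xml\s+"?([^"]+)', cmdline, re.I)
            hits.append(("task_system_xml", f"{name} registered as SYSTEM from {xml.group(1) if xml else '?'}"))
    if "add-mppreference" in low and "-exclusionpath" in low:
        paths = re.search(r"-exclusionpath\s+(.+?)(?:\s+-force|$)", cmdline, re.I)
        hits.append(("defender_exclusion", paths.group(1) if paths else cmdline))
    stopped = [s for s in re.findall(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", low) if s in UPDATE_SERVICES]
    if stopped:
        hits.append(("service_stop_update", ", ".join(stopped)))
    if "reg add" in low and "\\currentversion\\run" in low:
        hits.append(("run_key", cmdline))
    # "/C x.bat & Del x.bat": run a dropped batch file and remove it in the same shell.
    if re.search(r"/c\s+(\S+\.bat)\s*&\s*del\s+\1", cmdline, re.I):
        hits.append(("self_delete_bat", cmdline))
    return hits


if __name__ == "__main__":
    for cmd in SAMPLE:
        for rule, detail in triage(cmd):
            print(f"{rule:22} {detail}")
```

The schtasks rules deliberately key on the target path rather than the task name, because the names here are chosen to look like Windows components; a task whose action lives under a user profile, Recovery, or Windows\Help and asks for the highest run level is the signal, whatever it is called.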

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.179.228:80 www.google.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 228.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
CH 57.5.152.202:80 tcp
JP 106.183.182.135:80 tcp
KR 1.212.83.167:80 tcp
KR 61.78.66.84:80 tcp
US 104.27.114.77:80 tcp
ID 39.200.155.100:80 tcp
FR 176.159.96.147:80 tcp
KR 211.195.19.18:80 tcp
US 97.162.153.5:80 tcp
CO 191.106.198.118:80 tcp
GB 2.127.50.131:80 tcp
CN 59.110.210.79:80 tcp
US 104.27.114.77:80 104.27.114.77 tcp
US 132.133.31.229:80 tcp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 77.114.27.104.in-addr.arpa udp
FR 62.217.16.68:80 tcp
US 19.84.251.137:80 tcp
US 198.143.24.15:80 tcp
US 209.71.84.166:80 tcp
DE 82.206.35.62:80 tcp
VN 115.74.197.108:80 tcp
US 158.138.143.102:80 tcp
US 68.166.46.31:80 tcp
US 4.31.10.191:80 tcp
CN 123.82.149.183:80 tcp
FR 13.36.201.140:80 tcp
FR 13.36.201.140:80 13.36.201.140 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 140.201.36.13.in-addr.arpa udp
TW 1.160.63.236:80 tcp
US 143.145.200.41:80 tcp
US 56.133.142.104:80 tcp
N/A 100.81.120.18:80 tcp
SI 46.122.9.206:80 tcp
IN 120.59.71.246:80 tcp
US 153.32.13.223:80 tcp
MY 219.92.63.182:80 tcp
IN 106.213.129.75:80 tcp
BR 45.188.197.101:80 tcp
US 206.217.98.178:80 tcp
FR 86.201.15.5:80 tcp
PT 94.133.193.249:80 tcp
JP 213.18.70.225:80 tcp
US 98.99.185.51:80 tcp
US 33.116.127.81:80 tcp
US 71.223.45.169:80 tcp
AR 181.92.224.11:80 tcp
BR 201.91.116.172:80 tcp
CN 113.224.199.242:80 tcp
JP 150.18.121.145:80 tcp
US 136.91.72.143:80 tcp
US 28.3.245.26:80 tcp
US 9.65.173.126:80 tcp
CA 142.201.92.117:80 tcp
US 208.95.112.1:80 ip-api.com tcp
US 172.183.133.69:80 tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 216.55.73.238:80 tcp
ES 178.239.212.150:80 tcp
CN 58.59.34.15:80 tcp
DK 85.24.119.137:80 tcp
VE 190.37.226.181:80 tcp
US 162.82.119.231:80 tcp
DE 88.130.239.204:80 tcp
US 165.251.186.101:80 tcp
US 157.137.246.30:80 tcp
US 97.204.92.117:80 tcp
US 141.140.146.152:80 tcp
CN 113.46.18.204:80 tcp
US 8.99.222.67:80 tcp
FR 92.147.125.92:80 tcp
US 17.162.175.227:80 tcp
CH 172.162.157.141:80 tcp
KR 220.103.122.0:80 tcp
US 55.130.82.91:80 tcp
JP 123.221.180.122:80 tcp
CN 121.248.50.53:80 tcp
ID 43.227.148.120:80 tcp
CN 223.70.213.6:80 tcp
FR 92.148.122.83:80 tcp
JP 121.107.9.119:80 tcp
US 6.252.142.118:80 tcp
JP 166.100.112.246:80 tcp
KR 13.124.154.70:80 tcp
US 48.222.111.142:80 tcp
US 28.72.70.9:80 tcp
CN 27.191.164.34:80 tcp
US 148.36.239.85:80 tcp
CN 42.80.23.227:80 tcp
US 22.113.95.25:80 tcp
JP 221.184.211.236:80 tcp
KR 13.124.154.70:80 13.124.154.70 tcp
TR 217.65.180.199:80 tcp
CN 36.195.109.240:80 tcp
US 8.8.8.8:53 70.154.124.13.in-addr.arpa udp
KR 13.124.154.70:443 tcp
VN 14.246.151.29:80 tcp
JP 175.129.42.134:80 tcp
US 40.45.9.133:80 tcp
US 65.30.121.234:80 tcp
CZ 31.28.143.163:80 tcp
UG 154.227.227.184:80 tcp
US 199.250.184.54:80 tcp
HU 78.92.170.66:80 tcp
US 65.30.121.234:80 65.30.121.234 tcp
IE 57.220.117.22:80 tcp
US 143.209.230.181:80 tcp
FR 92.171.109.186:80 tcp
BR 179.127.162.247:80 tcp
US 65.30.121.234:443 tcp
DE 91.5.19.174:80 tcp
GR 5.203.155.143:80 tcp
KR 113.131.102.117:80 tcp
FR 92.149.79.165:80 tcp
US 15.132.118.101:80 tcp
TW 122.121.19.161:80 tcp
US 174.126.66.161:80 tcp
US 8.8.8.8:53 google.com udp
DE 80.131.187.226:80 tcp
US 8.8.8.8:53 api.telegram.org udp
IE 63.33.147.88:80 tcp
US 72.58.158.25:80 tcp
BR 186.203.185.223:80 tcp
US 207.19.250.223:80 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 77.159.160.186:80 tcp
US 98.239.222.255:80 tcp
US 50.224.157.47:80 tcp
US 6.183.241.153:80 tcp
RU 81.195.48.79:80 tcp
US 138.109.156.126:80 tcp
US 174.47.169.41:80 tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
TW 1.171.128.54:80 tcp
US 73.182.221.62:80 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 70.147.218.93:80 tcp
FR 92.171.195.14:80 tcp
SG 148.145.194.226:80 tcp
US 161.193.38.38:80 tcp
HU 188.143.49.47:80 tcp
US 9.155.49.19:80 tcp
SG 119.74.244.107:80 tcp
US 74.54.210.2:80 tcp
US 140.25.86.166:80 tcp
NL 165.114.17.146:80 tcp
CN 60.206.161.100:80 tcp
US 50.4.103.82:80 tcp
US 132.121.150.254:80 tcp
IN 115.114.15.106:80 tcp
US 96.198.13.43:80 tcp
CA 167.17.113.156:80 tcp
US 173.113.224.56:80 tcp
AR 201.190.247.113:80 tcp
US 162.125.153.30:80 tcp
GB 25.131.237.181:80 tcp
US 15.107.45.189:80 tcp
US 198.214.68.158:80 tcp
US 66.148.142.70:80 tcp
GB 188.28.61.87:80 tcp
NL 208.93.171.70:80 tcp
US 215.133.135.160:80 tcp
US 166.234.87.253:80 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 135.108.221.6:80 tcp
US 137.198.53.83:80 tcp
TN 197.18.250.202:80 tcp
US 72.49.60.124:80 tcp
BR 179.81.141.126:80 tcp
JP 126.238.213.54:80 tcp
CN 115.215.240.230:80 tcp
IL 132.66.84.101:80 tcp
ES 217.126.248.111:80 tcp
US 215.101.197.52:80 tcp
FR 90.3.131.206:80 tcp
US 63.207.182.127:80 tcp
US 192.44.92.95:80 tcp
US 99.167.233.1:80 tcp
JP 110.135.26.73:80 tcp
IN 103.208.104.62:80 tcp
JP 124.159.171.132:80 tcp
US 48.161.106.24:80 tcp
JP 218.127.9.255:80 tcp
CA 207.162.127.134:80 tcp
CA 99.243.61.110:80 tcp
TH 110.171.61.197:80 tcp
N/A 10.239.151.32:80 tcp
AU 110.143.211.136:80 tcp
KZ 194.58.42.154:80 194.58.42.154 tcp
US 134.161.50.10:80 tcp
JP 119.174.239.64:80 tcp
ZA 169.255.252.214:80 tcp
KR 119.202.84.136:80 tcp
JP 132.179.9.232:80 tcp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp
DE 88.75.5.103:80 tcp
TW 120.98.143.45:80 tcp
US 48.62.64.85:80 tcp
CN 101.132.217.46:80 tcp
GR 89.210.182.146:80 tcp
US 129.55.7.210:80 tcp
KZ 194.58.42.154:80 194.58.42.154 tcp
US 8.8.8.8:53 154.42.58.194.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 205.48.98.87:80 tcp
PR 207.166.118.35:80 tcp
US 136.121.58.85:80 tcp
IL 37.142.59.224:80 tcp
US 32.113.202.45:80 tcp
GB 94.1.78.75:80 tcp
US 153.76.77.99:80 tcp
US 159.42.246.88:80 tcp
RU 154.210.118.5:80 tcp
US 204.1.174.65:80 tcp
US 72.105.171.211:80 tcp
MA 197.144.77.6:80 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
NO 77.18.226.159:80 tcp
IT 95.237.168.221:80 tcp
US 147.190.145.211:80 tcp
US 214.18.72.99:80 tcp
US 18.204.152.107:80 tcp
US 165.212.116.73:80 tcp
US 23.254.179.19:80 tcp
AU 120.17.4.66:80 tcp
AR 190.177.167.23:80 tcp
BR 189.123.240.38:80 tcp
US 165.196.26.212:80 tcp
HK 18.163.44.95:80 tcp
CL 200.11.99.102:80 tcp
EG 154.130.224.180:80 tcp
IT 158.58.140.134:80 tcp
US 30.82.93.168:80 tcp
MX 189.161.190.231:80 tcp
US 104.238.49.252:80 tcp
US 107.154.212.201:80 tcp
IE 3.253.247.179:80 tcp
FR 37.169.76.218:80 tcp
US 21.135.9.0:80 tcp
N/A 10.202.57.231:80 tcp
US 107.154.212.201:80 107.154.212.201 tcp
FR 144.56.129.101:80 tcp
US 136.56.137.147:80 tcp
US 73.16.145.178:80 tcp
TH 158.108.3.73:80 tcp
US 52.89.113.3:80 tcp
CN 27.36.133.21:80 tcp
US 8.8.8.8:53 201.212.154.107.in-addr.arpa udp
IT 2.114.43.23:80 tcp
US 29.146.77.244:80 tcp
CN 122.194.52.157:80 tcp
CN 42.197.31.36:80 tcp
US 9.68.186.91:80 tcp
CN 58.206.95.71:80 tcp
JP 113.37.75.13:80 tcp
US 38.174.228.232:80 tcp
SE 2.251.58.58:80 tcp
US 38.174.228.232:80 38.174.228.232 tcp
IR 5.116.16.55:80 tcp
US 21.221.26.59:80 tcp
US 8.8.8.8:53 232.228.174.38.in-addr.arpa udp
CN 52.130.72.5:80 tcp
CA 142.237.37.213:80 tcp
GB 85.210.145.34:80 tcp
GB 217.34.129.181:80 tcp
IE 52.49.53.191:80 tcp
US 67.99.123.182:80 tcp
KR 14.65.46.254:80 tcp
US 82.180.138.23:80 tcp
US 6.43.18.191:80 tcp
US 82.180.138.23:80 82.180.138.23 tcp
US 128.225.95.42:80 tcp
US 63.248.123.16:80 tcp
US 8.8.8.8:53 23.138.180.82.in-addr.arpa udp
US 170.200.211.67:80 tcp
US 164.153.217.177:80 tcp
US 50.48.32.62:80 tcp
US 74.151.28.207:80 tcp
TH 223.207.168.151:80 tcp
TW 1.162.151.250:80 tcp
US 192.172.33.162:80 tcp
DE 53.234.208.86:80 tcp
IE 3.255.35.112:80 tcp
US 199.163.185.100:80 tcp
CN 120.33.232.57:80 tcp
US 74.39.247.197:80 tcp
IT 95.227.63.52:80 tcp
US 199.113.153.84:80 tcp
US 4.115.153.62:80 tcp
US 20.176.75.194:80 tcp
US 54.18.207.224:80 tcp
KH 221.120.163.15:80 tcp
US 66.57.150.171:80 tcp
US 24.10.83.198:80 tcp
US 198.228.130.18:80 tcp
US 208.205.251.115:80 tcp
US 17.27.132.67:80 tcp
CN 58.42.146.219:80 tcp
UA 176.107.61.154:80 tcp
JP 126.138.104.44:80 tcp
US 108.160.148.119:80 tcp
CN 221.7.47.57:80 tcp
US 63.54.108.94:80 tcp
US 108.160.148.119:80 108.160.148.119 tcp
US 205.158.5.43:80 tcp
US 107.95.201.193:80 tcp
JP 126.141.103.165:80 tcp
US 8.8.8.8:53 fairlanefinancial.com udp
AU 4.197.195.78:80 tcp
US 144.35.110.77:80 tcp
US 8.8.8.8:53 119.148.160.108.in-addr.arpa udp
US 13.58.183.57:443 fairlanefinancial.com tcp
ES 85.152.195.217:80 tcp
US 29.3.43.146:80 tcp
FR 93.24.140.0:80 tcp
US 7.20.245.41:80 tcp
SE 193.235.80.69:80 tcp
US 162.33.67.245:80 tcp
CN 116.159.173.182:80 tcp
US 57.169.18.177:80 tcp
FI 65.21.212.177:80 tcp
BR 200.146.36.41:80 tcp
US 8.8.8.8:53 57.183.58.13.in-addr.arpa udp
IR 2.146.226.200:80 tcp
IN 117.196.55.228:80 tcp
SK 193.87.150.233:80 tcp
CN 171.121.38.186:80 tcp
DZ 154.240.24.14:80 tcp
US 198.115.240.255:80 tcp
BR 179.198.193.213:80 tcp
US 32.30.229.57:80 tcp
IL 199.203.232.188:80 tcp
CL 186.175.177.189:80 tcp
US 33.72.25.113:80 tcp
CN 211.156.49.74:80 tcp
SG 43.40.66.171:80 tcp
US 64.78.86.191:80 tcp
US 143.98.185.167:80 tcp
ES 45.120.221.14:80 tcp
US 32.1.96.143:80 tcp
FR 52.97.235.163:80 tcp
US 16.86.40.153:80 tcp
GB 51.61.119.87:80 tcp
US 107.21.203.68:80 tcp
CA 99.255.148.198:80 tcp
US 153.43.172.52:80 tcp
DK 139.45.6.213:80 tcp
US 166.173.1.3:80 tcp
US 132.83.246.71:80 tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:443 pool.hashvault.pro tcp
US 165.28.141.40:80 tcp
US 26.189.226.143:80 tcp
JP 180.145.106.245:80 tcp
KR 165.141.1.80:80 tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 147.166.114.177:80 tcp
CN 42.121.45.83:80 tcp
SE 81.237.248.97:80 tcp
ZA 41.162.15.66:80 tcp
JP 220.11.181.153:80 tcp
TW 60.251.93.23:80 tcp
FR 93.2.111.7:80 tcp
US 75.100.164.134:80 tcp
FR 90.109.75.80:80 tcp
US 66.129.84.90:80 tcp
FR 129.185.112.118:80 tcp
US 97.35.194.50:80 tcp
HR 93.141.109.243:80 tcp
JP 110.233.163.209:80 tcp
US 75.161.109.0:80 tcp
US 136.13.45.53:80 tcp
US 204.52.207.150:80 tcp
GH 154.169.251.170:80 tcp
US 40.27.52.38:80 tcp
GB 25.38.83.25:80 tcp
IE 52.211.71.137:80 tcp
IE 52.211.71.137:80 52.211.71.137 tcp
TH 183.89.155.40:80 tcp
US 19.155.243.177:80 tcp
IE 52.211.71.137:443 tcp
US 198.227.173.162:80 tcp
AU 147.209.173.181:80 tcp
FR 160.8.10.45:80 tcp
US 149.123.29.213:80 tcp
US 162.1.250.81:80 tcp
FR 160.8.10.45:80 160.8.10.45 tcp
AR 190.19.125.94:80 tcp
SG 43.68.42.69:80 tcp
CN 171.40.47.222:80 tcp
US 108.58.149.85:80 tcp
DE 93.202.174.85:80 tcp
DE 153.97.224.96:80 tcp
US 8.8.8.8:53 137.71.211.52.in-addr.arpa udp
US 8.8.8.8:53 45.10.8.160.in-addr.arpa udp
US 74.202.129.121:80 tcp
FR 82.235.63.175:80 tcp
DE 89.12.108.222:80 tcp
US 137.32.222.211:80 tcp
US 155.94.242.233:80 tcp
IN 103.73.89.226:80 tcp
US 198.219.141.57:80 tcp
US 135.87.74.152:80 tcp
US 144.59.195.23:80 tcp
US 141.246.222.246:80 tcp
US 131.107.175.247:80 tcp
CH 84.226.222.218:80 tcp
US 68.76.72.47:80 tcp
US 108.67.79.84:80 tcp
JP 121.200.204.72:80 tcp
VN 14.245.228.10:80 tcp
US 26.207.178.28:80 tcp
KR 124.46.7.51:80 tcp
NL 82.169.169.184:80 tcp
PK 119.160.39.253:80 tcp
US 138.120.130.101:80 tcp
US 97.61.156.244:80 tcp
US 70.33.67.184:80 tcp
US 147.241.194.248:80 tcp
GB 82.16.87.174:80 tcp
NZ 49.227.82.133:80 tcp
DE 31.226.138.219:80 tcp
US 166.69.155.52:80 tcp
CA 184.150.223.26:80 tcp
GB 86.158.156.208:80 tcp
US 215.200.145.70:80 tcp
JP 126.203.52.105:80 tcp
US 4.76.234.115:80 tcp
KR 112.159.91.60:80 tcp
FI 143.51.87.106:80 tcp
US 204.45.144.125:80 tcp
US 132.10.198.248:80 tcp
PH 112.206.143.156:80 tcp
US 216.111.234.193:80 tcp
KR 59.8.234.29:80 tcp
PL 145.237.72.138:80 tcp
TW 163.16.129.27:80 tcp
US 63.89.49.19:80 tcp
SI 87.119.139.4:80 tcp
CO 181.58.84.29:80 tcp
US 69.161.24.13:80 tcp
JP 126.100.49.139:80 tcp
KR 14.66.109.176:80 tcp
GB 51.130.249.53:80 tcp
CN 36.128.31.255:80 tcp
GB 5.69.48.65:80 tcp
IE 3.41.136.122:80 tcp
FI 185.147.23.216:80 tcp
US 48.249.105.248:80 tcp
US 205.94.166.163:80 tcp
DE 92.117.226.43:80 tcp
IT 185.204.100.9:80 tcp
CN 42.224.125.47:80 tcp
N/A 100.96.233.97:80 tcp
US 65.26.36.49:80 tcp
US 33.208.155.156:80 tcp
JP 126.93.4.152:80 tcp
US 215.92.81.95:80 tcp
US 9.113.86.146:80 tcp
US 215.215.48.26:80 tcp
US 8.110.200.2:80 tcp
US 215.13.122.159:80 tcp
SG 43.57.116.200:80 tcp
US 107.123.189.7:80 tcp
KR 211.224.212.68:80 tcp
HK 38.55.203.240:80 tcp
CN 175.90.73.72:80 tcp
BR 191.37.192.215:80 tcp
BR 177.153.108.191:80 tcp
US 67.186.106.182:80 tcp
CL 139.229.6.41:80 tcp
BR 200.243.72.36:80 tcp
IN 111.92.73.118:80 tcp
US 147.224.57.72:80 tcp
JP 126.238.192.198:80 tcp
AU 203.214.226.222:80 tcp
MX 189.222.195.22:80 tcp
RU 81.95.212.70:80 tcp
JP 133.122.247.196:80 tcp
GB 151.170.42.57:80 tcp
CA 216.95.139.22:80 tcp
US 132.93.254.2:80 tcp
N/A 10.170.194.64:80 tcp
US 55.239.60.17:80 tcp
GB 86.24.231.229:80 tcp
IR 5.218.118.244:80 tcp
US 156.47.193.156:80 tcp
NL 95.211.115.189:80 tcp
US 166.196.74.80:80 tcp
RU 46.229.222.225:80 tcp
CN 203.107.77.72:80 tcp
FI 194.111.247.203:80 tcp
US 30.81.152.202:80 tcp
US 54.8.124.45:80 tcp
US 184.34.187.60:80 tcp
HK 220.246.122.67:80 tcp
KR 223.131.65.147:80 tcp
US 198.40.107.226:80 tcp
JP 219.179.100.182:80 tcp
CN 101.88.108.94:80 tcp
US 215.237.244.64:80 tcp
RO 94.53.209.92:80 tcp
US 50.23.152.9:80 tcp
HK 8.217.242.161:80 tcp
BR 179.67.90.192:80 tcp
CO 200.116.51.168:80 tcp
IT 212.47.51.188:80 tcp
CN 42.5.60.253:80 tcp
SE 2.65.253.133:80 tcp
DE 78.43.25.159:80 tcp
IR 5.214.37.244:80 tcp
US 135.233.252.43:80 tcp
NP 113.199.167.119:80 tcp
JP 223.133.190.51:80 tcp
US 23.46.239.196:80 tcp
US 8.197.107.143:80 tcp
US 63.83.67.158:80 tcp
US 143.72.110.167:80 tcp
US 40.21.21.147:80 tcp
US 148.107.179.105:80 tcp
GE 85.114.227.18:80 tcp
CN 110.152.162.192:80 tcp
GB 2.217.170.27:80 tcp
EG 197.165.207.96:80 tcp
US 34.37.234.230:80 tcp
CN 36.51.106.168:80 tcp
DE 53.39.112.225:80 tcp
NO 146.172.193.231:80 tcp
US 55.108.96.31:80 tcp
US 16.130.144.130:80 tcp
US 68.48.51.88:80 tcp
JP 126.178.47.136:80 tcp
NL 31.184.91.129:80 tcp
AU 61.9.132.210:80 tcp
HK 103.234.72.220:80 tcp
AU 139.168.221.6:80 tcp
US 174.204.214.0:80 tcp
US 104.118.229.61:80 tcp
US 34.74.143.84:80 tcp
TR 95.5.96.74:80 tcp
US 20.35.50.23:80 tcp
AR 186.134.196.100:80 tcp
ZA 102.211.39.123:80 tcp
GB 25.229.46.246:80 tcp
KR 112.157.188.14:80 tcp
DE 53.62.27.16:80 tcp
CA 142.47.12.97:80 tcp
KR 221.133.139.179:80 tcp
US 32.183.64.103:80 tcp
US 6.55.203.199:80 tcp
VN 171.225.125.138:80 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
NL 37.48.124.49:80 tcp
UY 186.51.150.61:80 tcp
PT 85.244.215.88:80 tcp
JP 60.61.241.199:80 tcp
BR 177.101.166.240:80 tcp
MX 201.165.227.11:80 tcp
US 13.33.251.142:80 tcp
CN 116.209.42.172:80 tcp
US 13.33.251.142:80 13.33.251.142 tcp
BR 179.250.225.198:80 tcp
US 22.110.42.149:80 tcp
KZ 194.58.42.154:80 194.58.42.154 tcp
NL 108.142.195.5:80 tcp
GB 87.114.238.236:80 tcp
US 8.8.8.8:53 142.251.33.13.in-addr.arpa udp
KR 58.234.229.20:80 tcp
US 199.13.213.9:80 tcp
GB 62.254.106.53:80 tcp
US 198.210.15.141:80 tcp
US 96.236.27.140:80 tcp
US 184.197.12.26:80 tcp
US 174.102.228.145:80 tcp
US 26.189.129.115:80 tcp
CH 185.59.52.161:80 tcp
US 17.31.162.47:80 tcp
N/A 100.88.191.194:80 tcp
US 67.213.245.237:80 tcp
MA 102.100.223.24:80 tcp
US 67.213.245.237:80 67.213.245.237 tcp
AU 124.188.83.73:80 tcp
US 104.149.197.57:80 tcp
KR 218.39.190.240:80 tcp
BR 177.159.165.105:80 tcp
US 96.75.171.24:80 tcp
US 72.199.132.133:80 tcp
US 167.184.29.121:80 tcp
DE 145.243.139.26:80 tcp
GB 25.109.59.202:80 tcp
US 8.8.8.8:53 237.245.213.67.in-addr.arpa udp
US 44.172.211.189:80 tcp
DE 134.106.56.2:80 tcp
US 63.239.146.58:80 tcp
US 167.220.158.187:80 tcp
US 30.161.219.84:80 tcp
RU 82.114.132.119:80 tcp
US 158.52.147.222:80 tcp
NZ 166.83.10.162:80 tcp
US 68.51.169.217:80 tcp
US 139.71.89.150:80 tcp
CH 89.236.134.217:80 tcp
CN 180.106.75.95:80 tcp
CL 186.172.170.155:80 tcp
US 66.195.106.250:80 tcp
US 65.226.232.185:80 tcp
CN 1.69.244.187:80 tcp
US 38.215.51.194:80 tcp
AT 143.224.191.235:80 tcp
IE 54.154.9.148:80 tcp
JP 219.5.205.13:80 tcp
CA 207.189.211.87:80 tcp
US 170.184.156.100:80 tcp
US 198.70.52.246:80 tcp
US 55.41.66.206:80 tcp
CN 180.152.218.255:80 tcp
SE 213.103.189.200:80 tcp
CN 182.98.168.26:80 tcp
KR 118.33.250.85:80 tcp
US 32.137.202.227:80 tcp
CA 173.32.239.172:80 tcp
PL 195.69.209.254:80 tcp
ZA 41.133.160.75:80 tcp
US 12.186.18.172:80 tcp
PL 195.69.209.254:80 195.69.209.254 tcp
US 160.137.235.92:80 tcp
GB 90.196.61.148:80 tcp
N/A 10.63.48.170:80 tcp
ES 85.61.159.38:80 tcp
CN 210.27.179.130:80 tcp
GB 90.250.33.136:80 tcp
US 162.119.97.245:80 tcp
CA 104.37.201.168:80 tcp
US 8.8.8.8:53 254.209.69.195.in-addr.arpa udp
US 29.103.221.73:80 tcp
RE 165.169.192.95:80 tcp
KR 116.127.63.149:80 tcp
US 69.203.145.101:80 tcp
US 207.208.85.60:80 tcp
MA 102.52.250.73:80 tcp
US 198.207.191.65:80 tcp
US 100.11.0.181:80 tcp
US 22.210.210.26:80 tcp
US 153.117.81.134:80 tcp
CN 119.232.228.207:80 tcp
US 129.251.75.56:80 tcp
US 199.14.142.232:80 tcp
SG 144.89.129.220:80 tcp
RU 5.142.5.204:80 tcp
CN 123.14.80.90:80 tcp
US 76.123.98.58:80 tcp
US 48.142.135.84:80 tcp
US 130.197.111.107:80 tcp
RU 77.39.56.197:80 tcp
MA 197.145.94.61:80 tcp
US 38.243.116.117:80 tcp
BR 179.131.45.34:80 tcp
US 215.199.1.59:80 tcp
US 168.74.251.229:80 tcp
US 54.226.80.209:80 tcp
NL 130.115.127.247:80 tcp
DE 141.89.12.165:80 tcp
US 44.107.236.89:80 tcp
US 162.116.58.175:80 tcp
US 30.163.168.126:80 tcp
VN 113.177.57.202:80 tcp
US 135.243.13.52:80 tcp
CA 137.122.78.124:80 tcp
CN 110.16.164.246:80 tcp
US 6.10.201.168:80 tcp
DE 31.254.20.29:80 tcp
MU 165.54.10.30:80 tcp
CA 142.203.85.254:80 tcp
KE 102.6.135.86:80 tcp
US 16.87.36.82:80 tcp
ES 80.174.37.48:80 tcp
US 6.138.73.134:80 tcp
RU 109.161.11.72:80 tcp
US 22.234.184.219:80 tcp
JP 153.164.126.50:80 tcp
US 136.77.224.172:80 tcp
US 44.76.248.228:80 tcp
US 166.227.241.140:80 tcp
US 17.26.188.186:80 tcp
GB 81.150.184.49:80 tcp
US 69.117.26.172:80 tcp
UA 213.155.28.179:80 tcp
US 55.182.217.230:80 tcp
FR 78.192.140.106:80 tcp
CN 183.32.50.3:80 tcp
US 161.150.54.36:80 tcp
PL 81.163.207.72:80 tcp
CN 113.89.178.200:80 tcp
RU 212.14.220.93:80 tcp
FR 90.52.150.36:80 tcp
US 22.175.233.191:80 tcp
SG 8.214.161.250:80 tcp
MX 189.226.89.26:80 tcp
US 137.155.50.220:80 tcp
GB 178.238.136.195:80 tcp
US 164.84.133.108:80 tcp
TW 218.160.191.129:80 tcp
US 214.229.71.214:80 tcp
US 7.22.104.176:80 tcp
US 15.243.171.11:80 tcp
CN 223.101.102.136:80 tcp
SA 34.1.49.47:80 tcp
DE 94.219.167.64:80 tcp
CN 111.157.52.39:80 tcp
KR 27.119.70.90:80 tcp
CN 139.159.166.19:80 tcp
US 34.16.193.175:80 tcp
US 66.4.58.23:80 tcp
US 66.208.194.9:80 tcp
AU 101.176.3.94:80 tcp
US 170.203.246.22:80 tcp
US 44.170.122.241:80 tcp
US 155.172.41.119:80 tcp
KR 211.63.138.191:80 tcp
US 4.53.106.19:80 tcp
US 174.227.85.101:80 tcp
US 48.91.96.202:80 tcp
FR 86.247.76.79:80 tcp
VN 171.252.184.195:80 tcp
BR 152.233.163.223:80 tcp
US 198.194.62.57:80 tcp
MA 105.159.252.132:80 tcp
ZA 196.212.148.222:80 tcp
US 73.30.96.139:80 tcp
ES 87.111.0.239:80 tcp
US 18.209.54.197:80 tcp
KR 14.93.139.28:80 tcp
PL 194.116.134.178:80 tcp
US 144.243.42.211:80 tcp
US 3.13.45.250:80 tcp
HK 23.50.63.154:80 tcp
US 6.0.167.17:80 tcp
US 9.211.26.191:80 tcp
JP 124.248.147.4:80 tcp
US 137.99.148.198:80 tcp
CN 39.172.91.201:80 tcp
US 138.196.244.5:80 tcp
JP 118.8.92.199:80 tcp
CN 111.225.58.174:80 tcp
US 16.174.79.11:80 tcp
BG 87.116.127.35:80 tcp
US 166.10.166.72:80 tcp
ES 95.127.223.79:80 tcp
PA 201.226.245.125:80 tcp
FR 93.7.219.50:80 tcp
US 136.55.183.206:80 tcp
EG 102.47.160.167:80 tcp
BE 85.27.33.25:80 tcp
IN 59.181.124.160:80 tcp
US 152.184.235.155:80 tcp
US 184.169.155.167:80 tcp
US 4.138.13.138:80 tcp
US 15.44.196.191:80 tcp
US 20.171.179.7:80 tcp
CN 42.185.17.93:80 tcp
KR 125.135.104.230:80 tcp
FR 86.206.175.247:80 tcp
BR 179.113.128.189:80 tcp
RU 212.193.81.73:80 tcp
US 50.209.226.96:80 tcp
GB 101.61.8.19:80 tcp
US 147.28.230.80:80 tcp
US 18.54.87.132:80 tcp
JP 126.153.76.213:80 tcp
FR 90.4.178.220:80 tcp
NL 145.13.91.188:80 tcp
US 6.211.203.209:80 tcp
FR 91.163.111.85:80 tcp
US 150.137.2.60:80 tcp
IT 93.48.237.133:80 tcp
NL 83.80.176.100:80 tcp
IT 2.16.4.116:80 tcp
US 47.133.156.5:80 tcp
RU 89.151.178.229:80 tcp
CN 123.134.169.189:80 tcp
CN 123.114.195.129:80 tcp
GB 25.9.75.122:80 tcp
US 98.57.177.156:80 tcp
US 138.29.20.184:80 tcp
US 54.119.83.22:80 tcp
SE 83.183.228.51:80 tcp
CN 113.13.198.243:80 tcp
CA 184.161.5.115:80 tcp
MA 105.65.235.172:80 tcp
IT 80.18.222.195:80 tcp
CN 111.152.66.70:80 tcp
US 64.153.147.2:80 tcp
US 207.73.29.146:80 tcp
JP 60.92.200.50:80 tcp
US 50.104.206.160:80 tcp
CN 122.112.151.14:80 tcp
US 156.95.122.96:80 tcp
US 11.28.174.218:80 tcp
US 136.105.68.224:80 tcp
US 135.191.77.240:80 tcp
US 148.167.203.206:80 tcp
US 156.246.199.34:80 tcp
US 137.28.105.71:80 tcp
CN 58.210.127.160:80 tcp
KR 59.29.0.104:80 tcp
SE 83.140.65.98:80 tcp
CN 116.164.80.232:80 tcp
CN 218.93.115.166:80 tcp
US 72.155.213.49:80 tcp
IN 13.234.151.95:80 tcp
US 6.175.87.203:80 tcp
IN 13.234.151.95:80 13.234.151.95 tcp
US 99.26.68.17:80 tcp
US 19.22.210.172:80 tcp
DE 62.124.107.113:80 tcp
PH 1.37.227.214:80 tcp
US 100.167.228.20:80 tcp
CN 124.164.224.230:80 tcp
CN 1.198.106.133:80 tcp
CA 64.137.155.244:80 tcp
CN 183.59.16.68:80 tcp
US 139.70.90.85:80 tcp
SD 41.241.189.146:80 tcp
GB 147.152.56.113:80 tcp
VN 14.167.33.83:80 tcp
CL 179.2.69.154:80 tcp
NL 169.51.135.56:80 tcp
US 8.8.8.8:53 95.151.234.13.in-addr.arpa udp
US 128.50.58.144:80 tcp
CN 113.25.142.21:80 tcp
JP 60.102.150.177:80 tcp
US 132.116.125.110:80 tcp
US 162.183.93.189:80 tcp
CN 101.87.83.61:80 tcp
SG 119.234.10.206:80 tcp
JP 163.133.12.62:80 tcp
US 157.154.160.166:80 tcp
ID 39.220.177.127:80 tcp
US 28.96.254.72:80 tcp
ES 156.35.189.136:80 tcp
AR 181.166.73.169:80 tcp
KR 106.254.113.125:80 tcp
BR 45.183.9.70:80 tcp
CH 146.216.83.102:80 tcp
US 6.115.17.48:80 tcp
LT 109.205.234.20:80 tcp
CN 58.133.251.117:80 tcp
JP 133.247.65.151:80 tcp
JP 210.162.72.193:80 tcp
IT 95.242.136.84:80 tcp
US 173.222.224.10:80 tcp
US 47.85.28.129:80 tcp
US 100.59.3.155:80 tcp
US 63.109.139.253:80 tcp
US 173.222.224.10:80 173.222.224.10 tcp
US 216.137.203.79:80 tcp
US 132.115.9.69:80 tcp
FI 157.200.152.217:80 tcp
US 73.127.9.188:80 tcp
US 11.88.75.39:80 tcp
NL 185.136.66.223:80 tcp
CO 186.168.51.106:80 tcp
US 8.8.8.8:53 10.224.222.173.in-addr.arpa udp
US 29.7.192.241:80 tcp
MW 102.71.63.210:80 tcp
CN 1.119.115.130:80 tcp
AU 194.193.40.151:80 tcp
YE 175.110.12.121:80 tcp
SG 43.127.237.127:80 tcp
US 215.25.215.6:80 tcp
US 57.120.253.250:80 tcp
US 34.238.148.9:80 tcp
DZ 213.179.166.103:80 tcp
CN 36.174.192.24:80 tcp
PT 144.64.96.127:80 tcp
TW 60.251.129.31:80 tcp
DE 145.254.46.89:80 tcp
US 97.222.15.84:80 tcp
DE 84.179.179.126:80 tcp
TN 197.17.26.86:80 tcp
US 47.42.135.9:80 tcp
US 9.238.150.156:80 tcp
TR 95.6.245.117:80 tcp
US 207.140.202.22:80 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 79.213.87.127:80 tcp
HK 223.17.107.188:80 tcp
US 67.39.183.204:80 tcp
KR 115.13.125.144:80 tcp
US 215.205.15.64:80 tcp
US 66.105.47.81:80 tcp
CO 186.97.48.12:80 tcp
DE 2.240.86.220:80 tcp
US 159.3.98.100:80 tcp
CH 57.229.133.104:80 tcp
CN 114.139.121.148:80 tcp
US 71.72.86.59:80 tcp
JP 222.15.33.132:80 tcp
US 131.98.240.202:80 tcp
CA 138.119.145.98:80 tcp
DE 87.182.56.11:80 tcp
US 132.142.160.94:80 tcp
US 33.129.235.199:80 tcp
FR 78.231.220.218:80 tcp
CN 103.201.111.24:80 tcp
US 71.49.1.222:80 tcp
US 50.252.217.158:80 tcp
ES 79.155.63.12:80 tcp
BE 84.198.158.34:80 tcp
CN 112.66.23.253:80 tcp
US 97.42.18.224:80 tcp
US 214.198.223.245:80 tcp
GB 149.235.130.230:80 tcp
US 72.195.9.95:80 tcp
IN 136.232.20.142:80 tcp
EC 191.100.234.250:80 tcp
JP 59.137.246.53:80 tcp
FR 81.52.48.78:80 tcp
US 48.191.134.143:80 tcp
KR 121.146.120.120:80 tcp
N/A 100.73.220.159:80 tcp
US 28.150.74.79:80 tcp
GB 25.215.211.78:80 tcp
US 168.102.143.182:80 tcp
US 171.141.198.193:80 tcp
US 15.216.6.114:80 tcp
US 24.97.241.112:80 tcp
US 216.55.19.28:80 tcp
ZA 105.187.127.211:80 tcp
AU 146.195.136.98:80 tcp
US 67.236.55.164:80 tcp
SD 154.100.155.59:80 tcp
BR 200.144.7.151:80 tcp
NL 161.85.54.149:80 tcp
US 19.107.12.45:80 tcp
FR 109.222.78.180:80 tcp
RU 81.161.124.206:80 tcp
EG 155.11.52.252:80 tcp
US 198.150.200.202:80 tcp
BR 179.230.12.249:80 tcp
CN 113.101.58.255:80 tcp
FR 138.21.153.229:80 tcp
JP 153.171.23.130:80 tcp
BR 179.199.149.108:80 tcp
CN 202.127.16.94:80 tcp
JP 126.216.208.171:80 tcp
TW 42.72.26.122:80 tcp
CN 110.77.42.131:80 tcp
NG 105.123.108.129:80 tcp
US 104.242.250.30:80 tcp
VN 14.160.83.250:80 tcp
CN 122.231.43.0:80 tcp
US 28.127.142.254:80 tcp
NL 31.201.84.105:80 tcp
CN 110.65.35.150:80 tcp
JP 203.141.42.249:80 tcp
US 70.147.151.193:80 tcp
VN 1.52.157.133:80 tcp
CL 168.231.106.145:80 tcp
US 29.22.184.12:80 tcp
CN 1.86.92.90:80 tcp
US 56.193.24.218:80 tcp
US 74.20.215.124:80 tcp
MK 95.86.17.237:80 tcp
US 153.55.126.31:80 tcp
DE 53.148.143.89:80 tcp
HK 154.207.220.119:80 tcp
US 104.112.81.154:80 tcp
IT 87.7.154.165:80 tcp
US 69.110.252.63:80 tcp
N/A 127.235.75.18:80 tcp
US 9.6.48.252:80 tcp
ES 83.54.130.226:80 tcp
DE 141.88.237.226:80 tcp
IT 91.92.25.29:80 tcp
US 208.86.11.231:80 tcp
US 166.133.64.197:80 tcp
US 144.198.209.254:80 tcp
US 149.149.137.89:80 tcp
US 98.68.78.105:80 tcp
AU 151.178.182.42:80 tcp
US 167.184.94.68:80 tcp
US 76.251.197.119:80 tcp
KR 49.166.157.65:80 tcp
US 206.137.144.100:80 tcp
AU 203.6.24.106:80 tcp
JP 133.4.93.122:80 tcp
US 52.90.99.89:80 tcp
US 98.253.44.183:80 tcp
CA 198.161.182.8:80 tcp
IE 20.234.18.223:80 tcp
CA 69.158.181.67:80 tcp
CA 209.15.156.230:80 tcp
CN 119.176.178.132:80 tcp
US 18.218.255.105:80 tcp
CN 220.169.103.92:80 tcp
US 71.198.102.88:80 tcp
US 28.220.86.112:80 tcp
JP 219.98.83.128:80 tcp
CN 122.48.255.90:80 tcp
MX 187.135.51.101:80 tcp
RU 95.175.251.146:80 tcp
KR 4.218.115.104:80 tcp
US 26.45.217.95:80 tcp
FR 80.118.173.2:80 tcp
RU 85.90.127.34:80 tcp
HK 123.255.124.212:80 tcp
AU 58.169.96.72:80 tcp
BR 201.62.195.210:80 tcp
JP 110.128.187.21:80 tcp
KR 125.178.175.196:80 tcp
SA 87.109.68.179:80 tcp
ZA 41.84.70.240:80 tcp
MX 177.246.144.215:80 tcp
HK 113.254.170.72:80 tcp
CN 27.148.34.91:80 tcp
US 158.18.50.125:80 tcp
US 150.134.212.45:80 tcp
EG 41.33.255.75:80 tcp
RU 91.245.57.35:80 tcp
US 139.242.166.83:80 tcp
AT 193.170.63.244:80 tcp
US 192.90.95.100:80 tcp
US 30.28.204.187:80 tcp
US 147.219.154.32:80 tcp
CN 114.213.127.174:80 tcp
CN 101.26.105.78:80 tcp
CN 111.128.98.181:80 tcp
US 130.110.212.106:80 tcp
BO 186.121.235.212:80 tcp
US 12.84.170.223:80 tcp
DE 84.178.89.103:80 tcp
MU 102.198.188.134:80 tcp
US 135.50.192.248:80 tcp
US 108.171.28.131:80 tcp
US 160.37.222.115:80 tcp
KR 39.119.25.199:80 tcp
US 138.158.84.34:80 tcp
FR 163.78.163.197:80 tcp
GB 212.250.77.126:80 tcp
US 96.158.157.230:80 tcp
DE 51.50.195.41:80 tcp
KR 123.111.171.252:80 tcp
ES 163.117.44.191:80 tcp
JP 222.145.51.80:80 tcp
GB 86.24.70.232:80 tcp
JP 114.189.228.10:80 tcp
ES 90.75.246.170:80 tcp
US 11.243.125.233:80 tcp
US 184.220.192.235:80 tcp
US 107.191.193.63:80 tcp
US 166.172.163.242:80 tcp
US 35.28.139.157:80 tcp
KR 183.107.244.124:80 tcp
CN 43.146.31.34:80 tcp
US 198.73.207.93:80 tcp
US 143.249.192.161:80 tcp
US 7.225.99.154:80 tcp
US 21.23.156.87:80 tcp
US 15.30.38.107:80 tcp
JP 126.180.9.1:80 tcp
US 147.40.74.63:80 tcp
BR 177.16.80.128:80 tcp
JP 126.66.108.148:80 tcp
CA 142.109.99.133:80 tcp
CH 4.164.86.175:80 tcp
IT 83.225.90.82:80 tcp
US 64.108.178.219:80 tcp
PR 64.178.216.60:80 tcp
CN 106.12.1.96:80 tcp
US 64.48.42.73:80 tcp
US 15.90.220.73:80 tcp
IN 61.0.231.241:80 tcp
CN 124.14.89.158:80 tcp
GB 149.235.225.61:80 tcp
US 12.140.49.201:80 tcp
US 214.54.11.183:80 tcp
DE 53.34.39.217:80 tcp
US 12.175.11.232:80 tcp
US 134.167.202.202:80 tcp
US 17.39.210.186:80 tcp
US 192.213.34.37:80 tcp
FI 109.204.195.110:80 tcp
JP 218.136.38.106:80 tcp
CA 142.108.63.53:80 tcp
US 30.63.83.244:80 tcp
IN 117.195.229.38:80 tcp
US 7.91.248.246:80 tcp
IT 5.84.17.76:80 tcp
US 70.244.75.53:80 tcp
KR 27.113.21.91:80 tcp
FR 84.14.43.15:80 tcp
US 6.179.234.190:80 tcp
US 70.173.172.16:80 tcp
ZA 20.87.89.222:80 tcp
HK 150.109.41.232:80 tcp
US 135.113.238.46:80 tcp
CN 101.197.221.89:80 tcp
GB 212.134.83.57:80 tcp
US 104.74.224.14:80 tcp
US 161.11.206.131:80 tcp
TH 103.14.10.62:80 tcp
CN 106.116.80.154:80 tcp
MU 102.162.51.213:80 tcp
US 206.25.142.176:80 tcp
IT 213.217.165.109:80 tcp
US 162.9.15.42:80 tcp
US 47.218.184.142:80 tcp
US 13.186.38.50:80 tcp
AU 147.66.17.130:80 tcp
AR 186.143.120.150:80 tcp
FR 130.176.152.205:80 tcp
EG 197.165.49.92:80 tcp
US 26.102.195.220:80 tcp
US 52.226.203.158:80 tcp
US 43.175.39.7:80 tcp
US 132.117.84.19:80 tcp
GB 51.11.164.151:80 tcp
US 22.200.253.167:80 tcp
SG 160.96.95.58:80 tcp
US 30.214.125.57:80 tcp
US 9.190.179.32:80 tcp
US 170.193.227.251:80 tcp
IN 20.193.179.197:80 tcp
US 34.125.251.240:80 tcp
AU 49.176.226.123:80 tcp
US 74.69.23.116:80 tcp
US 22.109.24.66:80 tcp
US 164.56.189.2:80 tcp
US 74.4.18.142:80 tcp
JP 133.140.235.156:80 tcp
US 97.74.245.85:80 tcp
US 76.208.104.195:80 tcp
US 131.75.162.6:80 tcp
CN 182.110.215.52:80 tcp
US 171.185.37.240:80 tcp
DE 31.251.157.156:80 tcp
US 148.17.127.200:80 tcp
NL 84.24.134.123:80 tcp
CN 113.230.25.80:80 tcp
US 26.49.185.102:80 tcp
N/A 100.126.71.221:80 tcp
FR 193.249.253.182:80 tcp
GB 90.253.137.12:80 tcp
AU 203.194.62.116:80 tcp
TW 223.137.242.108:80 tcp
MA 196.88.196.65:80 tcp
US 154.26.169.210:80 tcp
DK 193.3.225.144:80 tcp
US 154.26.169.210:80 154.26.169.210 tcp
US 22.45.207.57:80 tcp
US 68.44.30.243:80 tcp
US 8.8.8.8:53 210.169.26.154.in-addr.arpa udp
CO 181.52.123.231:80 tcp
US 65.140.86.172:80 tcp
FR 109.3.219.212:80 tcp
US 11.128.247.40:80 tcp
CN 114.232.128.44:80 tcp
CN 219.142.218.26:80 tcp
SA 93.98.5.46:80 tcp
US 151.161.41.47:80 tcp
US 54.16.49.3:80 tcp
US 47.167.154.202:80 tcp
ZA 196.252.138.221:80 tcp
US 68.64.43.189:80 tcp
BR 200.133.159.154:80 tcp
KR 203.246.222.97:80 tcp
CN 58.83.222.141:80 tcp
FR 23.90.195.155:80 tcp
US 4.236.243.38:80 tcp
US 162.162.94.218:80 tcp
US 4.236.243.38:80 4.236.243.38 tcp
DE 51.122.45.15:80 tcp
US 67.238.184.39:80 tcp
VN 27.75.58.125:80 tcp
US 22.219.5.18:80 tcp
US 148.194.122.195:80 tcp
US 152.18.135.145:80 tcp
US 8.8.8.8:53 38.243.236.4.in-addr.arpa udp
CO 181.128.181.245:80 tcp
CA 139.142.68.201:80 tcp
NO 150.106.35.76:80 tcp
JP 221.245.248.112:80 tcp
NL 193.78.94.56:80 tcp
FR 77.155.127.157:80 tcp
AR 191.82.137.234:80 tcp
US 38.89.71.123:80 tcp
SA 143.92.204.104:80 tcp
JP 133.91.71.163:80 tcp
US 148.133.197.27:80 tcp
US 97.125.99.150:80 tcp
IT 194.179.175.235:80 tcp
US 207.46.83.73:80 tcp
CN 120.202.110.58:80 tcp
CA 142.106.66.114:80 tcp
US 74.102.219.9:80 tcp
CN 14.208.48.253:80 tcp
EG 156.186.220.178:80 tcp
NL 23.111.231.68:80 tcp
US 12.46.160.10:80 tcp
US 22.83.22.177:80 tcp
US 50.106.27.86:80 tcp
KR 106.98.80.170:80 tcp
UG 102.86.243.67:80 tcp
CN 222.88.84.118:80 tcp
ES 80.224.76.49:80 tcp
US 214.122.223.174:80 tcp
US 15.225.115.237:80 tcp
CN 106.46.245.201:80 tcp
CN 123.133.90.244:80 tcp
US 205.234.114.106:80 tcp
US 29.238.11.91:80 tcp
US 24.21.77.156:80 tcp
CN 120.200.83.184:80 tcp
BR 179.152.191.8:80 tcp
FR 213.151.171.186:80 tcp
US 71.113.212.217:80 tcp
IN 20.207.163.94:80 tcp
US 107.216.52.103:80 tcp
US 204.232.48.52:80 tcp
SE 212.100.121.149:80 tcp
US 204.178.181.68:80 tcp
US 73.91.40.200:80 tcp
US 135.202.7.67:80 tcp
JP 163.44.143.83:80 tcp
IN 14.142.9.195:80 tcp
US 136.181.15.19:80 tcp
US 199.184.156.159:80 tcp
US 44.255.195.162:80 tcp
IR 5.74.220.8:80 tcp
US 24.17.88.46:80 tcp
MX 201.157.122.55:80 tcp
MX 189.175.67.244:80 tcp
DE 134.171.51.147:80 tcp
DE 2.240.98.50:80 tcp
US 205.3.64.50:80 tcp
US 150.133.87.135:80 tcp
PT 213.228.162.22:80 tcp
GB 25.153.20.34:80 tcp
PT 213.228.162.22:80 213.228.162.22 tcp
US 107.240.132.147:80 tcp
RO 82.208.164.54:80 tcp
ZA 105.184.32.187:80 tcp
KW 195.226.255.114:80 tcp
US 8.8.8.8:53 22.162.228.213.in-addr.arpa udp
DE 194.163.176.21:80 tcp
DE 194.163.176.21:80 194.163.176.21 tcp
ZA 41.85.243.157:80 tcp
CN 223.151.107.65:80 tcp
NL 45.13.165.28:80 tcp
EC 186.71.255.172:80 tcp
AU 144.133.117.13:80 tcp
IN 120.59.152.129:80 tcp
DE 53.206.213.211:80 tcp
DE 94.223.169.149:80 tcp
US 56.160.185.246:80 tcp
FR 90.127.218.136:80 tcp
US 8.8.8.8:53 21.176.163.194.in-addr.arpa udp
US 162.60.185.122:80 tcp
US 30.5.145.161:80 tcp
US 205.39.232.85:80 tcp
US 65.5.113.34:80 tcp
US 148.36.149.41:80 tcp
US 6.13.43.157:80 tcp
CN 42.88.76.5:80 tcp
JP 220.107.190.119:80 tcp
US 33.21.216.199:80 tcp
GB 82.23.89.216:80 tcp
MX 187.223.107.154:80 tcp
KR 203.243.253.24:80 tcp
US 30.46.122.113:80 tcp
RS 93.87.38.31:80 tcp
KR 175.246.245.228:80 tcp
NZ 118.93.99.142:80 tcp
KR 58.148.240.100:80 tcp
BR 177.114.99.7:80 tcp
CN 122.96.207.194:80 tcp
KR 124.194.56.15:80 tcp
BR 181.217.207.211:80 tcp
IN 117.200.179.128:80 tcp
US 204.107.70.174:80 tcp
CN 124.22.35.186:80 tcp
CA 65.61.232.186:80 tcp
US 44.99.111.102:80 tcp
US 143.4.46.236:80 tcp
US 169.190.216.134:80 tcp
US 132.162.18.7:80 tcp
US 132.170.214.60:80 tcp
HK 175.159.103.58:80 tcp
ZA 164.149.77.87:80 tcp
US 166.212.161.129:80 tcp
US 13.222.144.157:80 tcp
JP 211.12.194.181:80 tcp
US 143.82.27.161:80 tcp
US 165.119.209.214:80 tcp
US 107.253.96.214:80 tcp
PT 194.210.176.175:80 tcp
CN 113.16.252.19:80 tcp
CN 60.172.102.24:80 tcp
AU 124.191.240.181:80 tcp
US 215.120.72.1:80 tcp
US 130.156.10.189:80 tcp
FI 157.24.174.192:80 tcp
JP 218.42.48.67:80 tcp
US 21.125.81.53:80 tcp
US 20.171.184.230:80 tcp
IN 223.231.1.88:80 tcp
BR 170.0.47.142:80 tcp
US 15.5.209.66:80 tcp
US 73.117.55.146:80 tcp
US 15.65.171.213:80 tcp
US 98.233.54.64:80 tcp
IN 101.218.110.72:80 tcp
TW 59.114.224.82:80 tcp
ES 188.171.178.176:80 tcp
DE 3.68.106.168:80 tcp
US 4.110.131.7:80 tcp
NO 31.45.123.163:80 tcp
JP 58.112.6.10:80 tcp
JP 126.76.73.12:80 tcp
TW 203.71.168.108:80 tcp
US 17.31.132.181:80 tcp
US 35.209.100.238:80 tcp
US 30.224.246.219:80 tcp
KR 39.112.139.197:80 tcp
AU 49.184.48.79:80 tcp
N/A 127.100.145.65:80 tcp
TN 102.27.44.255:80 tcp
US 71.208.40.111:80 tcp
ES 85.63.154.128:80 tcp
CN 58.255.94.2:80 tcp
FR 185.21.153.205:80 tcp
N/A 10.243.4.2:80 tcp
CN 211.97.43.112:80 tcp
IT 176.207.52.204:80 tcp
US 198.171.39.12:80 tcp
DE 93.214.87.46:80 tcp
FR 86.255.39.90:80 tcp
JP 219.104.5.200:80 tcp
CN 221.183.98.98:80 tcp
GB 185.85.41.49:80 tcp
US 6.200.31.114:80 tcp
US 18.30.106.22:80 tcp
SG 148.145.162.61:80 tcp
US 136.133.86.100:80 tcp
US 63.243.228.247:80 tcp
US 74.87.253.15:80 tcp
BR 187.83.158.6:80 tcp
US 148.156.200.60:80 tcp
JP 14.10.240.92:80 tcp
US 129.15.239.87:80 tcp
RU 77.236.233.51:80 tcp
US 136.19.232.64:80 tcp
US 162.6.237.54:80 tcp
BR 200.139.247.78:80 tcp
CN 219.229.235.74:80 tcp
US 29.174.38.172:80 tcp
NG 102.94.60.23:80 tcp
CM 165.211.39.150:80 tcp
BR 177.209.121.245:80 tcp
US 4.100.216.73:80 tcp
NL 37.74.183.213:80 tcp
CA 142.179.207.233:80 tcp
EG 196.144.106.134:80 tcp
CA 198.245.54.108:80 tcp
US 174.55.6.54:80 tcp
US 38.0.117.22:80 tcp
IR 178.239.154.233:80 tcp
US 184.175.106.16:80 tcp
EC 186.46.60.233:80 tcp
CN 106.83.139.12:80 tcp
CL 164.96.136.1:80 tcp
CN 106.233.49.139:80 tcp
PK 39.38.0.36:80 tcp
DK 130.226.22.218:80 tcp
JP 36.55.106.11:80 tcp
KR 27.164.14.229:80 tcp
JP 60.68.125.199:80 tcp
US 66.169.154.246:80 tcp
US 166.63.60.167:80 tcp
US 162.5.132.46:80 tcp
JP 180.145.58.255:80 tcp
CN 182.42.69.229:80 tcp
JP 115.126.136.219:80 tcp
CN 112.25.89.108:80 tcp
US 200.234.149.184:80 tcp
US 138.123.34.50:80 tcp
US 169.237.184.104:80 tcp
US 129.99.247.173:80 tcp
PL 178.182.160.203:80 tcp
FR 81.194.40.248:80 tcp
US 104.2.182.46:80 tcp
US 108.47.99.47:80 tcp
RU 178.49.192.93:80 tcp
US 9.235.174.203:80 tcp
CN 59.52.21.91:80 tcp
PH 203.87.187.254:80 tcp
ID 39.240.163.180:80 tcp
US 184.38.185.105:80 tcp
CN 27.153.70.252:80 tcp
US 38.186.215.81:80 tcp
LV 85.15.245.27:80 tcp
US 57.80.31.141:80 tcp
GB 87.114.103.211:80 tcp
US 204.225.39.6:80 tcp
BR 191.242.228.86:80 tcp
IT 158.47.148.81:80 tcp
US 50.146.148.105:80 tcp
GB 159.86.215.238:80 tcp
CN 116.7.16.95:80 tcp
US 143.30.70.111:80 tcp
GT 201.247.254.224:80 tcp
IT 79.5.4.191:80 tcp
US 130.180.224.92:80 tcp
MA 196.70.73.85:80 tcp
US 96.252.3.212:80 tcp
US 131.142.127.237:80 tcp
US 71.177.90.177:80 tcp
US 73.10.65.201:80 tcp
US 198.4.254.177:80 tcp
US 174.161.68.120:80 tcp
GB 25.89.71.199:80 tcp
CN 123.58.82.74:80 tcp
N/A 127.182.16.207:80 tcp
US 75.27.162.157:80 tcp
DE 53.84.101.197:80 tcp
US 6.140.244.35:80 tcp
RU 37.113.214.119:80 tcp
US 158.221.23.246:80 tcp
CN 222.203.200.96:80 tcp
SE 85.194.138.34:80 tcp
US 33.97.49.15:80 tcp
JP 64.104.56.59:80 tcp
BD 114.130.198.153:80 tcp
US 19.118.40.133:80 tcp
US 107.131.46.172:80 tcp
US 94.39.208.26:80 tcp
US 167.145.204.93:80 tcp
US 75.174.119.32:80 tcp
IR 5.120.225.47:80 tcp
ES 217.18.165.198:80 tcp
TW 1.174.238.41:80 tcp
GB 25.115.231.248:80 tcp
US 65.199.137.192:80 tcp
US 155.225.132.139:80 tcp
BR 128.201.240.248:80 tcp
US 44.119.68.156:80 tcp
US 199.210.67.62:80 tcp
JP 218.138.38.80:80 tcp
US 199.14.134.254:80 tcp
DE 93.233.98.191:80 tcp
CH 51.34.199.160:80 tcp
US 20.153.158.152:80 tcp
KR 113.216.137.206:80 tcp
RU 62.5.191.118:80 tcp
AU 1.157.201.64:80 tcp
FR 37.187.199.179:80 tcp
KR 222.238.12.252:80 tcp
US 47.205.192.123:80 tcp
US 134.192.182.26:80 tcp
US 33.42.122.233:80 tcp
TW 218.168.130.138:80 tcp
US 193.123.17.85:80 tcp
KR 27.162.111.178:80 tcp
CN 114.250.142.28:80 tcp
BG 46.237.65.6:80 tcp
AU 163.8.7.153:80 tcp
CN 8.148.134.157:80 tcp
ES 90.77.65.254:80 tcp
CR 185.185.249.221:80 tcp
NL 134.188.158.213:80 tcp
FR 88.122.164.148:80 tcp
ZA 154.119.166.247:80 tcp
US 162.149.37.107:80 tcp
US 192.62.245.32:80 tcp
CN 118.26.204.117:80 tcp
US 174.96.242.137:80 tcp
AU 20.53.82.48:80 tcp
US 144.62.204.61:80 tcp
BR 187.47.66.239:80 tcp
AU 103.14.254.146:80 tcp
CZ 89.102.60.245:80 tcp
KR 220.116.59.113:80 tcp
IN 223.189.80.58:80 tcp
AU 192.232.150.129:80 tcp
NO 139.118.221.26:80 tcp
US 214.120.80.240:80 tcp
KZ 95.56.149.50:80 tcp
AU 172.197.232.225:80 tcp
GB 31.116.9.21:80 tcp
ZA 105.209.49.222:80 tcp
US 67.236.61.63:80 tcp
PL 178.235.127.101:80 tcp
DK 93.166.140.27:80 tcp
CN 58.44.212.142:80 tcp
US 15.46.188.30:80 tcp
N/A 10.224.126.107:80 tcp
US 214.64.91.42:80 tcp
US 198.125.0.244:80 tcp
US 89.116.48.232:80 tcp
US 55.208.220.117:80 tcp
N/A 82.177.96.94:80 tcp
N/A 197.106.209.156:80 tcp
N/A 22.195.134.92:80 tcp
N/A 44.247.90.195:80 tcp
N/A 56.178.160.42:80 tcp
N/A 60.157.129.127:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI25882\python310.dll

MD5 63a1fa9259a35eaeac04174cecb90048
SHA1 0dc0c91bcd6f69b80dcdd7e4020365dd7853885a
SHA256 14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed
SHA512 896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

C:\Users\Admin\AppData\Local\Temp\_MEI25882\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

C:\Users\Admin\AppData\Local\Temp\_MEI25882\libcrypto-1_1.dll

MD5 9d7a0c99256c50afd5b0560ba2548930
SHA1 76bd9f13597a46f5283aa35c30b53c21976d0824
SHA256 9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939
SHA512 cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

C:\Users\Admin\AppData\Local\Temp\_MEI25882\_socket.pyd

MD5 819166054fec07efcd1062f13c2147ee
SHA1 93868ebcd6e013fda9cd96d8065a1d70a66a2a26
SHA256 e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f
SHA512 da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

C:\Users\Admin\AppData\Local\Temp\_MEI25882\_lzma.pyd

MD5 7447efd8d71e8a1929be0fac722b42dc
SHA1 6080c1b84c2dcbf03dcc2d95306615ff5fce49a6
SHA256 60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be
SHA512 c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

C:\Users\Admin\AppData\Local\Temp\_MEI25882\_hashlib.pyd

MD5 d4674750c732f0db4c4dd6a83a9124fe
SHA1 fd8d76817abc847bb8359a7c268acada9d26bfd5
SHA256 caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9
SHA512 97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

C:\Users\Admin\AppData\Local\Temp\_MEI25882\_decimal.pyd

MD5 20c77203ddf9ff2ff96d6d11dea2edcf
SHA1 0d660b8d1161e72c993c6e2ab0292a409f6379a5
SHA256 9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133
SHA512 2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

C:\Users\Admin\AppData\Local\Temp\_MEI25882\_bz2.pyd

MD5 86d1b2a9070cd7d52124126a357ff067
SHA1 18e30446fe51ced706f62c3544a8c8fdc08de503
SHA256 62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e
SHA512 7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

C:\Users\Admin\AppData\Local\Temp\_MEI25882\unicodedata.pyd

MD5 81d62ad36cbddb4e57a91018f3c0816e
SHA1 fe4a4fc35df240b50db22b35824e4826059a807b
SHA256 1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e
SHA512 7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

C:\Users\Admin\AppData\Local\Temp\_MEI25882\select.pyd

MD5 a653f35d05d2f6debc5d34daddd3dfa1
SHA1 1a2ceec28ea44388f412420425665c3781af2435
SHA256 db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9
SHA512 5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

C:\Users\Admin\AppData\Local\Temp\_MEI25882\s.exe

MD5 c3ce667a9cc72a2177539a1c6a56d497
SHA1 724cb32ba6d00731d3c86ef93ccdb67e2218711a
SHA256 aa8fe5692f9327c2e7d8c68f4704eddc3683de8e3f9a551bc143e08617dcf255
SHA512 a5d493455e839072da357a0f480cef7065755a8ffaa1efaacb0baaaf068edd08be33e8d75604e3aa3387afebbf8dcc63bf842a4664847b06b5771f9575d6aceb

C:\Users\Admin\AppData\Local\Temp\_MEI25882\base_library.zip

MD5 c4989bceb9e7e83078812c9532baeea7
SHA1 aafb66ebdb5edc327d7cb6632eb80742be1ad2eb
SHA256 a0f5c7f0bac1ea9dc86d60d20f903cc42cff3f21737426d69d47909fc28b6dcd
SHA512 fb6d431d0f2c8543af8df242337797f981d108755712ec6c134d451aa777d377df085b4046970cc5ac0991922ddf1f37445a51be1a63ef46b0d80841222fb671

C:\ProgramData\main.exe

MD5 3d3c49dd5d13a242b436e0a065cd6837
SHA1 e38a773ffa08452c449ca5a880d89cfad24b6f1b
SHA256 e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf
SHA512 dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

C:\ProgramData\svchost.exe

MD5 45c59202dce8ed255b4dbd8ba74c630f
SHA1 60872781ed51d9bc22a36943da5f7be42c304130
SHA256 d07c47f759245d34a5b94786637c3d2424c7e3f3dea3d738d95bf4721dbf3b16
SHA512 fff5b16ae38681ed56782c0f0423560dab45065685d7272424206f43c80486318180aa22d66bd197c8c530e4c24dbaaaa020beb76b619dc767ee59faa27e23ed

memory/4348-53-0x00007FF9D3533000-0x00007FF9D3535000-memory.dmp

memory/4348-61-0x000001EAFE9A0000-0x000001EAFEF40000-memory.dmp

C:\ProgramData\crss.exe

MD5 af7c523acfdfc98b945b8092170a5fd3
SHA1 cc8131cdbaeceaa28a757f8289077d3214938176
SHA256 cd4ebc4942faf22d6b41d8d0d41aad0570807e7dc484f35010a903caa5a1adb7
SHA512 3dd365665594fddb3e64e3ef3af25ae858538522f2ca61706d0708ca927230f54da23088e578b3ccc11c3f10a8498647b1d701769944fdd17690d2f239777acf

C:\ProgramData\setup.exe

MD5 1274cbcd6329098f79a3be6d76ab8b97
SHA1 53c870d62dcd6154052445dc03888cdc6cffd370
SHA256 bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278
SHA512 a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967

C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

MD5 65ccd6ecb99899083d43f7c24eb8f869
SHA1 27037a9470cc5ed177c0b6688495f3a51996a023
SHA256 aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512 533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

memory/4348-101-0x000001EAFFED0000-0x000001EAFFF46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe

MD5 d6da6166258e23c9170ee2a4ff73c725
SHA1 c3c9d6925553e266fe6f20387feee665ce3e4ba9
SHA256 78ee67a8ae359f697979f4cd3c7228d3235c32d3b611303e070b71414591ba1e
SHA512 37a5a18acbb56e5458baebb12a4d3b3229b218eb606be3535d1c30e8e0d4fa969543889c587078456321209fe4503688432f45ff35a7af598b770393e7ae3b05

C:\Users\Admin\AppData\Local\Temp\_MEI37602\setuptools\_vendor\importlib_resources-6.4.0.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

memory/4348-127-0x000001EAFF300000-0x000001EAFF31E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI37602\setuptools\_vendor\jaraco.functools-4.0.1.dist-info\LICENSE

MD5 141643e11c48898150daa83802dbc65f
SHA1 0445ed0f69910eeaee036f09a39a13c6e1f37e12
SHA256 86da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741
SHA512 ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f

C:\Users\Admin\AppData\Local\Temp\_MEI37602\setuptools\_vendor\jaraco.text-3.12.1.dist-info\WHEEL

MD5 43136dde7dd276932f6197bb6d676ef4
SHA1 6b13c105452c519ea0b65ac1a975bd5e19c50122
SHA256 189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714
SHA512 e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1

C:\Users\Admin\AppData\Local\Temp\_MEI37602\python3.DLL

MD5 fd4a39e7c1f7f07cf635145a2af0dc3a
SHA1 05292ba14acc978bb195818499a294028ab644bd
SHA256 dc909eb798a23ba8ee9f8e3f307d97755bc0d2dc0cb342cedae81fbbad32a8a9
SHA512 37d3218bc767c44e8197555d3fa18d5aad43a536cfe24ac17bf8a3084fb70bd4763ccfd16d2df405538b657f720871e0cd312dfeb7f592f3aac34d9d00d5a643

C:\Users\Admin\AppData\Local\Temp\_MEI37602\_ctypes.pyd

MD5 1635a0c5a72df5ae64072cbb0065aebe
SHA1 c975865208b3369e71e3464bbcc87b65718b2b1f
SHA256 1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177
SHA512 6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat

MD5 77218ae27e9ad896918d9a081c61b1be
SHA1 3c8ebaa8fa858b82e513ccf482e11172b0f52ce0
SHA256 e09540a47f3647a9fdf9673281e2664441bbaee8d3236d22b1875b9d23abacab
SHA512 6a16b367a762132172830fd81c41c58ac49de788eed93d4c5526f8f0e6859703b336a137fd8d4fe7088b4110d72e5f4767b6462bc4651769924b67305719f30a

C:\Users\Admin\AppData\Local\Temp\_MEI37602\_queue.pyd

MD5 d8c1b81bbc125b6ad1f48a172181336e
SHA1 3ff1d8dcec04ce16e97e12263b9233fbf982340c
SHA256 925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14
SHA512 ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

C:\Users\Admin\AppData\Local\Temp\_MEI37602\pyexpat.pyd

MD5 1118c1329f82ce9072d908cbd87e197c
SHA1 c59382178fe695c2c5576dca47c96b6de4bbcffd
SHA256 4a2d59993bce76790c6d923af81bf404f8e2cb73552e320113663b14cf78748c
SHA512 29f1b74e96a95b0b777ef00448da8bd0844e2f1d8248788a284ec868ae098c774a694d234a00bd991b2d22c2372c34f762cdbd9ec523234861e39c0ca752dcaa

C:\Users\Admin\AppData\Local\Temp\_MEI37602\_ssl.pyd

MD5 7910fb2af40e81bee211182cffec0a06
SHA1 251482ed44840b3c75426dd8e3280059d2ca06c6
SHA256 d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f
SHA512 bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

C:\Users\Admin\AppData\Local\Temp\_MEI37602\_pytransform.dll

MD5 23376a4df02c2bb0b770930449355acb
SHA1 05878e4a25b07c74b03ee9c2396e15e9933f1c98
SHA256 e999f10f53a09ddd5c6e05ad8bd3635c43d1035eb70afd32463875a1aef030cd
SHA512 b7a96e6fa0744201e54edf748fb89ed243834b3569867222857a1c03c30f485ea4faff4901cca57f699353771fb7f053a2afe1e6fd2c3687b0073a3e9ed9602d

C:\Users\Admin\AppData\Local\Temp\_MEI37602\_overlapped.pyd

MD5 fdf8663b99959031780583cce98e10f5
SHA1 6c0bafc48646841a91625d74d6b7d1d53656944d
SHA256 2ebbb0583259528a5178dd37439a64affcb1ab28cf323c6dc36a8c30362aa992
SHA512 a5371d6f6055b92ac119a3e3b52b21e2d17604e5a5ac241c008ec60d1db70b3ce4507d82a3c7ce580ed2eb7d83bb718f4edc2943d10cb1d377fa006f4d0026b6

C:\Users\Admin\AppData\Local\Temp\_MEI37602\_multiprocessing.pyd

MD5 a9a0588711147e01eed59be23c7944a9
SHA1 122494f75e8bb083ddb6545740c4fae1f83970c9
SHA256 7581edea33c1db0a49b8361e51e6291688601640e57d75909fb2007b2104fa4c
SHA512 6b580f5c53000db5954deb5b2400c14cb07f5f8bbcfc069b58c2481719a0f22f0d40854ca640ef8425c498fbae98c9de156b5cc04b168577f0da0c6b13846a88

C:\Users\Admin\AppData\Local\Temp\_MEI37602\_cffi_backend.cp310-win_amd64.pyd

MD5 2baaa98b744915339ae6c016b17c3763
SHA1 483c11673b73698f20ca2ff0748628c789b4dc68
SHA256 4f1ce205c2be986c9d38b951b6bcb6045eb363e06dacc069a41941f80be9068c
SHA512 2ae8df6e764c0813a4c9f7ac5a08e045b44daac551e8ff5f8aa83286be96aa0714d373b8d58e6d3aa4b821786a919505b74f118013d9fcd1ebc5a9e4876c2b5f

C:\Users\Admin\AppData\Local\Temp\_MEI37602\_brotli.cp310-win_amd64.pyd

MD5 ee3d454883556a68920caaedefbc1f83
SHA1 45b4d62a6e7db022e52c6159eef17e9d58bec858
SHA256 791e7195d7df47a21466868f3d7386cff13f16c51fcd0350bf4028e96278dff1
SHA512 e404adf831076d27680cc38d3879af660a96afc8b8e22ffd01647248c601f3c6c4585d7d7dc6bbd187660595f6a48f504792106869d329aa1a0f3707d7f777c6

C:\Users\Admin\AppData\Local\Temp\_MEI37602\_asyncio.pyd

MD5 33d0b6de555ddbbbd5ca229bfa91c329
SHA1 03034826675ac93267ce0bf0eaec9c8499e3fe17
SHA256 a9a99a2b847e46c0efce7fcfefd27f4bce58baf9207277c17bffd09ef4d274e5
SHA512 dbbd1ddfa445e22a0170a628387fcf3cb95e6f8b09465d76595555c4a67da4274974ba7b348c4c81fe71c68d735c13aacb8063d3a964a8a0556fb000d68686b7

C:\Users\Admin\AppData\Local\Temp\_MEI37602\VCRUNTIME140_1.dll

MD5 135359d350f72ad4bf716b764d39e749
SHA1 2e59d9bbcce356f0fece56c9c4917a5cacec63d7
SHA256 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32
SHA512 cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

C:\Users\Admin\AppData\Local\Temp\_MEI37602\libssl-1_1.dll

MD5 bec0f86f9da765e2a02c9237259a7898
SHA1 3caa604c3fff88e71f489977e4293a488fb5671c
SHA256 d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd
SHA512 ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

C:\Users\Admin\AppData\Local\Temp\_MEI37602\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI37602\base_library.zip

MD5 39ee03fdaaeeab50415acf71fa86589a
SHA1 d181497c9eceffbcb55d0a1b76b56aa300142dd5
SHA256 7033ab039d46c8156eac0948f7c4779bd070b52e017aa655d480befd982c9feb
SHA512 b9bebc06b9e601d40dc41d1999b8c60bbe9e8a1355fa5e26c149677aeeae9b641a4be4ce7ffa84dcabe6e61a58b99da2e82d595a83df7f4aabb6b592256c2b5b

memory/4460-768-0x0000000000470000-0x0000000000802000-memory.dmp

memory/420-357-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-355-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-353-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-351-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-349-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-347-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-345-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-343-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-341-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-339-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-337-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-335-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-333-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-331-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-329-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-327-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-325-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-323-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-321-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-319-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-317-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-315-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-313-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-311-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-309-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-307-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-305-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-303-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-301-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-299-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-297-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-295-0x0000021212170000-0x0000021212171000-memory.dmp

memory/420-294-0x0000021212160000-0x0000021212161000-memory.dmp

memory/4460-1556-0x0000000002A50000-0x0000000002A76000-memory.dmp

memory/4460-1558-0x0000000001020000-0x000000000102E000-memory.dmp

memory/4460-1560-0x0000000002A80000-0x0000000002A9C000-memory.dmp

memory/4460-1561-0x000000001B4D0000-0x000000001B520000-memory.dmp

memory/4460-1563-0x0000000001030000-0x0000000001040000-memory.dmp

memory/4460-1565-0x0000000002AA0000-0x0000000002AB8000-memory.dmp

memory/4460-1567-0x0000000001040000-0x0000000001050000-memory.dmp

memory/4460-1569-0x0000000001050000-0x0000000001060000-memory.dmp

memory/4460-1571-0x0000000002AC0000-0x0000000002ACE000-memory.dmp

memory/4460-1573-0x0000000002AD0000-0x0000000002ADE000-memory.dmp

memory/4460-1575-0x000000001B750000-0x000000001B762000-memory.dmp

memory/4460-1577-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

memory/4460-1579-0x000000001B770000-0x000000001B786000-memory.dmp

memory/4460-1581-0x000000001B790000-0x000000001B7A2000-memory.dmp

memory/4460-1583-0x000000001BCE0000-0x000000001C208000-memory.dmp

memory/4460-1585-0x000000001B730000-0x000000001B73E000-memory.dmp

memory/4460-1590-0x000000001B740000-0x000000001B750000-memory.dmp

memory/4460-1592-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

memory/4460-1594-0x000000001B820000-0x000000001B87A000-memory.dmp

memory/4460-1596-0x000000001B7C0000-0x000000001B7CE000-memory.dmp

memory/4460-1598-0x000000001B7D0000-0x000000001B7E0000-memory.dmp

memory/4460-1600-0x000000001B7E0000-0x000000001B7EE000-memory.dmp

memory/4460-1602-0x000000001B880000-0x000000001B898000-memory.dmp

memory/4460-1604-0x000000001B8F0000-0x000000001B93E000-memory.dmp

C:\ProgramData\шева.txt

MD5 17bcf11dc5f1fa6c48a1a856a72f1119
SHA1 873ec0cbd312762df3510b8cccf260dc0a23d709
SHA256 a7bf504871a46343c2feab9d923e01b9dca4e980b2e122ad55fd4dbb3f6c16d9
SHA512 9c12db4c6a105e767ff27048d2f8f19de5c9721ce6503dbb497aedcc1fc8b910a6fa43ec987fecd26794aff7440cb984744698fec5741dd73400a299dc3b2a25

C:\Users\Admin\AppData\Local\Temp\geeesNrn1f.bat

MD5 204e942f8cb4777af55e8a3385a99145
SHA1 586ef5fa4fc1be8768c8db5a95d2fdb4fbcfc709
SHA256 455233ae96f51f28dc77a163c4318c1277e160528a5f16fa1b34f0a67bae6cd1
SHA512 92ca49b5c87e1421a00095723bd7fdfb11bb6982b34d5b12d004e5894731c5c062d7f21556679c7c1e09920b2af3c347dafc6717d42c18f5843e957952e0f3b0

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hui2hlr3.42c.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4796-1644-0x00000268A58D0000-0x00000268A58F2000-memory.dmp

memory/2900-1654-0x0000022133730000-0x000002213373A000-memory.dmp

memory/2900-1655-0x0000022133CB0000-0x0000022133D1A000-memory.dmp

memory/2900-1656-0x0000022134990000-0x00000221349CA000-memory.dmp

memory/2900-1657-0x000002211AE90000-0x000002211AEB6000-memory.dmp

memory/2900-1658-0x00000221349D0000-0x0000022134A82000-memory.dmp

memory/2900-1659-0x0000022134B50000-0x0000022134E7E000-memory.dmp

memory/2900-1661-0x0000022134A80000-0x0000022134A92000-memory.dmp

memory/8248-1988-0x0000000000C60000-0x0000000000FF2000-memory.dmp

memory/5608-2162-0x0000024651F90000-0x0000024651FAC000-memory.dmp

memory/5608-2163-0x0000024651FB0000-0x0000024652065000-memory.dmp

memory/5608-2164-0x0000024652070000-0x000002465207A000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

MD5 b708d0bcd646043eeb80761ef7b879cc
SHA1 40660f6b08640fef56c915b30465ee0a5fb51e4d
SHA256 bc8a0d6f18f964bd094e1ff5e1b23028c067580089af59a8ae92683deaae1562
SHA512 8148b776dd3d03b12cff70bebf84e27d54c037ddff02dd92dbe33e73b6662e28bfe75ed8b58a5708ae2bd583f1bd0e63ce7bbf7a71a4bc748dc586e2fcfc5421
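The Network and Files listings above are in a fixed line format, so a triage script can turn them into indicators without hand-copying. The example below is added here as an editor's illustration; it is not part of the sandbox report and not tooling from the report's vendor. It parses a constructed sample (a few lines copied verbatim from the two listings) and does three things a practitioner would want: counts contacted hosts per country and flags targets that are loopback or RFC 1918 (the `N/A` entries `127.182.16.207` and `10.224.126.107` above), collects the SHA256 of each dropped file, and flags executables written outside the PyInstaller `_MEI*` extraction directory whose name equals, or is one edit away from, a Windows system binary name (which catches `C:\ProgramData\svchost.exe` and `C:\ProgramData\crss.exe` from the listing). The `SYSTEM_NAMES` set and the one-edit "lookalike" heuristic are assumptions of this example, not something the report states.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the report's own line format: a subset of the
# Network listing (country, ip:port, protocol).
NETWORK_SAMPLE = """
US 136.133.86.100:80 tcp
BR 187.83.158.6:80 tcp
N/A 127.182.16.207:80 tcp
N/A 10.224.126.107:80 tcp
N/A 22.195.134.92:80 tcp
CN 219.229.235.74:80 tcp
"""

# Constructed sample in the report's Files format: a path line, then
# hash lines; memory-dump entries carry no hashes.
FILES_SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\_MEI25882\python310.dll

MD5 63a1fa9259a35eaeac04174cecb90048
SHA1 0dc0c91bcd6f69b80dcdd7e4020365dd7853885a
SHA256 14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

C:\ProgramData\svchost.exe

MD5 45c59202dce8ed255b4dbd8ba74c630f
SHA1 60872781ed51d9bc22a36943da5f7be42c304130
SHA256 d07c47f759245d34a5b94786637c3d2424c7e3f3dea3d738d95bf4721dbf3b16

memory/4348-53-0x00007FF9D3533000-0x00007FF9D3535000-memory.dmp

C:\ProgramData\crss.exe

MD5 af7c523acfdfc98b945b8092170a5fd3
SHA256 cd4ebc4942faf22d6b41d8d0d41aad0570807e7dc484f35010a903caa5a1adb7
"""

NET_RE = re.compile(r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<proto>\w+)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Assumed list of Windows binary names that droppers commonly imitate.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                "explorer.exe", "services.exe", "smss.exe"}


def parse_network(text):
    """One dict per 'CC ip:port proto' line; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if m:
            rows.append({"cc": m["cc"], "ip": m["ip"],
                         "port": int(m["port"]), "proto": m["proto"]})
    return rows


def classify_ip(ip):
    """loopback / private / reserved / routable for an IPv4 string."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    if not addr.is_global:
        return "reserved"
    return "routable"


def country_counts(rows):
    return Counter(r["cc"] for r in rows)


def non_routable_targets(rows):
    """Contacted addresses that cannot be real Internet C2 or scan targets."""
    return [(r["ip"], classify_ip(r["ip"])) for r in rows
            if classify_ip(r["ip"]) != "routable"]


def parse_files(text):
    """Group each path line with the hash lines that follow it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and entries:
            entries[-1]["hashes"][m[1]] = m[2].lower()
        else:
            entries.append({"path": line, "hashes": {}})
    return entries


def sha256_indicators(entries):
    """SHA256 of every on-disk artefact that has one (memory dumps have none)."""
    return {e["path"]: e["hashes"]["SHA256"] for e in entries if "SHA256" in e["hashes"]}


def edit_distance(a, b):
    """Levenshtein distance; lets 'crss.exe' match 'csrss.exe'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_drops(entries):
    """Executables dropped outside the PyInstaller _MEI* temp dir whose name
    is a Windows system binary name or one edit away from one."""
    flagged = []
    for e in entries:
        path = e["path"]
        if path.startswith("memory/") or "\\_mei" in path.lower():
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        if name.endswith(".exe") and any(edit_distance(name, s) <= 1 for s in SYSTEM_NAMES):
            flagged.append((path, e["hashes"].get("SHA256")))
    return flagged


if __name__ == "__main__":
    rows = parse_network(NETWORK_SAMPLE)
    print(country_counts(rows), non_routable_targets(rows))
    files = parse_files(FILES_SAMPLE)
    print(masquerade_drops(files))
```

Run against the full listings, the same functions give the per-country breakdown of the ~1,500 contacted hosts and a hash set that can be fed straight into an EDR or SIEM blocklist; the lookalike check is deliberately loose (distance 1) and expects a human to review what it flags.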