52ec41e428b630194915d3f5e1016e58147c7ae3202cdd1c6d6a4d20c76ea0b5

Analysis

max time kernel
14s
max time network
24s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PlutoBETA.2/PlutoBETA.exe
Size

37.6MB
MD5

529f707d764d2da27d2b8f982e5c3c37
SHA1

e4ab7395a54777c310259b975e6ccbd1cc934d37
SHA256

90473bef6e0137f9d543260dec681ee7ce0f0e833f4084b4d427c1fea3f49045
SHA512

67e551b165f02fabd406afaa5a88cf75aa69cec689b544d41d093656783828236813102cbab8d8868457eec070039d381fe544c9215d07f66730fe4e97ceef63
SSDEEP

393216:JQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgh96l+ZArYsFRl7du:J3on1HvSzxAMNhFZArYsSPvp7OZuF

Score

8^/10

execution spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4344 powershell.exe
2604 powershell.exe
4752 powershell.exe

pid	process
4344	powershell.exe
2604	powershell.exe
4752	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PlutoBETA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	PlutoBETA.exe

Loads dropped DLL 1 IoCs

Processes:

PlutoBETA.exe

pid process

4764 PlutoBETA.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

24 discord.com
17 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 api.ipify.org
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

Processes:

cmd.execmd.exe

pid process

3264 cmd.exe
3732 cmd.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2540 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4748 tasklist.exe
536 tasklist.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3872 taskkill.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4344 powershell.exe
4344 powershell.exe
1768 powershell.exe
1768 powershell.exe
912 powershell.exe

pid	process
4764	PlutoBETA.exe

flow	ioc
24	discord.com
17	discord.com

flow	ioc
18	api.ipify.org

pid	process
3264	cmd.exe
3732	cmd.exe

pid	process
2540	schtasks.exe

pid	process
4748	tasklist.exe
536	tasklist.exe

pid	process
3872	taskkill.exe

pid	process
4344	powershell.exe
4344	powershell.exe
1768	powershell.exe
1768	powershell.exe
912	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exetasklist.exetaskkill.exetasklist.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	4748	tasklist.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	536	tasklist.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

PlutoBETA.execmd.exepowershell.execsc.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4764 wrote to memory of 1620	4764	PlutoBETA.exe	cmd.exe
PID 4764 wrote to memory of 1620	4764	PlutoBETA.exe	cmd.exe
PID 1620 wrote to memory of 4532	1620	cmd.exe	cmd.exe
PID 1620 wrote to memory of 4532	1620	cmd.exe	cmd.exe
PID 1620 wrote to memory of 4344	1620	cmd.exe	powershell.exe
PID 1620 wrote to memory of 4344	1620	cmd.exe	powershell.exe
PID 4344 wrote to memory of 4956	4344	powershell.exe	csc.exe
PID 4344 wrote to memory of 4956	4344	powershell.exe	csc.exe
PID 4956 wrote to memory of 4240	4956	csc.exe	cvtres.exe
PID 4956 wrote to memory of 4240	4956	csc.exe	cvtres.exe
PID 4764 wrote to memory of 4056	4764	PlutoBETA.exe	cmd.exe
PID 4764 wrote to memory of 4056	4764	PlutoBETA.exe	cmd.exe
PID 4056 wrote to memory of 1680	4056	cmd.exe	curl.exe
PID 4056 wrote to memory of 1680	4056	cmd.exe	curl.exe
PID 4764 wrote to memory of 3140	4764	PlutoBETA.exe	cmd.exe
PID 4764 wrote to memory of 3140	4764	PlutoBETA.exe	cmd.exe
PID 3140 wrote to memory of 4748	3140	cmd.exe	tasklist.exe
PID 3140 wrote to memory of 4748	3140	cmd.exe	tasklist.exe
PID 4764 wrote to memory of 3320	4764	PlutoBETA.exe	cmd.exe
PID 4764 wrote to memory of 3320	4764	PlutoBETA.exe	cmd.exe
PID 3320 wrote to memory of 3872	3320	cmd.exe	taskkill.exe
PID 3320 wrote to memory of 3872	3320	cmd.exe	taskkill.exe
PID 4764 wrote to memory of 5052	4764	PlutoBETA.exe	cmd.exe
PID 4764 wrote to memory of 5052	4764	PlutoBETA.exe	cmd.exe
PID 4764 wrote to memory of 3264	4764	PlutoBETA.exe	cmd.exe
PID 4764 wrote to memory of 3264	4764	PlutoBETA.exe	cmd.exe
PID 5052 wrote to memory of 536	5052	cmd.exe	tasklist.exe
PID 5052 wrote to memory of 536	5052	cmd.exe	tasklist.exe
PID 3264 wrote to memory of 1768	3264	cmd.exe	powershell.exe
PID 3264 wrote to memory of 1768	3264	cmd.exe	powershell.exe
PID 4764 wrote to memory of 3732	4764	PlutoBETA.exe	cmd.exe
PID 4764 wrote to memory of 3732	4764	PlutoBETA.exe	cmd.exe
PID 3732 wrote to memory of 912	3732	cmd.exe	powershell.exe
PID 3732 wrote to memory of 912	3732	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\PlutoBETA.exe
"C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\PlutoBETA.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
2⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
3⤵
PID:4532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -noprofile -
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ftvuyq3s\ftvuyq3s.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B7D.tmp" "c:\Users\Admin\AppData\Local\Temp\ftvuyq3s\CSC45660C1C70D4BE4AF69C0E0D8DEDD33.TMP"
5⤵
PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
2⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
3⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
2⤵
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\system32\taskkill.exe
taskkill /IM msedge.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,241,92,66,174,187,6,38,209,193,142,166,116,244,248,31,73,3,124,122,132,249,215,184,221,61,142,63,81,31,235,133,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,131,228,65,214,200,163,167,4,113,222,37,206,252,183,179,243,139,246,96,173,127,6,13,187,15,183,207,98,67,208,33,241,48,0,0,0,149,231,106,81,112,102,41,127,125,162,67,100,183,39,147,134,104,182,155,155,80,150,49,84,30,123,115,253,164,30,208,57,168,236,10,216,222,207,149,153,9,220,3,233,51,202,182,161,64,0,0,0,165,23,67,63,92,175,41,154,37,17,89,91,54,206,178,76,58,178,32,96,55,61,68,213,172,26,220,113,216,72,144,138,217,131,17,196,132,54,25,154,207,53,11,7,244,44,83,247,206,53,182,251,206,70,40,32,195,82,216,215,113,156,204,19), $null, 'CurrentUser')"
2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,241,92,66,174,187,6,38,209,193,142,166,116,244,248,31,73,3,124,122,132,249,215,184,221,61,142,63,81,31,235,133,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,131,228,65,214,200,163,167,4,113,222,37,206,252,183,179,243,139,246,96,173,127,6,13,187,15,183,207,98,67,208,33,241,48,0,0,0,149,231,106,81,112,102,41,127,125,162,67,100,183,39,147,134,104,182,155,155,80,150,49,84,30,123,115,253,164,30,208,57,168,236,10,216,222,207,149,153,9,220,3,233,51,202,182,161,64,0,0,0,165,23,67,63,92,175,41,154,37,17,89,91,54,206,178,76,58,178,32,96,55,61,68,213,172,26,220,113,216,72,144,138,217,131,17,196,132,54,25,154,207,53,11,7,244,44,83,247,206,53,182,251,206,70,40,32,195,82,216,215,113,156,204,19), $null, 'CurrentUser')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,75,224,184,76,157,250,188,130,108,229,138,189,98,185,67,71,111,56,70,154,244,127,26,155,214,10,233,88,249,228,27,53,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,80,239,60,117,163,245,216,197,128,140,242,78,114,104,121,128,175,173,106,99,250,184,54,54,70,107,9,226,118,10,105,19,48,0,0,0,203,212,173,170,182,199,53,12,180,201,186,4,188,235,32,199,87,74,16,165,54,214,229,174,67,103,45,75,146,186,153,191,142,215,180,91,153,55,167,95,44,24,236,191,81,124,187,0,64,0,0,0,103,41,150,7,218,73,134,52,24,45,180,202,162,90,107,3,147,157,109,230,60,148,33,147,41,31,57,239,160,162,90,226,139,214,184,17,95,144,69,231,195,75,88,171,145,188,21,18,100,218,122,17,183,20,64,126,133,15,160,76,114,159,213,134), $null, 'CurrentUser')"
2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,75,224,184,76,157,250,188,130,108,229,138,189,98,185,67,71,111,56,70,154,244,127,26,155,214,10,233,88,249,228,27,53,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,80,239,60,117,163,245,216,197,128,140,242,78,114,104,121,128,175,173,106,99,250,184,54,54,70,107,9,226,118,10,105,19,48,0,0,0,203,212,173,170,182,199,53,12,180,201,186,4,188,235,32,199,87,74,16,165,54,214,229,174,67,103,45,75,146,186,153,191,142,215,180,91,153,55,167,95,44,24,236,191,81,124,187,0,64,0,0,0,103,41,150,7,218,73,134,52,24,45,180,202,162,90,107,3,147,157,109,230,60,148,33,147,41,31,57,239,160,162,90,226,139,214,184,17,95,144,69,231,195,75,88,171,145,188,21,18,100,218,122,17,183,20,64,126,133,15,160,76,114,159,213,134), $null, 'CurrentUser')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
2⤵
PID:4424

C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
3⤵
PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
2⤵
PID:832

C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
3⤵
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
2⤵
PID:3456

C:\Windows\system32\schtasks.exe
schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
3⤵
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
2⤵
PID:748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2604

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mxj0j0s0\mxj0j0s0.cmdline"
4⤵
PID:4636

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES530D.tmp" "c:\Users\Admin\AppData\Local\Temp\mxj0j0s0\CSC815B6FC0BF754C0B8052AFFDE2A205D.TMP"
5⤵
PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
2⤵
PID:4356

C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
3⤵
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
2⤵
PID:2556

C:\Windows\system32\cscript.exe
cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
3⤵
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
4⤵
PID:1172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
5⤵
- Command and Scripting Interpreter: PowerShell
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
2⤵
PID:4484

C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
3⤵
PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
2⤵
PID:2788

C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
3⤵
PID:3488

C:\Windows\system32\find.exe
find /i "Speed"
3⤵
PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
2⤵
PID:4900

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
3⤵
PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell wininit.exe"
2⤵
PID:4620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell wininit.exe
3⤵
PID:5000

C:\Windows\system32\wininit.exe
"C:\Windows\system32\wininit.exe"
4⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
745cd559fffd2d5f70b73648edf9b3f6

SHA1
5e947c85945a3c4d530896d478abc066c04a2ac0

SHA256
40f1cb4b2a31741d50f3ddd3023096f94f18b5457a45d96e79cb0f4f786c96bd

SHA512
eb0c6ce871348073278e30c35b58e58020dc1ae27aa2ac27d74304f6914605ad08b7fec80f4e1996a5d073570f79b030ddbfad6568918e85717bb11065e31834

Download Submit
C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
a8834c224450d76421d8e4a34b08691f

SHA1
73ed4011bc60ba616b7b81ff9c9cad82fb517c68

SHA256
817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5

SHA512
672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Download Submit
C:\ProgramData\edge\Updater\RunBatHidden.vbs

Filesize
146B

MD5
14a9867ec0265ebf974e440fcd67d837

SHA1
ae0e43c2daf4c913f5db17f4d9197f34ab52e254

SHA256
cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1

SHA512
36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
46d6c89b6a449ce91c1a3691c516e10e

SHA1
dedf2c05d83a8fc311e39fa86af575866f9f7ece

SHA256
f6841440d2949cf97fb621923a2f931fca567382856cb60fa4c8ce3f9b81e55f

SHA512
bd222cc430c28abe832787973ed2a7a07d58d92f34eed1ebfe69fc4cd8ed59443ed93799979fd39d1b76ef6ff247f3ceb12b3c537de09ffba72ebec748f3e1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
06e34f3452ae6c053904d7343f126701

SHA1
7bfb7596d47ba7ea84862cfedd33c41618731d98

SHA256
071347c9d34d09b6d30c236bfad4b6134e6846f89d8debe1830317c08640ba48

SHA512
450108b315012c3a422b046805c666670e96aea234d2d2974669bbed439abf0b6a3c25bb52f3b632fb263ce9cfe07189fb83c9c8339d053cab8e05be6690795a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PlutoBETA.2\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3B7D.tmp

Filesize
1KB

MD5
4d0a00d17bb66ec4c6f87aeffafe9ab7

SHA1
9238c02e554a759f30564f9db2f7189e6767ae65

SHA256
bf1703a0976e3ed847febea7687964dac1284d07ec892ac94a846dd745f8b7ee

SHA512
1d4aaec9659f2add5d6ae252b4fd60535f713ce386f252773bde24591f43ee32a0d88b7eccdf225f57c4096cf21722fac5964b3f06671cf897b25b085299494f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES530D.tmp

Filesize
1KB

MD5
90d59215bde2b71ef2d83863acbc4eab

SHA1
ec49b14706a14e5cdea8fb7cd3abb1109d30f4f5

SHA256
fe79cb5a23fe6349bd15e02a1846badac982ae52e07e3b7368be85830df3fbf5

SHA512
c27c819ed1c04613700954c694b9f6d5dab016e324e0b36560d72b6828db0b16ff0084bb85d5ff1ad8aa4a55f59910288186fc8e5e9622abd82b5e724c2e93fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zirbij3w.yhv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftvuyq3s\ftvuyq3s.dll

Filesize
3KB

MD5
9d703c7fbbbd79af58536de83c388155

SHA1
cdaa59e818e0dbf98e24ef82419fcb5e7fa74c80

SHA256
0e5f31b6ecb1a210698ec322af10bd55e9e6907502096bc71ca2a451fc018042

SHA512
bb62ec1dc18642e46169f6ee4f10a9334e36fd75d6916e8b5f905835e431efb0448d66507789c42746106ad59e19df1f214014c49e79a87564c5eed87b4a334e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxj0j0s0\mxj0j0s0.dll

Filesize
3KB

MD5
33094ac39ff9a73e7c2866e3495c92f5

SHA1
7a8ff28194a97aea1c62b155b1b9900ae6daddff

SHA256
6274f710bb29eee281933cd2ed7ae0a74dca5f9e3e944682a24503ce4ee7a178

SHA512
1602dd56b38e66ced8d268549d986b2da7e2b928f1938c3550771af101f167dac393c712004c63728c280127a3afcf65faee8a3b7d9d880a4b179910b1ebf2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ftvuyq3s\CSC45660C1C70D4BE4AF69C0E0D8DEDD33.TMP

Filesize
652B

MD5
87b06c23ef307ee05183edcdea76f034

SHA1
c4e63ec14b1a76e5105c7621cca1354b134fa349

SHA256
abcf75422d737c86c76eeff2713dde3671f4c992a94a8d26a9a68cdf0b5f6a38

SHA512
3f732456ad7120d20efe5c963c05be8fb9ce8a4ea821f152ca6b15a02848f9720e16f430913e1af9c6059494618536b1a2174e93f435afcd3284052d4ffaddde

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ftvuyq3s\ftvuyq3s.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ftvuyq3s\ftvuyq3s.cmdline

Filesize
369B

MD5
fd88ceaf21ae27e736dc06e4a7c4c46b

SHA1
925e2c969ff9ca030d5e11ea735724b3bc291b88

SHA256
c61bc73d5ba916f320421eaa791f00b55b34ae64a9ae18b35a92fb19c034f302

SHA512
e6da49d314f2012ea80bdd0296df458d1a1cb6bfcb75fed20e7b87dfe636f965a3efc087bfb90563a4903b654d952aa0c272d47226c5317bfdc543977e0f9a6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mxj0j0s0\CSC815B6FC0BF754C0B8052AFFDE2A205D.TMP

Filesize
652B

MD5
4c16f5651e6fdab306f4f999cb3a0a99

SHA1
a97415cd90368b64d09e401074170cdb7ae27812

SHA256
3984a0180ed359f3b678230e69d7bee615bcef5387a46095898ac03658340271

SHA512
9a72ea1229a85845e68ba70c2dccd69df4af22ea174071a00fa56c5a06dbb16607557dc79d32d6d16e4a8dd453dcfb37c24655f06a3b24a793707be597eb1558

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mxj0j0s0\mxj0j0s0.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mxj0j0s0\mxj0j0s0.cmdline

Filesize
369B

MD5
dd22fa5e8e93f54290a441ef7ed17dc2

SHA1
789d3539c0e746619894f99425f98e5bd8fda40c

SHA256
5543789c0be3e1534e518e8da946eb1e939fcd38e4e822e0365280a101d94810

SHA512
8b0aead87819add9b3b03439055ac35b4bdaf5b3c5cc84a92bc674a0da91384ce56c1b72fe1c165166249411990cc5d56a01895086e61ba2597dc16c8f4646a7

Download Submit
memory/1768-117-0x000001A6C7460000-0x000001A6C74B0000-memory.dmp

Filesize
320KB

Download
memory/2604-210-0x0000027E1B680000-0x0000027E1B688000-memory.dmp

Filesize
32KB

Download
memory/4344-85-0x00007FFCA2F20000-0x00007FFCA39E1000-memory.dmp

Filesize
10.8MB

Download
memory/4344-104-0x00007FFCA2F20000-0x00007FFCA39E1000-memory.dmp

Filesize
10.8MB

Download
memory/4344-100-0x00000209B5530000-0x00000209B5538000-memory.dmp

Filesize
32KB

Download
memory/4344-87-0x00000209B7B70000-0x00000209B7BE6000-memory.dmp

Filesize
472KB

Download
memory/4344-86-0x00000209B7AA0000-0x00000209B7AE4000-memory.dmp

Filesize
272KB

Download
memory/4344-84-0x00007FFCA2F20000-0x00007FFCA39E1000-memory.dmp

Filesize
10.8MB

Download
memory/4344-83-0x00007FFCA2F20000-0x00007FFCA39E1000-memory.dmp

Filesize
10.8MB

Download
memory/4344-77-0x00000209B54E0000-0x00000209B5502000-memory.dmp

Filesize
136KB

Download
memory/4344-72-0x00007FFCA2F23000-0x00007FFCA2F25000-memory.dmp

Filesize
8KB

Download