a54cc3766dc4b1270fb203d8a6fe237952c640c7a116c2bbc948026323d5642b

Analysis

max time kernel
600s
max time network
586s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
28-04-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.exe
Size

164.7MB
MD5

e797f43c14812e2d2a8635cb208b1b4a
SHA1

e47dfbd6b0c44e8bdc51eb201f6227c5ee9fb22f
SHA256

934d4dbacab813549ae7d96c1278d84c0fdeecf09cd920ff9c24f5074605fc10
SHA512

29398f346a81cca87e3ccf25b8b7bb49a0700d181b4d5643ed3bc017187a3ec86e8942cc8b2090fb6fe86d751c03bc163dae32b904168334ba29c3231bb99c52
SSDEEP

1572864:Dtc2cEGwGrRSREICCr3ka8YrcSAfII01aLadS5sDNd+Ipx9cF3LfxNEK2Ho8jlgY:V+CHrJIgIsV

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

update.exe

pid process

828 update.exe
828 update.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ipinfo.io

flow	ioc
8	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

update.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	update.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	update.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

update.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	update.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

11128 WMIC.exe

pid	process
11128	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
7940	tasklist.exe
8264	tasklist.exe
496	tasklist.exe
6652	tasklist.exe
7816	tasklist.exe
7588	tasklist.exe
7564	tasklist.exe
8272	tasklist.exe
8352	tasklist.exe
7280	tasklist.exe
7692	tasklist.exe
7668	tasklist.exe
7676	tasklist.exe
7768	tasklist.exe
11140	tasklist.exe
8180	tasklist.exe
7992	tasklist.exe
7604	tasklist.exe
7620	tasklist.exe
7416	tasklist.exe
7424	tasklist.exe
7896	tasklist.exe
8064	tasklist.exe
8280	tasklist.exe
8152	tasklist.exe
7384	tasklist.exe
7792	tasklist.exe
7784	tasklist.exe
8384	tasklist.exe
7744	tasklist.exe
7760	tasklist.exe
7752	tasklist.exe
8048	tasklist.exe
8024	tasklist.exe
8220	tasklist.exe
7048	tasklist.exe
7028	tasklist.exe
7612	tasklist.exe
8552	tasklist.exe
7776	tasklist.exe
7476	tasklist.exe
8008	tasklist.exe
8676	tasklist.exe
6720	tasklist.exe
7596	tasklist.exe
7524	tasklist.exe
552	tasklist.exe
8228	tasklist.exe
8000	tasklist.exe
7960	tasklist.exe
7872	tasklist.exe
8368	tasklist.exe
6440	tasklist.exe
7540	tasklist.exe
7728	tasklist.exe
7736	tasklist.exe
7440	tasklist.exe
8112	tasklist.exe
8172	tasklist.exe
8392	tasklist.exe
7448	tasklist.exe
7556	tasklist.exe
7800	tasklist.exe
8092	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

update.exepowershell.exepowershell.exeupdate.exe

pid	process
828	update.exe
828	update.exe
828	update.exe
828	update.exe
828	update.exe
828	update.exe
11220	powershell.exe
11220	powershell.exe
11220	powershell.exe
5240	powershell.exe
5240	powershell.exe
5240	powershell.exe
996	update.exe
996	update.exe
996	update.exe
996	update.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exeupdate.exeWMIC.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	496	tasklist.exe
Token: SeShutdownPrivilege	828	update.exe
Token: SeCreatePagefilePrivilege	828	update.exe
Token: SeIncreaseQuotaPrivilege	4036	WMIC.exe
Token: SeSecurityPrivilege	4036	WMIC.exe
Token: SeTakeOwnershipPrivilege	4036	WMIC.exe
Token: SeLoadDriverPrivilege	4036	WMIC.exe
Token: SeSystemProfilePrivilege	4036	WMIC.exe
Token: SeSystemtimePrivilege	4036	WMIC.exe
Token: SeProfSingleProcessPrivilege	4036	WMIC.exe
Token: SeIncBasePriorityPrivilege	4036	WMIC.exe
Token: SeCreatePagefilePrivilege	4036	WMIC.exe
Token: SeBackupPrivilege	4036	WMIC.exe
Token: SeRestorePrivilege	4036	WMIC.exe
Token: SeShutdownPrivilege	4036	WMIC.exe
Token: SeDebugPrivilege	4036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4036	WMIC.exe
Token: SeRemoteShutdownPrivilege	4036	WMIC.exe
Token: SeUndockPrivilege	4036	WMIC.exe
Token: SeManageVolumePrivilege	4036	WMIC.exe
Token: 33	4036	WMIC.exe
Token: 34	4036	WMIC.exe
Token: 35	4036	WMIC.exe
Token: 36	4036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4036	WMIC.exe
Token: SeSecurityPrivilege	4036	WMIC.exe
Token: SeTakeOwnershipPrivilege	4036	WMIC.exe
Token: SeLoadDriverPrivilege	4036	WMIC.exe
Token: SeSystemProfilePrivilege	4036	WMIC.exe
Token: SeSystemtimePrivilege	4036	WMIC.exe
Token: SeProfSingleProcessPrivilege	4036	WMIC.exe
Token: SeIncBasePriorityPrivilege	4036	WMIC.exe
Token: SeCreatePagefilePrivilege	4036	WMIC.exe
Token: SeBackupPrivilege	4036	WMIC.exe
Token: SeRestorePrivilege	4036	WMIC.exe
Token: SeShutdownPrivilege	4036	WMIC.exe
Token: SeDebugPrivilege	4036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4036	WMIC.exe
Token: SeRemoteShutdownPrivilege	4036	WMIC.exe
Token: SeUndockPrivilege	4036	WMIC.exe
Token: SeManageVolumePrivilege	4036	WMIC.exe
Token: 33	4036	WMIC.exe
Token: 34	4036	WMIC.exe
Token: 35	4036	WMIC.exe
Token: 36	4036	WMIC.exe
Token: SeShutdownPrivilege	828	update.exe
Token: SeCreatePagefilePrivilege	828	update.exe
Token: SeDebugPrivilege	6440	tasklist.exe
Token: SeDebugPrivilege	7048	tasklist.exe
Token: SeShutdownPrivilege	828	update.exe
Token: SeCreatePagefilePrivilege	828	update.exe
Token: SeDebugPrivilege	6652	tasklist.exe
Token: SeDebugPrivilege	7288	tasklist.exe
Token: SeDebugPrivilege	6636	tasklist.exe
Token: SeDebugPrivilege	7264	tasklist.exe
Token: SeDebugPrivilege	6720	tasklist.exe
Token: SeDebugPrivilege	552	tasklist.exe
Token: SeDebugPrivilege	7564	tasklist.exe
Token: SeDebugPrivilege	7280	tasklist.exe
Token: SeDebugPrivilege	7448	tasklist.exe
Token: SeDebugPrivilege	7028	tasklist.exe
Token: SeDebugPrivilege	7440	tasklist.exe
Token: SeDebugPrivilege	7516	tasklist.exe
Token: SeDebugPrivilege	7456	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

update.execmd.execmd.exe

description	pid	process	target process
PID 828 wrote to memory of 4088	828	update.exe	cmd.exe
PID 828 wrote to memory of 4088	828	update.exe	cmd.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 3400	828	update.exe	update.exe
PID 828 wrote to memory of 4544	828	update.exe	update.exe
PID 828 wrote to memory of 4544	828	update.exe	update.exe
PID 4088 wrote to memory of 496	4088	cmd.exe	tasklist.exe
PID 4088 wrote to memory of 496	4088	cmd.exe	tasklist.exe
PID 828 wrote to memory of 2484	828	update.exe	cmd.exe
PID 828 wrote to memory of 2484	828	update.exe	cmd.exe
PID 2484 wrote to memory of 4036	2484	cmd.exe	WMIC.exe
PID 2484 wrote to memory of 4036	2484	cmd.exe	WMIC.exe
PID 828 wrote to memory of 3580	828	update.exe	cmd.exe
PID 828 wrote to memory of 3580	828	update.exe	cmd.exe
PID 828 wrote to memory of 1828	828	update.exe	cmd.exe
PID 828 wrote to memory of 1828	828	update.exe	cmd.exe
PID 828 wrote to memory of 4976	828	update.exe	cmd.exe
PID 828 wrote to memory of 4976	828	update.exe	cmd.exe
PID 828 wrote to memory of 1272	828	update.exe	cmd.exe
PID 828 wrote to memory of 1272	828	update.exe	cmd.exe
PID 828 wrote to memory of 5036	828	update.exe	cmd.exe
PID 828 wrote to memory of 5036	828	update.exe	cmd.exe
PID 828 wrote to memory of 4304	828	update.exe	cmd.exe
PID 828 wrote to memory of 4304	828	update.exe	cmd.exe
PID 828 wrote to memory of 2612	828	update.exe	cmd.exe
PID 828 wrote to memory of 2612	828	update.exe	cmd.exe
PID 828 wrote to memory of 3928	828	update.exe	cmd.exe
PID 828 wrote to memory of 3928	828	update.exe	cmd.exe
PID 828 wrote to memory of 2268	828	update.exe	cmd.exe
PID 828 wrote to memory of 2268	828	update.exe	cmd.exe
PID 828 wrote to memory of 4444	828	update.exe	cmd.exe
PID 828 wrote to memory of 4444	828	update.exe	cmd.exe
PID 828 wrote to memory of 916	828	update.exe	cmd.exe
PID 828 wrote to memory of 916	828	update.exe	cmd.exe
PID 828 wrote to memory of 1924	828	update.exe	cmd.exe
PID 828 wrote to memory of 1924	828	update.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:496

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1700 --field-trial-handle=1704,i,426716138284597054,11156278445343043304,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --mojo-platform-channel-handle=2100 --field-trial-handle=1704,i,426716138284597054,11156278445343043304,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=828 get ExecutablePath"
2⤵
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=828 get ExecutablePath
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3580

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1828

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4976

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1272

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5036

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4304

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2612

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3928

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2268

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4444

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:916

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1924

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3300

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:940

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4972

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4672

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3340

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5084

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4612

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1500

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3624

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1048

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4988

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1208

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3936

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4652

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1304

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1836

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1932

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4360

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1476

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4228

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4108

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1192

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2760

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1160

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1580

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4468

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4880

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3812

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2488

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2724

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3536

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3552

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1184

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3344

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3348

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3352

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1380

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4232

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2100

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5004

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4860

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2152

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3356

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2936

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3152

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2992

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:228

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:500

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1764

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4400

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2912

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2504

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2140

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3512

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4940

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3632

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2296

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4764

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3884

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3092

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4484

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4712

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2704

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3836

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4260

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2344

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1292

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2076

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2088

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4088

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1096

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3548

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4616

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1308

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1668

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2964

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2480

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1124

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5128

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5144

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "net session"
2⤵
PID:5172

C:\Windows\system32\net.exe
net session
3⤵
PID:7912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
4⤵
PID:9108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
2⤵
PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
2⤵
PID:5216

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:7920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
2⤵
PID:5236

C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
3⤵
PID:7888

C:\Windows\system32\more.com
more +1
3⤵
PID:8188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
2⤵
PID:10992

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:11032

C:\Windows\system32\more.com
more +1
3⤵
PID:11040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
2⤵
PID:11084

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
3⤵
- Detects videocard installed
PID:11128

C:\Windows\system32\more.com
more +1
3⤵
PID:11136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
2⤵
PID:11180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:11220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
2⤵
PID:8196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:11000

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:11140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=828 get ExecutablePath"
2⤵
PID:8772

C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=828 get ExecutablePath
3⤵
PID:11200

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1528 --field-trial-handle=1704,i,426716138284597054,11156278445343043304,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\f5981e71c59048f1\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
Filesize
64KB

MD5
3ee62083b7659434aaa8c11abce09f8e

SHA1
d70b1b5880947cd480d18ef3ca1503cc89b42507

SHA256
a8c713e9a101a1b8bc3f1019c27f4251470a4c381844105cb979c2d36486c222

SHA512
eee3feaf528ac46fc89a73e67c4fe57aa6e4407b0e7789097e757918ebc13bb68ab96a5be8a7d0468d5922052d9846470454e4d60706e10ff8c73a1ad0bb407f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\f5981e71c59048f1\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\f5981e71c59048f1\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
Filesize
992B

MD5
dae69c343ae413cf943c17ae894a2419

SHA1
31affddc5b878cc215498b9c522e0ad9498373b6

SHA256
f180c115ee156b086340eb79c34683ab62fb50f720173d1e2946beed4d15e95b

SHA512
715895173add0b0c8603d218249f66e5d303659fc32f6f94ee6a712d3d4a930601418bad3e7c9a5d50aa12d06f72b01d6dff73db2c9cbe77bd9fe42a7a33fdf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ikinniaj.4w2.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f200526f-3cbf-430d-a6cb-19e150997a38.tmp.node
Filesize
151KB

MD5
2ed0b4456880f58db652b89f3a0fd975

SHA1
e6a469d4a501e1fe12a479e11e061a01bb918bfe

SHA256
01167887e86a97e5655d381971bf882e82b464d09dea38d69d2652053e336cf0

SHA512
693694935051f8abf278067eb843c839f3c8469666caf1ac7e81636c3e18c7da346500c7e63cd3a3ad69de561ee65f4e7e20c6ce8396e2235a5310d92715247d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f350fa0e-c3a3-4218-b390-f77e391dce9d.tmp.node
Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
memory/996-142-0x0000014361FF0000-0x0000014361FF1000-memory.dmp

Filesize
4KB

Download
memory/996-149-0x0000014361FF0000-0x0000014361FF1000-memory.dmp

Filesize
4KB

Download
memory/996-153-0x0000014361FF0000-0x0000014361FF1000-memory.dmp

Filesize
4KB

Download
memory/996-152-0x0000014361FF0000-0x0000014361FF1000-memory.dmp

Filesize
4KB

Download
memory/996-151-0x0000014361FF0000-0x0000014361FF1000-memory.dmp

Filesize
4KB

Download
memory/996-150-0x0000014361FF0000-0x0000014361FF1000-memory.dmp

Filesize
4KB

Download
memory/996-148-0x0000014361FF0000-0x0000014361FF1000-memory.dmp

Filesize
4KB

Download
memory/996-147-0x0000014361FF0000-0x0000014361FF1000-memory.dmp

Filesize
4KB

Download
memory/996-143-0x0000014361FF0000-0x0000014361FF1000-memory.dmp

Filesize
4KB

Download
memory/996-141-0x0000014361FF0000-0x0000014361FF1000-memory.dmp

Filesize
4KB

Download
memory/11220-27-0x000001AE36C20000-0x000001AE36C42000-memory.dmp

Filesize
136KB

Download