088a9f665d0fdc9b2bb050ecd1524b1539010bbe1d9935f72343bb2bc5f98975

General

Target

Launcher.exe
Size

164.9MB
MD5

69297f39ec0be1969de6409a310264d1
SHA1

7c0e7ead5bd451a95cd6062eb0fb4a5c053f7190
SHA256

22117115927d13aee3314c659efe6253692ec3555b2b3e602d512067d71e0b98
SHA512

2c6b82ee7d76d227b35e75aed7521a6d939a1f8abe8a031202ec2c56832a3c131a82b006e53be05e0937b461e3a0cdeff8f1f71f1e4e61fb01bc592cd0ee5b57
SSDEEP

1572864:Ftc2cEGwGrRSREICCr3ka8YrcSAfII01aLadS5sDNd+Ipx9cF3LfxNEK2Ho8jlgY:b+CHrJIgIsV

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

Launcher.exe

pid process

2640 Launcher.exe
2640 Launcher.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

Processes:

flow	ioc
17	raw.githubusercontent.com
18	raw.githubusercontent.com
19	raw.githubusercontent.com
20	raw.githubusercontent.com
14	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ipinfo.io
11 ipinfo.io

flow	ioc
10	ipinfo.io
11	ipinfo.io

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Launcher.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Launcher.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

10516 WMIC.exe

pid	process
10516	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
6868	tasklist.exe
7528	tasklist.exe
7376	tasklist.exe
7312	tasklist.exe
7760	tasklist.exe
6540	tasklist.exe
7028	tasklist.exe
6920	tasklist.exe
6476	tasklist.exe
7104	tasklist.exe
6100	tasklist.exe
7120	tasklist.exe
6736	tasklist.exe
6972	tasklist.exe
7408	tasklist.exe
7384	tasklist.exe
7352	tasklist.exe
7832	tasklist.exe
7720	tasklist.exe
7152	tasklist.exe
6356	tasklist.exe
7556	tasklist.exe
7492	tasklist.exe
7368	tasklist.exe
7632	tasklist.exe
6600	tasklist.exe
7696	tasklist.exe
7192	tasklist.exe
6416	tasklist.exe
6980	tasklist.exe
6916	tasklist.exe
6932	tasklist.exe
6812	tasklist.exe
6988	tasklist.exe
6648	tasklist.exe
7752	tasklist.exe
7712	tasklist.exe
7320	tasklist.exe
7704	tasklist.exe
6616	tasklist.exe
6900	tasklist.exe
6664	tasklist.exe
6632	tasklist.exe
7432	tasklist.exe
7096	tasklist.exe
11064	tasklist.exe
7064	tasklist.exe
7036	tasklist.exe
7020	tasklist.exe
7232	tasklist.exe
4244	tasklist.exe
6860	tasklist.exe
6656	tasklist.exe
7268	tasklist.exe
6964	tasklist.exe
6696	tasklist.exe
7476	tasklist.exe
7768	tasklist.exe
7276	tasklist.exe
6908	tasklist.exe
7052	tasklist.exe
6624	tasklist.exe
7744	tasklist.exe
6468	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Launcher.exepowershell.exepowershell.exe

pid	process
2640	Launcher.exe
2640	Launcher.exe
2640	Launcher.exe
2640	Launcher.exe
2640	Launcher.exe
2640	Launcher.exe
10612	powershell.exe
10612	powershell.exe
10612	powershell.exe
10612	powershell.exe
10836	powershell.exe
10836	powershell.exe
10836	powershell.exe
10836	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exeLauncher.exeWMIC.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	4008	tasklist.exe
Token: SeShutdownPrivilege	2640	Launcher.exe
Token: SeCreatePagefilePrivilege	2640	Launcher.exe
Token: SeIncreaseQuotaPrivilege	4744	WMIC.exe
Token: SeSecurityPrivilege	4744	WMIC.exe
Token: SeTakeOwnershipPrivilege	4744	WMIC.exe
Token: SeLoadDriverPrivilege	4744	WMIC.exe
Token: SeSystemProfilePrivilege	4744	WMIC.exe
Token: SeSystemtimePrivilege	4744	WMIC.exe
Token: SeProfSingleProcessPrivilege	4744	WMIC.exe
Token: SeIncBasePriorityPrivilege	4744	WMIC.exe
Token: SeCreatePagefilePrivilege	4744	WMIC.exe
Token: SeBackupPrivilege	4744	WMIC.exe
Token: SeRestorePrivilege	4744	WMIC.exe
Token: SeShutdownPrivilege	4744	WMIC.exe
Token: SeDebugPrivilege	4744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4744	WMIC.exe
Token: SeRemoteShutdownPrivilege	4744	WMIC.exe
Token: SeUndockPrivilege	4744	WMIC.exe
Token: SeManageVolumePrivilege	4744	WMIC.exe
Token: 33	4744	WMIC.exe
Token: 34	4744	WMIC.exe
Token: 35	4744	WMIC.exe
Token: 36	4744	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4744	WMIC.exe
Token: SeSecurityPrivilege	4744	WMIC.exe
Token: SeTakeOwnershipPrivilege	4744	WMIC.exe
Token: SeLoadDriverPrivilege	4744	WMIC.exe
Token: SeSystemProfilePrivilege	4744	WMIC.exe
Token: SeSystemtimePrivilege	4744	WMIC.exe
Token: SeProfSingleProcessPrivilege	4744	WMIC.exe
Token: SeIncBasePriorityPrivilege	4744	WMIC.exe
Token: SeCreatePagefilePrivilege	4744	WMIC.exe
Token: SeBackupPrivilege	4744	WMIC.exe
Token: SeRestorePrivilege	4744	WMIC.exe
Token: SeShutdownPrivilege	4744	WMIC.exe
Token: SeDebugPrivilege	4744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4744	WMIC.exe
Token: SeRemoteShutdownPrivilege	4744	WMIC.exe
Token: SeUndockPrivilege	4744	WMIC.exe
Token: SeManageVolumePrivilege	4744	WMIC.exe
Token: 33	4744	WMIC.exe
Token: 34	4744	WMIC.exe
Token: 35	4744	WMIC.exe
Token: 36	4744	WMIC.exe
Token: SeShutdownPrivilege	2640	Launcher.exe
Token: SeCreatePagefilePrivilege	2640	Launcher.exe
Token: SeDebugPrivilege	6416	tasklist.exe
Token: SeDebugPrivilege	6624	tasklist.exe
Token: SeDebugPrivilege	6476	tasklist.exe
Token: SeDebugPrivilege	6576	tasklist.exe
Token: SeDebugPrivilege	6648	tasklist.exe
Token: SeDebugPrivilege	6656	tasklist.exe
Token: SeDebugPrivilege	6468	tasklist.exe
Token: SeDebugPrivilege	6616	tasklist.exe
Token: SeShutdownPrivilege	2640	Launcher.exe
Token: SeCreatePagefilePrivilege	2640	Launcher.exe
Token: SeDebugPrivilege	6640	tasklist.exe
Token: SeDebugPrivilege	6892	tasklist.exe
Token: SeDebugPrivilege	6632	tasklist.exe
Token: SeDebugPrivilege	6908	tasklist.exe
Token: SeDebugPrivilege	6744	tasklist.exe
Token: SeDebugPrivilege	6540	tasklist.exe
Token: SeDebugPrivilege	6812	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.execmd.execmd.exe

description	pid	process	target process
PID 2640 wrote to memory of 3300	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 3300	2640	Launcher.exe	cmd.exe
PID 3300 wrote to memory of 4008	3300	cmd.exe	tasklist.exe
PID 3300 wrote to memory of 4008	3300	cmd.exe	tasklist.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 4460	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 3976	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 3976	2640	Launcher.exe	Launcher.exe
PID 2640 wrote to memory of 2620	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 2620	2640	Launcher.exe	cmd.exe
PID 2620 wrote to memory of 4744	2620	cmd.exe	WMIC.exe
PID 2620 wrote to memory of 4744	2620	cmd.exe	WMIC.exe
PID 2640 wrote to memory of 4264	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 4264	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 4548	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 4548	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 4400	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 4400	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 4556	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 4556	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 2352	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 2352	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 1476	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 1476	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 2972	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 2972	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 2356	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 2356	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 708	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 708	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 1828	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 1828	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 3840	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 3840	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 1164	2640	Launcher.exe	cmd.exe
PID 2640 wrote to memory of 1164	2640	Launcher.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1672 --field-trial-handle=1676,i,17569966972134052227,12964556222973287722,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --mojo-platform-channel-handle=2036 --field-trial-handle=1676,i,17569966972134052227,12964556222973287722,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2640 get ExecutablePath"
2⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=2640 get ExecutablePath
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4264

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4548

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4400

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4556

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2352

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1476

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2972

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2356

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:708

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1828

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3840

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1164

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3724

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5084

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4760

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4588

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4756

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2816

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5052

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1320

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4456

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4636

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:956

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5112

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4204

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:792

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4728

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1588

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4396

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4500

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2804

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:652

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4364

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5100

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:988

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4600

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3684

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1312

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2724

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4960

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:932

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4428

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3660

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1548

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4128

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3040

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:396

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:504

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:196

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1296

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2588

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5076

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1056

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3752

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4484

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3920

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4680

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4432

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4988

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3760

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4168

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4716

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4948

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2732

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4912

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2528

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4916

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1976

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4964

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3048

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:628

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4076

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3176

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:824

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4976

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1732

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4444

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2016

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4468

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4116

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3080

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2196

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1796

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4764

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4744

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5028

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3416

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:372

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5128

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5140

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5156

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5180

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "net session"
2⤵
PID:5204

C:\Windows\system32\net.exe
net session
3⤵
PID:7284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
4⤵
PID:8100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
2⤵
PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
2⤵
PID:5244

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:7224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
2⤵
PID:5260

C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
3⤵
PID:6036

C:\Windows\system32\more.com
more +1
3⤵
PID:7344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
2⤵
PID:10392

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:10424

C:\Windows\system32\more.com
more +1
3⤵
PID:10432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
2⤵
PID:10476

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
3⤵
- Detects videocard installed
PID:10516

C:\Windows\system32\more.com
more +1
3⤵
PID:10528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
2⤵
PID:10576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:10612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
2⤵
PID:10804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:10836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:11028

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:11064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2640 get ExecutablePath"
2⤵
PID:5244

C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=2640 get ExecutablePath
3⤵
PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
2⤵
PID:10456

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
3⤵
PID:10432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
2⤵
PID:10484

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
3⤵
PID:10520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
2⤵
PID:10516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
17286868c0a043ae5d2ff5798b6a3163

SHA1
b83b23cd57c7fb2c937f5bc18aeb7ddc955b5401

SHA256
40321e18ed0b9eb7e3bc937d3e207ea2039ff45267483ddb4a51f7974475dac6

SHA512
e15c11982c0569a389a7dbd0889edd1ef9a8ffb21c0e8ffadebc10e1353f4485524b18ca8e041c66c98d05fb984544da122755e6c2a25728453aeaf4175bdee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c005deaf1321582849de6cf4246376cf

SHA1
9718c4cc7cdb627fe5e1624a4f114d5a0f544b97

SHA256
85a5aadd48f33fedb1ad488f1aea57d7514bb61871e26e292653b2fbe737c8c2

SHA512
b4596f24971d9d5762b2373d9ba65c00904ef967868ead0ef0234f6b61ad3042a929bb5b053cd9625752d66a9e4b179da07aae8f1ccfc1614cddd19dd9c8f05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ngh3la3c.pj2.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Users\Admin\AppData\Local\Temp\1f9fd7c8-7519-48b4-8782-0a9c9d04e69d.tmp.node
Filesize
151KB

MD5
bec0df3a37e6681b7eb29bd15904147a

SHA1
82a0869313ad7dcd86de3b5fa0e516d160c17013

SHA256
3d185f516d23d8c98a17e304b00b405b74dd7f3f6fb7d750bb7471deb1a9689f

SHA512
ae0639566f24e65a6a381862e020e39a32bec408b88eba60d3b01400c49535f09c6c67f424af406db78af2f197d79c3e262050ff5e17910c1ac1453561fffcd1

Download Submit
\Users\Admin\AppData\Local\Temp\5b6fb2bf-7af6-42aa-a5f5-c2c66e819848.tmp.node
Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
memory/10612-37-0x0000018C64D70000-0x0000018C64D92000-memory.dmp

Filesize
136KB

Download
memory/10612-40-0x0000018C64EA0000-0x0000018C64F16000-memory.dmp

Filesize
472KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads