813e47e8509cd212f5a9ef778505ab84af15deb6ec9d37f5c9177399c570a521

Analysis

max time kernel
142s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 15:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

consumer.exe
Size

158.3MB
MD5

5ab9b9bfb04e96b4b58749cc37c1b583
SHA1

30de3216cd48392c864590c7160590fab2344845
SHA256

0102b32a39c1d7972cf0bd45786072c884fa6bfa50730b16292c1944518fb4a0
SHA512

e8704fe993e0a0f851156f443dae1b011cb8c0b057111969e6e90aede53d89714ef675d432dee37da28e0b0613118323db457a90f8d5cfd60fb14961dd350e91
SSDEEP

1572864:CdPcKUXsjgWcPlYufjnCtdTG1pTkvqN3PN5g9qPKFTQyun+9qS/ALy/s88IcgDFf:11os5I8Ax

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1336	consumer.exe
1336	consumer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
63	raw.githubusercontent.com
57	raw.githubusercontent.com
58	raw.githubusercontent.com
59	raw.githubusercontent.com
60	raw.githubusercontent.com
61	raw.githubusercontent.com
62	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	ipinfo.io
42	ipinfo.io

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	consumer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	consumer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	consumer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	consumer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	consumer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	consumer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	consumer.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
11080	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
7924	tasklist.exe
7596	tasklist.exe
7884	tasklist.exe
8040	tasklist.exe
7676	tasklist.exe
7656	tasklist.exe
7548	tasklist.exe
7732	tasklist.exe
8628	tasklist.exe
8384	tasklist.exe
8112	tasklist.exe
8084	tasklist.exe
8056	tasklist.exe
7428	tasklist.exe
7876	tasklist.exe
8512	tasklist.exe
8140	tasklist.exe
8064	tasklist.exe
7708	tasklist.exe
8400	tasklist.exe
8272	tasklist.exe
8480	tasklist.exe
8636	tasklist.exe
8204	tasklist.exe
7612	tasklist.exe
7556	tasklist.exe
7760	tasklist.exe
7848	tasklist.exe
11044	tasklist.exe
8668	tasklist.exe
8372	tasklist.exe
8244	tasklist.exe
8032	tasklist.exe
7692	tasklist.exe
7748	tasklist.exe
7836	tasklist.exe
8520	tasklist.exe
8104	tasklist.exe
7684	tasklist.exe
7668	tasklist.exe
7580	tasklist.exe
7572	tasklist.exe
7812	tasklist.exe
8148	tasklist.exe
7716	tasklist.exe
7628	tasklist.exe
7604	tasklist.exe
7420	tasklist.exe
7864	tasklist.exe
8496	tasklist.exe
7980	tasklist.exe
7904	tasklist.exe
8132	tasklist.exe
7800	tasklist.exe
8472	tasklist.exe
8772	tasklist.exe
8660	tasklist.exe
8644	tasklist.exe
8300	tasklist.exe
7640	tasklist.exe
7824	tasklist.exe
7700	tasklist.exe
8220	tasklist.exe
7784	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1336	consumer.exe
1336	consumer.exe
1336	consumer.exe
1336	consumer.exe
1336	consumer.exe
1336	consumer.exe
11180	powershell.exe
11180	powershell.exe
11180	powershell.exe
8160	powershell.exe
8160	powershell.exe
8160	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4632	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3940	WMIC.exe
Token: SeSecurityPrivilege	3940	WMIC.exe
Token: SeTakeOwnershipPrivilege	3940	WMIC.exe
Token: SeLoadDriverPrivilege	3940	WMIC.exe
Token: SeSystemProfilePrivilege	3940	WMIC.exe
Token: SeSystemtimePrivilege	3940	WMIC.exe
Token: SeProfSingleProcessPrivilege	3940	WMIC.exe
Token: SeIncBasePriorityPrivilege	3940	WMIC.exe
Token: SeCreatePagefilePrivilege	3940	WMIC.exe
Token: SeBackupPrivilege	3940	WMIC.exe
Token: SeRestorePrivilege	3940	WMIC.exe
Token: SeShutdownPrivilege	3940	WMIC.exe
Token: SeDebugPrivilege	3940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3940	WMIC.exe
Token: SeRemoteShutdownPrivilege	3940	WMIC.exe
Token: SeUndockPrivilege	3940	WMIC.exe
Token: SeManageVolumePrivilege	3940	WMIC.exe
Token: 33	3940	WMIC.exe
Token: 34	3940	WMIC.exe
Token: 35	3940	WMIC.exe
Token: 36	3940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3940	WMIC.exe
Token: SeSecurityPrivilege	3940	WMIC.exe
Token: SeTakeOwnershipPrivilege	3940	WMIC.exe
Token: SeLoadDriverPrivilege	3940	WMIC.exe
Token: SeSystemProfilePrivilege	3940	WMIC.exe
Token: SeSystemtimePrivilege	3940	WMIC.exe
Token: SeProfSingleProcessPrivilege	3940	WMIC.exe
Token: SeIncBasePriorityPrivilege	3940	WMIC.exe
Token: SeCreatePagefilePrivilege	3940	WMIC.exe
Token: SeBackupPrivilege	3940	WMIC.exe
Token: SeRestorePrivilege	3940	WMIC.exe
Token: SeShutdownPrivilege	3940	WMIC.exe
Token: SeDebugPrivilege	3940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3940	WMIC.exe
Token: SeRemoteShutdownPrivilege	3940	WMIC.exe
Token: SeUndockPrivilege	3940	WMIC.exe
Token: SeManageVolumePrivilege	3940	WMIC.exe
Token: 33	3940	WMIC.exe
Token: 34	3940	WMIC.exe
Token: 35	3940	WMIC.exe
Token: 36	3940	WMIC.exe
Token: SeShutdownPrivilege	1336	consumer.exe
Token: SeCreatePagefilePrivilege	1336	consumer.exe
Token: SeShutdownPrivilege	1336	consumer.exe
Token: SeCreatePagefilePrivilege	1336	consumer.exe
Token: SeDebugPrivilege	7556	tasklist.exe
Token: SeDebugPrivilege	7572	tasklist.exe
Token: SeDebugPrivilege	7620	tasklist.exe
Token: SeDebugPrivilege	7580	tasklist.exe
Token: SeDebugPrivilege	7640	tasklist.exe
Token: SeDebugPrivilege	7536	tasklist.exe
Token: SeDebugPrivilege	7700	tasklist.exe
Token: SeDebugPrivilege	7824	tasklist.exe
Token: SeDebugPrivilege	7692	tasklist.exe
Token: SeDebugPrivilege	7676	tasklist.exe
Token: SeDebugPrivilege	8252	tasklist.exe
Token: SeDebugPrivilege	7760	tasklist.exe
Token: SeDebugPrivilege	7684	tasklist.exe
Token: SeDebugPrivilege	7800	tasklist.exe
Token: SeDebugPrivilege	7448	tasklist.exe
Token: SeDebugPrivilege	7596	tasklist.exe
Token: SeDebugPrivilege	7604	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 2452	1336	consumer.exe	89
PID 1336 wrote to memory of 2452	1336	consumer.exe	89
PID 2452 wrote to memory of 4632	2452	cmd.exe	91
PID 2452 wrote to memory of 4632	2452	cmd.exe	91
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 1940	1336	consumer.exe	92
PID 1336 wrote to memory of 4200	1336	consumer.exe	93
PID 1336 wrote to memory of 4200	1336	consumer.exe	93
PID 1336 wrote to memory of 3320	1336	consumer.exe	95
PID 1336 wrote to memory of 3320	1336	consumer.exe	95
PID 3320 wrote to memory of 3940	3320	cmd.exe	97
PID 3320 wrote to memory of 3940	3320	cmd.exe	97
PID 1336 wrote to memory of 2284	1336	consumer.exe	98
PID 1336 wrote to memory of 2284	1336	consumer.exe	98
PID 1336 wrote to memory of 4424	1336	consumer.exe	99
PID 1336 wrote to memory of 4424	1336	consumer.exe	99
PID 1336 wrote to memory of 1532	1336	consumer.exe	233
PID 1336 wrote to memory of 1532	1336	consumer.exe	233
PID 1336 wrote to memory of 4600	1336	consumer.exe	232
PID 1336 wrote to memory of 4600	1336	consumer.exe	232
PID 1336 wrote to memory of 2812	1336	consumer.exe	231
PID 1336 wrote to memory of 2812	1336	consumer.exe	231
PID 1336 wrote to memory of 3696	1336	consumer.exe	230
PID 1336 wrote to memory of 3696	1336	consumer.exe	230
PID 1336 wrote to memory of 4484	1336	consumer.exe	229
PID 1336 wrote to memory of 4484	1336	consumer.exe	229
PID 1336 wrote to memory of 3484	1336	consumer.exe	227
PID 1336 wrote to memory of 3484	1336	consumer.exe	227
PID 1336 wrote to memory of 2900	1336	consumer.exe	225
PID 1336 wrote to memory of 2900	1336	consumer.exe	225
PID 1336 wrote to memory of 1592	1336	consumer.exe	224
PID 1336 wrote to memory of 1592	1336	consumer.exe	224
PID 1336 wrote to memory of 4852	1336	consumer.exe	222
PID 1336 wrote to memory of 4852	1336	consumer.exe	222
PID 1336 wrote to memory of 3592	1336	consumer.exe	220
PID 1336 wrote to memory of 3592	1336	consumer.exe	220

C:\Users\Admin\AppData\Local\Temp\consumer.exe
"C:\Users\Admin\AppData\Local\Temp\consumer.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- C:\Users\Admin\AppData\Local\Temp\consumer.exe
  "C:\Users\Admin\AppData\Local\Temp\consumer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1724 --field-trial-handle=1728,i,11225187926951651032,3876133148752129118,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:1940
- C:\Users\Admin\AppData\Local\Temp\consumer.exe
  "C:\Users\Admin\AppData\Local\Temp\consumer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1908 --field-trial-handle=1728,i,11225187926951651032,3876133148752129118,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:4200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1336 get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=1336 get ExecutablePath
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2284
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4424
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3112
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1016
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5364
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5380
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5336
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5316
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5284
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5260
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5248
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5220
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5204
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5176
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5160
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5152
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5144
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5128
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3940
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3284
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2840
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4296
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5388
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:752
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1980
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2412
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1992
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1708
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4912
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4512
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4344
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4316
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2108
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1364
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4460
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3916
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5052
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4016
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3244
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2588
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3384
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3312
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5020
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5396
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3588
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4112
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4592
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3776
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3608
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3436
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3476
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:764
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2168
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1740
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3360
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2064
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2712
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5112
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4176
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:116
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3956
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1196
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2016
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:996
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1692
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1428
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2708
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5404
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:656
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4416
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2304
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:668
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2724
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4808
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3428
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3592
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4852
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1592
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2900
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3484
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4484
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3696
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2812
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4600
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1532
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5412
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5420
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5428
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5436
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:5596
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:8160
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    PID:7956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:5568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
  2⤵
  PID:5548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  PID:5520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:10944
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:10992
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:10984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:11040
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:11088
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:11080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:11132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:11180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
  2⤵
  PID:7956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:8160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:11112
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:11044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1336 get ExecutablePath"
  2⤵
  PID:7544
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=1336 get ExecutablePath
    3⤵
    PID:10444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:11052
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:9504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:4640
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7876
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:10232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
  2⤵
  PID:8320
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
    3⤵
    PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
  2⤵
  PID:10708
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
    3⤵
    PID:10064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
  2⤵
  PID:11252
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
    3⤵
    PID:7052

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7904

C:\Windows\system32\net.exe
net session
1⤵
PID:8528
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 session
  2⤵
  PID:9532

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
1⤵
PID:8420

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8756

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a2c88ef-cc33-40a0-8146-6bacd2adbf29.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b960651-469a-4c27-94dc-57a91bbb364a.tmp.node

Filesize
154KB

MD5
2a8bea339a1e55d82a4c153104757a98

SHA1
27381cf6ef36719b1266d5663fc6991e1447fe1c

SHA256
86beb103631759f06004b67a2d21dce2ab2c86ca6c35459cb959ab079006c0fd

SHA512
dabc73dca545a07e459534a5080dbdd10fc0964c5b88b29219f33e53f2afda4b27ea25b232a0e0b9c9b979cf8f84172083916932a10317f405eb1d1b4da1e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_34xyqtxz.u30.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/8160-39-0x00007FFDA1F20000-0x00007FFDA29E1000-memory.dmp

Filesize
10.8MB

Download
memory/8160-40-0x000002303EC20000-0x000002303EC30000-memory.dmp

Filesize
64KB

Download
memory/8160-46-0x000002303EC20000-0x000002303EC30000-memory.dmp

Filesize
64KB

Download
memory/8160-54-0x00007FFDA1F20000-0x00007FFDA29E1000-memory.dmp

Filesize
10.8MB

Download
memory/11180-29-0x00000236F99B0000-0x00000236F99C0000-memory.dmp

Filesize
64KB

Download
memory/11180-36-0x00007FFDA1F20000-0x00007FFDA29E1000-memory.dmp

Filesize
10.8MB

Download
memory/11180-30-0x00000236F99B0000-0x00000236F99C0000-memory.dmp

Filesize
64KB

Download
memory/11180-28-0x00007FFDA1F20000-0x00007FFDA29E1000-memory.dmp

Filesize
10.8MB

Download
memory/11180-18-0x00000236F9440000-0x00000236F9462000-memory.dmp

Filesize
136KB

Download