088a9f665d0fdc9b2bb050ecd1524b1539010bbe1d9935f72343bb2bc5f98975

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240419-de
resource tags

arch:x64arch:x86image:win10v2004-20240419-delocale:de-deos:windows10-2004-x64systemwindows
submitted
28-04-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

164.9MB
MD5

69297f39ec0be1969de6409a310264d1
SHA1

7c0e7ead5bd451a95cd6062eb0fb4a5c053f7190
SHA256

22117115927d13aee3314c659efe6253692ec3555b2b3e602d512067d71e0b98
SHA512

2c6b82ee7d76d227b35e75aed7521a6d939a1f8abe8a031202ec2c56832a3c131a82b006e53be05e0937b461e3a0cdeff8f1f71f1e4e61fb01bc592cd0ee5b57
SSDEEP

1572864:Ftc2cEGwGrRSREICCr3ka8YrcSAfII01aLadS5sDNd+Ipx9cF3LfxNEK2Ho8jlgY:b+CHrJIgIsV

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

Launcher.exe

pid process

2708 Launcher.exe
2708 Launcher.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ipinfo.io

flow	ioc
10	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

Launcher.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Launcher.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Launcher.exe

Drops file in Windows directory 1 IoCs

Processes:

Launcher.exe

description ioc process

File opened for modification C:\Windows\INF\display.PNF Launcher.exe

description	ioc	process
File opened for modification	C:\Windows\INF\display.PNF	Launcher.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Launcher.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Launcher.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

11012 WMIC.exe

pid	process
11012	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
7560	tasklist.exe
7552	tasklist.exe
7804	tasklist.exe
8128	tasklist.exe
8048	tasklist.exe
7776	tasklist.exe
7748	tasklist.exe
7676	tasklist.exe
7460	tasklist.exe
7288	tasklist.exe
8232	tasklist.exe
7728	tasklist.exe
7528	tasklist.exe
7488	tasklist.exe
8208	tasklist.exe
8140	tasklist.exe
8112	tasklist.exe
8024	tasklist.exe
7932	tasklist.exe
7616	tasklist.exe
8416	tasklist.exe
7204	tasklist.exe
7412	tasklist.exe
7720	tasklist.exe
7888	tasklist.exe
7988	tasklist.exe
7664	tasklist.exe
7596	tasklist.exe
8432	tasklist.exe
8336	tasklist.exe
7372	tasklist.exe
7360	tasklist.exe
7344	tasklist.exe
8168	tasklist.exe
7948	tasklist.exe
7908	tasklist.exe
7756	tasklist.exe
7740	tasklist.exe
8524	tasklist.exe
7420	tasklist.exe
8220	tasklist.exe
7940	tasklist.exe
7924	tasklist.exe
8308	tasklist.exe
7544	tasklist.exe
8160	tasklist.exe
8588	tasklist.exe
8284	tasklist.exe
7496	tasklist.exe
8056	tasklist.exe
7580	tasklist.exe
7444	tasklist.exe
7436	tasklist.exe
7696	tasklist.exe
10904	tasklist.exe
1300	tasklist.exe
7352	tasklist.exe
7504	tasklist.exe
7572	tasklist.exe
7452	tasklist.exe
7624	tasklist.exe
8188	tasklist.exe
7900	tasklist.exe
7864	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Launcher.exepowershell.exepowershell.exeLauncher.exe

pid	process
2708	Launcher.exe
2708	Launcher.exe
2708	Launcher.exe
2708	Launcher.exe
2708	Launcher.exe
2708	Launcher.exe
11104	powershell.exe
11104	powershell.exe
11104	powershell.exe
9028	powershell.exe
9028	powershell.exe
9028	powershell.exe
8460	Launcher.exe
8460	Launcher.exe
8460	Launcher.exe
8460	Launcher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exeWMIC.exeLauncher.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1300	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1404	WMIC.exe
Token: SeSecurityPrivilege	1404	WMIC.exe
Token: SeTakeOwnershipPrivilege	1404	WMIC.exe
Token: SeLoadDriverPrivilege	1404	WMIC.exe
Token: SeSystemProfilePrivilege	1404	WMIC.exe
Token: SeSystemtimePrivilege	1404	WMIC.exe
Token: SeProfSingleProcessPrivilege	1404	WMIC.exe
Token: SeIncBasePriorityPrivilege	1404	WMIC.exe
Token: SeCreatePagefilePrivilege	1404	WMIC.exe
Token: SeBackupPrivilege	1404	WMIC.exe
Token: SeRestorePrivilege	1404	WMIC.exe
Token: SeShutdownPrivilege	1404	WMIC.exe
Token: SeDebugPrivilege	1404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1404	WMIC.exe
Token: SeRemoteShutdownPrivilege	1404	WMIC.exe
Token: SeUndockPrivilege	1404	WMIC.exe
Token: SeManageVolumePrivilege	1404	WMIC.exe
Token: 33	1404	WMIC.exe
Token: 34	1404	WMIC.exe
Token: 35	1404	WMIC.exe
Token: 36	1404	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1404	WMIC.exe
Token: SeSecurityPrivilege	1404	WMIC.exe
Token: SeTakeOwnershipPrivilege	1404	WMIC.exe
Token: SeLoadDriverPrivilege	1404	WMIC.exe
Token: SeSystemProfilePrivilege	1404	WMIC.exe
Token: SeSystemtimePrivilege	1404	WMIC.exe
Token: SeProfSingleProcessPrivilege	1404	WMIC.exe
Token: SeIncBasePriorityPrivilege	1404	WMIC.exe
Token: SeCreatePagefilePrivilege	1404	WMIC.exe
Token: SeBackupPrivilege	1404	WMIC.exe
Token: SeRestorePrivilege	1404	WMIC.exe
Token: SeShutdownPrivilege	1404	WMIC.exe
Token: SeDebugPrivilege	1404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1404	WMIC.exe
Token: SeRemoteShutdownPrivilege	1404	WMIC.exe
Token: SeUndockPrivilege	1404	WMIC.exe
Token: SeManageVolumePrivilege	1404	WMIC.exe
Token: 33	1404	WMIC.exe
Token: 34	1404	WMIC.exe
Token: 35	1404	WMIC.exe
Token: 36	1404	WMIC.exe
Token: SeShutdownPrivilege	2708	Launcher.exe
Token: SeCreatePagefilePrivilege	2708	Launcher.exe
Token: SeShutdownPrivilege	2708	Launcher.exe
Token: SeCreatePagefilePrivilege	2708	Launcher.exe
Token: SeDebugPrivilege	7288	tasklist.exe
Token: SeDebugPrivilege	7204	tasklist.exe
Token: SeDebugPrivilege	7344	tasklist.exe
Token: SeDebugPrivilege	7372	tasklist.exe
Token: SeDebugPrivilege	7504	tasklist.exe
Token: SeDebugPrivilege	7528	tasklist.exe
Token: SeDebugPrivilege	7496	tasklist.exe
Token: SeDebugPrivilege	7360	tasklist.exe
Token: SeIncreaseQuotaPrivilege	7536	WMIC.exe
Token: SeSecurityPrivilege	7536	WMIC.exe
Token: SeTakeOwnershipPrivilege	7536	WMIC.exe
Token: SeLoadDriverPrivilege	7536	WMIC.exe
Token: SeSystemProfilePrivilege	7536	WMIC.exe
Token: SeSystemtimePrivilege	7536	WMIC.exe
Token: SeProfSingleProcessPrivilege	7536	WMIC.exe
Token: SeIncBasePriorityPrivilege	7536	WMIC.exe
Token: SeCreatePagefilePrivilege	7536	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.execmd.execmd.exe

description	pid	process	target process
PID 2708 wrote to memory of 1396	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 1396	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3016	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3508	2708	Launcher.exe	Launcher.exe
PID 2708 wrote to memory of 3508	2708	Launcher.exe	Launcher.exe
PID 1396 wrote to memory of 1300	1396	cmd.exe	tasklist.exe
PID 1396 wrote to memory of 1300	1396	cmd.exe	tasklist.exe
PID 2708 wrote to memory of 5088	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 5088	2708	Launcher.exe	cmd.exe
PID 5088 wrote to memory of 1404	5088	cmd.exe	WMIC.exe
PID 5088 wrote to memory of 1404	5088	cmd.exe	WMIC.exe
PID 2708 wrote to memory of 1996	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 1996	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 1020	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 1020	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 1132	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 1132	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 2984	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 2984	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 1236	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 1236	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 2192	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 2192	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 3804	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 3804	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 3176	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 3176	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 4920	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 4920	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 1936	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 1936	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 1364	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 1364	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 4852	2708	Launcher.exe	cmd.exe
PID 2708 wrote to memory of 4852	2708	Launcher.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1732 --field-trial-handle=1740,i,1897367237671205623,6114737793593188136,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=de --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --mojo-platform-channel-handle=2168 --field-trial-handle=1740,i,1897367237671205623,6114737793593188136,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2708 get ExecutablePath"
2⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=2708 get ExecutablePath
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1996

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1020

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1132

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2984

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1236

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2192

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3804

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3176

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4920

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1936

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1364

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4852

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4608

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:896

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1016

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3632

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4440

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4620

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2608

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:884

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1352

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4284

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3692

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1532

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:912

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3740

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3716

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:464

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4228

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3524

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4996

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2404

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2600

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1536

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2860

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1432

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:436

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3976

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2384

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2320

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3292

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2980

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4064

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1056

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3192

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2056

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2772

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2300

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3656

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4664

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4508

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3584

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4832

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3064

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4924

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4912

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1388

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2956

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4632

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3020

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1880

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1376

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2928

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4472

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4720

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2556

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1052

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2924

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2632

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4704

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1976

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3124

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4872

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:116

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1100

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:984

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4412

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4916

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4480

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4392

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:548

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1520

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3300

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1636

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1832

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1876

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4424

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4264

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1300

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4316

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3668

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1896

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "net session"
2⤵
PID:3184

C:\Windows\system32\net.exe
net session
3⤵
PID:8092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
4⤵
PID:9088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
2⤵
PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
2⤵
PID:5144

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:8328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
2⤵
PID:5168

C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7536

C:\Windows\system32\more.com
more +1
3⤵
PID:7656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
2⤵
PID:10868

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:10908

C:\Windows\system32\more.com
more +1
3⤵
PID:10916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
2⤵
PID:10972

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
3⤵
- Detects videocard installed
PID:11012

C:\Windows\system32\more.com
more +1
3⤵
PID:11020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
2⤵
PID:11064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:11104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
2⤵
PID:9088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:9028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:10864

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:10904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2708 get ExecutablePath"
2⤵
PID:11248

C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=2708 get ExecutablePath
3⤵
PID:11140

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1204 --field-trial-handle=1740,i,1897367237671205623,6114737793593188136,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:8460

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\096bd7ee-0cba-44e9-a5b8-e98271a32171.tmp.node
Filesize
151KB

MD5
bec0df3a37e6681b7eb29bd15904147a

SHA1
82a0869313ad7dcd86de3b5fa0e516d160c17013

SHA256
3d185f516d23d8c98a17e304b00b405b74dd7f3f6fb7d750bb7471deb1a9689f

SHA512
ae0639566f24e65a6a381862e020e39a32bec408b88eba60d3b01400c49535f09c6c67f424af406db78af2f197d79c3e262050ff5e17910c1ac1453561fffcd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\32018f3c-d7c2-423c-8e8c-6810343fd843.tmp.node
Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mncfiygf.tlo.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/8460-158-0x000001C7C97C0000-0x000001C7C97C1000-memory.dmp

Filesize
4KB

Download
memory/8460-155-0x000001C7C97C0000-0x000001C7C97C1000-memory.dmp

Filesize
4KB

Download
memory/8460-152-0x000001C7C97C0000-0x000001C7C97C1000-memory.dmp

Filesize
4KB

Download
memory/8460-153-0x000001C7C97C0000-0x000001C7C97C1000-memory.dmp

Filesize
4KB

Download
memory/8460-147-0x000001C7C97C0000-0x000001C7C97C1000-memory.dmp

Filesize
4KB

Download
memory/8460-148-0x000001C7C97C0000-0x000001C7C97C1000-memory.dmp

Filesize
4KB

Download
memory/8460-146-0x000001C7C97C0000-0x000001C7C97C1000-memory.dmp

Filesize
4KB

Download
memory/8460-154-0x000001C7C97C0000-0x000001C7C97C1000-memory.dmp

Filesize
4KB

Download
memory/8460-157-0x000001C7C97C0000-0x000001C7C97C1000-memory.dmp

Filesize
4KB

Download
memory/8460-156-0x000001C7C97C0000-0x000001C7C97C1000-memory.dmp

Filesize
4KB

Download
memory/11104-31-0x0000022CF4DA0000-0x0000022CF4EA4000-memory.dmp

Filesize
1.0MB

Download
memory/11104-19-0x0000022CF4790000-0x0000022CF4816000-memory.dmp

Filesize
536KB

Download
memory/11104-30-0x0000022CF46D0000-0x0000022CF46E0000-memory.dmp

Filesize
64KB

Download
memory/11104-20-0x0000022CF4700000-0x0000022CF4722000-memory.dmp

Filesize
136KB

Download