bd257601a2e601e8dd72158039b8b9e57d2bb6faba8f7953b80547c0ace22447

Analysis

max time kernel
140s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IDM Activation Script 1.2.cmd
Size

31KB
MD5

cd219449e7472b4e6f35c612824635bd
SHA1

f6db923ee2dbb3ae2ade5e0511533506962a689b
SHA256

87e810d116c7a4d2f3baae3c98715047c901fd581fef72f3c3b218c03231f944
SHA512

fa92d80645c1bc6ff55238322ce69144b4550aa6256efe3c334c0c343a937185a9ce18a1ad4c8e55e5ac42e6d937582738441d443f01f4a0590d64ac1453ec55
SSDEEP

384:mNnhCo3piIUTUq5rrfmJbnl7+qK14TEJYab:mNn/ZiBAq5rrfmFl7G4gJYab

Score

6^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4936	powershell.exe
2288	powershell.exe
1552	powershell.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1560	sc.exe
3164	sc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2428	cmd.exe
1240	PING.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Wow6432Node\CLSID\IAS_TEST	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\IAS_TEST\	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\IAS_TEST	reg.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
3860	reg.exe
4464	reg.exe
4736	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1240	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4936	powershell.exe
4936	powershell.exe
2288	powershell.exe
2288	powershell.exe
1552	powershell.exe
1552	powershell.exe
1496	powershell.exe
1496	powershell.exe
4756	powershell.exe
4756	powershell.exe
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4024	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 1560	3912	cmd.exe	85
PID 3912 wrote to memory of 1560	3912	cmd.exe	85
PID 3912 wrote to memory of 880	3912	cmd.exe	86
PID 3912 wrote to memory of 880	3912	cmd.exe	86
PID 3912 wrote to memory of 3596	3912	cmd.exe	87
PID 3912 wrote to memory of 3596	3912	cmd.exe	87
PID 3912 wrote to memory of 2736	3912	cmd.exe	89
PID 3912 wrote to memory of 2736	3912	cmd.exe	89
PID 3912 wrote to memory of 4512	3912	cmd.exe	90
PID 3912 wrote to memory of 4512	3912	cmd.exe	90
PID 3912 wrote to memory of 3764	3912	cmd.exe	91
PID 3912 wrote to memory of 3764	3912	cmd.exe	91
PID 3912 wrote to memory of 2156	3912	cmd.exe	92
PID 3912 wrote to memory of 2156	3912	cmd.exe	92
PID 2156 wrote to memory of 4168	2156	cmd.exe	93
PID 2156 wrote to memory of 4168	2156	cmd.exe	93
PID 2156 wrote to memory of 3860	2156	cmd.exe	94
PID 2156 wrote to memory of 3860	2156	cmd.exe	94
PID 3912 wrote to memory of 4212	3912	cmd.exe	95
PID 3912 wrote to memory of 4212	3912	cmd.exe	95
PID 3912 wrote to memory of 2596	3912	cmd.exe	96
PID 3912 wrote to memory of 2596	3912	cmd.exe	96
PID 3912 wrote to memory of 4936	3912	cmd.exe	97
PID 3912 wrote to memory of 4936	3912	cmd.exe	97
PID 3912 wrote to memory of 4800	3912	cmd.exe	98
PID 3912 wrote to memory of 4800	3912	cmd.exe	98
PID 3912 wrote to memory of 3468	3912	cmd.exe	99
PID 3912 wrote to memory of 3468	3912	cmd.exe	99
PID 3912 wrote to memory of 4024	3912	cmd.exe	100
PID 3912 wrote to memory of 4024	3912	cmd.exe	100
PID 4024 wrote to memory of 2288	4024	conhost.exe	101
PID 4024 wrote to memory of 2288	4024	conhost.exe	101
PID 2288 wrote to memory of 4544	2288	powershell.exe	103
PID 2288 wrote to memory of 4544	2288	powershell.exe	103
PID 4544 wrote to memory of 3164	4544	cmd.exe	104
PID 4544 wrote to memory of 3164	4544	cmd.exe	104
PID 4544 wrote to memory of 224	4544	cmd.exe	105
PID 4544 wrote to memory of 224	4544	cmd.exe	105
PID 4544 wrote to memory of 1948	4544	cmd.exe	106
PID 4544 wrote to memory of 1948	4544	cmd.exe	106
PID 4544 wrote to memory of 1388	4544	cmd.exe	108
PID 4544 wrote to memory of 1388	4544	cmd.exe	108
PID 4544 wrote to memory of 4012	4544	cmd.exe	109
PID 4544 wrote to memory of 4012	4544	cmd.exe	109
PID 4544 wrote to memory of 1524	4544	cmd.exe	110
PID 4544 wrote to memory of 1524	4544	cmd.exe	110
PID 4544 wrote to memory of 4172	4544	cmd.exe	111
PID 4544 wrote to memory of 4172	4544	cmd.exe	111
PID 4172 wrote to memory of 2332	4172	cmd.exe	112
PID 4172 wrote to memory of 2332	4172	cmd.exe	112
PID 4172 wrote to memory of 4696	4172	cmd.exe	113
PID 4172 wrote to memory of 4696	4172	cmd.exe	113
PID 4544 wrote to memory of 5104	4544	cmd.exe	114
PID 4544 wrote to memory of 5104	4544	cmd.exe	114
PID 4544 wrote to memory of 3300	4544	cmd.exe	115
PID 4544 wrote to memory of 3300	4544	cmd.exe	115
PID 4544 wrote to memory of 1552	4544	cmd.exe	116
PID 4544 wrote to memory of 1552	4544	cmd.exe	116
PID 4544 wrote to memory of 4112	4544	cmd.exe	117
PID 4544 wrote to memory of 4112	4544	cmd.exe	117
PID 4544 wrote to memory of 2508	4544	cmd.exe	118
PID 4544 wrote to memory of 2508	4544	cmd.exe	118
PID 4544 wrote to memory of 2428	4544	cmd.exe	119
PID 4544 wrote to memory of 2428	4544	cmd.exe	119

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\IDM Activation Script 1.2.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:1560
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:880
- C:\Windows\System32\findstr.exe
  findstr /v "$" "IDM Activation Script 1.2.cmd"
  2⤵
  PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2736
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:4512
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:3764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:4168
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:3860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\IDM Activation Script 1.2.cmd" "
  2⤵
  PID:4212
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\IDM Activation Script 1.2.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Windows\System32\find.exe
  find /i "FullLanguage"
  2⤵
  PID:4800
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:3468
- C:\Windows\System32\conhost.exe
  conhost.exe powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Users\Admin\AppData\Local\Temp\IDM Activation Script 1.2.cmd""" -el -qedit'"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '\"C:\Users\Admin\AppData\Local\Temp\IDM Activation Script 1.2.cmd\" -el -qedit'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\IDM Activation Script 1.2.cmd" -el -qedit"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Windows\System32\sc.exe
        
        sc query Null
        5⤵
        Launches sc.exe
        
        PID:3164
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:224
    - - C:\Windows\System32\findstr.exe
        
        findstr /v "$" "IDM Activation Script 1.2.cmd"
        5⤵
        
        PID:1948
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        5⤵
        
        PID:1388
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Console" /v ForceV2
        5⤵
        
        PID:4012
    - - C:\Windows\System32\find.exe
        
        find /i "0x0"
        5⤵
        
        PID:1524
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4172
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        6⤵
        
        PID:2332
      - C:\Windows\System32\cmd.exe
        
        cmd
        6⤵
        
        PID:4696
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\IDM Activation Script 1.2.cmd" "
        5⤵
        
        PID:5104
    - - C:\Windows\System32\find.exe
        
        find /i "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:3300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\IDM Activation Script 1.2.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
    - - C:\Windows\System32\find.exe
        
        find /i "FullLanguage"
        5⤵
        
        PID:4112
    - - C:\Windows\System32\fltMC.exe
        
        fltmc
        5⤵
        
        PID:2508
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -4 -n 1 iasupdatecheck.massgrave.dev
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2428
      - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 iasupdatecheck.massgrave.dev
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -Property CreationClassName"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
    - - C:\Windows\System32\find.exe
        
        find /i "computersystem"
        5⤵
        
        PID:2928
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value" 2>nul
        5⤵
        
        PID:2040
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
    - - C:\Windows\System32\reg.exe
        
        reg query HKU\\Software
        5⤵
        
        PID:5036
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid" 2>nul
        5⤵
        
        PID:4352
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
    - - C:\Windows\System32\reg.exe
        
        reg query HKU\S-1-5-21-3442511616-637977696-3186306149-1000\Software
        5⤵
        
        PID:2308
    - - C:\Windows\System32\reg.exe
        
        reg delete HKCU\IAS_TEST /f
        5⤵
        Modifies registry key
        
        PID:3860
    - - C:\Windows\System32\reg.exe
        
        reg delete HKU\S-1-5-21-3442511616-637977696-3186306149-1000\IAS_TEST /f
        5⤵
        
        PID:4132
    - - C:\Windows\System32\reg.exe
        
        reg add HKCU\IAS_TEST
        5⤵
        Modifies registry key
        
        PID:4464
    - - C:\Windows\System32\reg.exe
        
        reg query HKU\S-1-5-21-3442511616-637977696-3186306149-1000\IAS_TEST
        5⤵
        
        PID:1000
    - - C:\Windows\System32\reg.exe
        
        reg delete HKCU\IAS_TEST /f
        5⤵
        Modifies registry key
        
        PID:4736
    - - C:\Windows\System32\reg.exe
        
        reg delete HKU\S-1-5-21-3442511616-637977696-3186306149-1000\IAS_TEST /f
        5⤵
        
        PID:2232
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        5⤵
        
        PID:1968
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        6⤵
        
        PID:2260
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-3442511616-637977696-3186306149-1000\Software\DownloadManager" /v ExePath 2>nul
        5⤵
        
        PID:3564
      - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-21-3442511616-637977696-3186306149-1000\Software\DownloadManager" /v ExePath
        6⤵
        
        PID:1764
    - - C:\Windows\System32\reg.exe
        
        reg add HKU\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
        5⤵
        Modifies registry class
        
        PID:2248
    - - C:\Windows\System32\reg.exe
        
        reg query HKU\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
        5⤵
        
        PID:4936
    - - C:\Windows\System32\reg.exe
        
        reg delete HKU\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST /f
        5⤵
        Modifies registry class
        
        PID:3468
    - - C:\Windows\System32\mode.com
        
        mode 75, 28
        5⤵
        
        PID:3832
    - - C:\Windows\System32\choice.exe
        
        choice /C:123450 /N
        5⤵
        
        PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e89c193840c8fb53fc3de104b1c4b092

SHA1
8b41b6a392780e48cc33e673cf4412080c42981e

SHA256
920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c

SHA512
865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ce1a679b33c93b99ca354011ee994587

SHA1
8dc48d6d7716b4e1099d8fef19f48795d652adc9

SHA256
7b9b7e9bfd7214a01859ff20ff6ffc55c096fba333e3582c38b792faef282a39

SHA512
210bc9653d7ca49dcab7009cf976050c35f87fef8eb27e9337cdf94c1343fcbf9c4f358a9aa60b2e005f26f0e9735a65262ba2d453ec31d139b7842df1a1b944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88dbc4ea02d5955553aa0829b4633951

SHA1
cdcac352cbba1845bb4157214a8c915822514e50

SHA256
99ef7da23364302609c71345fc2524e8b7f2cf59e2dc50c3b794e61e68489e05

SHA512
56534d6f5c601d16400f61f3c6ecf9a823a37c90e80e4355b78959b2922fa301e938903a55b683b0c0beca0d0ead8b642bc3ffbd8b964637f9eeaeb04fa4d0a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
380c5577608cea1171aec5bb642be68f

SHA1
6246a27767fc2d46f3a7c15d8eda791f50d430bf

SHA256
81393ddeb2ae3cd66f4c241be776663ca49eed20ab11ec76a63e19f6fe717f18

SHA512
008295cd2c190a1f456f1c19c7dac027d721e4a1ebae28821d04eb633afd063c374e2538b3c081f0e491bc3c7f4693da768b6eab91f2872dda491ad211eb1d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oit0plpa.thz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4936-5-0x0000019438610000-0x0000019438632000-memory.dmp

Filesize
136KB

Download