Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/06/2024, 23:42

General

  • Target

    3ce2deed846543f4b039f43c99406ad949053816d492761c271bb796e32d5e7a.exe

  • Size

    40.8MB

  • MD5

    4e518b01f1a03136dd9add70b1896771

  • SHA1

    5067bf77aa4237d8af1f32bcf1290f2ac93df50c

  • SHA256

    3ce2deed846543f4b039f43c99406ad949053816d492761c271bb796e32d5e7a

  • SHA512

    31f7b845fd787a7b05f481f8fec4cb9a9915e062e79d6896e96704c85b48e4dad4f3fcf2b4f92924e5f1c360af5dd71f37602b1cdfadf590814c2c1cff581298

  • SSDEEP

    786432:U4XcPJcRbQxx6Ed3MBFAFUqq63budRfPY73B:rXWJ2ux6YMoq63bsRfPY73B

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Run Powershell and hide display window.

  • Creates new service(s) 2 TTPs
  • Executes dropped EXE 5 IoCs
  • Drops file in System32 directory 21 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Kills process with taskkill 8 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ce2deed846543f4b039f43c99406ad949053816d492761c271bb796e32d5e7a.exe
    "C:\Users\Admin\AppData\Local\Temp\3ce2deed846543f4b039f43c99406ad949053816d492761c271bb796e32d5e7a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Users\Admin\AppData\Local\Temp\3ce2deed846543f4b039f43c99406ad949053816d492761c271bb796e32d5e7a-73e8691c8e7d3f8c\3ce2deed846543f4b039f43c99406ad949053816d492761c271bb796e32d5e7a.exe
      "C:\Users\Admin\AppData\Local\Temp\3ce2deed846543f4b039f43c99406ad949053816d492761c271bb796e32d5e7a-73e8691c8e7d3f8c\3ce2deed846543f4b039f43c99406ad949053816d492761c271bb796e32d5e7a.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Windows\system32\winsvc.exe
        "C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\3ce2deed846543f4b039f43c99406ad949053816d492761c271bb796e32d5e7a-73e8691c8e7d3f8c\3ce2deed846543f4b039f43c99406ad949053816d492761c271bb796e32d5e7a.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3952
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1236
          • C:\Windows\system32\sc.exe
            "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
            5⤵
            • Launches sc.exe
            PID:1232
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1540
          • C:\Windows\system32\sc.exe
            "C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
            5⤵
            • Launches sc.exe
            PID:3260
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3080
          • C:\Windows\system32\sc.exe
            "C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
            5⤵
            • Launches sc.exe
            PID:4040
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3292
          • C:\Windows\system32\sc.exe
            "C:\Windows\system32\sc.exe" start winsvc
            5⤵
            • Launches sc.exe
            PID:3956
  • C:\Windows\system32\winsvc.exe
    C:\Windows\system32\winsvc.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4256
      • C:\Windows\system32\powercfg.exe
        "C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4168
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Windows\system32\powercfg.exe
        "C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2176
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5100
      • C:\Windows\system32\powercfg.exe
        "C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Windows\system32\powercfg.exe
        "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\system32\powercfg.exe
        "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2008
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" "/F" "/IM" "winnet.exe"
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2168
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" "/F" "/IM" "winnet.exe"
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3224
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" "/F" "/IM" "wincfg.exe"
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4472
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" "/F" "/IM" "wincfg.exe"
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2440
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3304
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "New-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\"" "-Program" "\"C:\Windows\system32\winnet.exe\"" "-Action" "Allow" "-Direction" "Inbound" "-EdgeTraversalPolicy" "Allow" "-Enabled" "True"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:808
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" "/F" "/IM" "WINNET.exe"
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1496
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" "/F" "/IM" "WINCFG.exe"
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4072
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" "/F" "/IM" "WINCFG.exe"
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3324
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" "/F" "/IM" "WINNET.exe"
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1708
    • C:\WINDOWS\SYSTEM32\WINCFG.EXE
      "C:\WINDOWS\SYSTEM32\WINCFG.EXE"
      2⤵
      • Executes dropped EXE
      PID:4312
    • C:\WINDOWS\SYSTEM32\WINNET.EXE
      "C:\WINDOWS\SYSTEM32\WINNET.EXE" "--datadir=C:\Windows\system32\data" "--precomputation.elgamal=false" "--persist.profiles=false" "--persist.addressbook=false" "--cpuext.aesni" "--cpuext.avx" "--ipv4" "--ipv6" "--bandwidth=X" "--share=100" "--floodfill" "--nat" "--upnp.enabled=true" "--upnp.name=Microsoft" "--insomnia" "--nettime.enabled=true" "--nettime.ntpsyncinterval=1" "--sam.enabled=true" "--sam.singlethread=false" "--http.enabled=false" "--bob.enabled=false" "--httpproxy.enabled=false" "--socksproxy.enabled=false" "--i2cp.enabled=false" "--i2pcontrol.enabled=false" "--loglevel=none" "--log=stdout"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    64B

    MD5

    5caad758326454b5788ec35315c4c304

    SHA1

    3aef8dba8042662a7fcf97e51047dc636b4d4724

    SHA256

    83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

    SHA512

    4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    64B

    MD5

    446dd1cf97eaba21cf14d03aebc79f27

    SHA1

    36e4cc7367e0c7b40f4a8ace272941ea46373799

    SHA256

    a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

    SHA512

    a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

  • C:\Users\Admin\AppData\Local\Temp\3ce2deed846543f4b039f43c99406ad949053816d492761c271bb796e32d5e7a-73e8691c8e7d3f8c\3ce2deed846543f4b039f43c99406ad949053816d492761c271bb796e32d5e7a.exe

    Filesize

    42.1MB

    MD5

    4a15c9ac14e06e947b55109965362682

    SHA1

    cbf8291f6d001ce82fbbbdf181501b1b607fc5f2

    SHA256

    5d344800fc9aca2c8ab4447bc73d695e4abbe9a5a02a00b17c4fffd112406469

    SHA512

    16472fa5f924cab82044559cc1309308090031745df537807e01f714fa11cb33ae722e148764efd0fa01f58c3364f0dff4ac056cf010d0a378802ad148d51060

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xh2gbuqc.52s.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Windows\System32\data\router.info

    Filesize

    931B

    MD5

    f0cbb9567ba0127a2a04291d48b4eef6

    SHA1

    835a8f00c4c6829e3809cb295953cb5a6d14c117

    SHA256

    1f9af2d23946480e236a3a2e51b31a5068fcdd622cbdb4b08318bd714126a073

    SHA512

    f50b5fb7f54d4c9c3b07233ec4f4e5882f860e1e2a1974a08da837baebb224ae85088bb75c05608f7eb475b26809e18e90d629be62f73dcd8eaf39a7d5f15636

  • C:\Windows\System32\wincfg.exe

    Filesize

    34.1MB

    MD5

    7b9ec19cabffb397ec7c4cd8abf9540c

    SHA1

    530430c7f7b99a447a2a5d35935ff332d1b6d065

    SHA256

    0f7daa7cbbe5b22bc7a7926470ccd51ed1e80fcfaccff86dec337bdb6e0167bb

    SHA512

    ac18b032013524600f5a6208c21b1dd171016c616ad552a522861b8aaeeab134f1e37ac15efbc6a3f836979233685ca36a728f685da982f50d12f739be2c471d

  • C:\Windows\System32\winnet.exe

    Filesize

    9.1MB

    MD5

    2fdbf4ba6ab24cf44aa0cc08cd77ca66

    SHA1

    df5e034ba45a932b9f5d3ed7adc4a71e0b376984

    SHA256

    fcd362e0632b35dad13a87f09ea6da4d07fa89516f42d64236d2cc3e3b2b725b

    SHA512

    81d73f7540ede7337922dc18fc6b110c87f621bc0349c3fa17f50d1cb924b0d9b30a4a772b2d548238b65a1be43d458f1991320e7308e608c6cf40ccc3e59a51

  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    4KB

    MD5

    bdb25c22d14ec917e30faf353826c5de

    SHA1

    6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

    SHA256

    e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

    SHA512

    b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    b42c70c1dbf0d1d477ec86902db9e986

    SHA1

    1d1c0a670748b3d10bee8272e5d67a4fabefd31f

    SHA256

    8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

    SHA512

    57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    299328894bfe5663f0f475b78554b8a0

    SHA1

    6a743a5a25d68a38a3dbced744db333a0fe27e6e

    SHA256

    b1affa872beee742a2da3a5fc4cba5337e8d051c08ebcbeb73475d94f66d3514

    SHA512

    144deabffaaaf58f1bdbcb0e820d555ba6f4e6a6e2649ffefdbb0d1c8e9f31d421a6e03b468f1816029cd4394dd8d4ee906fb668be45059ef44f067301d491f6

  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    64B

    MD5

    77e157d3234d5c19ce3e0e01d07e2939

    SHA1

    bef3ab351c7ed84f6e6d9292607073846534ac08

    SHA256

    82d3b1553406dd12eea1ab8f1f732b521db4146c7fe12cfa60104e52394c7833

    SHA512

    e08176c52b1af7de73323e9bdf186530f1936e1ae4bb8ffd3c0f6b3264a364138a3bb8488e6b992d6a662d0acb5a4b7eadf808300301576339e832f22bffaceb

  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    8857491a4a65a9a1d560c4705786a312

    SHA1

    4f3caf2ad5d66a2410c9cca0381d26a46e832cb4

    SHA256

    b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360

    SHA512

    d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660

  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    2ad33642f863ae14ee53bc6853ee330e

    SHA1

    ca81cc7d8c33a46ebe97bc1d3db55e41a813029e

    SHA256

    17c7b3c895766071a0d87318ec4134a9032ed113b46d3ba75889819a61a9cc19

    SHA512

    52c59a7bde3751e07da53f3942c15cc3e19a4bf1929fbc28ae568ed96531852747b4f724e01438e159c4c98bf2d846db205c48e32f4b5984e9fddeb936eb8aa9

  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    3b8ef11aff69e43d47f234d5ee0a72b3

    SHA1

    3869fe51c123c88c1be43b11044b580097466f26

    SHA256

    0025a82d5c9ef9b1786333fb007e72601dfbf9340d75230f8a3e687e6a107889

    SHA512

    b46facc11d98c50dacbbd9f36d4715402356d95eed1c073615fcd680bfb142b39830311915fba16a7d8ec0e71640c5d4e9f78930916b8f6432a0f0c203f6fc2b

  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    a316ebd4efa11d6b6daf6af0cc1aebce

    SHA1

    ab338dd719969c70590dbc039b90e2758c741762

    SHA256

    f7308f111e3910da5c34c4d06d78d692f44419f848f5bf886fd466d5a96ad014

    SHA512

    67a9b94b704222a1bbe02fa8780c6b9bd364c8581b693ca28c6a444fde160df216304426bacf6b01909b80540cf0add79669b7a88ca260a6fbc93c4742f36c5a

  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    df876271ac9045e52c2c143d23f8b096

    SHA1

    f9af2b141dca573237d9935c69f101d26acc20ce

    SHA256

    4b3a72641942f67575fde4cae04bda41c165030a2552d9608ccbb6fddd56d38c

    SHA512

    c72174f910a686daa09c7a6dc1be0ad53ab34b6d08bef03fca19fc1d0f93fcfe5900caa6d588f90dd7dac6f88cccfd99d166da7917c00cf9f3d01b195458ae39

  • memory/316-69-0x00007FF7D7B20000-0x00007FF7D7B30000-memory.dmp

    Filesize

    64KB

  • memory/316-68-0x00007FF7D7B10000-0x00007FF7D7B20000-memory.dmp

    Filesize

    64KB

  • memory/1236-18-0x0000026824A10000-0x0000026824A32000-memory.dmp

    Filesize

    136KB

  • memory/1364-92-0x00000210B3190000-0x00000210B31AC000-memory.dmp

    Filesize

    112KB

  • memory/1364-100-0x00000210B3410000-0x00000210B341A000-memory.dmp

    Filesize

    40KB

  • memory/1364-99-0x00000210B3400000-0x00000210B3406000-memory.dmp

    Filesize

    24KB

  • memory/1364-98-0x00000210B33D0000-0x00000210B33D8000-memory.dmp

    Filesize

    32KB

  • memory/1364-97-0x00000210B3420000-0x00000210B343A000-memory.dmp

    Filesize

    104KB

  • memory/1364-96-0x00000210B33C0000-0x00000210B33CA000-memory.dmp

    Filesize

    40KB

  • memory/1364-95-0x00000210B33E0000-0x00000210B33FC000-memory.dmp

    Filesize

    112KB

  • memory/1364-94-0x00000210B3270000-0x00000210B327A000-memory.dmp

    Filesize

    40KB

  • memory/1364-93-0x00000210B31B0000-0x00000210B3265000-memory.dmp

    Filesize

    724KB

  • memory/2904-267-0x00007FF71F940000-0x00007FF72026C000-memory.dmp

    Filesize

    9.2MB

  • memory/3304-214-0x000001361F3C0000-0x000001361F3CE000-memory.dmp

    Filesize

    56KB

  • memory/3304-215-0x000001361F420000-0x000001361F43A000-memory.dmp

    Filesize

    104KB