Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
23-06-2024 10:25
General
-
Target
af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe
-
Size
36.5MB
-
MD5
0e12bdd2a8200d4c1f368750e2c87bfe
-
SHA1
6c8b533e2c7f6ebef027971c3a06f4c55ed64cfe
-
SHA256
af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403
-
SHA512
909f15876f3a6cbe608eb53df4286927b013c45ff6acbc496a1590b9cc3fe47b1bb449ed45c3302f6d03cccb876cd2cc26f2b5e7c1ca4ff2d17dd4dee77bf75b
-
SSDEEP
393216:sYJEy4Te0rrigZ9BCbZPBKAgKBXSTzdOskYXXDeycerzHP+THt+/nDSpQg:sYJcrlZ9BGfg8XIJOkXXPCTV
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell and hide display window.
-
Creates new service(s) 2 TTPs
-
Executes dropped EXE 5 IoCs
-
Power Settings 1 TTPs 5 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 21 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Embeds OpenSSL 1 IoCs
Embeds OpenSSL, may be used to circumvent TLS interception.
-
Kills process with taskkill 12 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 59 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe"C:\Users\Admin\AppData\Local\Temp\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403-3c749898b82cad66\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe"C:\Users\Admin\AppData\Local\Temp\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403-3c749898b82cad66\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\winsvc.exe"C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403-3c749898b82cad66\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"5⤵
- Launches sc.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/05⤵
- Launches sc.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."5⤵
- Launches sc.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" start winsvc5⤵
- Launches sc.exe
-
C:\Windows\system32\winsvc.exeC:\Windows\system32\winsvc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "winnet.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "winnet.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "wincfg.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "wincfg.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "New-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\"" "-Program" "\"C:\Windows\system32\winnet.exe\"" "-Action" "Allow" "-Direction" "Inbound" "-EdgeTraversalPolicy" "Allow" "-Enabled" "True"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINNET.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINNET.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINCFG.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINCFG.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINNET.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINCFG.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINCFG.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINNET.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\WINDOWS\SYSTEM32\WINCFG.EXE"C:\WINDOWS\SYSTEM32\WINCFG.EXE"2⤵
- Executes dropped EXE
-
C:\WINDOWS\SYSTEM32\WINNET.EXE"C:\WINDOWS\SYSTEM32\WINNET.EXE" "--datadir=C:\Windows\system32\data" "--precomputation.elgamal=false" "--persist.profiles=false" "--persist.addressbook=false" "--cpuext.aesni" "--cpuext.avx" "--ipv4" "--ipv6" "--bandwidth=X" "--share=100" "--floodfill" "--nat" "--upnp.enabled=true" "--upnp.name=Microsoft" "--insomnia" "--nettime.enabled=true" "--nettime.ntpsyncinterval=1" "--sam.enabled=true" "--sam.singlethread=false" "--http.enabled=false" "--bob.enabled=false" "--httpproxy.enabled=false" "--socksproxy.enabled=false" "--i2cp.enabled=false" "--i2pcontrol.enabled=false" "--loglevel=none" "--log=stdout"2⤵
- Executes dropped EXE
- Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD55ba388a6597d5e09191c2c88d2fdf598
SHA113516f8ec5a99298f6952438055c39330feae5d8
SHA256e6b6223094e8fc598ad12b3849e49f03a141ccd21e0eaa336f81791ad8443eca
SHA512ead2a2b5a1c2fad70c1cf570b2c9bfcb7364dd9f257a834eb819e55b8fee78e3f191f93044f07d51c259ca77a90ee8530f9204cbae080fba1d5705e1209f5b19
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zy5clix3.zj4.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403-3c749898b82cad66\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exeFilesize
41.6MB
MD5312c3e03890f7d5242fe2158acabd4e8
SHA1d148cf18f876b55c03f2718bfff321b7d6287f87
SHA2566ac290f077cd4228dff7dc37a4c37e0a675207ad345543e8cd01008ce67ea751
SHA512da0e5c199a7ab586a17dd7b74cc4b6727ac5c9efcb3397b45f8806a6418c20bfc7515804ca10e2a9c52b207b56f3a56c86e3c3be646ffe27f988c59b0bc66971
-
C:\Windows\System32\data\router.infoFilesize
931B
MD5a462f220860d6c420bc57945ec1b369b
SHA190f9d54ab70158dd69ef6c7adfb0024004a2d1eb
SHA256b4e3984f04a69bd4501b1ab4cdbeb9c866e0614daa316ce6819884bb8e913561
SHA5126ba6690daeb90a91f24a7f4c7fd5ae2df5d6df3a18796168b59e352a05536ca7964c04008395533de914e820eb2934deb11936df3a0921cab3db27ccf49c4c5c
-
C:\Windows\System32\wincfg.exeFilesize
34.1MB
MD5cd89e8bcf1dbd9fc74f86c82e7f86342
SHA1a3c83b002d1959507ea04c099eb64965e054819b
SHA256593600fd2242a51c5eef3f33d7c0df33e01f3b71f065faf403298898ef378a21
SHA5120f8fc35ead17930b2741771b15ec97a85b26db3e8a56e68ba67bea53e0e954af0754e79f22c31bbe8f52564759d456281d4fccb1a645d120f2dd938c88e00ab2
-
C:\Windows\System32\winnet.exeFilesize
9.1MB
MD52fdbf4ba6ab24cf44aa0cc08cd77ca66
SHA1df5e034ba45a932b9f5d3ed7adc4a71e0b376984
SHA256fcd362e0632b35dad13a87f09ea6da4d07fa89516f42d64236d2cc3e3b2b725b
SHA51281d73f7540ede7337922dc18fc6b110c87f621bc0349c3fa17f50d1cb924b0d9b30a4a772b2d548238b65a1be43d458f1991320e7308e608c6cf40ccc3e59a51
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5dbbd2d4458d7e8094846420da595dfc3
SHA1267cb47b904f14a519d2bd73abfdb30e1a06e1a6
SHA256e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4
SHA512480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f2dd68ab8e611f0143c6ad176f223ae9
SHA130f580175773f251a9572fe757de6eaef6844abc
SHA256f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7
SHA512f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ffac5be2fbee5585d8814e867c1b0fa8
SHA1b050ba621770b9b19a0724e9f0b733126d2be484
SHA256ada158a1a5acf96f496879286e1354f8be86201c8d5329712cc52836f2ade906
SHA5125a727e8fda75ce9bcedb0811aa75572eb77c1f79e80919790b8cb2e137e589ca2148f34ebc7820b7421cad59a16327985a489ffbc0cdf984861cdf112301ed1d
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5db58473f1c8de0535150b143e0f83032
SHA1c876f77f6fcea039bb1833fe1194439d018d61b3
SHA256cf2c716974160473d141b5e6f59da185d555608a51c546a6b54110de61bfa70c
SHA512f168b906f6bedb9f045a3fd1fc4f93465f45ddd2a717f38a9c7163499f9851802619f33565009e225e6754908db08c0601949e475e159b1b3a93051247759ed0
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD553fbb36e3de882ade26ea8b023b9a6ce
SHA1ff48acf3b1475f0933c950856f58aebb26ca4af9
SHA256c1ed4103218a9267eb4c0266f7a5d599950aa178523cc33357e49b727bb65130
SHA512a2536a0500b3075e9f87ea66fee73061d6660af246637d04cfb7d80d51ddaa35692682a08663c21db9533cecc0e140a6b610d8656cc1aa02d3969b5d2a83f2c9
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5b680078f8f3eebef30aa416a5c6cde3e
SHA1f0a81dbe9678bde16f1c21108bc0e7c76d712def
SHA256740a2911a17db45b27ad7cdf3b240e6320be79204f096f6caae535c9179cdddd
SHA512a3cb38dcda920bd6565c0ece10a4c5270bf665e660dd05fff322421a236e1e67ff88c4b82c90e397307e4d21eeee46ff789fe5defe2ef92c3e8f2d0c8ccfd758
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e16230c01991373e9431ebee63505e40
SHA1352ff273303185e7fd3e1c7b8bdec40b5315b3c3
SHA25607632f6f4a596d9119a5c4fde348a9b6c001646849c2409937c42d45e5abc77d
SHA51299f240645697825aefaa83d7928044475e5f7866370eedc9ed1dff7891725ec052d974c0a1bf5245367f29774c3694090b2b03f89c0d0270d8cf1eefb30fa034
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59e9cde84e97360fb39f64e3697c25587
SHA102f67f54c54a08320a5331e464dc77b2816fbc97
SHA2561bdc4f0e8c0845ba527337f1e791da5873c34dff15eb33c71a5aba89e4db4c80
SHA512c719f5adf610599f0e57df5241da9b3fb595839fcbf955acbf4007ebc75d400916cec75cf9f24f72be6118237641c7800ae9b4c28b585b71a63d02a5789ca044
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58be843388da64ecf2afcc33faa0b9d59
SHA16be7b49d97936a9aaaca35d5974ba4cdf9af2104
SHA2564671b556fa107608ada0682304bf07844cef99e87166690ebde6803784ecb975
SHA512575249e175099653b14a85a4013ed59c25da08ae4584788c02fa02f0c351fc96bfa2018ddf68ed3d13119278a52dc34954c0fe59e6fbc824f4fff7db73f2c5e5
-
memory/1660-86-0x00000244F0690000-0x00000244F06AC000-memory.dmpFilesize
112KB
-
memory/1660-88-0x00000244F0680000-0x00000244F068A000-memory.dmpFilesize
40KB
-
memory/1660-93-0x00000244F0A00000-0x00000244F0A06000-memory.dmpFilesize
24KB
-
memory/1660-92-0x00000244F09D0000-0x00000244F09D8000-memory.dmpFilesize
32KB
-
memory/1660-91-0x00000244F0A20000-0x00000244F0A3A000-memory.dmpFilesize
104KB
-
memory/1660-90-0x00000244F09C0000-0x00000244F09CA000-memory.dmpFilesize
40KB
-
memory/1660-89-0x00000244F09E0000-0x00000244F09FC000-memory.dmpFilesize
112KB
-
memory/1660-94-0x00000244F0A10000-0x00000244F0A1A000-memory.dmpFilesize
40KB
-
memory/1660-87-0x00000244F06B0000-0x00000244F0763000-memory.dmpFilesize
716KB
-
memory/3320-200-0x00000256A9CA0000-0x00000256A9CAE000-memory.dmpFilesize
56KB
-
memory/3320-201-0x00000256A9F40000-0x00000256A9F5A000-memory.dmpFilesize
104KB
-
memory/3320-199-0x00000256A9BD0000-0x00000256A9C83000-memory.dmpFilesize
716KB
-
memory/3888-65-0x00007FF634190000-0x00007FF6341A0000-memory.dmpFilesize
64KB
-
memory/3888-64-0x00007FF634180000-0x00007FF634190000-memory.dmpFilesize
64KB
-
memory/4600-262-0x00007FF6165E0000-0x00007FF616F0C000-memory.dmpFilesize
9.2MB
-
memory/4816-21-0x000001E2E2FE0000-0x000001E2E3002000-memory.dmpFilesize
136KB