Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24-06-2024 01:21
Static task
static1
Behavioral task
behavioral1
Sample
af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe
Resource
win10v2004-20240508-en
General
-
Target
af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe
-
Size
36.5MB
-
MD5
0e12bdd2a8200d4c1f368750e2c87bfe
-
SHA1
6c8b533e2c7f6ebef027971c3a06f4c55ed64cfe
-
SHA256
af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403
-
SHA512
909f15876f3a6cbe608eb53df4286927b013c45ff6acbc496a1590b9cc3fe47b1bb449ed45c3302f6d03cccb876cd2cc26f2b5e7c1ca4ff2d17dd4dee77bf75b
-
SSDEEP
393216:sYJEy4Te0rrigZ9BCbZPBKAgKBXSTzdOskYXXDeycerzHP+THt+/nDSpQg:sYJcrlZ9BGfg8XIJOkXXPCTV
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 2284 powershell.exe 3988 powershell.exe 4100 powershell.exe 3688 powershell.exe 4796 powershell.exe 2284 powershell.exe 2520 powershell.exe 2108 powershell.exe 4540 powershell.exe 1624 powershell.exe 3988 powershell.exe 4008 powershell.exe 1112 powershell.exe 1792 powershell.exe 1932 powershell.exe -
Creates new service(s) 2 TTPs
-
Executes dropped EXE 5 IoCs
Processes:
af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exewinsvc.exewinsvc.exeWINNET.EXEWINCFG.EXEpid process 5000 af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe 900 winsvc.exe 3544 winsvc.exe 2108 WINNET.EXE 3696 WINCFG.EXE -
Power Settings 1 TTPs 5 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepid process 3528 powercfg.exe 1716 powercfg.exe 3608 powercfg.exe 2616 powercfg.exe 4044 powercfg.exe -
Drops file in System32 directory 21 IoCs
Processes:
powershell.exeWINNET.EXEpowershell.exeaf77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinsvc.exepowershell.exedescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\data\router.info WINNET.EXE File opened for modification C:\Windows\system32\data\router.info WINNET.EXE File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\.co9923.tmp af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\data\router.keys WINNET.EXE File opened for modification C:\Windows\System32\.co9923.tmp af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\data\ntcp2.keys WINNET.EXE File created C:\Windows\system32\data\ssu2.keys WINNET.EXE File created C:\Windows\system32\data\destinations\53cb4lcl3yllgfqgn2lq7oakcatxcwlj4vjizoo5wnwb3o5fsova.dat WINNET.EXE File opened for modification C:\Windows\system32\winsvc.exe af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe File opened for modification C:\Windows\system32\winnet.exe winsvc.exe File opened for modification C:\Windows\system32\wincfg.exe winsvc.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exepid process 4104 sc.exe 212 sc.exe 3564 sc.exe 2224 sc.exe -
Embeds OpenSSL 1 IoCs
Embeds OpenSSL, may be used to circumvent TLS interception.
Processes:
resource yara_rule C:\Windows\System32\winnet.exe embeds_openssl -
Kills process with taskkill 12 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 2592 taskkill.exe 60 taskkill.exe 4024 taskkill.exe 2896 taskkill.exe 936 taskkill.exe 4848 taskkill.exe 2876 taskkill.exe 4896 taskkill.exe 3288 taskkill.exe 864 taskkill.exe 3024 taskkill.exe 1192 taskkill.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinsvc.exepid process 4540 powershell.exe 4540 powershell.exe 1112 powershell.exe 1112 powershell.exe 1624 powershell.exe 1624 powershell.exe 4100 powershell.exe 4100 powershell.exe 3988 powershell.exe 3988 powershell.exe 2284 powershell.exe 2284 powershell.exe 2520 powershell.exe 2520 powershell.exe 3688 powershell.exe 3688 powershell.exe 1792 powershell.exe 1792 powershell.exe 1932 powershell.exe 1932 powershell.exe 2108 powershell.exe 2108 powershell.exe 4008 powershell.exe 4008 powershell.exe 4796 powershell.exe 4796 powershell.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe 3544 winsvc.exe -
Suspicious use of AdjustPrivilegeToken 59 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowercfg.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exedescription pid process Token: SeDebugPrivilege 4540 powershell.exe Token: SeDebugPrivilege 1112 powershell.exe Token: SeDebugPrivilege 1624 powershell.exe Token: SeDebugPrivilege 4100 powershell.exe Token: SeDebugPrivilege 3988 powershell.exe Token: SeDebugPrivilege 2284 powershell.exe Token: SeDebugPrivilege 2520 powershell.exe Token: SeShutdownPrivilege 2616 powercfg.exe Token: SeCreatePagefilePrivilege 2616 powercfg.exe Token: SeDebugPrivilege 3688 powershell.exe Token: SeShutdownPrivilege 4044 powercfg.exe Token: SeCreatePagefilePrivilege 4044 powercfg.exe Token: SeDebugPrivilege 1792 powershell.exe Token: SeShutdownPrivilege 3528 powercfg.exe Token: SeCreatePagefilePrivilege 3528 powercfg.exe Token: SeDebugPrivilege 1932 powershell.exe Token: SeShutdownPrivilege 1716 powercfg.exe Token: SeCreatePagefilePrivilege 1716 powercfg.exe Token: SeDebugPrivilege 2108 powershell.exe Token: SeShutdownPrivilege 3608 powercfg.exe Token: SeCreatePagefilePrivilege 3608 powercfg.exe Token: SeDebugPrivilege 4896 taskkill.exe Token: SeDebugPrivilege 3288 taskkill.exe Token: SeDebugPrivilege 2592 taskkill.exe Token: SeDebugPrivilege 864 taskkill.exe Token: SeDebugPrivilege 4008 powershell.exe Token: SeAssignPrimaryTokenPrivilege 4008 powershell.exe Token: SeIncreaseQuotaPrivilege 4008 powershell.exe Token: SeSecurityPrivilege 4008 powershell.exe Token: SeTakeOwnershipPrivilege 4008 powershell.exe Token: SeLoadDriverPrivilege 4008 powershell.exe Token: SeSystemtimePrivilege 4008 powershell.exe Token: SeBackupPrivilege 4008 powershell.exe Token: SeRestorePrivilege 4008 powershell.exe Token: SeShutdownPrivilege 4008 powershell.exe Token: SeSystemEnvironmentPrivilege 4008 powershell.exe Token: SeUndockPrivilege 4008 powershell.exe Token: SeManageVolumePrivilege 4008 powershell.exe Token: SeDebugPrivilege 4796 powershell.exe Token: SeAssignPrimaryTokenPrivilege 4796 powershell.exe Token: SeIncreaseQuotaPrivilege 4796 powershell.exe Token: SeSecurityPrivilege 4796 powershell.exe Token: SeTakeOwnershipPrivilege 4796 powershell.exe Token: SeLoadDriverPrivilege 4796 powershell.exe Token: SeSystemtimePrivilege 4796 powershell.exe Token: SeBackupPrivilege 4796 powershell.exe Token: SeRestorePrivilege 4796 powershell.exe Token: SeShutdownPrivilege 4796 powershell.exe Token: SeSystemEnvironmentPrivilege 4796 powershell.exe Token: SeUndockPrivilege 4796 powershell.exe Token: SeManageVolumePrivilege 4796 powershell.exe Token: SeDebugPrivilege 60 taskkill.exe Token: SeDebugPrivilege 4024 taskkill.exe Token: SeDebugPrivilege 2896 taskkill.exe Token: SeDebugPrivilege 3024 taskkill.exe Token: SeDebugPrivilege 1192 taskkill.exe Token: SeDebugPrivilege 936 taskkill.exe Token: SeDebugPrivilege 4848 taskkill.exe Token: SeDebugPrivilege 2876 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exeaf77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exewinsvc.exepowershell.exepowershell.exepowershell.exepowershell.exewinsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process target process PID 2444 wrote to memory of 5000 2444 af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe PID 2444 wrote to memory of 5000 2444 af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe PID 5000 wrote to memory of 900 5000 af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe winsvc.exe PID 5000 wrote to memory of 900 5000 af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe winsvc.exe PID 900 wrote to memory of 4540 900 winsvc.exe powershell.exe PID 900 wrote to memory of 4540 900 winsvc.exe powershell.exe PID 4540 wrote to memory of 212 4540 powershell.exe sc.exe PID 4540 wrote to memory of 212 4540 powershell.exe sc.exe PID 900 wrote to memory of 1112 900 winsvc.exe powershell.exe PID 900 wrote to memory of 1112 900 winsvc.exe powershell.exe PID 1112 wrote to memory of 3564 1112 powershell.exe sc.exe PID 1112 wrote to memory of 3564 1112 powershell.exe sc.exe PID 900 wrote to memory of 1624 900 winsvc.exe powershell.exe PID 900 wrote to memory of 1624 900 winsvc.exe powershell.exe PID 1624 wrote to memory of 2224 1624 powershell.exe sc.exe PID 1624 wrote to memory of 2224 1624 powershell.exe sc.exe PID 900 wrote to memory of 4100 900 winsvc.exe powershell.exe PID 900 wrote to memory of 4100 900 winsvc.exe powershell.exe PID 4100 wrote to memory of 4104 4100 powershell.exe sc.exe PID 4100 wrote to memory of 4104 4100 powershell.exe sc.exe PID 3544 wrote to memory of 3988 3544 winsvc.exe powershell.exe PID 3544 wrote to memory of 3988 3544 winsvc.exe powershell.exe PID 3544 wrote to memory of 2284 3544 winsvc.exe powershell.exe PID 3544 wrote to memory of 2284 3544 winsvc.exe powershell.exe PID 3544 wrote to memory of 2520 3544 winsvc.exe powershell.exe PID 3544 wrote to memory of 2520 3544 winsvc.exe powershell.exe PID 2520 wrote to memory of 2616 2520 powershell.exe powercfg.exe PID 2520 wrote to memory of 2616 2520 powershell.exe powercfg.exe PID 3544 wrote to memory of 3688 3544 winsvc.exe powershell.exe PID 3544 wrote to memory of 3688 3544 winsvc.exe powershell.exe PID 3688 wrote to memory of 4044 3688 powershell.exe powercfg.exe PID 3688 wrote to memory of 4044 3688 powershell.exe powercfg.exe PID 3544 wrote to memory of 1792 3544 winsvc.exe powershell.exe PID 3544 wrote to memory of 1792 3544 winsvc.exe powershell.exe PID 1792 wrote to memory of 3528 1792 powershell.exe powercfg.exe PID 1792 wrote to memory of 3528 1792 powershell.exe powercfg.exe PID 3544 wrote to memory of 1932 3544 winsvc.exe powershell.exe PID 3544 wrote to memory of 1932 3544 winsvc.exe powershell.exe PID 1932 wrote to memory of 1716 1932 powershell.exe powercfg.exe PID 1932 wrote to memory of 1716 1932 powershell.exe powercfg.exe PID 3544 wrote to memory of 2108 3544 winsvc.exe powershell.exe PID 3544 wrote to memory of 2108 3544 winsvc.exe powershell.exe PID 2108 wrote to memory of 3608 2108 powershell.exe powercfg.exe PID 2108 wrote to memory of 3608 2108 powershell.exe powercfg.exe PID 3544 wrote to memory of 4896 3544 winsvc.exe taskkill.exe PID 3544 wrote to memory of 4896 3544 winsvc.exe taskkill.exe PID 3544 wrote to memory of 3288 3544 winsvc.exe taskkill.exe PID 3544 wrote to memory of 3288 3544 winsvc.exe taskkill.exe PID 3544 wrote to memory of 2592 3544 winsvc.exe taskkill.exe PID 3544 wrote to memory of 2592 3544 winsvc.exe taskkill.exe PID 3544 wrote to memory of 864 3544 winsvc.exe taskkill.exe PID 3544 wrote to memory of 864 3544 winsvc.exe taskkill.exe PID 3544 wrote to memory of 4008 3544 winsvc.exe powershell.exe PID 3544 wrote to memory of 4008 3544 winsvc.exe powershell.exe PID 3544 wrote to memory of 4796 3544 winsvc.exe powershell.exe PID 3544 wrote to memory of 4796 3544 winsvc.exe powershell.exe PID 3544 wrote to memory of 60 3544 winsvc.exe taskkill.exe PID 3544 wrote to memory of 60 3544 winsvc.exe taskkill.exe PID 3544 wrote to memory of 4024 3544 winsvc.exe taskkill.exe PID 3544 wrote to memory of 4024 3544 winsvc.exe taskkill.exe PID 3544 wrote to memory of 2896 3544 winsvc.exe taskkill.exe PID 3544 wrote to memory of 2896 3544 winsvc.exe taskkill.exe PID 3544 wrote to memory of 3024 3544 winsvc.exe taskkill.exe PID 3544 wrote to memory of 3024 3544 winsvc.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe"C:\Users\Admin\AppData\Local\Temp\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403-0440de1e6f0af51b\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe"C:\Users\Admin\AppData\Local\Temp\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403-0440de1e6f0af51b\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\winsvc.exe"C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403-0440de1e6f0af51b\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"5⤵
- Launches sc.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/05⤵
- Launches sc.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."5⤵
- Launches sc.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" start winsvc5⤵
- Launches sc.exe
-
C:\Windows\system32\winsvc.exeC:\Windows\system32\winsvc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "winnet.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "winnet.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "wincfg.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "wincfg.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "New-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\"" "-Program" "\"C:\Windows\system32\winnet.exe\"" "-Action" "Allow" "-Direction" "Inbound" "-EdgeTraversalPolicy" "Allow" "-Enabled" "True"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINNET.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINNET.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINCFG.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINCFG.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINNET.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINCFG.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINNET.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "WINCFG.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\WINDOWS\SYSTEM32\WINNET.EXE"C:\WINDOWS\SYSTEM32\WINNET.EXE" "--datadir=C:\Windows\system32\data" "--precomputation.elgamal=false" "--persist.profiles=false" "--persist.addressbook=false" "--cpuext.aesni" "--cpuext.avx" "--ipv4" "--ipv6" "--bandwidth=X" "--share=100" "--floodfill" "--nat" "--upnp.enabled=true" "--upnp.name=Microsoft" "--insomnia" "--nettime.enabled=true" "--nettime.ntpsyncinterval=1" "--sam.enabled=true" "--sam.singlethread=false" "--http.enabled=false" "--bob.enabled=false" "--httpproxy.enabled=false" "--socksproxy.enabled=false" "--i2cp.enabled=false" "--i2pcontrol.enabled=false" "--loglevel=none" "--log=stdout"2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\WINDOWS\SYSTEM32\WINCFG.EXE"C:\WINDOWS\SYSTEM32\WINCFG.EXE"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD53ca1082427d7b2cd417d7c0b7fd95e4e
SHA1b0482ff5b58ffff4f5242d77330b064190f269d3
SHA25631f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q0ik1hi0.nrm.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403-0440de1e6f0af51b\af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403.exeFilesize
41.6MB
MD5312c3e03890f7d5242fe2158acabd4e8
SHA1d148cf18f876b55c03f2718bfff321b7d6287f87
SHA2566ac290f077cd4228dff7dc37a4c37e0a675207ad345543e8cd01008ce67ea751
SHA512da0e5c199a7ab586a17dd7b74cc4b6727ac5c9efcb3397b45f8806a6418c20bfc7515804ca10e2a9c52b207b56f3a56c86e3c3be646ffe27f988c59b0bc66971
-
C:\WINDOWS\SYSTEM32\WINCFG.EXEFilesize
34.1MB
MD5cd89e8bcf1dbd9fc74f86c82e7f86342
SHA1a3c83b002d1959507ea04c099eb64965e054819b
SHA256593600fd2242a51c5eef3f33d7c0df33e01f3b71f065faf403298898ef378a21
SHA5120f8fc35ead17930b2741771b15ec97a85b26db3e8a56e68ba67bea53e0e954af0754e79f22c31bbe8f52564759d456281d4fccb1a645d120f2dd938c88e00ab2
-
C:\Windows\System32\data\router.infoFilesize
931B
MD5dbce25fc9a9cf6bedbe006f9e6397797
SHA174dfa8c754c0fdbc8dd2ffa54f8dd01b9237df10
SHA2564bb5b19603bf0d87e4576bac38196256b12932e7aa7421df9a59c17c0fbe2696
SHA5123c6f9da510c22e1a0bec4e269936a928a562cb67a33adc24e363826269471b4c671cfb1e4415d580104e02e2c7a2334c0138cc6a9735303b37607612a2f14462
-
C:\Windows\System32\winnet.exeFilesize
9.1MB
MD52fdbf4ba6ab24cf44aa0cc08cd77ca66
SHA1df5e034ba45a932b9f5d3ed7adc4a71e0b376984
SHA256fcd362e0632b35dad13a87f09ea6da4d07fa89516f42d64236d2cc3e3b2b725b
SHA51281d73f7540ede7337922dc18fc6b110c87f621bc0349c3fa17f50d1cb924b0d9b30a4a772b2d548238b65a1be43d458f1991320e7308e608c6cf40ccc3e59a51
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5a0398b194726affa822dcc7a83ebb067
SHA1f8d69e33223c17c0041351650b306cfea9f3b3bc
SHA256096dec426ccff4f4e80d445dd387bf77602c7b00038530e4598d0282a0dbf15d
SHA512aae9a588a2625d4a3ad866acdded330c6be5311c143f9aec13f058a5ea94ec8ea300f2adb5fed6758b2ba9b7f2348f9cbb34f1573deeb7176f40924de90b2051
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5e3900dfbc47be43620bf58ed784c3ea6
SHA1b8dafa06ad5f53fb05c87e4fe5ef38a4bc866638
SHA256e7588e7d09b349cce3cd0e79b6bbef8425d95cf0be84866f06fadd94db97916a
SHA512e118071555ee2fd7021bc0a2fbde391288d67d859ebfd3193452502226634c349a4048c3f1d4b80ff97db2e49c95d2a319d204a0face547abb3eba068d05a948
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD58857491a4a65a9a1d560c4705786a312
SHA14f3caf2ad5d66a2410c9cca0381d26a46e832cb4
SHA256b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360
SHA512d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5a316ebd4efa11d6b6daf6af0cc1aebce
SHA1ab338dd719969c70590dbc039b90e2758c741762
SHA256f7308f111e3910da5c34c4d06d78d692f44419f848f5bf886fd466d5a96ad014
SHA51267a9b94b704222a1bbe02fa8780c6b9bd364c8581b693ca28c6a444fde160df216304426bacf6b01909b80540cf0add79669b7a88ca260a6fbc93c4742f36c5a
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD53b8ef11aff69e43d47f234d5ee0a72b3
SHA13869fe51c123c88c1be43b11044b580097466f26
SHA2560025a82d5c9ef9b1786333fb007e72601dfbf9340d75230f8a3e687e6a107889
SHA512b46facc11d98c50dacbbd9f36d4715402356d95eed1c073615fcd680bfb142b39830311915fba16a7d8ec0e71640c5d4e9f78930916b8f6432a0f0c203f6fc2b
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD559e431d918e26fce1795e9234fceeb38
SHA1d7b7f2d60ce076466776db933ae3d6dc01f55cfc
SHA25662296b5a36c91bbebfa5f1571e19d4a636b027723293a500f9b265a9e1d94f87
SHA5120b6bf44d1ea421fa85bfa549016fac2268537ebc2d7873afde3e63a798eefd3c4da02bbbbed55fc882c706622d9de6564b8858bf14a46b68d078529870ac0a65
-
memory/2108-278-0x00007FF7492E0000-0x00007FF749C0C000-memory.dmpFilesize
9.2MB
-
memory/3544-69-0x00007FF665560000-0x00007FF665570000-memory.dmpFilesize
64KB
-
memory/3544-68-0x00007FF665550000-0x00007FF665560000-memory.dmpFilesize
64KB
-
memory/3988-93-0x0000011563A90000-0x0000011563B45000-memory.dmpFilesize
724KB
-
memory/3988-98-0x0000011563CA0000-0x0000011563CA8000-memory.dmpFilesize
32KB
-
memory/3988-97-0x0000011563CF0000-0x0000011563D0A000-memory.dmpFilesize
104KB
-
memory/3988-96-0x0000011563C90000-0x0000011563C9A000-memory.dmpFilesize
40KB
-
memory/3988-95-0x0000011563CB0000-0x0000011563CCC000-memory.dmpFilesize
112KB
-
memory/3988-94-0x0000011563A60000-0x0000011563A6A000-memory.dmpFilesize
40KB
-
memory/3988-100-0x0000011563CE0000-0x0000011563CEA000-memory.dmpFilesize
40KB
-
memory/3988-92-0x0000011563A70000-0x0000011563A8C000-memory.dmpFilesize
112KB
-
memory/3988-99-0x0000011563CD0000-0x0000011563CD6000-memory.dmpFilesize
24KB
-
memory/4008-214-0x000001D1AB0C0000-0x000001D1AB0CE000-memory.dmpFilesize
56KB
-
memory/4008-215-0x000001D1AB120000-0x000001D1AB13A000-memory.dmpFilesize
104KB
-
memory/4540-13-0x000001EB70790000-0x000001EB707B2000-memory.dmpFilesize
136KB