Analysis
max time kernel: 150s
max time network: 152s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 24-06-2024 06:09
Static task: static1
Behavioral task: behavioral1
Sample: f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
Resource: win10v2004-20240611-en
Behavioral task: behavioral2
Sample: f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
Resource: win11-20240611-en
General
Target: f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
Size: 38.8MB
MD5: de78f05822b58389a08df867280df451
SHA1: d27954678d26afb60dd51750f69520a79bf8b997
SHA256: f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1
SHA512: 8374e56d7d3e8ced16e15cd8c34e7059feacb94964b4a50c22cbf6d3045f2c52119d0393f218d0d4b445afa6ce12f607c85b09b82859275d81ebc91880ebe5d2
SSDEEP: 786432:DCyIg99ycT/7t7OB2K4oX5Znw0e7s0sjgTTb2:DCxg99yaTt7G2K4opd3e7s0sjy
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Runs PowerShell with the display window hidden.
Processes:
pid process
5104 powershell.exe
3332 powershell.exe
1852 powershell.exe
1720 powershell.exe
4704 powershell.exe
4552 powershell.exe
400 powershell.exe
2480 powershell.exe
2684 powershell.exe
2288 powershell.exe
2812 powershell.exe
2608 powershell.exe
1580 powershell.exe
400 powershell.exe
2480 powershell.exe
Creates new service(s) 2 TTPs
-
Executes dropped EXE 5 IoCs
Processes:
pid process
1544 f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
4368 winsvc.exe
4460 winsvc.exe
576 WINCFG.EXE
2884 WINNET.EXE
Power Settings 1 TTPs 5 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
pid process
2348 powercfg.exe
4296 powercfg.exe
3840 powercfg.exe
240 powercfg.exe
2268 powercfg.exe
Drops file in System32 directory 20 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\.coB536.tmp | f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\wincfg.exe | winsvc.exe
File created | C:\Windows\system32\data\ntcp2.keys | WINNET.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\data\ssu2.keys | WINNET.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\data\router.keys | WINNET.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\data\router.info | WINNET.EXE
File opened for modification | C:\Windows\System32\.coB536.tmp | f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
File opened for modification | C:\Windows\system32\winsvc.exe | f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\winnet.exe | winsvc.exe
File opened for modification | C:\Windows\system32\data\router.info | WINNET.EXE
Launches sc.exe 4 IoCs
sc.exe is a Windows utility to control services on the system.
Processes:
pid process
448 sc.exe
4900 sc.exe
5020 sc.exe
2896 sc.exe
Embeds OpenSSL 1 IoCs
Embeds OpenSSL, which may be used to circumvent TLS interception.
Processes:
resource | yara_rule
C:\Windows\System32\winnet.exe | embeds_openssl
Kills process with taskkill 8 IoCs
Processes:
pid process
4712 taskkill.exe
1796 taskkill.exe
3512 taskkill.exe
1004 taskkill.exe
436 taskkill.exe
648 taskkill.exe
2108 taskkill.exe
4628 taskkill.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 55 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe"
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1-3d4366d74ed14ccd\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1-3d4366d74ed14ccd\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\winsvc.exe (level 3)
Command line: "C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1-3d4366d74ed14ccd\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
Command line: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe (level 5)
Command line: "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
- Launches sc.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
Command line: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe (level 5)
Command line: "C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
- Launches sc.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
Command line: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe (level 5)
Command line: "C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
- Launches sc.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
Command line: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe (level 5)
Command line: "C:\Windows\system32\sc.exe" start winsvc
- Launches sc.exe
-
C:\Windows\system32\winsvc.exe (level 1)
Command line: C:\Windows\system32\winsvc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe (level 3)
Command line: "C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe (level 3)
Command line: "C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe (level 3)
Command line: "C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe (level 3)
Command line: "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe (level 3)
Command line: "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe (level 2)
Command line: "taskkill.exe" "/F" "/IM" "winnet.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe (level 2)
Command line: "taskkill.exe" "/F" "/IM" "winnet.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe (level 2)
Command line: "taskkill.exe" "/F" "/IM" "wincfg.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe (level 2)
Command line: "taskkill.exe" "/F" "/IM" "wincfg.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: "powershell.exe" "-WindowStyle" "Hidden" "-Command" "New-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\"" "-Program" "\"C:\Windows\system32\winnet.exe\"" "-Action" "Allow" "-Direction" "Inbound" "-EdgeTraversalPolicy" "Allow" "-Enabled" "True"
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe (level 2)
Command line: "taskkill.exe" "/F" "/IM" "WINNET.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe (level 2)
Command line: "taskkill.exe" "/F" "/IM" "WINCFG.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe (level 2)
Command line: "taskkill.exe" "/F" "/IM" "WINCFG.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe (level 2)
Command line: "taskkill.exe" "/F" "/IM" "WINNET.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\WINDOWS\SYSTEM32\WINCFG.EXE (level 2)
Command line: "C:\WINDOWS\SYSTEM32\WINCFG.EXE"
- Executes dropped EXE
-
C:\WINDOWS\SYSTEM32\WINNET.EXE (level 2)
Command line: "C:\WINDOWS\SYSTEM32\WINNET.EXE" "--datadir=C:\Windows\system32\data" "--precomputation.elgamal=false" "--persist.profiles=false" "--persist.addressbook=false" "--cpuext.aesni" "--cpuext.avx" "--ipv4" "--ipv6" "--bandwidth=X" "--share=100" "--floodfill" "--nat" "--upnp.enabled=true" "--upnp.name=Microsoft" "--insomnia" "--nettime.enabled=true" "--nettime.ntpsyncinterval=1" "--sam.enabled=true" "--sam.singlethread=false" "--http.enabled=false" "--bob.enabled=false" "--httpproxy.enabled=false" "--socksproxy.enabled=false" "--i2cp.enabled=false" "--i2pcontrol.enabled=false" "--loglevel=none" "--log=stdout"
- Executes dropped EXE
- Drops file in System32 directory
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 627073ee3ca9676911bee35548eff2b8
SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 64B
MD5: 5caad758326454b5788ec35315c4c304
SHA1: 3aef8dba8042662a7fcf97e51047dc636b4d4724
SHA256: 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA512: 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 64B
MD5: 446dd1cf97eaba21cf14d03aebc79f27
SHA1: 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512: a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5f33xjp0.rlt.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1-3d4366d74ed14ccd\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
Filesize: 42.5MB
MD5: 18c3c899c9a4b44417d8153a948ae5ca
SHA1: 8560c64c60ce15cb849b031d0690793e8b8793ec
SHA256: 01e5fb6db31037b5e6f6ac1839d556c806b3fbdb31c2b4f5a7c19734e5420c70
SHA512: d058c166ca467978ce69b5a7ae16bd85c190ff9de562c020214c81e255e1ea0cecd132683d38302ac1cdb8f1399d89dd85d33fdf3b5a243812dd510fb1556cf4
-
C:\WINDOWS\SYSTEM32\WINCFG.EXE
Filesize: 34.7MB
MD5: b969b295f08994b53015e7b0807ed43f
SHA1: e67a88f291df370105130dbe28e4798a8a8906ae
SHA256: 513db022bfe45ca351ca8eb72b22389703b0d4932a64d144d00d616d89c24b83
SHA512: 3fc4577ad19deeb5a39691ff58e4190dd3b1447a308cbddb8193301605e124ed7a59c91a63007fc9a04d46da2b7bb50d992a7a5ad50d2b9723252c9f687e7a7b
-
C:\Windows\System32\data\router.info
Filesize: 931B
MD5: aeee3f9f4c2c12e2fb437033052c11a6
SHA1: c2ae6162317b8186e9d64a43a105628860899c00
SHA256: 9df2351b3616bdcb2acb4157ff096c87eb383f8cb0a38ab8f98e798032815685
SHA512: 714d85bf5f81f489248e9a7e2d866b109a5f5f0f4e9c925a2d50fc9b09162fd1c3a9253703c4d97b19bde4c00e0e0438a2367684307e00ffd5ba4f3d26e1eebe
-
C:\Windows\System32\winnet.exe
Filesize: 9.1MB
MD5: 2fdbf4ba6ab24cf44aa0cc08cd77ca66
SHA1: df5e034ba45a932b9f5d3ed7adc4a71e0b376984
SHA256: fcd362e0632b35dad13a87f09ea6da4d07fa89516f42d64236d2cc3e3b2b725b
SHA512: 81d73f7540ede7337922dc18fc6b110c87f621bc0349c3fa17f50d1cb924b0d9b30a4a772b2d548238b65a1be43d458f1991320e7308e608c6cf40ccc3e59a51
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 4KB
MD5: dbbd2d4458d7e8094846420da595dfc3
SHA1: 267cb47b904f14a519d2bd73abfdb30e1a06e1a6
SHA256: e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4
SHA512: 480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: f2dd68ab8e611f0143c6ad176f223ae9
SHA1: 30f580175773f251a9572fe757de6eaef6844abc
SHA256: f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7
SHA512: f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: dea88d224e264dee313090c0dedbbf24
SHA1: 925409182c6612dee899d394071711d8561f673c
SHA256: 0afb343316f4d06aaaf1902e5b8f96fe73799becb4d58451dd3c5cfdc5368781
SHA512: 7956beca6b65b6a2421a0a0075985e4694bb4ba1acf612095aa3849242c754b180f4442fe53e88866a52ac619e92b7e6daf5bc07de14649b631f26d6dc0d2a3f
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 64B
MD5: 58b7e19a4c91ea198969357d8d14deb8
SHA1: 174fe9fa64e451a47b5562ae3e74e9b237425d1c
SHA256: 150774e04d20d1259512136d70d543bc1f5daf6f67ad9efb9d210f4a9f77e202
SHA512: 2dddbf4e48195a2e9094bf5706f60a1553e2c312a70f24ae51d2567c80c57dbc5cf3a813e5c2000adaaaeb321f22821338894a5ddc85978feafdb49e1ca4fffe
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: 53fbb36e3de882ade26ea8b023b9a6ce
SHA1: ff48acf3b1475f0933c950856f58aebb26ca4af9
SHA256: c1ed4103218a9267eb4c0266f7a5d599950aa178523cc33357e49b727bb65130
SHA512: a2536a0500b3075e9f87ea66fee73061d6660af246637d04cfb7d80d51ddaa35692682a08663c21db9533cecc0e140a6b610d8656cc1aa02d3969b5d2a83f2c9
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: 3398bf1168a9f89d5b7512bb3ae38c3a
SHA1: 990bac740c4e9e69fcb57421aee5c17e719c0dbb
SHA256: 8f280b231e77e4aa53a85917f0604e4e31b0e8fe362d36e40c2396d5a7654e84
SHA512: 325a2294cdf61f988274f27587180a5433719647d2bd03c2b5c36d6be629cac338c0f2c0d9347b22aa70c10db13686f35e81d63c20eaae5df4cca710f123e700
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: 8b658f6a218b204d6021ca308313c203
SHA1: 6559cb3390f7c6a9179cd75fd255147096d519df
SHA256: 285640f02e3c7b880dd412f08a8893505e05dc5e289f31f1e54723d649b4b63e
SHA512: 1817852faef10427d16af1409f9faad4b397bbaad1019bae941ce6a64f1f83c9146af95af05c931047709f03cf556e1859acee9663ba84630736491629ca7410
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 1a2b75442e69ad677ca3192e41ffe669
SHA1: 896b3ddf45a57d2300db389ad039fe882bfc7636
SHA256: 4243ec9e4321cd754503d9fdf24fc9ea91c03e714682ae5f4407a1174dacf2e2
SHA512: 03fafb009b3539cd4a0077518b743b3261cc585d78a7011bf777e6e04fc5ec5f5be32a024d11e849e0f75a05680edf95e27fc47d1f4d434318c5ba84ce7aae19
-
memory/400-92-0x0000019A42EF0000-0x0000019A42EF8000-memory.dmp
Filesize: 32KB
-
memory/400-87-0x0000019A42BD0000-0x0000019A42C83000-memory.dmp
Filesize: 716KB
-
memory/400-93-0x0000019A42F20000-0x0000019A42F26000-memory.dmp
Filesize: 24KB
-
memory/400-91-0x0000019A42F40000-0x0000019A42F5A000-memory.dmp
Filesize: 104KB
-
memory/400-90-0x0000019A42EE0000-0x0000019A42EEA000-memory.dmp
Filesize: 40KB
-
memory/400-89-0x0000019A42F00000-0x0000019A42F1C000-memory.dmp
Filesize: 112KB
-
memory/400-88-0x0000019A42990000-0x0000019A4299A000-memory.dmp
Filesize: 40KB
-
memory/400-94-0x0000019A42F30000-0x0000019A42F3A000-memory.dmp
Filesize: 40KB
-
memory/400-86-0x0000019A42BB0000-0x0000019A42BCC000-memory.dmp
Filesize: 112KB
-
memory/2684-200-0x000001B26B920000-0x000001B26B92E000-memory.dmp
Filesize: 56KB
-
memory/2684-201-0x000001B26B980000-0x000001B26B99A000-memory.dmp
Filesize: 104KB
-
memory/2684-199-0x000001B26B600000-0x000001B26B6B3000-memory.dmp
Filesize: 716KB
-
memory/4460-65-0x00007FF7DA0D0000-0x00007FF7DA0E0000-memory.dmp
Filesize: 64KB
-
memory/4460-64-0x00007FF7DA0C0000-0x00007FF7DA0D0000-memory.dmp
Filesize: 64KB
-
memory/4704-17-0x0000027525490000-0x00000275254B2000-memory.dmp
Filesize: 136KB
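The dropped-file list above gives the on-disk indicators for this sample: winnet.exe and WINCFG.EXE written directly into System32, plus a data\router.info beside them. The PowerShell profile and CLR usage-log files under C:\Windows\system32\config\systemprofile show that PowerShell also ran as LocalSystem, consistent with the new service noted in the signatures. The script below is an added host sweep, not part of the report, that checks the three System32 artifacts against the SHA256 values listed above. It assumes read access to System32; router.info is the router's own published identity and differs per host, so for that file presence is the signal rather than a hash match.

```powershell
# Added IOC sweep (not from the report): paths and SHA256 values are copied
# from the Downloads list above. Assumes read access to System32.
$script:DroppedArtifacts = @{
    'C:\Windows\System32\winnet.exe'       = 'fcd362e0632b35dad13a87f09ea6da4d07fa89516f42d64236d2cc3e3b2b725b'
    'C:\Windows\System32\WINCFG.EXE'       = '513db022bfe45ca351ca8eb72b22389703b0d4932a64d144d00d616d89c24b83'
    # router.info is generated per router; its hash will not match across hosts.
    'C:\Windows\System32\data\router.info' = '9df2351b3616bdcb2acb4157ff096c87eb383f8cb0a38ab8f98e798032815685'
}

function Test-DroppedArtifacts {
    foreach ($path in $script:DroppedArtifacts.Keys) {
        $present = Test-Path -LiteralPath $path
        $hash = if ($present) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower() } else { '' }
        $verdict = if (-not $present) {
            'absent'
        } elseif ($hash -eq $script:DroppedArtifacts[$path]) {
            'present, hash matches report'
        } elseif ($path -like '*\data\router.info') {
            'present (per-host file, hash mismatch expected)'
        } else {
            "present, different build ($hash)"
        }
        [pscustomobject]@{
            Path     = $path
            Present  = $present
            SHA256   = $hash
            Verdict  = $verdict
            # Microsoft does not ship unsigned binaries into System32; an invalid
            # or missing signature here is itself worth reporting.
            Signed   = if ($present) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { '' }
        }
    }
}

Test-DroppedArtifacts | Format-Table -AutoSize
```

A "different build" verdict on winnet.exe or WINCFG.EXE is still a finding: the names, location and the taskkill-then-relaunch pattern in the process tree do not depend on the exact bytes, so treat the paths as the durable indicator and the hashes as confirmation.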