f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1

Analysis

max time kernel
162s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
Size

38.8MB
MD5

de78f05822b58389a08df867280df451
SHA1

d27954678d26afb60dd51750f69520a79bf8b997
SHA256

f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1
SHA512

8374e56d7d3e8ced16e15cd8c34e7059feacb94964b4a50c22cbf6d3045f2c52119d0393f218d0d4b445afa6ce12f607c85b09b82859275d81ebc91880ebe5d2
SSDEEP

786432:DCyIg99ycT/7t7OB2K4oX5Znw0e7s0sjgTTb2:DCxg99yaTt7G2K4opd3e7s0sjy

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2264	powershell.exe
3264	powershell.exe
540	powershell.exe
2544	powershell.exe
2440	powershell.exe
3196	powershell.exe
4716	powershell.exe
4668	powershell.exe
1752	powershell.exe
840	powershell.exe
4276	powershell.exe
3812	powershell.exe
1364	powershell.exe
4668	powershell.exe
2264	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Executes dropped EXE 3 IoCs

Processes:

f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exewinsvc.exewinsvc.exe

pid process

4676 f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
796 winsvc.exe
4336 winsvc.exe
Power Settings 1 TTPs 5 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

532 powercfg.exe
4060 powercfg.exe
3308 powercfg.exe
4232 powercfg.exe
3876 powercfg.exe

pid	process
4676	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
796	winsvc.exe
4336	winsvc.exe

pid	process
532	powercfg.exe
4060	powercfg.exe
3308	powercfg.exe
4232	powercfg.exe
3876	powercfg.exe

Drops file in System32 directory 17 IoCs

Processes:

powershell.exewinsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exef589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\wincfg.exe	winsvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\winsvc.exe	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\winnet.exe	winsvc.exe
File opened for modification	C:\Windows\System32\.co824A.tmp	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\.co824A.tmp	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3876 sc.exe
4448 sc.exe
2880 sc.exe
3396 sc.exe
Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1380 taskkill.exe
3504 taskkill.exe
3660 taskkill.exe
1464 taskkill.exe
3084 taskkill.exe
3008 taskkill.exe
2432 taskkill.exe
1440 taskkill.exe

pid	process
3876	sc.exe
4448	sc.exe
2880	sc.exe
3396	sc.exe

pid	process
1380	taskkill.exe
3504	taskkill.exe
3660	taskkill.exe
1464	taskkill.exe
3084	taskkill.exe
3008	taskkill.exe
2432	taskkill.exe
1440	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinsvc.exe

pid	process
3196	powershell.exe
3196	powershell.exe
3196	powershell.exe
4716	powershell.exe
4716	powershell.exe
4716	powershell.exe
840	powershell.exe
840	powershell.exe
840	powershell.exe
4276	powershell.exe
4276	powershell.exe
4276	powershell.exe
4668	powershell.exe
4668	powershell.exe
4668	powershell.exe
2264	powershell.exe
2264	powershell.exe
2264	powershell.exe
3264	powershell.exe
3264	powershell.exe
540	powershell.exe
540	powershell.exe
1752	powershell.exe
1752	powershell.exe
2440	powershell.exe
2440	powershell.exe
2544	powershell.exe
2544	powershell.exe
3812	powershell.exe
3812	powershell.exe
1364	powershell.exe
1364	powershell.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe
4336	winsvc.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowercfg.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeShutdownPrivilege	532	powercfg.exe
Token: SeCreatePagefilePrivilege	532	powercfg.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeShutdownPrivilege	4060	powercfg.exe
Token: SeCreatePagefilePrivilege	4060	powercfg.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeShutdownPrivilege	3308	powercfg.exe
Token: SeCreatePagefilePrivilege	3308	powercfg.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeShutdownPrivilege	4232	powercfg.exe
Token: SeCreatePagefilePrivilege	4232	powercfg.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeShutdownPrivilege	3876	powercfg.exe
Token: SeCreatePagefilePrivilege	3876	powercfg.exe
Token: SeDebugPrivilege	3084	taskkill.exe
Token: SeDebugPrivilege	3008	taskkill.exe
Token: SeDebugPrivilege	2432	taskkill.exe
Token: SeDebugPrivilege	1440	taskkill.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	3812	powershell.exe
Token: SeIncreaseQuotaPrivilege	3812	powershell.exe
Token: SeSecurityPrivilege	3812	powershell.exe
Token: SeTakeOwnershipPrivilege	3812	powershell.exe
Token: SeLoadDriverPrivilege	3812	powershell.exe
Token: SeSystemtimePrivilege	3812	powershell.exe
Token: SeBackupPrivilege	3812	powershell.exe
Token: SeRestorePrivilege	3812	powershell.exe
Token: SeShutdownPrivilege	3812	powershell.exe
Token: SeSystemEnvironmentPrivilege	3812	powershell.exe
Token: SeUndockPrivilege	3812	powershell.exe
Token: SeManageVolumePrivilege	3812	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1364	powershell.exe
Token: SeIncreaseQuotaPrivilege	1364	powershell.exe
Token: SeSecurityPrivilege	1364	powershell.exe
Token: SeTakeOwnershipPrivilege	1364	powershell.exe
Token: SeLoadDriverPrivilege	1364	powershell.exe
Token: SeSystemtimePrivilege	1364	powershell.exe
Token: SeBackupPrivilege	1364	powershell.exe
Token: SeRestorePrivilege	1364	powershell.exe
Token: SeShutdownPrivilege	1364	powershell.exe
Token: SeSystemEnvironmentPrivilege	1364	powershell.exe
Token: SeUndockPrivilege	1364	powershell.exe
Token: SeManageVolumePrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1380	taskkill.exe
Token: SeDebugPrivilege	3504	taskkill.exe
Token: SeDebugPrivilege	3660	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exef589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exewinsvc.exepowershell.exepowershell.exepowershell.exepowershell.exewinsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2220 wrote to memory of 4676	2220	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
PID 2220 wrote to memory of 4676	2220	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
PID 4676 wrote to memory of 796	4676	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe	winsvc.exe
PID 4676 wrote to memory of 796	4676	f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe	winsvc.exe
PID 796 wrote to memory of 3196	796	winsvc.exe	powershell.exe
PID 796 wrote to memory of 3196	796	winsvc.exe	powershell.exe
PID 3196 wrote to memory of 3876	3196	powershell.exe	sc.exe
PID 3196 wrote to memory of 3876	3196	powershell.exe	sc.exe
PID 796 wrote to memory of 4716	796	winsvc.exe	powershell.exe
PID 796 wrote to memory of 4716	796	winsvc.exe	powershell.exe
PID 4716 wrote to memory of 4448	4716	powershell.exe	sc.exe
PID 4716 wrote to memory of 4448	4716	powershell.exe	sc.exe
PID 796 wrote to memory of 840	796	winsvc.exe	powershell.exe
PID 796 wrote to memory of 840	796	winsvc.exe	powershell.exe
PID 840 wrote to memory of 2880	840	powershell.exe	sc.exe
PID 840 wrote to memory of 2880	840	powershell.exe	sc.exe
PID 796 wrote to memory of 4276	796	winsvc.exe	powershell.exe
PID 796 wrote to memory of 4276	796	winsvc.exe	powershell.exe
PID 4276 wrote to memory of 3396	4276	powershell.exe	sc.exe
PID 4276 wrote to memory of 3396	4276	powershell.exe	sc.exe
PID 4336 wrote to memory of 4668	4336	winsvc.exe	powershell.exe
PID 4336 wrote to memory of 4668	4336	winsvc.exe	powershell.exe
PID 4336 wrote to memory of 2264	4336	winsvc.exe	powershell.exe
PID 4336 wrote to memory of 2264	4336	winsvc.exe	powershell.exe
PID 4336 wrote to memory of 3264	4336	winsvc.exe	powershell.exe
PID 4336 wrote to memory of 3264	4336	winsvc.exe	powershell.exe
PID 3264 wrote to memory of 532	3264	powershell.exe	powercfg.exe
PID 3264 wrote to memory of 532	3264	powershell.exe	powercfg.exe
PID 4336 wrote to memory of 540	4336	winsvc.exe	powershell.exe
PID 4336 wrote to memory of 540	4336	winsvc.exe	powershell.exe
PID 540 wrote to memory of 4060	540	powershell.exe	powercfg.exe
PID 540 wrote to memory of 4060	540	powershell.exe	powercfg.exe
PID 4336 wrote to memory of 1752	4336	winsvc.exe	powershell.exe
PID 4336 wrote to memory of 1752	4336	winsvc.exe	powershell.exe
PID 1752 wrote to memory of 3308	1752	powershell.exe	powercfg.exe
PID 1752 wrote to memory of 3308	1752	powershell.exe	powercfg.exe
PID 4336 wrote to memory of 2440	4336	winsvc.exe	powershell.exe
PID 4336 wrote to memory of 2440	4336	winsvc.exe	powershell.exe
PID 2440 wrote to memory of 4232	2440	powershell.exe	powercfg.exe
PID 2440 wrote to memory of 4232	2440	powershell.exe	powercfg.exe
PID 4336 wrote to memory of 2544	4336	winsvc.exe	powershell.exe
PID 4336 wrote to memory of 2544	4336	winsvc.exe	powershell.exe
PID 2544 wrote to memory of 3876	2544	powershell.exe	powercfg.exe
PID 2544 wrote to memory of 3876	2544	powershell.exe	powercfg.exe
PID 4336 wrote to memory of 3084	4336	winsvc.exe	taskkill.exe
PID 4336 wrote to memory of 3084	4336	winsvc.exe	taskkill.exe
PID 4336 wrote to memory of 3008	4336	winsvc.exe	taskkill.exe
PID 4336 wrote to memory of 3008	4336	winsvc.exe	taskkill.exe
PID 4336 wrote to memory of 2432	4336	winsvc.exe	taskkill.exe
PID 4336 wrote to memory of 2432	4336	winsvc.exe	taskkill.exe
PID 4336 wrote to memory of 1440	4336	winsvc.exe	taskkill.exe
PID 4336 wrote to memory of 1440	4336	winsvc.exe	taskkill.exe
PID 4336 wrote to memory of 3812	4336	winsvc.exe	powershell.exe
PID 4336 wrote to memory of 3812	4336	winsvc.exe	powershell.exe
PID 4336 wrote to memory of 1364	4336	winsvc.exe	powershell.exe
PID 4336 wrote to memory of 1364	4336	winsvc.exe	powershell.exe
PID 4336 wrote to memory of 1380	4336	winsvc.exe	taskkill.exe
PID 4336 wrote to memory of 1380	4336	winsvc.exe	taskkill.exe
PID 4336 wrote to memory of 3504	4336	winsvc.exe	taskkill.exe
PID 4336 wrote to memory of 3504	4336	winsvc.exe	taskkill.exe
PID 4336 wrote to memory of 3660	4336	winsvc.exe	taskkill.exe
PID 4336 wrote to memory of 3660	4336	winsvc.exe	taskkill.exe
PID 4336 wrote to memory of 1464	4336	winsvc.exe	taskkill.exe
PID 4336 wrote to memory of 1464	4336	winsvc.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
"C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1-bd6f5f0a0b41ae38\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
"C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1-bd6f5f0a0b41ae38\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\system32\winsvc.exe
"C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1-bd6f5f0a0b41ae38\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
5⤵
- Launches sc.exe
PID:3876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
5⤵
- Launches sc.exe
PID:4448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
5⤵
- Launches sc.exe
PID:2880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" start winsvc
5⤵
- Launches sc.exe
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:3600

C:\Windows\system32\winsvc.exe
C:\Windows\system32\winsvc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "winnet.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "winnet.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "wincfg.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "wincfg.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" "-WindowStyle" "Hidden" "-Command" "New-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\"" "-Program" "\"C:\Windows\system32\winnet.exe\"" "-Action" "Allow" "-Direction" "Inbound" "-EdgeTraversalPolicy" "Allow" "-Enabled" "True"
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINNET.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINNET.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINCFG.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\system32\taskkill.exe
"taskkill.exe" "/F" "/IM" "WINCFG.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mf33p315.cfw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1-bd6f5f0a0b41ae38\f589fcc7eadd141cd236de03b7fd786668017655a0adeb057cd343f95117a6f1.exe
Filesize
42.5MB

MD5
18c3c899c9a4b44417d8153a948ae5ca

SHA1
8560c64c60ce15cb849b031d0690793e8b8793ec

SHA256
01e5fb6db31037b5e6f6ac1839d556c806b3fbdb31c2b4f5a7c19734e5420c70

SHA512
d058c166ca467978ce69b5a7ae16bd85c190ff9de562c020214c81e255e1ea0cecd132683d38302ac1cdb8f1399d89dd85d33fdf3b5a243812dd510fb1556cf4

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
fbf83ce5db4e8ec31051a66a5f004b31

SHA1
c1bcc0d34830889f2d55588b0b5bb0bcf2cf4bf0

SHA256
ea5e76b2ac2ed8a72ab23a8af39714921af941047eb807a223b123824859d39d

SHA512
92c287d4497dae16c83e52ddcef17f55ef98fc5d75497a0acf463ba046371a79f7d8959eddb716fdd5a3c4f61d4b685f27af57135c2d231310d4808311229595

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
61db0f0403342aa37e4ffde6ff9c1972

SHA1
86776748a4569b0f6e4a26efa320e0934f5c5a70

SHA256
c793173cb8b8d0509f1065a918bc0292c85ef9252f663dad2afd70bd2d23b0af

SHA512
3efb0607f24d09fb4bfa48ac2aa4aced0f252c071cd38aa7bc5dcb8b4d59a3d47e784aa0394ee2356edf1a94e83ce9f9c5d4b21328ff0769deab908ef028852b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
eb9cfc947f868f0045300bb60d2bf6c5

SHA1
f4ee4c4860d95c2adf714026b02cb795b3ac0fcb

SHA256
2e74a46f49ecbb58b104e4a0e146b3cefb4610f027f72cff456c35581d612fdb

SHA512
1b89a49ecd0f63e572d5e8ec37e5e808d93566670fec3b3df4868b610f21d5c452608adc30b87f050b9ddb3739eecb85d17bf6e8800004146ccefb663b058c83

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
8857491a4a65a9a1d560c4705786a312

SHA1
4f3caf2ad5d66a2410c9cca0381d26a46e832cb4

SHA256
b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360

SHA512
d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a316ebd4efa11d6b6daf6af0cc1aebce

SHA1
ab338dd719969c70590dbc039b90e2758c741762

SHA256
f7308f111e3910da5c34c4d06d78d692f44419f848f5bf886fd466d5a96ad014

SHA512
67a9b94b704222a1bbe02fa8780c6b9bd364c8581b693ca28c6a444fde160df216304426bacf6b01909b80540cf0add79669b7a88ca260a6fbc93c4742f36c5a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62a943f295e3015080318dd3afd77632

SHA1
be9ad2b2cce5a6ca331662a8cec3ba343f427ccd

SHA256
a5faa541247293725b525b5d864d833df981a1f4195f260b1961dd976f4f5253

SHA512
33849e83c7015d8ad4946d95bf9570ce3c5d44158bf3bf137cf575aabb3d46f03579e8c648a36f7e91b34e2cbcf3e8fe7595993d0f51f491c2ca5d1f50f1c883

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
b98cf4ca327d4a7848b0799f796835ef

SHA1
f080fc252eea740cb720c769452fe099fc2480a6

SHA256
439a8a1aa5c09ab478a25226f008670a71b1d2215a8ba71317df380f56b72a3c

SHA512
44c76b5cf2116e7dcfb8adc0b2ef83c4cd5609a2cd9412717f6ba9d9585c6e33c18b64ba9e9efe085eaa8067805b5c48d9fd94651e06efa5e0be4d62f262fc63

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4df95eec22d749bad5494251daece1ec

SHA1
8ea58127e5c2f6e474c4b19ee128d1781044aa0b

SHA256
550159a76a76a7134a28cf53a6ea6ebc2995d1c3d23d87f0dd89b520935f1ac3

SHA512
c70a53e7eed3f48955dd96169f47284ad33174648106346842783735fb3a83301e56d3e841d50b8f19fc71fd9e42acf271b782db951d3cc8fe6b2ebafaa336e1

Download Submit
memory/3196-22-0x0000013FBC120000-0x0000013FBC142000-memory.dmp

Filesize
136KB

Download
memory/3812-199-0x000002A4E6280000-0x000002A4E628E000-memory.dmp

Filesize
56KB

Download
memory/3812-200-0x000002A4E65F0000-0x000002A4E660A000-memory.dmp

Filesize
104KB

Download
memory/4336-69-0x00007FF640520000-0x00007FF640530000-memory.dmp

Filesize
64KB

Download
memory/4336-68-0x00007FF640510000-0x00007FF640520000-memory.dmp

Filesize
64KB

Download
memory/4668-101-0x000001E3ACCE0000-0x000001E3ACCEA000-memory.dmp

Filesize
40KB

Download
memory/4668-100-0x000001E3ACCD0000-0x000001E3ACCD6000-memory.dmp

Filesize
24KB

Download
memory/4668-99-0x000001E3ACCA0000-0x000001E3ACCA8000-memory.dmp

Filesize
32KB

Download
memory/4668-98-0x000001E3ACCF0000-0x000001E3ACD0A000-memory.dmp

Filesize
104KB

Download
memory/4668-97-0x000001E3ACC90000-0x000001E3ACC9A000-memory.dmp

Filesize
40KB

Download
memory/4668-95-0x000001E3ACCB0000-0x000001E3ACCCC000-memory.dmp

Filesize
112KB

Download
memory/4668-94-0x000001E3ACB40000-0x000001E3ACB4A000-memory.dmp

Filesize
40KB

Download
memory/4668-93-0x000001E3ACA80000-0x000001E3ACB35000-memory.dmp

Filesize
724KB

Download
memory/4668-92-0x000001E3ACA60000-0x000001E3ACA7C000-memory.dmp

Filesize
112KB

Download