Analysis
-
max time kernel
299s -
max time network
303s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system -
submitted
27-06-2024 23:11
Static task
static1
General
-
Target
a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
-
Size
1.8MB
-
MD5
b60d82b8244e964110f66e7ad34dc37b
-
SHA1
413eb99c2ab5ea8f43d651b0100e76fc53aeba70
-
SHA256
a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c
-
SHA512
0641d19e3f3b71f0a8def8eeb19ac9364abc9f9f12762272a41331f3ee7e2a2ef5f96ca7ccbe879c21c3abefb8eafac2a46ac4901c0791be9b391dde754f5bb4
-
SSDEEP
49152:+cGpBBa72Cb7j7sMC8uB5cOtr9OwGlFN:61ab33y5c0r9OvL
Malware Config
Extracted
amadey
8254624243
e76b71
http://77.91.77.81
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
Extracted
redline
123
185.215.113.67:40960
Extracted
stealc
jopa
http://65.21.175.0
-
url_path
/108e010e8f91c38c.php
Extracted
lumma
https://harmfullyelobardek.shop/api
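The four extracted configs above are the report's concrete network indicators: an Amadey C2 with its panel path, a RedLine host:port, a Stealc gate and a Lumma API endpoint. The Python below is an added example, not part of the report or of any sandbox tooling: it flattens those configs into host, host+path and host:port lookup tables and runs proxy, DNS and flow log lines through them. The IOC values are the ones listed above; the log lines, the key=value log format and the "same IP, different port" heuristic are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# C2 values copied from the "Malware Config" section of the report.
CONFIG_IOCS = {
    "amadey":  {"c2": "http://77.91.77.81", "url_paths": ["/Kiru9gu/index.php"]},
    "redline": {"c2": "185.215.113.67:40960"},
    "stealc":  {"c2": "http://65.21.175.0", "url_paths": ["/108e010e8f91c38c.php"]},
    "lumma":   {"c2": "https://harmfullyelobardek.shop/api"},
}

def build_ioc_index(configs):
    """Flatten the per-family configs into three lookup tables:
    host -> family, (host, path) -> family, (host, port) -> family."""
    hosts, paths, sockets = {}, {}, {}
    for family, cfg in configs.items():
        c2 = cfg["c2"]
        if "://" in c2:                       # URL-style C2 (Amadey, Stealc, Lumma)
            u = urlsplit(c2)
            hosts[u.hostname] = family
            if u.path and u.path != "/":
                paths[(u.hostname, u.path)] = family
            for p in cfg.get("url_paths", []):
                paths[(u.hostname, p)] = family
        else:                                 # host:port C2 (RedLine)
            host, port = c2.rsplit(":", 1)
            hosts[host] = family
            sockets[(host, int(port))] = family
    return hosts, paths, sockets

# key=value log format assumed for the example; quoted values may contain spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line):
    return {k: v.strip('"') for k, v in KV.findall(line)}

def match_line(line, index):
    """Return (family, kind, value) hits for one proxy / DNS / flow log line."""
    hosts, paths, sockets = index
    ev = parse_kv(line)
    hits = []
    if "url" in ev:
        u = urlsplit(ev["url"])
        fam = paths.get((u.hostname, u.path))
        if fam:
            hits.append((fam, "c2 url path", ev["url"]))
        elif u.hostname in hosts:
            hits.append((hosts[u.hostname], "c2 host", u.hostname))
    if "qname" in ev:
        name = ev["qname"].rstrip(".").lower()
        if name in hosts:
            hits.append((hosts[name], "c2 dns lookup", name))
    if "dst" in ev and "dport" in ev:
        key = (ev["dst"], int(ev["dport"]))
        if key in sockets:
            hits.append((sockets[key], "c2 socket", f"{key[0]}:{key[1]}"))
        elif ev["dst"] in hosts:
            # Known C2 address on another port: the IP is the stronger indicator.
            hits.append((hosts[ev["dst"]], "c2 host (port not in config)", f"{key[0]}:{key[1]}"))
    return hits

# Constructed log lines for the example (not traffic captured in the report).
SAMPLE_LOGS = [
    'ts=2024-06-27T23:12:04Z type=proxy src=10.0.0.5 method=POST url="http://77.91.77.81/Kiru9gu/index.php" status=200',
    'ts=2024-06-27T23:12:09Z type=dns src=10.0.0.5 qname=harmfullyelobardek.shop. qtype=A',
    'ts=2024-06-27T23:12:11Z type=flow src=10.0.0.5 dst=185.215.113.67 dport=40960 proto=tcp',
    'ts=2024-06-27T23:12:15Z type=proxy src=10.0.0.5 method=POST url="http://65.21.175.0/108e010e8f91c38c.php" status=200',
    'ts=2024-06-27T23:12:20Z type=proxy src=10.0.0.7 method=GET url="https://www.example.com/index.php" status=200',
    'ts=2024-06-27T23:12:31Z type=flow src=10.0.0.7 dst=185.215.113.67 dport=443 proto=tcp',
]

def scan(lines, configs=CONFIG_IOCS):
    """Run every line through the index; returns [(line_no, (family, kind, value)), ...]."""
    index = build_ioc_index(configs)
    return [(n, hit) for n, line in enumerate(lines) for hit in match_line(line, index)]

if __name__ == "__main__":
    for n, (family, kind, value) in scan(SAMPLE_LOGS):
        print(f"line {n}: {family:8s} {kind:30s} {value}")
```

Matching on host plus path, rather than on the bare IP, is what separates the Amadey and Stealc gates from unrelated traffic to the same hosting provider; the weaker "host only" hits are kept but labelled so they can be triaged separately.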
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe | family_redline
behavioral2/memory/4724-79-0x0000000000460000-0x00000000004B0000-memory.dmp | family_redline
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid | process
196 | powershell.exe
1424 | powershell.exe
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
-
Executes dropped EXE 18 IoCs
Processes:
pid | process
1736 | axplong.exe
1320 | axplong.exe
4004 | crypted.exe
3332 | NewLatest.exe
2200 | Hkbsse.exe
4724 | 123.exe
528 | axplong.exe
4592 | Hkbsse.exe
1908 | 1.exe
2400 | axplong.exe
368 | Hkbsse.exe
1896 | TpWWMUpe0LEV.exe
5084 | Hkbsse.exe
796 | axplong.exe
3284 | FirstZ.exe
1492 | Hkbsse.exe
3848 | axplong.exe
3804 | reakuqnanrkn.exe
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | axplong.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4168-432-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4168-434-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4168-435-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4168-433-0x0000000140000000-0x0000000140848000-memory.dmp | upx
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
Processes:
flow | ioc
109 | bitbucket.org
112 | pastebin.com
113 | pastebin.com
31 | bitbucket.org
32 | bitbucket.org
92 | bitbucket.org
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
pid | process
4636 | powercfg.exe
4164 | powercfg.exe
4960 | powercfg.exe
4284 | powercfg.exe
3192 | powercfg.exe
4372 | powercfg.exe
668 | powercfg.exe
4476 | powercfg.exe
-
Drops file in System32 directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\MRT.exe | reakuqnanrkn.exe
File opened for modification | C:\Windows\system32\MRT.exe | FirstZ.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
pid | process
4892 | a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
1736 | axplong.exe
1320 | axplong.exe
528 | axplong.exe
2400 | axplong.exe
796 | axplong.exe
3848 | axplong.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 4004 set thread context of 716 | 4004 | crypted.exe | RegAsm.exe
PID 3804 set thread context of 3636 | 3804 | reakuqnanrkn.exe | conhost.exe
PID 3804 set thread context of 4168 | 3804 | reakuqnanrkn.exe | explorer.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\axplong.job | a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
File created | C:\Windows\Tasks\Hkbsse.job | NewLatest.exe
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
2948 | sc.exe
2228 | sc.exe
1384 | sc.exe
2164 | sc.exe
1688 | sc.exe
1864 | sc.exe
3012 | sc.exe
1624 | sc.exe
4472 | sc.exe
4476 | sc.exe
4656 | sc.exe
2156 | sc.exe
4640 | sc.exe
2480 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
Processes:
pid | pid_target | process | target process
688 | 4004 | WerFault.exe | crypted.exe
1704 | 1908 | WerFault.exe | 1.exe
612 | 4384 | WerFault.exe | aspnet_regiis.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | aspnet_regiis.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | aspnet_regiis.exe
-
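The VirtualBox ACPI, BIOS, Wine, SCSI and processor signatures above are the registry reads the sample uses to decide whether it is running in a sandbox. The Python below is an added example, not code from the report or from the sample: it evaluates the same artifacts from the point of view of a sandbox operator checking whether their analysis VM would be spotted. classify_artifacts() is a pure function over already-collected values and runs anywhere; collect_from_registry() reads the same keys through winreg on a live Windows host and is only called when winreg is available. The two sample dictionaries are constructed, and the VM_MARKERS substring list is an assumption for the example rather than something the report states.

```python
# Registry locations the report shows the sample reading (HKLM unless noted).
VBOX_ACPI_KEY = r"HARDWARE\ACPI\DSDT\VBOX__"
BIOS_KEY, BIOS_VALUES = r"HARDWARE\DESCRIPTION\System", ("SystemBiosVersion", "VideoBiosVersion")
CPU_KEY, CPU_VALUE = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0", "ProcessorNameString"
WINE_KEY = r"Software\Wine"                      # read under HKCU
SCSI_ENUM_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Substrings that give a hypervisor away in BIOS, CPU or device strings.
# Assumption for the example, not a list taken from the report.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "HYPER-V", "VIRTUAL")

def _leaks(text):
    return any(m in text.upper() for m in VM_MARKERS)

def classify_artifacts(art):
    """art: {"vbox_acpi_key": bool, "bios": [str], "cpu": str, "wine_key": bool, "scsi": [str]}.
    Returns the findings the sample's checks would trip on; an empty list means none."""
    findings = []
    if art.get("vbox_acpi_key"):
        findings.append(f"HKLM\\{VBOX_ACPI_KEY} exists (VirtualBox ACPI table)")
    for s in art.get("bios", []):
        if _leaks(s):
            findings.append(f"BIOS string leaks hypervisor: {s!r}")
    if _leaks(art.get("cpu", "")):
        findings.append(f"{CPU_VALUE} leaks hypervisor: {art['cpu']!r}")
    if art.get("wine_key"):
        findings.append(f"HKCU\\{WINE_KEY} exists (Wine)")
    for dev in art.get("scsi", []):
        if _leaks(dev):
            findings.append(f"SCSI device id leaks hypervisor: {dev!r}")
    return findings

def collect_from_registry():
    """Read the same locations on a live Windows host (winreg is Windows-only)."""
    import winreg
    art = {"vbox_acpi_key": False, "bios": [], "cpu": "", "wine_key": False, "scsi": []}

    def key_exists(hive, path):
        try:
            winreg.CloseKey(winreg.OpenKey(hive, path))
            return True
        except OSError:
            return False

    art["vbox_acpi_key"] = key_exists(winreg.HKEY_LOCAL_MACHINE, VBOX_ACPI_KEY)
    art["wine_key"] = key_exists(winreg.HKEY_CURRENT_USER, WINE_KEY)
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BIOS_KEY) as k:
            for name in BIOS_VALUES:
                value, _ = winreg.QueryValueEx(k, name)   # REG_MULTI_SZ comes back as a list
                art["bios"].extend(value if isinstance(value, list) else [str(value)])
    except OSError:
        pass
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CPU_KEY) as k:
            art["cpu"] = str(winreg.QueryValueEx(k, CPU_VALUE)[0])
    except OSError:
        pass
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ENUM_KEY) as k:
            i = 0
            while True:
                art["scsi"].append(winreg.EnumKey(k, i))
                i += 1
    except OSError:
        pass                                     # EnumKey raises when the subkeys run out
    return art

# Constructed inputs: a stock VirtualBox guest and a guest with the strings replaced.
SAMPLE_VBOX = {
    "vbox_acpi_key": True,
    "bios": ["VBOX   - 1", "VirtualBox"],
    "cpu": "Intel(R) Core(TM) i7 CPU",
    "wine_key": False,
    "scsi": ["Disk&Ven_VBOX&Prod_HARDDISK"],
}
SAMPLE_HARDENED = {
    "vbox_acpi_key": False,
    "bios": ["DELL   - 1072009", "Hardware Version 1.0"],
    "cpu": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz",
    "wine_key": False,
    "scsi": ["Disk&Ven_SAMSUNG&Prod_SSD"],
}

if __name__ == "__main__":
    try:
        art = collect_from_registry()
    except ImportError:
        art = SAMPLE_VBOX
    for f in classify_artifacts(art) or ["no sandbox artifacts found"]:
        print(f)
```

Reading these keys from a standard user context mirrors what the sample does, so a clean result here means at least the checks listed in this report would not fire; it says nothing about timing, CPUID or other detection techniques the report does not show.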
Modifies data under HKEY_USERS 51 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | explorer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | explorer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | explorer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | explorer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | occurrences
4892 | a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe | 2
1736 | axplong.exe | 2
1320 | axplong.exe | 2
528 | axplong.exe | 2
2400 | axplong.exe | 2
796 | axplong.exe | 2
4384 | aspnet_regiis.exe | 2
3848 | axplong.exe | 2
3284 | FirstZ.exe | 1
1424 | powershell.exe | 3
3284 | FirstZ.exe | 14
3804 | reakuqnanrkn.exe | 1
196 | powershell.exe | 3
3804 | reakuqnanrkn.exe | 12
4168 | explorer.exe | 14
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
Processes:
pid | process | Token: privileges enabled
1424 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
4960 | powercfg.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
4636 | powercfg.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
4284 | powercfg.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
4164 | powercfg.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
196 | powershell.exe | SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
3192 | powercfg.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
668 | powercfg.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
4372 | powercfg.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
4476 | powercfg.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege
4168 | explorer.exe | SeLockMemoryPrivilege
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes:
pid | process | target pid | target process | writes
4892 | a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe | 1736 | axplong.exe | 3
1736 | axplong.exe | 4004 | crypted.exe | 3
4004 | crypted.exe | 716 | RegAsm.exe | 9
1736 | axplong.exe | 3332 | NewLatest.exe | 3
3332 | NewLatest.exe | 2200 | Hkbsse.exe | 3
1736 | axplong.exe | 4724 | 123.exe | 3
2200 | Hkbsse.exe | 1908 | 1.exe | 3
1736 | axplong.exe | 1896 | TpWWMUpe0LEV.exe | 3
2200 | Hkbsse.exe | 3284 | FirstZ.exe | 2
4380 | cmd.exe | 2644 | wusa.exe | 2
1680 | cmd.exe | 784 | wusa.exe | 2
3804 | reakuqnanrkn.exe | 3636 | conhost.exe | 9
3804 | reakuqnanrkn.exe | 4168 | explorer.exe | 5
Processes (tree depth in brackets; image path | command line)
-
[1] C:\Users\Admin\AppData\Local\Temp\a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe | "C:\Users\Admin\AppData\Local\Temp\a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
[2] C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
[3] C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe | "C:\Users\Admin\AppData\Local\Temp\1000035001\crypted.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
-
[4] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 324
- Program crash
-
[3] C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe | "C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
[4] C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe | "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
[5] C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe | "C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe"
- Executes dropped EXE
- Checks SCSI registry key(s)
-
[6] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 500
- Program crash
-
[5] C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe | "C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
[6] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[6] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
- Suspicious use of WriteProcessMemory
-
[7] C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart
-
[6] C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc
- Launches sc.exe
-
[6] C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc
- Launches sc.exe
-
[6] C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv
- Launches sc.exe
-
[6] C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits
- Launches sc.exe
-
[6] C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc
- Launches sc.exe
-
[6] C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
[6] C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
[6] C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
[6] C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
[6] C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "WSNKISKT"
- Launches sc.exe
-
[6] C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
- Launches sc.exe
-
[6] C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog
- Launches sc.exe
-
[6] C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "WSNKISKT"
- Launches sc.exe
-
[3] C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe | "C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe"
- Executes dropped EXE
-
[3] C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe | "C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
- Executes dropped EXE
-
[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
[5] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1048
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exeC:\ProgramData\wikombernizc\reakuqnanrkn.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exe (level 3), command line: wusa /uninstall /kb:890830 /quiet /norestart
-
C:\Windows\system32\sc.exe (level 2), command line: C:\Windows\system32\sc.exe stop UsoSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 2), command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 2), command line: C:\Windows\system32\sc.exe stop wuauserv
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 2), command line: C:\Windows\system32\sc.exe stop bits
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 2), command line: C:\Windows\system32\sc.exe stop dosvc
- Launches sc.exe
-
C:\Windows\system32\powercfg.exe (level 2), command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe (level 2), command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe (level 2), command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe (level 2), command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe (level 2), command line: C:\Windows\system32\conhost.exe
-
C:\Windows\explorer.exe (level 2), command line: explorer.exe
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads