c8e8b8530e40267cf2ca4634b3b2aecc5a4d437a52161439542061a38fa04fb9

General

Target

c8e8b8530e40267cf2ca4634b3b2aecc5a4d437a52161439542061a38fa04fb9.exe
Size

685KB
MD5

707437ee8246fe4f032770adef8da36d
SHA1

e55b6f232189be6aede028421ff1f8861d0d1913
SHA256

c8e8b8530e40267cf2ca4634b3b2aecc5a4d437a52161439542061a38fa04fb9
SHA512

80663ca3a751f4bb7125b465cc8919125214408562903cd56c82f39df3377c1f5e27cb89c4b6c536661e42d752126733b6f15a579ee562ac7a278c2871477ea2

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

dllhost.exe

pid process

3488 dllhost.exe

pid	process
3488	dllhost.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4300	schtasks.exe
1792	schtasks.exe
208	schtasks.exe
3344	schtasks.exe
4616	schtasks.exe
116	schtasks.exe
1564	schtasks.exe
2776	schtasks.exe
2652	schtasks.exe
4544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exedllhost.exe

pid	process
5008	powershell.exe
5008	powershell.exe
2648	powershell.exe
2648	powershell.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exec8e8b8530e40267cf2ca4634b3b2aecc5a4d437a52161439542061a38fa04fb9.exepowershell.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	3468	c8e8b8530e40267cf2ca4634b3b2aecc5a4d437a52161439542061a38fa04fb9.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	3488	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c8e8b8530e40267cf2ca4634b3b2aecc5a4d437a52161439542061a38fa04fb9.execmd.exedllhost.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3468 wrote to memory of 3712	3468	c8e8b8530e40267cf2ca4634b3b2aecc5a4d437a52161439542061a38fa04fb9.exe	cmd.exe
PID 3468 wrote to memory of 3712	3468	c8e8b8530e40267cf2ca4634b3b2aecc5a4d437a52161439542061a38fa04fb9.exe	cmd.exe
PID 3468 wrote to memory of 3712	3468	c8e8b8530e40267cf2ca4634b3b2aecc5a4d437a52161439542061a38fa04fb9.exe	cmd.exe
PID 3712 wrote to memory of 2148	3712	cmd.exe	chcp.com
PID 3712 wrote to memory of 2148	3712	cmd.exe	chcp.com
PID 3712 wrote to memory of 2148	3712	cmd.exe	chcp.com
PID 3712 wrote to memory of 5008	3712	cmd.exe	powershell.exe
PID 3712 wrote to memory of 5008	3712	cmd.exe	powershell.exe
PID 3712 wrote to memory of 5008	3712	cmd.exe	powershell.exe
PID 3712 wrote to memory of 2648	3712	cmd.exe	powershell.exe
PID 3712 wrote to memory of 2648	3712	cmd.exe	powershell.exe
PID 3712 wrote to memory of 2648	3712	cmd.exe	powershell.exe
PID 3468 wrote to memory of 3488	3468	c8e8b8530e40267cf2ca4634b3b2aecc5a4d437a52161439542061a38fa04fb9.exe	dllhost.exe
PID 3468 wrote to memory of 3488	3468	c8e8b8530e40267cf2ca4634b3b2aecc5a4d437a52161439542061a38fa04fb9.exe	dllhost.exe
PID 3468 wrote to memory of 3488	3468	c8e8b8530e40267cf2ca4634b3b2aecc5a4d437a52161439542061a38fa04fb9.exe	dllhost.exe
PID 3488 wrote to memory of 1376	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 1376	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 1376	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 2664	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 2664	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 2664	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 3052	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 3052	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 3052	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 2104	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 2104	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 2104	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 4212	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 4212	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 4212	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 3660	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 3660	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 3660	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 2412	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 2412	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 2412	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 2260	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 2260	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 2260	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 3408	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 3408	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 3408	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 3708	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 3708	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 3708	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 4392	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 4392	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 4392	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 1140	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 1140	3488	dllhost.exe	cmd.exe
PID 3488 wrote to memory of 1140	3488	dllhost.exe	cmd.exe
PID 1376 wrote to memory of 4544	1376	cmd.exe	schtasks.exe
PID 1376 wrote to memory of 4544	1376	cmd.exe	schtasks.exe
PID 1376 wrote to memory of 4544	1376	cmd.exe	schtasks.exe
PID 3408 wrote to memory of 3344	3408	cmd.exe	schtasks.exe
PID 3408 wrote to memory of 3344	3408	cmd.exe	schtasks.exe
PID 3408 wrote to memory of 3344	3408	cmd.exe	schtasks.exe
PID 4392 wrote to memory of 2652	4392	cmd.exe	schtasks.exe
PID 4392 wrote to memory of 2652	4392	cmd.exe	schtasks.exe
PID 4392 wrote to memory of 2652	4392	cmd.exe	schtasks.exe
PID 3708 wrote to memory of 1792	3708	cmd.exe	schtasks.exe
PID 3708 wrote to memory of 1792	3708	cmd.exe	schtasks.exe
PID 3708 wrote to memory of 1792	3708	cmd.exe	schtasks.exe
PID 4212 wrote to memory of 1564	4212	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c8e8b8530e40267cf2ca4634b3b2aecc5a4d437a52161439542061a38fa04fb9.exe
"C:\Users\Admin\AppData\Local\Temp\c8e8b8530e40267cf2ca4634b3b2aecc5a4d437a52161439542061a38fa04fb9.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
2⤵
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:2148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4544

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2664

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:2776

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:3660

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:208

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1564

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2412

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4300

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2260

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:116

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk8561" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk8561" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:3344

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk8700" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk8700" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1792

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk3237" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk3237" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:2652

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk6486" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1140

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk6486" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4616

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1772

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1944

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:5084

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
772KB

MD5
df3aaad73329e23cc133840595be5516

SHA1
f652635416a5e2bb3ceac0ef10119457f9b9a2d7

SHA256
38b2efab3e14bfb804b413447e404355aa399dc92cb8f3cdf125b8407d7cfc67

SHA512
269e64f1f9ece8ab0849f51bceadd55ed9e34209ec8d296ab9c7d5038b6dfec3321ca64727c49dccb01877a3a93f1972eef907c32144a85f5e391600a0cf8a1a

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
772KB

MD5
df3aaad73329e23cc133840595be5516

SHA1
f652635416a5e2bb3ceac0ef10119457f9b9a2d7

SHA256
38b2efab3e14bfb804b413447e404355aa399dc92cb8f3cdf125b8407d7cfc67

SHA512
269e64f1f9ece8ab0849f51bceadd55ed9e34209ec8d296ab9c7d5038b6dfec3321ca64727c49dccb01877a3a93f1972eef907c32144a85f5e391600a0cf8a1a

Download Submit
C:\ProgramData\HostData\logs.uce
Filesize
497B

MD5
13fda2ab01b83a5130842a5bab3892d3

SHA1
6e18e4b467cde054a63a95d4dfc030f156ecd215

SHA256
76973d42c8fceceab7ec85b3d01b218db92564993e93a9bea31c52aa73aeee9e

SHA512
c51f9fd6e452fbeeedd4dfaba3c7c887e337f01e68abdd27d4032f8be85def7ef3cf0c77bf60e425b085b76c0539464c6b6e5e805a69397c5519e8ccf9fffccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
ba246bd2d86f16b8e701e797989d424b

SHA1
048769be2e48bd66ddedbfcf9d40addb6168fc16

SHA256
37c38ce312bc65167a7a6208217dedc66559bd6dd149472fd7001a8e9db310ad

SHA512
473fedc38e188d36b1f2f3db119a5c6c1e8676a24392a64b60198ab38c6725a909b8564892608760cc2dfc6a1b4f72cf4370740f97dcb0722d3fd4e0faa57bec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
18856488c47b39323898eb4f38c9fc3e

SHA1
536bdd701971e0d7c701bf47663e85d26ef7810b

SHA256
4296300d22ba0530a01cc10ad9516c3238a3d4b1245abd19dc6519200bf78cfb

SHA512
76e33b2ce1cd7fc8d5793be85550f816bce79570e29d4c8d08d075ba6515094af85d4fc36695a5e790378ffdba2747cdbb2ef216f472c1350e780eb69319270d

Download Submit
memory/116-184-0x0000000000000000-mapping.dmp

Download
memory/208-183-0x0000000000000000-mapping.dmp

Download
memory/1092-191-0x0000000000000000-mapping.dmp

Download
memory/1140-174-0x0000000000000000-mapping.dmp

Download
memory/1376-163-0x0000000000000000-mapping.dmp

Download
memory/1564-179-0x0000000000000000-mapping.dmp

Download
memory/1772-186-0x0000000000000000-mapping.dmp

Download
memory/1792-178-0x0000000000000000-mapping.dmp

Download
memory/1944-188-0x0000000000000000-mapping.dmp

Download
memory/2104-166-0x0000000000000000-mapping.dmp

Download
memory/2148-138-0x0000000000000000-mapping.dmp

Download
memory/2260-170-0x0000000000000000-mapping.dmp

Download
memory/2412-169-0x0000000000000000-mapping.dmp

Download
memory/2648-158-0x0000000071080000-0x00000000710CC000-memory.dmp

Filesize
304KB

Download
memory/2648-155-0x0000000000000000-mapping.dmp

Download
memory/2652-177-0x0000000000000000-mapping.dmp

Download
memory/2664-164-0x0000000000000000-mapping.dmp

Download
memory/2776-180-0x0000000000000000-mapping.dmp

Download
memory/3052-165-0x0000000000000000-mapping.dmp

Download
memory/3344-176-0x0000000000000000-mapping.dmp

Download
memory/3384-187-0x0000000000000000-mapping.dmp

Download
memory/3408-171-0x0000000000000000-mapping.dmp

Download
memory/3468-132-0x0000000000A20000-0x0000000000AC8000-memory.dmp

Filesize
672KB

Download
memory/3468-136-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/3468-135-0x0000000005520000-0x000000000552A000-memory.dmp

Filesize
40KB

Download
memory/3468-134-0x0000000005480000-0x0000000005512000-memory.dmp

Filesize
584KB

Download
memory/3468-133-0x0000000005A30000-0x0000000005FD4000-memory.dmp

Filesize
5.6MB

Download
memory/3488-159-0x0000000000000000-mapping.dmp

Download
memory/3488-162-0x00000000009D0000-0x0000000000A80000-memory.dmp

Filesize
704KB

Download
memory/3660-168-0x0000000000000000-mapping.dmp

Download
memory/3708-172-0x0000000000000000-mapping.dmp

Download
memory/3712-137-0x0000000000000000-mapping.dmp

Download
memory/4212-167-0x0000000000000000-mapping.dmp

Download
memory/4300-181-0x0000000000000000-mapping.dmp

Download
memory/4392-189-0x0000000000000000-mapping.dmp

Download
memory/4392-173-0x0000000000000000-mapping.dmp

Download
memory/4544-175-0x0000000000000000-mapping.dmp

Download
memory/4616-182-0x0000000000000000-mapping.dmp

Download
memory/5008-146-0x0000000071080000-0x00000000710CC000-memory.dmp

Filesize
304KB

Download
memory/5008-144-0x0000000005980000-0x000000000599E000-memory.dmp

Filesize
120KB

Download
memory/5008-150-0x0000000006DC0000-0x0000000006DCA000-memory.dmp

Filesize
40KB

Download
memory/5008-149-0x0000000006D70000-0x0000000006D8A000-memory.dmp

Filesize
104KB

Download
memory/5008-148-0x00000000073D0000-0x0000000007A4A000-memory.dmp

Filesize
6.5MB

Download
memory/5008-147-0x0000000005FE0000-0x0000000005FFE000-memory.dmp

Filesize
120KB

Download
memory/5008-154-0x0000000007080000-0x0000000007088000-memory.dmp

Filesize
32KB

Download
memory/5008-145-0x00000000069E0000-0x0000000006A12000-memory.dmp

Filesize
200KB

Download
memory/5008-152-0x0000000006FA0000-0x0000000006FAE000-memory.dmp

Filesize
56KB

Download
memory/5008-151-0x0000000006FD0000-0x0000000007066000-memory.dmp

Filesize
600KB

Download
memory/5008-143-0x0000000005350000-0x00000000053B6000-memory.dmp

Filesize
408KB

Download
memory/5008-142-0x0000000005130000-0x0000000005152000-memory.dmp

Filesize
136KB

Download
memory/5008-141-0x0000000004B00000-0x0000000005128000-memory.dmp

Filesize
6.2MB

Download
memory/5008-140-0x0000000004470000-0x00000000044A6000-memory.dmp

Filesize
216KB

Download
memory/5008-153-0x0000000007090000-0x00000000070AA000-memory.dmp

Filesize
104KB

Download
memory/5008-139-0x0000000000000000-mapping.dmp

Download
memory/5084-190-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads