2dc3154ffa4a3fc2533b7b221f215b41d6c21b70acb780fa8f46b212cb798b94

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10/09/2022, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8069f3dbd6914f712b4be5ad6efc9a58.exe
Size

364KB
MD5

8069f3dbd6914f712b4be5ad6efc9a58
SHA1

4e82153122962ae506e1afe4580024d04ff9217d
SHA256

2dc3154ffa4a3fc2533b7b221f215b41d6c21b70acb780fa8f46b212cb798b94
SHA512

6769f23a9f8e7e927319e6353956c577db8386ddaa8e7f52672b0f4299cc49454635b157a607d275f2f169277b3f714f7255be1376f04103e45fa42d35fb295d
SSDEEP

6144:Up+gg5PJgKl4jw8pmR/G1+eDUlKoWxveUHK+k1v5dW2qkdt+CtkavR9O:0igKl9yIm+eVoWBT5k1vn1dcKnvC

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 64 IoCs

pid	Process
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe
4916	8069f3dbd6914f712b4be5ad6efc9a58.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\whees\Nationalsocialistiskes\Miraculise.ini	8069f3dbd6914f712b4be5ad6efc9a58.exe
File opened for modification	C:\Windows\resources\disowns\Vandfogeders\Baldrianoliens.Rec	8069f3dbd6914f712b4be5ad6efc9a58.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4116	powershell.exe
4116	powershell.exe
5028	powershell.exe
5028	powershell.exe
4132	powershell.exe
4132	powershell.exe
4984	powershell.exe
4984	powershell.exe
1372	powershell.exe
1372	powershell.exe
3776	powershell.exe
3776	powershell.exe
1932	powershell.exe
1932	powershell.exe
4396	powershell.exe
4396	powershell.exe
684	powershell.exe
684	powershell.exe
3400	powershell.exe
3400	powershell.exe
1136	powershell.exe
1136	powershell.exe
4792	powershell.exe
4792	powershell.exe
904	powershell.exe
904	powershell.exe
3132	powershell.exe
3132	powershell.exe
3332	powershell.exe
3332	powershell.exe
2944	powershell.exe
2944	powershell.exe
4720	powershell.exe
4720	powershell.exe
4736	powershell.exe
4736	powershell.exe
3916	powershell.exe
3916	powershell.exe
5104	powershell.exe
5104	powershell.exe
3552	powershell.exe
3552	powershell.exe
4244	powershell.exe
4244	powershell.exe
1136	powershell.exe
1136	powershell.exe
2056	powershell.exe
2056	powershell.exe
332	powershell.exe
332	powershell.exe
376	powershell.exe
376	powershell.exe
2260	powershell.exe
2260	powershell.exe
4656	powershell.exe
4656	powershell.exe
1772	powershell.exe
1772	powershell.exe
1508	powershell.exe
1508	powershell.exe
1968	powershell.exe
1968	powershell.exe
4884	powershell.exe
4884	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	260	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 4116	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	83
PID 4916 wrote to memory of 4116	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	83
PID 4916 wrote to memory of 4116	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	83
PID 4916 wrote to memory of 5028	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	87
PID 4916 wrote to memory of 5028	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	87
PID 4916 wrote to memory of 5028	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	87
PID 4916 wrote to memory of 4132	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	90
PID 4916 wrote to memory of 4132	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	90
PID 4916 wrote to memory of 4132	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	90
PID 4916 wrote to memory of 4984	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	92
PID 4916 wrote to memory of 4984	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	92
PID 4916 wrote to memory of 4984	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	92
PID 4916 wrote to memory of 1372	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	94
PID 4916 wrote to memory of 1372	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	94
PID 4916 wrote to memory of 1372	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	94
PID 4916 wrote to memory of 3776	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	96
PID 4916 wrote to memory of 3776	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	96
PID 4916 wrote to memory of 3776	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	96
PID 4916 wrote to memory of 1932	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	99
PID 4916 wrote to memory of 1932	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	99
PID 4916 wrote to memory of 1932	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	99
PID 4916 wrote to memory of 4396	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	101
PID 4916 wrote to memory of 4396	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	101
PID 4916 wrote to memory of 4396	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	101
PID 4916 wrote to memory of 684	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	103
PID 4916 wrote to memory of 684	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	103
PID 4916 wrote to memory of 684	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	103
PID 4916 wrote to memory of 3400	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	107
PID 4916 wrote to memory of 3400	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	107
PID 4916 wrote to memory of 3400	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	107
PID 4916 wrote to memory of 1136	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	109
PID 4916 wrote to memory of 1136	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	109
PID 4916 wrote to memory of 1136	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	109
PID 4916 wrote to memory of 4792	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	111
PID 4916 wrote to memory of 4792	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	111
PID 4916 wrote to memory of 4792	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	111
PID 4916 wrote to memory of 904	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	113
PID 4916 wrote to memory of 904	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	113
PID 4916 wrote to memory of 904	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	113
PID 4916 wrote to memory of 3132	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	115
PID 4916 wrote to memory of 3132	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	115
PID 4916 wrote to memory of 3132	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	115
PID 4916 wrote to memory of 3332	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	117
PID 4916 wrote to memory of 3332	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	117
PID 4916 wrote to memory of 3332	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	117
PID 4916 wrote to memory of 2944	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	119
PID 4916 wrote to memory of 2944	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	119
PID 4916 wrote to memory of 2944	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	119
PID 4916 wrote to memory of 4720	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	121
PID 4916 wrote to memory of 4720	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	121
PID 4916 wrote to memory of 4720	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	121
PID 4916 wrote to memory of 4736	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	123
PID 4916 wrote to memory of 4736	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	123
PID 4916 wrote to memory of 4736	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	123
PID 4916 wrote to memory of 3916	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	125
PID 4916 wrote to memory of 3916	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	125
PID 4916 wrote to memory of 3916	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	125
PID 4916 wrote to memory of 5104	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	127
PID 4916 wrote to memory of 5104	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	127
PID 4916 wrote to memory of 5104	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	127
PID 4916 wrote to memory of 3552	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	129
PID 4916 wrote to memory of 3552	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	129
PID 4916 wrote to memory of 3552	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	129
PID 4916 wrote to memory of 4244	4916	8069f3dbd6914f712b4be5ad6efc9a58.exe	131

C:\Users\Admin\AppData\Local\Temp\8069f3dbd6914f712b4be5ad6efc9a58.exe
"C:\Users\Admin\AppData\Local\Temp\8069f3dbd6914f712b4be5ad6efc9a58.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x05 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0B -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x1C -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4132
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x00 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0B -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x02 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3776
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7D -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7C -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x74 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x74 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0D -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3C -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2B -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:904
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2F -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3132
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3A -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3332
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2B -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x08 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4720
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x27 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x22 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2B -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0F -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3552
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x66 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4244
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x23 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3C -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7A -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x62 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x27 -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x36 -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x76 -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x62 -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x27 -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x62 -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3140
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4420
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x62 -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4032
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3776
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x27 -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3108
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7A -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x62 -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4380
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4400
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x27 -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x36 -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x76 -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:260
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x62 -bxor 78
  2⤵
  PID:4816
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  PID:4200
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x27 -bxor 78
  2⤵
  PID:764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  PID:4924
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  PID:1252
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x67 -bxor 78
  2⤵
  PID:4380
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x27 -bxor 78
  2⤵
  PID:708
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x60 -bxor 78
  2⤵
  PID:2412
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3C -bxor 78
  2⤵
  PID:4684
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7B -bxor 78
  2⤵
  PID:3272
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3F -bxor 78
  2⤵
  PID:956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x05 -bxor 78
  2⤵
  PID:440
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0B -bxor 78
  2⤵
  PID:4232
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x1C -bxor 78
  2⤵
  PID:4652
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x00 -bxor 78
  2⤵
  PID:4472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0B -bxor 78
  2⤵
  PID:4656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x02 -bxor 78
  2⤵
  PID:3016
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7D -bxor 78
  2⤵
  PID:3428
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7C -bxor 78
  2⤵
  PID:4004
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x74 -bxor 78
  2⤵
  PID:4124
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x74 -bxor 78
  2⤵
  PID:4632
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x18 -bxor 78
  2⤵
  PID:4840
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x27 -bxor 78
  2⤵
  PID:1344
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3C -bxor 78
  2⤵
  PID:360
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3A -bxor 78
  2⤵
  PID:876
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3B -bxor 78
  2⤵
  PID:1872
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2F -bxor 78
  2⤵
  PID:2528
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x22 -bxor 78
  2⤵
  PID:3912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0F -bxor 78
  2⤵
  PID:4348
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x22 -bxor 78
  2⤵
  PID:4728
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x22 -bxor 78
  2⤵
  PID:3424
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x21 -bxor 78
  2⤵
  PID:4292
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2D -bxor 78
  2⤵
  PID:1508
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x66 -bxor 78
  2⤵
  PID:4608
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x27 -bxor 78
  2⤵
  PID:4432
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  PID:4952
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  PID:4400
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x62 -bxor 78
  2⤵
  PID:3492
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x27 -bxor 78
  2⤵
  PID:4340
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  PID:360
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  PID:4508
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x36 -bxor 78
  2⤵
  PID:4948
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7F -bxor 78
  2⤵
  PID:380
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  PID:4548
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  PID:4976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  PID:3776
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  PID:4864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  PID:1668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x62 -bxor 78
  2⤵
  PID:1652
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  PID:4064
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x27 -bxor 78
  2⤵
  PID:4748
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  PID:4840
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  PID:1592
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x36 -bxor 78
  2⤵
  PID:3292
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7D -bxor 78
  2⤵
  PID:4132
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  PID:3984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  PID:5084
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  PID:4692
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x62 -bxor 78
  2⤵
  PID:4468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  PID:3564
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x27 -bxor 78
  2⤵
  PID:2860
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E -bxor 78
  2⤵
  PID:3448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  PID:1004
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x36 -bxor 78
  2⤵
  PID:4788
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7A -bxor 78
  2⤵
  PID:3456
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7E -bxor 78
  2⤵
  PID:3896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x67 -bxor 78
  2⤵
  PID:332
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3E -bxor 78
  2⤵
  PID:1204
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x60 -bxor 78
  2⤵
  PID:4768
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3C -bxor 78
  2⤵
  PID:1028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7F -bxor 78
  2⤵
  PID:3100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3F -bxor 78
  2⤵
  PID:1608
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x05 -bxor 78
  2⤵
  PID:1396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0B -bxor 78
  2⤵
  PID:1128
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x1C -bxor 78
  2⤵
  PID:2408
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x00 -bxor 78
  2⤵
  PID:4784
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0B -bxor 78
  2⤵
  PID:3992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x02 -bxor 78
  2⤵
  PID:4300
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7D -bxor 78
  2⤵
  PID:216
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7C -bxor 78
  2⤵
  PID:3380
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x74 -bxor 78
  2⤵
  PID:3912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x74 -bxor 78
  2⤵
  PID:4304
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x1D -bxor 78
  2⤵
  PID:4184
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2B -bxor 78
  2⤵
  PID:2360
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3A -bxor 78
  2⤵
  PID:4032
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x08 -bxor 78
  2⤵
  PID:1628
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x27 -bxor 78
  2⤵
  PID:4888
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x22 -bxor 78
  2⤵
  PID:3868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
f56736e43b82ba2f72d37f37da951188

SHA1
3a8e451f7ee024f9e31bcebba1c8986bf53f6bf4

SHA256
152c36768c5b568a0144a14da97f32e83275ea8325bb5b2a4c5abd69cdd61ad0

SHA512
cbd7817947ab2152027fd8b641e8a1d852e4129df5e80c3732b8dfa24895b9ba451dec069d73ac0bd4be0c2326b21163f04699539690c562468d4f4995ca4065

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
e654848a6c55b7cb305e89915d243443

SHA1
516c9349f9111b5fbf667d02f4871225dca336da

SHA256
d09a000a45042b14cc8ef82428fd8875f643e216b01ba3028d3279ff1b577f04

SHA512
36f3d658d6004ed0f0ede0f4ddc2392ac963419984acbfb8ef7f97d86ed9b2641e049c422534729cdd73531b91c1d8c7b18ffe731b766e3ad1f124762d26fa7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
05e6f55258d914fadf35c21133e29351

SHA1
222dfad247e6de76d055d60bcdae8d0414d32e59

SHA256
fbf660918c703099f43608832d7dee092cb088b7b4aeb4b1baaa6feb8f7f3746

SHA512
6cd042d7d0f016ae901d512e6a69c48407a4eba0b3db44100cc0e94d98bcdcc3e585d8f541abd9ede015300a6d43ab00d625c4f4d74c0d8036dd8f965a7f73c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
ef2948ac183bffa027f2b287e91b3e04

SHA1
7a5f07bb98b1d0085b0c412ade1bbbd9e6743389

SHA256
6d65b9a48439fe460e63745a96c9ba1005e423a81e3b52a0f043feabf9561291

SHA512
05551f705932e5da8302600aa14e05df9ff631a416e0a774ec72d29976052d2d7c565cb09b0e93f057bd788b111c9065d6df5573ed6f1570b25886d81b529594

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
7ea2ec6b31804c0fd9fe50cc281fc09e

SHA1
cfc48357bf4f7ea069cadeb2b7c9f688d040857a

SHA256
74df9a1cddc8071b09bfb2b08e37d69029217242d9c6c1ba443b8b76c23a263c

SHA512
063102083b730642e9ad56c4cf1eb9be9e0cbb14ce346e795993631baec4d8a9c614b1fdc201e3f4bd10089cd4d4edeac3b08524224c70a8efc4bc285e54086f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
e6b2da115f59a5cd26b35298b7a9ceb4

SHA1
0962811b312509b657f7a9ca6fea789e0b1f23e3

SHA256
1da9e4d93da54ae27d47806229e2694d51d8beb26a8324f9b25b0c409eda4a00

SHA512
72ee8b0b734db0222c09761712f29fd5ac1cb6be42e061cfeb31ddae59f2699b24308bfc81c6c20b1098066fcc0e4520fc61094eb6840b05033b95dea8254f99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
c23e129a6719dbefb75f24d53131f75c

SHA1
208f100c64cf10f9ea5c37b95a6a06882af94e57

SHA256
30dd97f3a35d500aafea52223abdff489e422bedda0f8674be6c1e0bf8a8c5b4

SHA512
870726cee2196aec0b66765b1f26603606b24e38d803ccbe184d7007d1b09db892ee7ae6c759c6ddf9b841f2de67b05bc6e5f8ef462f0977e7aca07828a27610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
aa5a80bb8f46a9f3eff28e0da8bf81ed

SHA1
79fbbbd8c09fc58a37e90c09b7c135c50caeba12

SHA256
c102853b663ec393ab7ac19a8122ec630732c81e8721112e0e48560e60413c11

SHA512
6525c3abb8423ce1f7c83a17e98cfdee8d54eacd67a49fc27d5ff18abf6f47ef6df8aa146f2b148b90a93bc885acdd92eca4f36602c28c40ef0af8ae7cc91072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
84a5ba5fd2359260e71bd45daf9a2448

SHA1
887c89cd322370931d6e587ea357c72522166cb9

SHA256
5546c53c0cb8bd2167b5f8395c3ba5ccfcbe1e6d2e749252974530b78603392b

SHA512
3474d348788d722e04e4f98d8b908144eaed6067400803f06ae6844f53c6acd39f4eb8e0afbd5839518ed05dae31651b3ab397de7ffb77b6fd280aff07ec6b8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
dba175ea4d8e80a80577b98b0935a5ca

SHA1
3aae8d2c17748bab3bf37e5233817f7307721fbe

SHA256
152c39c2763af2d6479491022611d335431542245c2b8222ec09d5b202f69d15

SHA512
cf5e66fb59a5e5b1e8c3db4f3b7a128753a01f9738f7c7a4abb40c3b673a46b249f539d299a2af32a1ef6d7e829fac9b5b805ed736a853d37965b2aa92ab1420

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
78623f738568fb178edcc72e1b917629

SHA1
846e19ff2ff8d236da5f51613873a90d65ff8a3e

SHA256
ab7a8cab25eec8fa35f42d74cc17a266837dc60fa0f40b7ffc61dd13cb8970b5

SHA512
fb2046c4fc5efd2e9d4896f5b911539afeb6672e31e0419daf17894ba2d969d55ae8e4883e9dde6bea9dc58464e3a4a3b781907bc66c0bee699fd5e557b19a45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
481c51836509168ec0f7af6347b1458a

SHA1
3b49d4dc5fd5f8e9ef1c60ab8f824d3e54d405a0

SHA256
39f4a276e9cd84b2a518163e33b3513acbd351d9fb402a676a9d2ffabb560364

SHA512
6f08fa45aa9aa39512f6d5a634a64792dc58c308c32e35f6de4f263613e9f955777c4612854ed2a09245b43693ed53d476f0ed16295109eaaf44695be37b020b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
3d961988e6efe958229322bfa13c88e1

SHA1
e95f5b9c7baec993cd24d01a8340a4b5f71be42f

SHA256
62bb966c2debe82950a77df187abef7976cffd25705c63701353eb3cc659cdde

SHA512
3d8c56815575d2544a6b6242f895e9ac23ee557705a3e4482747b61b087cfb6b31a40e91093dfb4982283b9dcdfd4f8decd57845cd21cf94ccb16bd00607cee6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
bc3ac22cd0a5984fecd201ce2bef6f06

SHA1
34d03dcd32701daf7c0e7d7696dabb0deeb68c38

SHA256
3d04952070eebaccd6790fa51b5ca3118c3776e28085f52614aad2593873635d

SHA512
9c475bf470e12b1d9e1f58ee6cf70ec0a79781dc9c7f000d576b8ace60c0f99fd364d9b48b220dea6171dc72f90fad75bad7a2ce485df415dbb723c9e9a96847

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
a51ec43a8f3a4bcc54bdfcbb7307a04e

SHA1
c720f9df918de7408578db58686cd53b7b0da7e7

SHA256
52742aac4edd60617b54703a422ecfd4a917e2facf77d520a251ffc8fe86d852

SHA512
a44cccf384936be7521efe1a6b47d15b6e609d77217331739042d110a09ecf01cf4da4bbd3228be4345e4bc4ffea2d8a12fbc839c7b93cbf1f40a1cdae89fd18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
aa6dc59ef1988f2cfc09af19387a8eef

SHA1
f2a7ba4a401c429c273f6901765ce6dd4130f3c2

SHA256
1916347e2b4196d4012b109e459777b879dbc250b41a60a5c2428216d27d7740

SHA512
4445c0f6cecde53d003b50036afd0a2570e1d24010f31f922250776c1b7104b76bb920267169c876dca853fe897718ef1cbf95be9f7c6fa4f51e2c5d6b0618dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
992c96a33ce97cc8bbe7e9579176a232

SHA1
165d592709295f9390a87caf9b1ba50bb58679e6

SHA256
d617066fec49f2570cab76ee72fb19b4f2ccbf08aa40b259c4621a430bd83900

SHA512
0a0607fba3c227a434f056691b287df9eeb30c0bbea30d85da6e5c935de1e2be199d90067860c2b903f2a45cf544479d0876ccfed91f7a16b92a21c121eeed11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
93f7378fb0097879b7858c066a885320

SHA1
04a34ba3e9386b86d721e2ff94bac4a3afa8c023

SHA256
48649b1cab503cea613228a13bbc194a00991c90a34e76d1011d1a46087bc0fa

SHA512
d5dc7d0c67548bd9bd76938a48b7542b291a9e5f0f9b98738972689682f64fa96d13a0aa06698502f0277aa24892541fc12961f56a3583a9481982369fc50085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
dc5b1e1cf396104d0410505b4b5a7ec7

SHA1
56b45eba42849e6fcf55e7adedb3dd64d70d89c4

SHA256
7a8a20e74dbc2517cd8d51d83c3f44101f418e5fc9845f703a5690714d9435e6

SHA512
d6287aeee834b65202057f767568254e2b2f77018d16585296dadfd3419ba81ec9404a0b33d980b5a73774e9bf703297813f7e4e6a8ee3dda234adc140992952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
ed20ebe9436acb573b151f6b91194da4

SHA1
2f16fe71ec9351d51e4fc08728dab86e21bac8ee

SHA256
d7fc72d29be17b95a8af0716a01d955c7c3c2dc69b16f5daa5761cb03d03ed0d

SHA512
1a4b67009b836c8fad8b49da68dc87d2b485d2dc65337536698bc6b2862c300dcc9972252f7eb168d4426eb630626cad027bfb323ae62348b1fcec1429c36481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
433b7c1d6b6df4843515b6b030b6a9a0

SHA1
30e5701e66ac2487f31c097a70a13a0cd2804278

SHA256
40377975177cd6ce60aae6ec7c61cc6963e8d91877fab055685ad2663b86aa39

SHA512
b09689047cdbe6968d3fc7caf2a86ce57e712cc164d77df59b146a73a13471b0402bf30d90e0660a2dd1b90e919cb547718fe5037fe52098ebb81deafd9a508f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
f42a4026aab264c45f3c77130f34fb92

SHA1
6def25315f39d45657dd5d4f48b4482117f29de3

SHA256
454aafa190628cdef2df2757743fac135fd2a875be9cf09dad54efe3c32181b0

SHA512
ea777e90e54adfbfd8463ff4337aeb2c481561011aa11e01cb73efd2512fe967e5ea0bded653f0335a481f7ed34c754127827448d2b2f4798dcdf3b622a20084

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
45acead445b2bebe7b361c414189e3d6

SHA1
ace3e08844e98548d23d0144565c70d2579aea4b

SHA256
4ec5c11ba5134e019c5bb6279561d616d420dd9b4819399c64bbc88131f9e0e2

SHA512
fb5d142960d9a00f4886882eb965d8aea9c416f1f4ccdbd77f9382d87ab432cb8efcad4d03369f3a7fcaa097bac0f035e076e4f344e40e64d17cbb5861cb233c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
e1c0cfba6445eb6e71a78196592287e8

SHA1
fc4be370a26b403aebe4e44f279019936814343d

SHA256
cf6db995271f5f0147f562fd8838449477dd59b527690c43712095664fa8cb0a

SHA512
32a097eed284967d64151d39f9ea2f3785be726bc30a07d8d802b0b97e5620354696f46743b25cda69720b23cfa9003d973adaf6878010246c9470d719eb7a4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
71c732307212f12f556d7547032583f1

SHA1
c1c94b47ef92450f1968455a99aa2ffc298e5ef2

SHA256
afdec58e5511118e585e5f7995aa737303383fa954660ffd1f09c3676c5d50db

SHA512
e6f9b501a792309b6781985a370275e17116d9b70933d3f16f46cd865923a03f1724344d497bb749f0a5a96cdf4e8634a077bdd7b1e85bc7cef70e5d11aba1a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
255fda9f6728da76aae562d1923bbee1

SHA1
984af5d7ee081672d07953392e83ee3ff0056a09

SHA256
03f56be4070c089bd5357e04db0cb842a51f6403c59b2b4ffc06676157bd3697

SHA512
b3358b2112d565d978b2cba1e01977fcf3ffdac8bd2ba9c69408e9bcee8c1141eb8514706514c53f5bfb2dfd84c305e0cabe26ab43ecf01c6627df5f010781a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
67210bd618a4b888e4073b9f973a198a

SHA1
1c56022990d4446119e21b1cf858d5b45cc60369

SHA256
df2f13a027b851a16c02ff0d1e127a51899a0e55d412afb75c01dfdb6b4b3ef8

SHA512
9bbc8c1755340cdedf115fea506469b407bfc0d390c888e85b38d7c6d011a52ae11b93ffe5f011a20711aa2209401cb3ecc006fcb369c4f4f5289086004e7d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
0a963dbf977af765b165ca25d959cf4f

SHA1
f7ca8264089219dec1bf6df46fd5d4decd4efad9

SHA256
a45b4ed364b427f23df8e36a75b8c343e381225821893732273fcc43d354f47f

SHA512
16f251528bfdac6c51f95c8c3e25013d21e3eedbacc09b847f39dbe50596e3a8ec273c1f3e82569f4aa9897cc06e59024d28df66ee6e5064ec60b7ae2d6918dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
afca98942534d591f8f6c0a06edc0363

SHA1
2107ff30bc99b0b8c3616c7589c78e260d0e26c6

SHA256
49e8af84324ced6429cc897b3fd8b67487d8151d4f93d2a6eae1dcf87fc80398

SHA512
88590220e3b36db52c2497ac56473c889e9ddc7a0eb7e9e036eef388d7b6545ada1de8a2802df58f11c553798287a49a4b70aef3ac8568c5fc31a11961f2622b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
7253644e9dd891daf15a4a1d2257f02f

SHA1
0d3072b9e8f826da76c0b95ab65e45aea56fe8eb

SHA256
6d3f7f7360346a8eb2f2e0eb6ffd116a148f5f624304b884bde36b03793d48b7

SHA512
da2faededb27ff5fa8c66831ed11416815993241e1f01f4220c9c71eb666f046c6d41216024fc84feab47fba6a5705140cbd1d907f1619dbdc73e1479abb9289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
5c04e48b8b48a4c1a1de3681561940f0

SHA1
0839c7a1c77b13dbaef603abb2c29298c08cddc0

SHA256
0d0aacbd763b591ad0351e713bb82a308b0acbd07fcf18abd286d5b5aafe3e39

SHA512
d4bb50187527250a1cb81854844d5a0271ea4dde0a7337eb5f899117ad5bda11568189b42c3e05d3f6c0278df6245bd9d4f764e1788b24a2a722c9baa0460248

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7D27.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
memory/4116-137-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/4116-136-0x0000000005450000-0x0000000005472000-memory.dmp

Filesize
136KB

Download
memory/4116-139-0x00000000063F0000-0x000000000640E000-memory.dmp

Filesize
120KB

Download
memory/4116-134-0x0000000002B10000-0x0000000002B46000-memory.dmp

Filesize
216KB

Download
memory/4116-135-0x0000000005510000-0x0000000005B38000-memory.dmp

Filesize
6.2MB

Download
memory/4116-138-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download