xmrig | 2f8c61532e3be1aae0adf359bd0798a79ee43694dec2313cf297ca61631a5e14

Analysis

max time kernel
301s
max time network
304s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
19-09-2022 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f8c61532e3be1aae0adf359bd0798a79ee43694dec2313cf297ca61631a5e14.exe
Size

71KB
MD5

8b264482101619c94e2038b40d1de144
SHA1

f6992a198e88c5dd353077c5634effb646bf02c8
SHA256

2f8c61532e3be1aae0adf359bd0798a79ee43694dec2313cf297ca61631a5e14
SHA512

bf377e47d5e9949004081e6345e513c4850da1b3b5fad83ee5a775d19794ef7c9b430cad286c9f6e67dd46f1daf4fff5f831f444715c6cdd7f8124abc9a03e7a
SSDEEP

768:JdALm4DtuYxRAs3qFuR/JP7XNzrlvEJfUAQplMvpbSHqIY/oS/5HfIoGLkv1:vALNcuAsaFmFr5KfUAyl6bSKDAS5IIN

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x000600000001a4df-1194.dat	xmrig
behavioral2/files/0x000600000001a4df-1193.dat	xmrig

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1312	dllhost.exe
2436	winlogson.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
428	schtasks.exe
4668	schtasks.exe
4388	schtasks.exe
4456	schtasks.exe
4428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	2f8c61532e3be1aae0adf359bd0798a79ee43694dec2313cf297ca61631a5e14.exe
4884	powershell.exe
4884	powershell.exe
4884	powershell.exe
2640	powershell.exe
2640	powershell.exe
2640	powershell.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe
1312	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
624	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	2f8c61532e3be1aae0adf359bd0798a79ee43694dec2313cf297ca61631a5e14.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1312	dllhost.exe
Token: SeLockMemoryPrivilege	2436	winlogson.exe
Token: SeLockMemoryPrivilege	2436	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2436	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1296	2700	2f8c61532e3be1aae0adf359bd0798a79ee43694dec2313cf297ca61631a5e14.exe	68
PID 2700 wrote to memory of 1296	2700	2f8c61532e3be1aae0adf359bd0798a79ee43694dec2313cf297ca61631a5e14.exe	68
PID 2700 wrote to memory of 1296	2700	2f8c61532e3be1aae0adf359bd0798a79ee43694dec2313cf297ca61631a5e14.exe	68
PID 1296 wrote to memory of 4312	1296	cmd.exe	70
PID 1296 wrote to memory of 4312	1296	cmd.exe	70
PID 1296 wrote to memory of 4312	1296	cmd.exe	70
PID 1296 wrote to memory of 4884	1296	cmd.exe	71
PID 1296 wrote to memory of 4884	1296	cmd.exe	71
PID 1296 wrote to memory of 4884	1296	cmd.exe	71
PID 1296 wrote to memory of 2640	1296	cmd.exe	72
PID 1296 wrote to memory of 2640	1296	cmd.exe	72
PID 1296 wrote to memory of 2640	1296	cmd.exe	72
PID 2700 wrote to memory of 1312	2700	2f8c61532e3be1aae0adf359bd0798a79ee43694dec2313cf297ca61631a5e14.exe	73
PID 2700 wrote to memory of 1312	2700	2f8c61532e3be1aae0adf359bd0798a79ee43694dec2313cf297ca61631a5e14.exe	73
PID 2700 wrote to memory of 1312	2700	2f8c61532e3be1aae0adf359bd0798a79ee43694dec2313cf297ca61631a5e14.exe	73
PID 1312 wrote to memory of 4464	1312	dllhost.exe	74
PID 1312 wrote to memory of 4464	1312	dllhost.exe	74
PID 1312 wrote to memory of 4464	1312	dllhost.exe	74
PID 1312 wrote to memory of 3792	1312	dllhost.exe	75
PID 1312 wrote to memory of 3792	1312	dllhost.exe	75
PID 1312 wrote to memory of 3792	1312	dllhost.exe	75
PID 1312 wrote to memory of 4764	1312	dllhost.exe	76
PID 1312 wrote to memory of 4764	1312	dllhost.exe	76
PID 1312 wrote to memory of 4764	1312	dllhost.exe	76
PID 1312 wrote to memory of 4704	1312	dllhost.exe	77
PID 1312 wrote to memory of 4704	1312	dllhost.exe	77
PID 1312 wrote to memory of 4704	1312	dllhost.exe	77
PID 1312 wrote to memory of 4776	1312	dllhost.exe	78
PID 1312 wrote to memory of 4776	1312	dllhost.exe	78
PID 1312 wrote to memory of 4776	1312	dllhost.exe	78
PID 1312 wrote to memory of 1980	1312	dllhost.exe	84
PID 1312 wrote to memory of 1980	1312	dllhost.exe	84
PID 1312 wrote to memory of 1980	1312	dllhost.exe	84
PID 1312 wrote to memory of 4644	1312	dllhost.exe	82
PID 1312 wrote to memory of 4644	1312	dllhost.exe	82
PID 1312 wrote to memory of 4644	1312	dllhost.exe	82
PID 1312 wrote to memory of 5048	1312	dllhost.exe	81
PID 1312 wrote to memory of 5048	1312	dllhost.exe	81
PID 1312 wrote to memory of 5048	1312	dllhost.exe	81
PID 1312 wrote to memory of 3480	1312	dllhost.exe	85
PID 1312 wrote to memory of 3480	1312	dllhost.exe	85
PID 1312 wrote to memory of 3480	1312	dllhost.exe	85
PID 1312 wrote to memory of 4244	1312	dllhost.exe	92
PID 1312 wrote to memory of 4244	1312	dllhost.exe	92
PID 1312 wrote to memory of 4244	1312	dllhost.exe	92
PID 1312 wrote to memory of 4224	1312	dllhost.exe	88
PID 1312 wrote to memory of 4224	1312	dllhost.exe	88
PID 1312 wrote to memory of 4224	1312	dllhost.exe	88
PID 1312 wrote to memory of 2068	1312	dllhost.exe	89
PID 1312 wrote to memory of 2068	1312	dllhost.exe	89
PID 1312 wrote to memory of 2068	1312	dllhost.exe	89
PID 3792 wrote to memory of 4388	3792	cmd.exe	98
PID 3792 wrote to memory of 4388	3792	cmd.exe	98
PID 3792 wrote to memory of 4388	3792	cmd.exe	98
PID 4764 wrote to memory of 4456	4764	cmd.exe	99
PID 4764 wrote to memory of 4456	4764	cmd.exe	99
PID 4764 wrote to memory of 4456	4764	cmd.exe	99
PID 2068 wrote to memory of 4428	2068	cmd.exe	100
PID 2068 wrote to memory of 4428	2068	cmd.exe	100
PID 2068 wrote to memory of 4428	2068	cmd.exe	100
PID 4776 wrote to memory of 428	4776	cmd.exe	101
PID 4776 wrote to memory of 428	4776	cmd.exe	101
PID 4776 wrote to memory of 428	4776	cmd.exe	101
PID 1980 wrote to memory of 4668	1980	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\2f8c61532e3be1aae0adf359bd0798a79ee43694dec2313cf297ca61631a5e14.exe
"C:\Users\Admin\AppData\Local\Temp\2f8c61532e3be1aae0adf359bd0798a79ee43694dec2313cf297ca61631a5e14.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- C:\ProgramData\Dllhost\dllhost.exe
  "C:\ProgramData\Dllhost\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:4388
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:428
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:4668
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7277" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk3815" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk3063" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk3063" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9449" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:4740
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    PID:3560
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:4580
  - - C:\ProgramData\Dllhost\winlogson.exe
      C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
80KB

MD5
867daf758e471cf769fd32fd29d9f492

SHA1
c92a3fe10ccba22318a4d2b1dafc41f58dc46ab9

SHA256
7377aa70b1775c0a5fd0ad6d274b2d9ce11e5a0a417eaca88924d619ab294054

SHA512
96447dad486a55c0f2c4e6286e350e6557f00031f850c39cec38a127257bcda42910669a6b06fe02b747f3ffb59ee70f2bb535682735a5f084ed4f64570bf671

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
80KB

MD5
867daf758e471cf769fd32fd29d9f492

SHA1
c92a3fe10ccba22318a4d2b1dafc41f58dc46ab9

SHA256
7377aa70b1775c0a5fd0ad6d274b2d9ce11e5a0a417eaca88924d619ab294054

SHA512
96447dad486a55c0f2c4e6286e350e6557f00031f850c39cec38a127257bcda42910669a6b06fe02b747f3ffb59ee70f2bb535682735a5f084ed4f64570bf671

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\SystemFiles\config.json

Filesize
310B

MD5
4ae1aac09bc96e19c644c60984da86d8

SHA1
c8eac4e8c197f9be2940f8cdd1eb5d1af16d4c83

SHA256
8bf4a958fb817ffe9b4238b12f1f64ce489fb42f5e6143efdf6035199fdae769

SHA512
a86f5a8f45ea1b53cbee62618b46f698662a8b71de8edfd427989f83126f9938e21b3e140ad8ef74a76da9cddb258636189f1a8a11ac7df339ba3ebe9b874ea4

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin

Filesize
1KB

MD5
9d484931af66d7d71225cac056f8171f

SHA1
1cdaa180bb3cfef41d9347ba3507fb1a6b48481c

SHA256
b5a8e84b2f9328c40f2bedaf77ee0f3ec04a499cb043558e2f2fbaa83974f47c

SHA512
0be8f09049e91423db8ec8957a49ba678c67005a28546e27573cd8b535cf43f2cf9c02b28ad7eedf799de4abc4897c46e3a2d69e2a9393de6b2376aeb8d0ab48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
decd0b5df2b979254031612ee206c758

SHA1
b33c670ff9dfe0f31d4c9bc298cde4335d3162c1

SHA256
db1773491bbf3ff944bfd9b6bf992715bfda6ec4d6dd5848072996a763a3fc67

SHA512
bb35f4e1eb6ebc2de19489a9de1e04bbebed18a885b1bacdb1aea842248582213dde17794b7e24ff20646a9f69d7c57bef90a07746a29b01adf0a8d2c121c0cb

Download Submit
memory/1312-812-0x0000000000AA0000-0x0000000000ABA000-memory.dmp

Filesize
104KB

Download
memory/1312-828-0x0000000002BF0000-0x0000000002BF6000-memory.dmp

Filesize
24KB

Download
memory/2436-1198-0x00000194EAFD0000-0x00000194EAFF0000-memory.dmp

Filesize
128KB

Download
memory/2436-1199-0x00000194EAFD0000-0x00000194EAFF0000-memory.dmp

Filesize
128KB

Download
memory/2436-1197-0x00000194EAF90000-0x00000194EAFD0000-memory.dmp

Filesize
256KB

Download
memory/2700-146-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-172-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-137-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-138-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-139-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-140-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-141-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-142-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-143-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-144-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-145-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-115-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-147-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-148-0x0000000000310000-0x0000000000328000-memory.dmp

Filesize
96KB

Download
memory/2700-149-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-150-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-151-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-152-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-153-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-154-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-155-0x0000000000910000-0x0000000000916000-memory.dmp

Filesize
24KB

Download
memory/2700-156-0x00000000095A0000-0x0000000009A9E000-memory.dmp

Filesize
5.0MB

Download
memory/2700-157-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-158-0x0000000004DC0000-0x0000000004E52000-memory.dmp

Filesize
584KB

Download
memory/2700-159-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-160-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-161-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-162-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-163-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-164-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-165-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-166-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-167-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-168-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-170-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-169-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-171-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-126-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-173-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-174-0x00000000046A0000-0x00000000046AA000-memory.dmp

Filesize
40KB

Download
memory/2700-175-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-177-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-176-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-178-0x0000000005A90000-0x0000000005AF6000-memory.dmp

Filesize
408KB

Download
memory/2700-179-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-180-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-181-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-182-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-183-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-184-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-135-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-136-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-116-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-117-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-118-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-119-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-120-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-121-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-122-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-128-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-127-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-123-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-124-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-129-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-130-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-125-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-131-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-134-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-132-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-133-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4884-525-0x0000000009A00000-0x0000000009A1A000-memory.dmp

Filesize
104KB

Download
memory/4884-267-0x0000000008880000-0x00000000088CB000-memory.dmp

Filesize
300KB

Download
memory/4884-302-0x0000000009550000-0x000000000956E000-memory.dmp

Filesize
120KB

Download
memory/4884-321-0x0000000009A50000-0x0000000009AE4000-memory.dmp

Filesize
592KB

Download
memory/4884-301-0x0000000009570000-0x00000000095A3000-memory.dmp

Filesize
204KB

Download
memory/4884-530-0x00000000099F0000-0x00000000099F8000-memory.dmp

Filesize
32KB

Download
memory/4884-271-0x00000000085F0000-0x0000000008666000-memory.dmp

Filesize
472KB

Download
memory/4884-314-0x00000000095B0000-0x0000000009655000-memory.dmp

Filesize
660KB

Download
memory/4884-266-0x0000000007F30000-0x0000000007F4C000-memory.dmp

Filesize
112KB

Download
memory/4884-263-0x0000000008050000-0x00000000083A0000-memory.dmp

Filesize
3.3MB

Download
memory/4884-262-0x00000000075B0000-0x0000000007616000-memory.dmp

Filesize
408KB

Download
memory/4884-258-0x00000000074E0000-0x0000000007502000-memory.dmp

Filesize
136KB

Download
memory/4884-242-0x00000000076A0000-0x0000000007CC8000-memory.dmp

Filesize
6.2MB

Download
memory/4884-237-0x0000000006EE0000-0x0000000006F16000-memory.dmp

Filesize
216KB

Download