1e6b66ee8cd8d3093dcb297130b2b5f5883cd78e8816917ea1a6e4b400431bf5

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2022, 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e6b66ee8cd8d3093dcb297130b2b5f5883cd78e8816917ea1a6e4b400431bf5.exe
Size

731KB
MD5

c119c3c9045ade693d983a12ec96787c
SHA1

a09aab4828ae92a64807655590dedeb8ef9260f9
SHA256

1e6b66ee8cd8d3093dcb297130b2b5f5883cd78e8816917ea1a6e4b400431bf5
SHA512

1eb4d60d50ca84a539fe36d241e7211483d671e3774c00961b7c6e91a341c5e38cc9b6ddd1deed47e1c9a82217fb38aa2ef79fc8f5a0ec9255808fbdb4126f23
SSDEEP

768:rZmchlXKGREW6VA6joSRhFH+C9Pe2auEqainmngYWxuv8Gwmwoe9R4ZstojtfcWv:schl6M+lpDCUoHid0bIrlyR

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3680	dllhost.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4176	schtasks.exe
3232	schtasks.exe
3584	schtasks.exe
5112	schtasks.exe
4008	schtasks.exe
832	schtasks.exe
2844	schtasks.exe
3552	schtasks.exe
536	schtasks.exe
2364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1604	powershell.exe
1604	powershell.exe
1104	powershell.exe
1104	powershell.exe
1740	powershell.exe
1740	powershell.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe
3680	dllhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	4124	1e6b66ee8cd8d3093dcb297130b2b5f5883cd78e8816917ea1a6e4b400431bf5.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	3680	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 1084	4124	1e6b66ee8cd8d3093dcb297130b2b5f5883cd78e8816917ea1a6e4b400431bf5.exe	80
PID 4124 wrote to memory of 1084	4124	1e6b66ee8cd8d3093dcb297130b2b5f5883cd78e8816917ea1a6e4b400431bf5.exe	80
PID 4124 wrote to memory of 1084	4124	1e6b66ee8cd8d3093dcb297130b2b5f5883cd78e8816917ea1a6e4b400431bf5.exe	80
PID 1084 wrote to memory of 1484	1084	cmd.exe	82
PID 1084 wrote to memory of 1484	1084	cmd.exe	82
PID 1084 wrote to memory of 1484	1084	cmd.exe	82
PID 1084 wrote to memory of 1604	1084	cmd.exe	83
PID 1084 wrote to memory of 1604	1084	cmd.exe	83
PID 1084 wrote to memory of 1604	1084	cmd.exe	83
PID 1084 wrote to memory of 1104	1084	cmd.exe	89
PID 1084 wrote to memory of 1104	1084	cmd.exe	89
PID 1084 wrote to memory of 1104	1084	cmd.exe	89
PID 1084 wrote to memory of 1740	1084	cmd.exe	92
PID 1084 wrote to memory of 1740	1084	cmd.exe	92
PID 1084 wrote to memory of 1740	1084	cmd.exe	92
PID 4124 wrote to memory of 3680	4124	1e6b66ee8cd8d3093dcb297130b2b5f5883cd78e8816917ea1a6e4b400431bf5.exe	93
PID 4124 wrote to memory of 3680	4124	1e6b66ee8cd8d3093dcb297130b2b5f5883cd78e8816917ea1a6e4b400431bf5.exe	93
PID 4124 wrote to memory of 3680	4124	1e6b66ee8cd8d3093dcb297130b2b5f5883cd78e8816917ea1a6e4b400431bf5.exe	93
PID 3680 wrote to memory of 3144	3680	dllhost.exe	94
PID 3680 wrote to memory of 3144	3680	dllhost.exe	94
PID 3680 wrote to memory of 3144	3680	dllhost.exe	94
PID 3680 wrote to memory of 4960	3680	dllhost.exe	95
PID 3680 wrote to memory of 4960	3680	dllhost.exe	95
PID 3680 wrote to memory of 4960	3680	dllhost.exe	95
PID 3680 wrote to memory of 1612	3680	dllhost.exe	96
PID 3680 wrote to memory of 1612	3680	dllhost.exe	96
PID 3680 wrote to memory of 1612	3680	dllhost.exe	96
PID 3680 wrote to memory of 4452	3680	dllhost.exe	97
PID 3680 wrote to memory of 4452	3680	dllhost.exe	97
PID 3680 wrote to memory of 4452	3680	dllhost.exe	97
PID 3680 wrote to memory of 528	3680	dllhost.exe	98
PID 3680 wrote to memory of 528	3680	dllhost.exe	98
PID 3680 wrote to memory of 528	3680	dllhost.exe	98
PID 3680 wrote to memory of 3488	3680	dllhost.exe	104
PID 3680 wrote to memory of 3488	3680	dllhost.exe	104
PID 3680 wrote to memory of 3488	3680	dllhost.exe	104
PID 3680 wrote to memory of 1860	3680	dllhost.exe	106
PID 3680 wrote to memory of 1860	3680	dllhost.exe	106
PID 3680 wrote to memory of 1860	3680	dllhost.exe	106
PID 3680 wrote to memory of 1284	3680	dllhost.exe	107
PID 3680 wrote to memory of 1284	3680	dllhost.exe	107
PID 3680 wrote to memory of 1284	3680	dllhost.exe	107
PID 3680 wrote to memory of 4240	3680	dllhost.exe	108
PID 3680 wrote to memory of 4240	3680	dllhost.exe	108
PID 3680 wrote to memory of 4240	3680	dllhost.exe	108
PID 3680 wrote to memory of 1488	3680	dllhost.exe	110
PID 3680 wrote to memory of 1488	3680	dllhost.exe	110
PID 3680 wrote to memory of 1488	3680	dllhost.exe	110
PID 3680 wrote to memory of 3576	3680	dllhost.exe	113
PID 3680 wrote to memory of 3576	3680	dllhost.exe	113
PID 3680 wrote to memory of 3576	3680	dllhost.exe	113
PID 3680 wrote to memory of 2168	3680	dllhost.exe	115
PID 3680 wrote to memory of 2168	3680	dllhost.exe	115
PID 3680 wrote to memory of 2168	3680	dllhost.exe	115
PID 3144 wrote to memory of 4176	3144	cmd.exe	119
PID 3144 wrote to memory of 4176	3144	cmd.exe	119
PID 3144 wrote to memory of 4176	3144	cmd.exe	119
PID 1284 wrote to memory of 832	1284	cmd.exe	118
PID 1284 wrote to memory of 832	1284	cmd.exe	118
PID 1284 wrote to memory of 832	1284	cmd.exe	118
PID 1612 wrote to memory of 3232	1612	cmd.exe	121
PID 1612 wrote to memory of 3232	1612	cmd.exe	121
PID 1612 wrote to memory of 3232	1612	cmd.exe	121
PID 4960 wrote to memory of 2844	4960	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\1e6b66ee8cd8d3093dcb297130b2b5f5883cd78e8816917ea1a6e4b400431bf5.exe
"C:\Users\Admin\AppData\Local\Temp\1e6b66ee8cd8d3093dcb297130b2b5f5883cd78e8816917ea1a6e4b400431bf5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- C:\ProgramData\Dllhost\dllhost.exe
  "C:\ProgramData\Dllhost\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:4176
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:3232
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    PID:528
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:536
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    PID:3488
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    PID:1860
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:5112
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:832
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk8036" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    PID:4240
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk8036" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk5121" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk5121" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk9526" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk6161" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    PID:2168
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk6161" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
    3⤵
    PID:4224
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
    3⤵
    PID:544
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
    3⤵
    PID:1028
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:3764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
950KB

MD5
2ca6cb0ee861dd79c0a7ce667d70d4a4

SHA1
dbb534e346fdcb1d23d8f66dc59e7572a9906a05

SHA256
6b00096c89a3ff6cbe551a37534b3b49bbf5d27874e80f84d1f1a26f047b45df

SHA512
271b2429e119ac2a423d07b4718997f18fbf37a16f700d155ecc1a7f912145260730c6a7137294ec7f69637581e34b5399d2e58fa7ee0f5cf3cc2b419fa645bd

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
950KB

MD5
2ca6cb0ee861dd79c0a7ce667d70d4a4

SHA1
dbb534e346fdcb1d23d8f66dc59e7572a9906a05

SHA256
6b00096c89a3ff6cbe551a37534b3b49bbf5d27874e80f84d1f1a26f047b45df

SHA512
271b2429e119ac2a423d07b4718997f18fbf37a16f700d155ecc1a7f912145260730c6a7137294ec7f69637581e34b5399d2e58fa7ee0f5cf3cc2b419fa645bd

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
497B

MD5
13fda2ab01b83a5130842a5bab3892d3

SHA1
6e18e4b467cde054a63a95d4dfc030f156ecd215

SHA256
76973d42c8fceceab7ec85b3d01b218db92564993e93a9bea31c52aa73aeee9e

SHA512
c51f9fd6e452fbeeedd4dfaba3c7c887e337f01e68abdd27d4032f8be85def7ef3cf0c77bf60e425b085b76c0539464c6b6e5e805a69397c5519e8ccf9fffccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1bd731ae94f6b20f841bca0d34d48974

SHA1
e89072777793afdbb18c375fff8a88431fbb38d1

SHA256
ec8ccfb75050edfba06e61682a881539f4bd0eecf0ec9758b518e535dec4f772

SHA512
c63152c92907630cc8bf65cc61626e7cf4d247ffe23b71019e5752c0b55aab32a115eac77306d397e4895d8ef2be6463f1566e7fa58f944a972ddeb64b711d0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ded5cd8bb54252668f95c75ab9a1390f

SHA1
65e1dbf6c6da8782868e251110d64f1ab7ed09ad

SHA256
06a446cd233ddb73317e91b2c1c0c56416ea17d6419abc9cb922309055c6345b

SHA512
ad5fc6f63c014a7028a2072aa1ffef0a7f24287a832a09815ebd6700b122da0a4cc20f5859533dd3ad0325e962ec4a1b95f699dbf15f24977bd69d6f3a31f4d7

Download Submit
memory/1104-158-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

Filesize
304KB

Download
memory/1604-147-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/1604-146-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

Filesize
304KB

Download
memory/1604-151-0x0000000007950000-0x00000000079E6000-memory.dmp

Filesize
600KB

Download
memory/1604-152-0x00000000078F0000-0x00000000078FE000-memory.dmp

Filesize
56KB

Download
memory/1604-153-0x00000000079F0000-0x0000000007A0A000-memory.dmp

Filesize
104KB

Download
memory/1604-154-0x0000000007930000-0x0000000007938000-memory.dmp

Filesize
32KB

Download
memory/1604-149-0x00000000076D0000-0x00000000076EA000-memory.dmp

Filesize
104KB

Download
memory/1604-148-0x0000000007D30000-0x00000000083AA000-memory.dmp

Filesize
6.5MB

Download
memory/1604-142-0x00000000053D0000-0x00000000053F2000-memory.dmp

Filesize
136KB

Download
memory/1604-150-0x0000000007720000-0x000000000772A000-memory.dmp

Filesize
40KB

Download
memory/1604-145-0x0000000007380000-0x00000000073B2000-memory.dmp

Filesize
200KB

Download
memory/1604-141-0x0000000005530000-0x0000000005B58000-memory.dmp

Filesize
6.2MB

Download
memory/1604-140-0x0000000002DC0000-0x0000000002DF6000-memory.dmp

Filesize
216KB

Download
memory/1604-144-0x0000000006390000-0x00000000063AE000-memory.dmp

Filesize
120KB

Download
memory/1604-143-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/1740-161-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

Filesize
304KB

Download
memory/3680-165-0x00000000008B0000-0x0000000000960000-memory.dmp

Filesize
704KB

Download
memory/4124-136-0x0000000004DB0000-0x0000000004E16000-memory.dmp

Filesize
408KB

Download
memory/4124-132-0x00000000000E0000-0x0000000000188000-memory.dmp

Filesize
672KB

Download
memory/4124-135-0x0000000004B30000-0x0000000004B3A000-memory.dmp

Filesize
40KB

Download
memory/4124-134-0x0000000004B80000-0x0000000004C12000-memory.dmp

Filesize
584KB

Download
memory/4124-133-0x0000000005130000-0x00000000056D4000-memory.dmp

Filesize
5.6MB

Download