guloader | 21852b2ff6ff17e36e045883dbd5c30aabf801db69a5fed6451aaec120ad2391

Analysis

max time kernel
111s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2022, 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Doc_009846464.exe
Size

344KB
MD5

b66c56a275326ea35e437242c8c8d871
SHA1

0d2c46927c341ff5541bc6dd5af43cfc79dcbb5e
SHA256

21852b2ff6ff17e36e045883dbd5c30aabf801db69a5fed6451aaec120ad2391
SHA512

7f3f58b6e263d653a12dad7856cb66004fc87ca7448b0ebcb5f505d60d0979a2e8373a4f14d4ff938c8c2e0612bedaf0fcb9105a6c18648bd01154878ef05e5e
SSDEEP

6144:RhRm2R6I+wKhsbacJKU20JLxuooOnTKPp7qcoC6jnwYduiiqRt:LU2+wrbrJKUzJUooOn2P9LoBjw1iHRt

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 64 IoCs

pid	Process
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe
4752	Doc_009846464.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Afkrftede\Redbay.ini	Doc_009846464.exe
File opened for modification	C:\Program Files (x86)\Common Files\Skjortelinnings\Globes\Hermaphrodism\Straalingsmngde.Pyr	Doc_009846464.exe
File opened for modification	C:\Program Files (x86)\Effektiviteterne247\Festmaaltids\Nedfaldenes.Fox	Doc_009846464.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\Abhorrent\Criticship\Tudsefiskens\Hardheadedness76.ini	Doc_009846464.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4156	powershell.exe
4156	powershell.exe
3924	powershell.exe
3924	powershell.exe
532	powershell.exe
532	powershell.exe
2360	powershell.exe
2360	powershell.exe
5100	powershell.exe
5100	powershell.exe
5000	powershell.exe
5000	powershell.exe
4732	powershell.exe
4732	powershell.exe
4348	powershell.exe
4348	powershell.exe
4992	powershell.exe
4992	powershell.exe
4796	powershell.exe
4796	powershell.exe
3556	powershell.exe
3556	powershell.exe
1316	powershell.exe
1316	powershell.exe
3424	powershell.exe
3424	powershell.exe
368	powershell.exe
368	powershell.exe
1756	powershell.exe
1756	powershell.exe
1028	powershell.exe
1028	powershell.exe
3348	powershell.exe
3348	powershell.exe
5000	powershell.exe
5000	powershell.exe
2316	powershell.exe
2316	powershell.exe
4064	powershell.exe
4064	powershell.exe
3464	powershell.exe
3464	powershell.exe
2524	powershell.exe
2524	powershell.exe
3836	powershell.exe
3836	powershell.exe
5064	powershell.exe
5064	powershell.exe
2648	powershell.exe
2648	powershell.exe
544	powershell.exe
544	powershell.exe
4952	powershell.exe
4952	powershell.exe
4948	powershell.exe
4948	powershell.exe
4660	powershell.exe
4660	powershell.exe
4108	powershell.exe
4108	powershell.exe
4076	powershell.exe
4076	powershell.exe
4396	powershell.exe
4396	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	508	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 4156	4752	Doc_009846464.exe	83
PID 4752 wrote to memory of 4156	4752	Doc_009846464.exe	83
PID 4752 wrote to memory of 4156	4752	Doc_009846464.exe	83
PID 4752 wrote to memory of 3924	4752	Doc_009846464.exe	86
PID 4752 wrote to memory of 3924	4752	Doc_009846464.exe	86
PID 4752 wrote to memory of 3924	4752	Doc_009846464.exe	86
PID 4752 wrote to memory of 532	4752	Doc_009846464.exe	88
PID 4752 wrote to memory of 532	4752	Doc_009846464.exe	88
PID 4752 wrote to memory of 532	4752	Doc_009846464.exe	88
PID 4752 wrote to memory of 2360	4752	Doc_009846464.exe	89
PID 4752 wrote to memory of 2360	4752	Doc_009846464.exe	89
PID 4752 wrote to memory of 2360	4752	Doc_009846464.exe	89
PID 4752 wrote to memory of 5100	4752	Doc_009846464.exe	91
PID 4752 wrote to memory of 5100	4752	Doc_009846464.exe	91
PID 4752 wrote to memory of 5100	4752	Doc_009846464.exe	91
PID 4752 wrote to memory of 5000	4752	Doc_009846464.exe	94
PID 4752 wrote to memory of 5000	4752	Doc_009846464.exe	94
PID 4752 wrote to memory of 5000	4752	Doc_009846464.exe	94
PID 4752 wrote to memory of 4732	4752	Doc_009846464.exe	95
PID 4752 wrote to memory of 4732	4752	Doc_009846464.exe	95
PID 4752 wrote to memory of 4732	4752	Doc_009846464.exe	95
PID 4752 wrote to memory of 4348	4752	Doc_009846464.exe	98
PID 4752 wrote to memory of 4348	4752	Doc_009846464.exe	98
PID 4752 wrote to memory of 4348	4752	Doc_009846464.exe	98
PID 4752 wrote to memory of 4992	4752	Doc_009846464.exe	99
PID 4752 wrote to memory of 4992	4752	Doc_009846464.exe	99
PID 4752 wrote to memory of 4992	4752	Doc_009846464.exe	99
PID 4752 wrote to memory of 4796	4752	Doc_009846464.exe	101
PID 4752 wrote to memory of 4796	4752	Doc_009846464.exe	101
PID 4752 wrote to memory of 4796	4752	Doc_009846464.exe	101
PID 4752 wrote to memory of 3556	4752	Doc_009846464.exe	103
PID 4752 wrote to memory of 3556	4752	Doc_009846464.exe	103
PID 4752 wrote to memory of 3556	4752	Doc_009846464.exe	103
PID 4752 wrote to memory of 1316	4752	Doc_009846464.exe	105
PID 4752 wrote to memory of 1316	4752	Doc_009846464.exe	105
PID 4752 wrote to memory of 1316	4752	Doc_009846464.exe	105
PID 4752 wrote to memory of 3424	4752	Doc_009846464.exe	107
PID 4752 wrote to memory of 3424	4752	Doc_009846464.exe	107
PID 4752 wrote to memory of 3424	4752	Doc_009846464.exe	107
PID 4752 wrote to memory of 368	4752	Doc_009846464.exe	112
PID 4752 wrote to memory of 368	4752	Doc_009846464.exe	112
PID 4752 wrote to memory of 368	4752	Doc_009846464.exe	112
PID 4752 wrote to memory of 1756	4752	Doc_009846464.exe	114
PID 4752 wrote to memory of 1756	4752	Doc_009846464.exe	114
PID 4752 wrote to memory of 1756	4752	Doc_009846464.exe	114
PID 4752 wrote to memory of 1028	4752	Doc_009846464.exe	116
PID 4752 wrote to memory of 1028	4752	Doc_009846464.exe	116
PID 4752 wrote to memory of 1028	4752	Doc_009846464.exe	116
PID 4752 wrote to memory of 3348	4752	Doc_009846464.exe	120
PID 4752 wrote to memory of 3348	4752	Doc_009846464.exe	120
PID 4752 wrote to memory of 3348	4752	Doc_009846464.exe	120
PID 4752 wrote to memory of 5000	4752	Doc_009846464.exe	122
PID 4752 wrote to memory of 5000	4752	Doc_009846464.exe	122
PID 4752 wrote to memory of 5000	4752	Doc_009846464.exe	122
PID 4752 wrote to memory of 2316	4752	Doc_009846464.exe	124
PID 4752 wrote to memory of 2316	4752	Doc_009846464.exe	124
PID 4752 wrote to memory of 2316	4752	Doc_009846464.exe	124
PID 4752 wrote to memory of 4064	4752	Doc_009846464.exe	128
PID 4752 wrote to memory of 4064	4752	Doc_009846464.exe	128
PID 4752 wrote to memory of 4064	4752	Doc_009846464.exe	128
PID 4752 wrote to memory of 3464	4752	Doc_009846464.exe	130
PID 4752 wrote to memory of 3464	4752	Doc_009846464.exe	130
PID 4752 wrote to memory of 3464	4752	Doc_009846464.exe	130
PID 4752 wrote to memory of 2524	4752	Doc_009846464.exe	132

C:\Users\Admin\AppData\Local\Temp\Doc_009846464.exe
"C:\Users\Admin\AppData\Local\Temp\Doc_009846464.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6B6570CB -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4156
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x656C3197 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3924
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3A3A41D7 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x656176C0 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x46696EC0 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x41286F85 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x72342289 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x20692295 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x78383295 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30303295 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x302C22CC -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3556
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x20302E85 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x70203289 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3424
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x20692291 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:368
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2C206B85 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30783A95 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2C206B85 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3348
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30296B8B -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x723322FC -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6B6570CB -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4064
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x656C3197 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3464
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3A3A54CC -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x727477C4 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6C416EC9 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6F632ACC -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x302C6B85 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30783395 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4952
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30303295 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4948
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2C206B85 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4660
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30783195 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30302E85 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x692032DD -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x34302BD5 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2E7233FC -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6B6570CB -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x656C3197 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3716
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3A3A51C0 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x74466BC9 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4172
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x65506DCC -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E7467D7 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x28697096 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2C206B85 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x31343091 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x202C22CC -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x20302ECC -bxor 677
  2⤵
  PID:3776
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x20302BCC -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2E7230FC -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6B6570CB -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x656C3197 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3A3A50C0 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3460
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x616444CC -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6C652ACC -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3092
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x72332E85 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x69207094 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2C206B85 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30783395 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30303295 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2C2A6B85 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x302C22CC -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:508
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x20302BCC -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3548
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2E7230FC -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x757367D7 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3900
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3332389F -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x43616EC9 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3204
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x57696CC1 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6F7752D7 -bxor 677
  2⤵
  PID:4824
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6F63438D -bxor 677
  2⤵
  PID:3860
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x69723385 -bxor 677
  2⤵
  PID:3404
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2C692295 -bxor 677
  2⤵
  PID:5040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2C692295 -bxor 677
  2⤵
  PID:4736
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2C206B85 -bxor 677
  2⤵
  PID:4292
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x302C22CC -bxor 677
  2⤵
  PID:2476
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x20302BFC -bxor 677
  2⤵
  PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
479c95a5532e2db54d337abb2bad4902

SHA1
ad1d426c7f2599597122c7aaa5c7bcab7ad68ae0

SHA256
9588a87dc4e967ab3cdd5c464bff1c13a605e30e2c7f779ddd9b5fb0e4edac9f

SHA512
20014327a1c68c02ec8b9c956cb31a41aa68a5ad029c4171c0799e0623375eb20547a1090bf0ed56bbf5395b7f3259db11aca812b39f58a622d90854effbd755

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
92c09c5de0c600124ca233b4a034e17c

SHA1
c70acaadb6890fa2e79a7c072a1466ff608f6bde

SHA256
c3ba6d1c4423e72794cfb5017d6ee5fab0c1959f86004e43449503994a6a4ec3

SHA512
195b10e925356110316a3119c6ee88371cba10d8f69186dc57321b82118d853eee6245fd880ae7e09b134ea4e29212123035dee418fcc394091eabf25b0c750c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
2f90bd97ba164663ab0877494682f869

SHA1
4764b7718714c011929bd17ed914e2ac24baf5f9

SHA256
34c7e83553d9f05cd1410180f062f3ef7883fe74b99dde26fbe17c375f505d65

SHA512
13572029a6aab364381cd621930a91255020dbc841dc82d9d8bfa35299abc54b2380cafbd753a84673a8ee43f0280ea42066964ad5bd337a984012360d52c3ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
abe52b98a2192528475db26977f91097

SHA1
deb2d4089645c794a45da4627d6a7184988be69c

SHA256
0dde884e1f2bbf3b4376554ff1c5ea61d59a7914d75b9d14ec88cb6890c72787

SHA512
afd426de3715681f1c59db59e48e196ed4c74802e101943985500f08c35af5782a39550a1f4bf9d768d873019735c3722838f8261b986bc01d52616248e672e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
d53c75a24c26127a5968559a618b92e4

SHA1
e0dae3de0aee2aebe1bf9c504c36958d244ad1d8

SHA256
c5b5fbd9be7896366088032ff3bf1d5481fed4688751f39b7a82a07427054536

SHA512
43295792af1010e6d965a16b6ad1ec13c784a61e6e10401a5d37af98b1c0fe1f74ea9a5352fd316b19fc1f3a0720d6c843595af68c72392fb3b018a61d208878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
c9fdc6ed66095e69397407762973a38c

SHA1
5ce9e93e82d6c37ca0dce5933afc3dc457e9326a

SHA256
29d6f4cd7a8eb4c9879fe02ac6541fb5e1aa8f72fe4f3412bf5d2e7e4481978a

SHA512
353e54be2f3b433ec539efaf3fe6173bfab3637dc23a0da2a8a1f10d4b2b4fc7fc7fad16176b7880f258825e690bc5ee74d71e3e0d45b41d3f8f819aafd6cce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
0f48684c104a59bb8245ff33f4ba8e3c

SHA1
8561de40ad8b5150a2173c2167c1884535d2d839

SHA256
ee0166158e4b412f8063bfcecb96b8c010528d33e26abd936a1f8cfffb600dc9

SHA512
b1cc053ce179ab526cc871bd239638575e9dc6c71e4aeca7e9f8c66a978d505d34faea9709ed713e0cb2bdd21d5214e3e27081fd24807b7f221519d0e1175a03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
c3793c5ee55701f1899674693d66988f

SHA1
5a01eb98eeee3ee2f40986dce4a08e8d2db5752c

SHA256
d073444cba9a499630a428c953cb21765cdfb1abe5ece36837c7b2fbaa4cbbf1

SHA512
c2e794601812c0af9849ba5905dc9cf4531aca5f07a15696d4da9a8a8ec30b43def85859b401c0770c1b0038737966b4eebb49bb149c91dcca98c7fa66e2997f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
c2284b9edc7ce14ae8855451bffa8a35

SHA1
ced27c02df0885b433125ca8b07d59c17588ab1e

SHA256
2851060c24a46058b38375adad2c23fa51ff6fc0eb8cf699b2ea5285daeea2a0

SHA512
9dc22134fae4f2b8c026046c287f385ddd84c1be1a721ac7b33205755e7e358ca5f70da63302f725001619ff40d355690a33189e79c443087074428838036a65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
eabcc7ca1e67d9bd897457c3a10d5a94

SHA1
5a49106a3d1d2223f42598c0e52cf608ca1b5ec8

SHA256
dd918fb5a3b34f289f10180acc76783a30063ecf201321399c44245be264cfde

SHA512
362b87b3c32c8979bd9c08bb0e4205278c3670951686db6fd0133ab224824dd259a29b55e4a69794c1841563021df6e2c1ae07404215f694baa0efaa3186217b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
ab4fd79b108206053b8367b4d9247dd1

SHA1
d5b01ea1cea7be041ff1b48d4b9c9d923228bd5d

SHA256
78e95b3ceff6d80c5bb0dbd9a310cf5c2be4c7d03a01cc47d6b8f43ae0449536

SHA512
3de5827ad143908e4f8b7c1f0d868592373b86d3260019d8e34fb5d98248171d81af7e3c4ba3f32fe58fd87ffde4a426afc834b527ec19ff1ee6919486baf2f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
fe5a39fcf358ac9988594e50010a9fff

SHA1
8f3345e90406af53a96564f93326bc63064174d3

SHA256
a8898cb82954ecc9dd7c1df706ec91c53fc385c6b315e1b70b4e843403c04336

SHA512
d4032593581c02d333724b699b0ecc885a4fec9f726b0d499fd87d1570e0d0870c7dfd56850ca0c0f204fdf75b1ad5986b545853741c33ed998cbf5f636b8c33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
cc5cff4a1df119abc7a016a63fd6dc5a

SHA1
86dbeb5fb4fbe6f41bf187472118b704ad8b1a93

SHA256
b7527a704ca1c3a06112e55cf3a06c84f817ec9f9669e06dc19a985af22ed421

SHA512
5a4e7995a89e870c9e3f793b6442ac586a09c542c02e63ae8dd78f09ccf9036ba382d63986c921535fea3c14b10d107074508c88c3cd98929a880ad17e7e96bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
219d0338ff42e7cb3690d83a62aad60e

SHA1
37dd50a6fa18a317afb9652f44f966953fba08a4

SHA256
0fafbfff57e89791a0f4deab87dea4602e22d433d010f185edc867c0cf9cadf1

SHA512
8f287ad7c6a0f4d8b5390b62289622fbf64b98e21a43979e3c694664c1638f08f185fa433eef005b1b8b3b90cc1e1411381e0a6512eaf8b44008a47748e5d297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
f1bfaa466ad8ea0326571722df56561e

SHA1
2720aa1281030be5c8413906d62deba250972fe5

SHA256
8d26696a756b9853cf913d61cdb80a9cc8607f5b2cd077f97b70e1f01f93dd02

SHA512
bec3a5b476246eabf95ccdaa41171ead972c84f3a1bfeefac0dc2d4a7d4bb582d17153dfc29fb8751f4617978068204896be551bacdb316c7e774c2cd11ec809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
19241dfe045dcbc2562f6fe7baf92b2a

SHA1
9d7517f51001ca8f06563256d76a3f9c35ecff2b

SHA256
5a4c935e801f49e6576b10e827a0997176b395570fbefe447402a0fe91a12f50

SHA512
c500b0b33c5d615caaf518f535ffcb83aa39e705a4466ee1784de8ca6e53dec69536a593ba308c450dda451c553f236a31f901763a5323bebba3c50cdec9896b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
e22bdf46e6c402f6ac9119cf710a9344

SHA1
d4fef457cf732ba0050fcbd3da4965c6a6033195

SHA256
4003e57f1cba611bb588006ec58b9d68d9d06ef360e15ef0e0fb0d753eb57472

SHA512
b3de03cb261e6e68b388c9ec2c8e7f5ca96b91efffb9a3a8f44b3c292b7ea6f3bc6a38eabd495a382e162b4dbbb3845cacf81139a9dc284d0d399aba6f9fa659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
b275935e6e36ac5eae83a09ef9200b07

SHA1
961ec7c845589e65c5d5f832f0a203180f93ddf1

SHA256
fccaedca374d3ce301fa590d6cce18d206118d2ca9b748d600b3d40786672fdf

SHA512
fe840625cea3e2b98182bfde535e3b41dad36f04104f45b861e9ed7d58d2ccc4e0576e5bcdf0d104d919e87ba527752298bacbfdda65017dada50cc307533873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
136fe4a9f34a26722c0983193d53d2fb

SHA1
662d0d33de0f762f2aaad6a6d1d342b37df95897

SHA256
2a6329f8be839a836daca925fb7d28b1757deec8c78114f1c6757c0dc4f59f63

SHA512
cd0627a445a03c77a657eb9ad7b5d0276f68acd343e0893210904296d3965985f1bb7e52e4131381753b81cb7b4b0955e92bb12c4b7688e1b3eef9f0ac2dcbdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
077f8e7e422dfc19cedc2c720f5cfc10

SHA1
689fea8b1729658fa3614cbda60ac08849972c70

SHA256
59e588703c21ad221a113af00fe942b0c53ba05e09edb43a7f3dd8adca52cb2f

SHA512
8b9f4e0d8ab10faa39e55dc67bce1733315a495cbee92f6226ef36e75efd04d68a44bdfe85590793f0e26b6b0327cf7ad7d5ad87358b64df9673cae198477974

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
569a5618f09e4513387017254ec25325

SHA1
2661400e124566cde4cf1ea9252027deeb033839

SHA256
270f4dcdbc00cb4eef1deffacff67ef037a1b7671b44fbede5825cf5db8318f8

SHA512
12b921389edd40e87069525b81d300febe1c4061066462dd0ba291099f35f0ad22c6da64f02c813cc1f60bdfde01dad45c67bb8c8d46b10be652503220cca10b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
9466391c19e90a77440730d0e78efdc6

SHA1
e1b8601ace41383de98de3e9257679c86cce54cd

SHA256
7118967d89389d96941885e345657b1b8043534096b9b6cb3831d4a6c110a500

SHA512
99cdfc993cd79eec9508edd28014fb882f5e9f05e63426da2677c92fe75b299fb8b4cbd926e7698cbf80248f53be16dcb9aa8bb77fc0fe2854791a483e089754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
c07a46d5169589384711edd91b269d79

SHA1
176148802fb97416d844158b50fa26f06f0e867b

SHA256
11be6cced33e8684d2c8691a93093d15ca1af971ca3107216afb0a128f40e2fa

SHA512
d8b557f3619ad9c3c4400745201da3232280051c4c788942074f0cd302c26de0683ecfc2db2be681bcd3ee8e4440c4bcd4eb6c4b327fbe77956b6ac33aaee7d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
07503490f2b59553260fe9d170fa023c

SHA1
a2b2b88071a243bd0cf484b43b29b158ee658847

SHA256
807ce0b2ce1aec1c716f8a38d8d34b69e7f80cbd8d1f440e021e6a8032dbe86d

SHA512
cbc811417a4bfebfffee748c03a7ea466da46dbf2533684019cd9f8ea2e72b545ed76afea5c0a93f89d8639305c7ca3000d0ad7059518aa0bd480cce020a9751

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
7f443c2677b2cfd9056c47adc4793042

SHA1
13fc3b7d6f5eced0c220c065906d00bb64d55d3e

SHA256
bb71e423dad36538d9e85f14672e4a49f66974e238820ceb2a57e0e2b80af18a

SHA512
d8beea590a903c360103377a7259fe2635a1ef572cb66e2a2acb2848e68711f944934e3e9e7bbc602cb20f1d1cb3c8662f447cb07e8702b88815cf52f1572f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
a054e863d5095cb6ea3956ba49be2608

SHA1
676f9e3dfe2ed0efcd5db6d9c78384c12aaa6234

SHA256
da1f3fab9630a3dcfdbb60e213a26db4250743265bfc4d793abaef814e8c439c

SHA512
4bd6cedb73e8dc86bbba96c7e7304413178bf32fd37cb854daa107a7c240764edcfb6f104b7a66df2cb1a0cd16f8d7157621ff26927a1144b8f0182df613a4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\System.dll

Filesize
11KB

MD5
c9473cb90d79a374b2ba6040ca16e45c

SHA1
ab95b54f12796dce57210d65f05124a6ed81234a

SHA256
b80a5cba69d1853ed5979b0ca0352437bf368a5cfb86cb4528edadd410e11352

SHA512
eafe7d5894622bc21f663bca4dd594392ee0f5b29270b6b56b0187093d6a3a103545464ff6398ad32d2cf15dab79b1f133218ba9ba337ddc01330b5ada804d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA407.tmp\nsExec.dll

Filesize
6KB

MD5
0a6f707fa22c3f3e5d1abb54b0894ad6

SHA1
610cb2c3623199d0d7461fc775297e23cef88c4e

SHA256
370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

SHA512
af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

Download Submit
memory/4156-134-0x00000000046A0000-0x00000000046D6000-memory.dmp

Filesize
216KB

Download
memory/4156-139-0x0000000005CE0000-0x0000000005CFE000-memory.dmp

Filesize
120KB

Download
memory/4156-138-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/4156-137-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/4156-136-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

Filesize
136KB

Download
memory/4156-135-0x0000000004E20000-0x0000000005448000-memory.dmp

Filesize
6.2MB

Download
memory/4752-266-0x0000000003230000-0x0000000003330000-memory.dmp

Filesize
1024KB

Download
memory/4752-267-0x0000000003230000-0x0000000003330000-memory.dmp

Filesize
1024KB

Download