xmrig | 486336e87d288d8b951d20a95c3e33872691a1f9cd804cea5c7f4cf9763bd212

Analysis

max time kernel
38s
max time network
178s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
07/03/2023, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

486336e87d288d8b951d20a95c3e33872691a1f9cd804cea5c7f4cf9763bd212.exe
Size

241KB
MD5

e411f5765a17f898e5859d59f1b856f3
SHA1

2b2a167e989162e530985484f7b9b04c212e532d
SHA256

486336e87d288d8b951d20a95c3e33872691a1f9cd804cea5c7f4cf9763bd212
SHA512

3d6e5c1d7f04b683e8812f41d31b738467631844ef5fa5bd04b2dcdbfbd26150f8b92b1175c165decdd7950bbbf5b2a4fc256ed0d992032a5c869d2e52d4cf60
SSDEEP

3072:gtgkXodx3JMiaAUBi11vcERQ8IazeUZrfY8Z4Eq+09IjPOX+32/Dv+fFGRFtK2wK:gt6a7iRQnAPvRfPOX+36zm4D1xVB

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral2/files/0x000900000001af2a-1666.dat	xmrig
behavioral2/memory/2868-1668-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/files/0x000900000001af2a-1670.dat	xmrig
behavioral2/memory/2544-1672-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/files/0x000900000001af2a-1674.dat	xmrig
behavioral2/files/0x000900000001af2a-1673.dat	xmrig
behavioral2/memory/3424-1676-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/files/0x000900000001af2a-1678.dat	xmrig
behavioral2/memory/4340-1680-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/files/0x000900000001af2a-1682.dat	xmrig
behavioral2/memory/1248-1683-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	MSBuild.exe

Executes dropped EXE 1 IoCs

pid	Process
532	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 2304	2020	486336e87d288d8b951d20a95c3e33872691a1f9cd804cea5c7f4cf9763bd212.exe	67

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1476	schtasks.exe
4924	schtasks.exe
2504	schtasks.exe
4972	schtasks.exe
2452	schtasks.exe
4660	schtasks.exe
1936	schtasks.exe
4100	schtasks.exe
1636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2304	MSBuild.exe
4616	powershell.exe
4616	powershell.exe
4616	powershell.exe
2312	powershell.exe
2312	powershell.exe
2884	powershell.exe
2884	powershell.exe
3008	powershell.exe
3008	powershell.exe
3880	powershell.exe
3880	powershell.exe
2880	powershell.exe
2880	powershell.exe
2312	powershell.exe
2884	powershell.exe
3008	powershell.exe
3880	powershell.exe
2880	powershell.exe
2312	powershell.exe
3880	powershell.exe
2884	powershell.exe
3008	powershell.exe
2880	powershell.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe
532	dllhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	MSBuild.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeShutdownPrivilege	4020	powercfg.exe
Token: SeCreatePagefilePrivilege	4020	powercfg.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeShutdownPrivilege	4696	powercfg.exe
Token: SeCreatePagefilePrivilege	4696	powercfg.exe
Token: SeShutdownPrivilege	3924	powercfg.exe
Token: SeCreatePagefilePrivilege	3924	powercfg.exe
Token: SeDebugPrivilege	532	dllhost.exe
Token: SeShutdownPrivilege	4388	powercfg.exe
Token: SeCreatePagefilePrivilege	4388	powercfg.exe
Token: SeShutdownPrivilege	4836	powercfg.exe
Token: SeCreatePagefilePrivilege	4836	powercfg.exe
Token: SeShutdownPrivilege	4836	powercfg.exe
Token: SeCreatePagefilePrivilege	4836	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2304	2020	486336e87d288d8b951d20a95c3e33872691a1f9cd804cea5c7f4cf9763bd212.exe	67
PID 2020 wrote to memory of 2304	2020	486336e87d288d8b951d20a95c3e33872691a1f9cd804cea5c7f4cf9763bd212.exe	67
PID 2020 wrote to memory of 2304	2020	486336e87d288d8b951d20a95c3e33872691a1f9cd804cea5c7f4cf9763bd212.exe	67
PID 2020 wrote to memory of 2304	2020	486336e87d288d8b951d20a95c3e33872691a1f9cd804cea5c7f4cf9763bd212.exe	67
PID 2020 wrote to memory of 2304	2020	486336e87d288d8b951d20a95c3e33872691a1f9cd804cea5c7f4cf9763bd212.exe	67
PID 2304 wrote to memory of 3888	2304	MSBuild.exe	69
PID 2304 wrote to memory of 3888	2304	MSBuild.exe	69
PID 2304 wrote to memory of 3888	2304	MSBuild.exe	69
PID 3888 wrote to memory of 4616	3888	cmd.exe	71
PID 3888 wrote to memory of 4616	3888	cmd.exe	71
PID 3888 wrote to memory of 4616	3888	cmd.exe	71
PID 2304 wrote to memory of 532	2304	MSBuild.exe	72
PID 2304 wrote to memory of 532	2304	MSBuild.exe	72
PID 2304 wrote to memory of 532	2304	MSBuild.exe	72
PID 2304 wrote to memory of 1004	2304	MSBuild.exe	102
PID 2304 wrote to memory of 1004	2304	MSBuild.exe	102
PID 2304 wrote to memory of 1004	2304	MSBuild.exe	102
PID 2304 wrote to memory of 672	2304	MSBuild.exe	101
PID 2304 wrote to memory of 672	2304	MSBuild.exe	101
PID 2304 wrote to memory of 672	2304	MSBuild.exe	101
PID 2304 wrote to memory of 3460	2304	MSBuild.exe	99
PID 2304 wrote to memory of 3460	2304	MSBuild.exe	99
PID 2304 wrote to memory of 3460	2304	MSBuild.exe	99
PID 2304 wrote to memory of 3432	2304	MSBuild.exe	98
PID 2304 wrote to memory of 3432	2304	MSBuild.exe	98
PID 2304 wrote to memory of 3432	2304	MSBuild.exe	98
PID 2304 wrote to memory of 3424	2304	MSBuild.exe	96
PID 2304 wrote to memory of 3424	2304	MSBuild.exe	96
PID 2304 wrote to memory of 3424	2304	MSBuild.exe	96
PID 2304 wrote to memory of 4072	2304	MSBuild.exe	95
PID 2304 wrote to memory of 4072	2304	MSBuild.exe	95
PID 2304 wrote to memory of 4072	2304	MSBuild.exe	95
PID 2304 wrote to memory of 684	2304	MSBuild.exe	94
PID 2304 wrote to memory of 684	2304	MSBuild.exe	94
PID 2304 wrote to memory of 684	2304	MSBuild.exe	94
PID 2304 wrote to memory of 924	2304	MSBuild.exe	93
PID 2304 wrote to memory of 924	2304	MSBuild.exe	93
PID 2304 wrote to memory of 924	2304	MSBuild.exe	93
PID 2304 wrote to memory of 4132	2304	MSBuild.exe	92
PID 2304 wrote to memory of 4132	2304	MSBuild.exe	92
PID 2304 wrote to memory of 4132	2304	MSBuild.exe	92
PID 2304 wrote to memory of 4508	2304	MSBuild.exe	73
PID 2304 wrote to memory of 4508	2304	MSBuild.exe	73
PID 2304 wrote to memory of 4508	2304	MSBuild.exe	73
PID 2304 wrote to memory of 4364	2304	MSBuild.exe	74
PID 2304 wrote to memory of 4364	2304	MSBuild.exe	74
PID 2304 wrote to memory of 4364	2304	MSBuild.exe	74
PID 2304 wrote to memory of 228	2304	MSBuild.exe	88
PID 2304 wrote to memory of 228	2304	MSBuild.exe	88
PID 2304 wrote to memory of 228	2304	MSBuild.exe	88
PID 2304 wrote to memory of 224	2304	MSBuild.exe	87
PID 2304 wrote to memory of 224	2304	MSBuild.exe	87
PID 2304 wrote to memory of 224	2304	MSBuild.exe	87
PID 2304 wrote to memory of 2188	2304	MSBuild.exe	85
PID 2304 wrote to memory of 2188	2304	MSBuild.exe	85
PID 2304 wrote to memory of 2188	2304	MSBuild.exe	85
PID 4364 wrote to memory of 2312	4364	cmd.exe	97
PID 4364 wrote to memory of 2312	4364	cmd.exe	97
PID 4364 wrote to memory of 2312	4364	cmd.exe	97
PID 3424 wrote to memory of 2452	3424	cmd.exe	100
PID 3424 wrote to memory of 2452	3424	cmd.exe	100
PID 3424 wrote to memory of 2452	3424	cmd.exe	100
PID 1004 wrote to memory of 1636	1004	cmd.exe	103
PID 1004 wrote to memory of 1636	1004	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\486336e87d288d8b951d20a95c3e33872691a1f9cd804cea5c7f4cf9763bd212.exe
"C:\Users\Admin\AppData\Local\Temp\486336e87d288d8b951d20a95c3e33872691a1f9cd804cea5c7f4cf9763bd212.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAHUAYQBKAHkATwBOADYAUwBGADAAMABKAHYARgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdgAwAGEANgBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAEsAZwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA0AHoASwA0AGsARwA4AEwAQwAwACMAPgA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAHUAYQBKAHkATwBOADYAUwBGADAAMABKAHYARgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdgAwAGEANgBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAEsAZwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA0AHoASwA0AGsARwA4AEwAQwAwACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4616
- - C:\ProgramData\Dllhost\dllhost.exe
    "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:532
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:2592
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:2840
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:2868
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:4708
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:8
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:2084
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:1004
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:3424
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:4772
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:4340
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4660
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:1440
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:2164
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAFYAVgAtBEIEawAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIANQBYABgEKQRhAE8EcgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAPARLBBYEYgBEBCIEFgRUACMAPgAgAEAAKAAgADwAIwB1ABMEMgA1BCYELgQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAQQRHBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwAzAEwAOQArBDIASwQwACgEUwBLADQEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMALwQtBFEAbQBDBEIEEgRzAEsANgAjAD4A"
    3⤵
    PID:4508
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAFYAVgAtBEIEawAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIANQBYABgEKQRhAE8EcgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAPARLBBYEYgBEBCIEFgRUACMAPgAgAEAAKAAgADwAIwB1ABMEMgA1BCYELgQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAQQRHBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwAzAEwAOQArBDIASwQwACgEUwBLADQEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMALwQtBFEAbQBDBEIEEgRzAEsANgAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAEsESQQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAMAQ8BFgAHARwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwARBEEEeABCABkEOAAjAD4AIABAACgAIAA8ACMAdwB2AEkEagA2BEoEEgQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAeAA0BDkASwAlBDMEWgAiBEoAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEsAcwBJBBMEbQAcBFAAPQRHACEEQwBzACAEIwQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA0ABgEbwAbBCcEIwA+AA=="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAEsESQQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAMAQ8BFgAHARwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwARBEEEeABCABkEOAAjAD4AIABAACgAIAA8ACMAdwB2AEkEagA2BEoEEgQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAeAA0BDkASwAlBDMEWgAiBEoAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEsAcwBJBBMEbQAcBFAAPQRHACEEQwBzACAEIwQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA0ABgEbwAbBCcEIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo ЖndGФe0Bd & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo
    3⤵
    PID:2188
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4020
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4696
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3924
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4388
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /hibernate off
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4836
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4100
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjABoEEwRBADAAcgAdBBEERQAaBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdABNBEIAJgQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAGgQQBGUAUgBJAGoAKwRHBHgAdQBLACYERQRkABkEIwA+ACAAQAAoACAAPAAjAC8EHQQhBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBEBGkAIwQ4AG8AQQBnAB8EIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEIANwBYAGoAZABFAEcEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMANQRFBCMAPgA="
    3⤵
    PID:224
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjABoEEwRBADAAcgAdBBEERQAaBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdABNBEIAJgQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAGgQQBGUAUgBJAGoAKwRHBHgAdQBLACYERQRkABkEIwA+ACAAQAAoACAAPAAjAC8EHQQhBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBEBGkAIwQ4AG8AQQBnAB8EIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAEIANwBYAGoAZABFAEcEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMANQRFBCMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjACIEMQA9BDEAZgAUBE0ESwAaBEUEQgQbBFAANQBRACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAVgBqADIETgRxAFAAFgRKAGYAIwRCBGYAVwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMASwBqAFIAHAROAEIEYwBVAGcAZwAjAD4AIABAACgAIAA8ACMARgA4AFUARgRFAEkETQAUBEQESgRmACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwB5ACgEOwRGBEcAVwAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAeAA/BBsEegBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkEVQBzADAEKgRiAGMASARrAB8EKwQjAD4A"
    3⤵
    PID:228
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjACIEMQA9BDEAZgAUBE0ESwAaBEUEQgQbBFAANQBRACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAVgBqADIETgRxAFAAFgRKAGYAIwRCBGYAVwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMASwBqAFIAHAROAEIEYwBVAGcAZwAjAD4AIABAACgAIAA8ACMARgA4AFUARgRFAEkETQAUBEQESgRmACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwB5ACgEOwRGBEcAVwAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAeAA/BBsEegBLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkEVQBzADAEKgRiAGMASARrAB8EKwQjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjABYESgBpACIEIARGBGUALgRCBDUAOQAYBDkAZABGBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAVwAxADsEHAR2AG8AdgAyAGwAcwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANAQwBBMEMQRaACMAPgAgAEAAKAAgADwAIwBTADcEbgA+BEUEMAAYBBcEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAFoANwQ6BGoASARHAE4ERgA3AEUEMAQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAFwQoBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEAEHwQxBCMAPgA="
    3⤵
    PID:4132
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjABYESgBpACIEIARGBGUALgRCBDUAOQAYBDkAZABGBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAVwAxADsEHAR2AG8AdgAyAGwAcwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANAQwBBMEMQRaACMAPgAgAEAAKAAgADwAIwBTADcEbgA+BEUEMAAYBBcEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAFoANwQ6BGoASARHAE4ERgA3AEUEMAQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAFwQoBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEAEHwQxBCMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ВВЮG & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo
    3⤵
    PID:924
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo Д7дбжцR8Xи & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo M6ВэpdbefK
    3⤵
    PID:684
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ЯьoЩЪD & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo 3qy
    3⤵
    PID:4072
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo НтU & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo Хt7цmjdЧ6Vxt6ХцО
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo vоВBоV & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ГrцBuцПГr
    3⤵
    PID:3432
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo аТюZырiNfл45 & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo
    3⤵
    PID:3460
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ХТ3ШОРn & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo sRБnЗоxГasЦезn
    3⤵
    PID:672
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo п3ZBiHСЭСGЧRЩJaКТн & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo OTкЪНFPВRLПЧОс
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1636

C:\ProgramData\Dllhost\dllhost.exe
C:\ProgramData\Dllhost\dllhost.exe
1⤵
PID:3900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
343B

MD5
5a2812b775b17bc721ec808fe46cccdc

SHA1
b186895e093bffa131a3a7f936d75c8314f7ae2f

SHA256
72e122375917d4465af3bcd15d2dc5e0f6cb96a3a2f1fa5681d4fd512de79bba

SHA512
8693113b17a106f73cc3563dc8894d65a6a215d5de72547bf64791b04f734749c34b242a0c87651d1374eb30938ec134ce120fe4fb15292dffa44b294c9afce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a9d80ad2399cc849da76dc919db73b72

SHA1
aacab141c8f32adc13c51e569e285adf1dfae08f

SHA256
d0d6bbfa893feb94e7557a34acb297b9d0df3432c739a60c0fa7b72242892f11

SHA512
b340adc8fdb418fe6b96f6b49206f57649ccf0f24e90742078a8ef3b7b6c80098a0e11f615688ac022c8697f2d28adc178c4f3f903822a2e55cc9e177e957da5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e0052a302ee6314ed49983f2cfba2ecc

SHA1
8d32e874ffd433f85a5ef9371db95d1042372728

SHA256
4cc7c433fe9d38aa78967286739ef7161b82f1d5aaf80f2bc1797ab6489554d9

SHA512
a61aedd58316efc64c10708fdf094ce631d74fb7df8a2161cdefdd0703af39ca1a1cdbe75b1c7c18b4ddad095c1e4e73aa64e0956a53fd30e043ab98638ac175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
25e1b59f2c921cc06ba2f1e1872a2be4

SHA1
ce3170bbe039a097ec1efa3e03598a328f07a3b9

SHA256
6869e9ff71d43f8b51c57a86d6f3658be22ab81ee2c9f14102a7ab9ec502b0c5

SHA512
409ac1c3c0b40ebc4f8b29d10fab29430e276a1a05ba90ea2744c28f5b8062dd1b8a915ede00406d38b8ba9036057730a4ba1ed13469afb1e90fa03a49f599e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a6fc3c5294d94bf071674b1be973d4fc

SHA1
6e1b96c9bdb831ebeb569a7b8051be5062272c06

SHA256
60dd78a7751d7efe201041dbe5d2de77dc28a7a6e5270b64d6414a3ba7d57e05

SHA512
00a534de055d47da8520ebbee746280f272c06377d66f97fa3eb864e630ac226ca5ec1b01766a5aa1672a929f38442cbb4a6223591a268873a42d72636a070c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d4189e64d6a74063ee6452ef044e2ee3

SHA1
3d641812aee82807d5f2f8400dafb5ed36e2f8d6

SHA256
2e7b98533956f56fcd981361e89d5b82f41640aff60ebdb66b68d2c24e3dbd96

SHA512
0190ebed1b12315b7afe7a9a3585a0b86ed315d238f0a72827a4cdc181405fbf9992b8dee661002e5a35cbd64ee81ed7a7918dcdaa75a3c9277522f852984894

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y1qeeqg4.nyo.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/532-406-0x0000000006F80000-0x0000000006F90000-memory.dmp

Filesize
64KB

Download
memory/532-709-0x0000000006F80000-0x0000000006F90000-memory.dmp

Filesize
64KB

Download
memory/532-393-0x00000000000B0000-0x00000000000C6000-memory.dmp

Filesize
88KB

Download
memory/1248-1683-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/2304-387-0x0000000007EE0000-0x0000000007EF0000-memory.dmp

Filesize
64KB

Download
memory/2304-131-0x0000000007EE0000-0x0000000007EF0000-memory.dmp

Filesize
64KB

Download
memory/2304-130-0x0000000007D00000-0x0000000007D66000-memory.dmp

Filesize
408KB

Download
memory/2304-129-0x0000000007A80000-0x0000000007A8A000-memory.dmp

Filesize
40KB

Download
memory/2304-122-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2304-128-0x0000000007B90000-0x0000000007C22000-memory.dmp

Filesize
584KB

Download
memory/2304-127-0x0000000007F90000-0x000000000848E000-memory.dmp

Filesize
5.0MB

Download
memory/2312-504-0x0000000009610000-0x00000000096B5000-memory.dmp

Filesize
660KB

Download
memory/2312-958-0x000000007F0E0000-0x000000007F0F0000-memory.dmp

Filesize
64KB

Download
memory/2312-408-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/2312-409-0x0000000007F60000-0x00000000082B0000-memory.dmp

Filesize
3.3MB

Download
memory/2312-721-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/2312-715-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/2312-407-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/2312-419-0x0000000008790000-0x00000000087DB000-memory.dmp

Filesize
300KB

Download
memory/2312-548-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/2312-510-0x000000007F0E0000-0x000000007F0F0000-memory.dmp

Filesize
64KB

Download
memory/2544-1672-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/2868-1667-0x00000000001A0000-0x00000000001C0000-memory.dmp

Filesize
128KB

Download
memory/2868-1668-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/2880-763-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2880-545-0x000000007EB70000-0x000000007EB80000-memory.dmp

Filesize
64KB

Download
memory/2880-768-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2880-416-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2880-565-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2880-417-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2884-964-0x000000007F470000-0x000000007F480000-memory.dmp

Filesize
64KB

Download
memory/2884-516-0x000000007F470000-0x000000007F480000-memory.dmp

Filesize
64KB

Download
memory/2884-739-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/2884-569-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/2884-413-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/2884-745-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/2884-412-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/3008-1021-0x000000007EE80000-0x000000007EE90000-memory.dmp

Filesize
64KB

Download
memory/3008-415-0x0000000006CD0000-0x0000000006CE0000-memory.dmp

Filesize
64KB

Download
memory/3008-414-0x0000000006CD0000-0x0000000006CE0000-memory.dmp

Filesize
64KB

Download
memory/3008-750-0x0000000006CD0000-0x0000000006CE0000-memory.dmp

Filesize
64KB

Download
memory/3008-756-0x0000000006CD0000-0x0000000006CE0000-memory.dmp

Filesize
64KB

Download
memory/3008-515-0x000000007EE80000-0x000000007EE90000-memory.dmp

Filesize
64KB

Download
memory/3008-559-0x0000000006CD0000-0x0000000006CE0000-memory.dmp

Filesize
64KB

Download
memory/3424-1676-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3880-513-0x000000007EFC0000-0x000000007EFD0000-memory.dmp

Filesize
64KB

Download
memory/3880-553-0x0000000004870000-0x0000000004880000-memory.dmp

Filesize
64KB

Download
memory/3880-1016-0x000000007EFC0000-0x000000007EFD0000-memory.dmp

Filesize
64KB

Download
memory/3880-733-0x0000000004870000-0x0000000004880000-memory.dmp

Filesize
64KB

Download
memory/3880-727-0x0000000004870000-0x0000000004880000-memory.dmp

Filesize
64KB

Download
memory/3880-411-0x0000000004870000-0x0000000004880000-memory.dmp

Filesize
64KB

Download
memory/3880-410-0x0000000004870000-0x0000000004880000-memory.dmp

Filesize
64KB

Download
memory/4340-1680-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/4616-237-0x0000000006B50000-0x0000000006B60000-memory.dmp

Filesize
64KB

Download
memory/4616-140-0x0000000007AF0000-0x0000000007E40000-memory.dmp

Filesize
3.3MB

Download
memory/4616-167-0x0000000009580000-0x0000000009614000-memory.dmp

Filesize
592KB

Download
memory/4616-166-0x00000000093D0000-0x0000000009475000-memory.dmp

Filesize
660KB

Download
memory/4616-161-0x0000000009030000-0x000000000904E000-memory.dmp

Filesize
120KB

Download
memory/4616-160-0x0000000009050000-0x0000000009083000-memory.dmp

Filesize
204KB

Download
memory/4616-143-0x00000000081E0000-0x0000000008256000-memory.dmp

Filesize
472KB

Download
memory/4616-142-0x0000000007FA0000-0x0000000007FEB000-memory.dmp

Filesize
300KB

Download
memory/4616-141-0x0000000007960000-0x000000000797C000-memory.dmp

Filesize
112KB

Download
memory/4616-236-0x000000007F010000-0x000000007F020000-memory.dmp

Filesize
64KB

Download
memory/4616-139-0x0000000007830000-0x0000000007896000-memory.dmp

Filesize
408KB

Download
memory/4616-138-0x0000000007100000-0x0000000007122000-memory.dmp

Filesize
136KB

Download
memory/4616-365-0x0000000009520000-0x000000000953A000-memory.dmp

Filesize
104KB

Download
memory/4616-137-0x0000000006B50000-0x0000000006B60000-memory.dmp

Filesize
64KB

Download
memory/4616-370-0x0000000009510000-0x0000000009518000-memory.dmp

Filesize
32KB

Download
memory/4616-136-0x0000000007190000-0x00000000077B8000-memory.dmp

Filesize
6.2MB

Download
memory/4616-135-0x0000000006B50000-0x0000000006B60000-memory.dmp

Filesize
64KB

Download
memory/4616-134-0x00000000049E0000-0x0000000004A16000-memory.dmp

Filesize
216KB

Download