xmrig | 75359481a80ae7253f5a8859cc9d899020a24af197b95f8ef2716a9f011dc3b1

Analysis

max time kernel
147s
max time network
103s
platform
windows10_x64
resource
win10v20210408
submitted
26-09-2021 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86a06db94a3a3536566f8214033e5abd.exe
Size

112KB
MD5

86a06db94a3a3536566f8214033e5abd
SHA1

505c3d741abf69813b4ceb825b628fc8e416ae10
SHA256

75359481a80ae7253f5a8859cc9d899020a24af197b95f8ef2716a9f011dc3b1
SHA512

4e661a0f42fefeac1f42428172ea834739cf023ab24045c7d84ded85c5de4d8a8a66d745f02c35553fded7a540d259824bd120339ce1c727448173d879a56fcb

Score

10^/10

xmrig discovery miner spyware stealer

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

fl.exesvchost32.exebsdedit.exesvchost32.exesihost32.exe

pid process

1980 fl.exe
4076 svchost32.exe
2344 bsdedit.exe
1336 svchost32.exe
2792 sihost32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1980	fl.exe
4076	svchost32.exe
2344	bsdedit.exe
1336	svchost32.exe
2792	sihost32.exe

Drops file in System32 directory 3 IoCs

Processes:

svchost32.exesvchost32.exe

description	ioc	process
File created	C:\Windows\system32\bsdedit.exe	svchost32.exe
File opened for modification	C:\Windows\system32\bsdedit.exe	svchost32.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

504 schtasks.exe
1092 schtasks.exe

pid	process
504	schtasks.exe
1092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

86a06db94a3a3536566f8214033e5abd.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost32.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost32.exe

pid	process
740	86a06db94a3a3536566f8214033e5abd.exe
740	86a06db94a3a3536566f8214033e5abd.exe
2592	powershell.exe
2592	powershell.exe
2592	powershell.exe
3932	powershell.exe
3932	powershell.exe
3932	powershell.exe
2688	powershell.exe
2688	powershell.exe
2688	powershell.exe
904	powershell.exe
904	powershell.exe
904	powershell.exe
4076	svchost32.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
3976	powershell.exe
3976	powershell.exe
3976	powershell.exe
2952	powershell.exe
2952	powershell.exe
2952	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
1336	svchost32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

86a06db94a3a3536566f8214033e5abd.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	740	86a06db94a3a3536566f8214033e5abd.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeIncreaseQuotaPrivilege	2592	powershell.exe
Token: SeSecurityPrivilege	2592	powershell.exe
Token: SeTakeOwnershipPrivilege	2592	powershell.exe
Token: SeLoadDriverPrivilege	2592	powershell.exe
Token: SeSystemProfilePrivilege	2592	powershell.exe
Token: SeSystemtimePrivilege	2592	powershell.exe
Token: SeProfSingleProcessPrivilege	2592	powershell.exe
Token: SeIncBasePriorityPrivilege	2592	powershell.exe
Token: SeCreatePagefilePrivilege	2592	powershell.exe
Token: SeBackupPrivilege	2592	powershell.exe
Token: SeRestorePrivilege	2592	powershell.exe
Token: SeShutdownPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeSystemEnvironmentPrivilege	2592	powershell.exe
Token: SeRemoteShutdownPrivilege	2592	powershell.exe
Token: SeUndockPrivilege	2592	powershell.exe
Token: SeManageVolumePrivilege	2592	powershell.exe
Token: 33	2592	powershell.exe
Token: 34	2592	powershell.exe
Token: 35	2592	powershell.exe
Token: 36	2592	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeIncreaseQuotaPrivilege	3932	powershell.exe
Token: SeSecurityPrivilege	3932	powershell.exe
Token: SeTakeOwnershipPrivilege	3932	powershell.exe
Token: SeLoadDriverPrivilege	3932	powershell.exe
Token: SeSystemProfilePrivilege	3932	powershell.exe
Token: SeSystemtimePrivilege	3932	powershell.exe
Token: SeProfSingleProcessPrivilege	3932	powershell.exe
Token: SeIncBasePriorityPrivilege	3932	powershell.exe
Token: SeCreatePagefilePrivilege	3932	powershell.exe
Token: SeBackupPrivilege	3932	powershell.exe
Token: SeRestorePrivilege	3932	powershell.exe
Token: SeShutdownPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeSystemEnvironmentPrivilege	3932	powershell.exe
Token: SeRemoteShutdownPrivilege	3932	powershell.exe
Token: SeUndockPrivilege	3932	powershell.exe
Token: SeManageVolumePrivilege	3932	powershell.exe
Token: 33	3932	powershell.exe
Token: 34	3932	powershell.exe
Token: 35	3932	powershell.exe
Token: 36	3932	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeIncreaseQuotaPrivilege	2688	powershell.exe
Token: SeSecurityPrivilege	2688	powershell.exe
Token: SeTakeOwnershipPrivilege	2688	powershell.exe
Token: SeLoadDriverPrivilege	2688	powershell.exe
Token: SeSystemProfilePrivilege	2688	powershell.exe
Token: SeSystemtimePrivilege	2688	powershell.exe
Token: SeProfSingleProcessPrivilege	2688	powershell.exe
Token: SeIncBasePriorityPrivilege	2688	powershell.exe
Token: SeCreatePagefilePrivilege	2688	powershell.exe
Token: SeBackupPrivilege	2688	powershell.exe
Token: SeRestorePrivilege	2688	powershell.exe
Token: SeShutdownPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeSystemEnvironmentPrivilege	2688	powershell.exe
Token: SeRemoteShutdownPrivilege	2688	powershell.exe
Token: SeUndockPrivilege	2688	powershell.exe
Token: SeManageVolumePrivilege	2688	powershell.exe
Token: 33	2688	powershell.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

86a06db94a3a3536566f8214033e5abd.exefl.execmd.execmd.exesvchost32.execmd.exebsdedit.execmd.execmd.execmd.exesvchost32.execmd.execmd.exe

description	pid	process	target process
PID 740 wrote to memory of 1980	740	86a06db94a3a3536566f8214033e5abd.exe	fl.exe
PID 740 wrote to memory of 1980	740	86a06db94a3a3536566f8214033e5abd.exe	fl.exe
PID 1980 wrote to memory of 2144	1980	fl.exe	cmd.exe
PID 1980 wrote to memory of 2144	1980	fl.exe	cmd.exe
PID 2144 wrote to memory of 2592	2144	cmd.exe	powershell.exe
PID 2144 wrote to memory of 2592	2144	cmd.exe	powershell.exe
PID 2144 wrote to memory of 3932	2144	cmd.exe	powershell.exe
PID 2144 wrote to memory of 3932	2144	cmd.exe	powershell.exe
PID 2144 wrote to memory of 2688	2144	cmd.exe	powershell.exe
PID 2144 wrote to memory of 2688	2144	cmd.exe	powershell.exe
PID 2144 wrote to memory of 904	2144	cmd.exe	powershell.exe
PID 2144 wrote to memory of 904	2144	cmd.exe	powershell.exe
PID 1980 wrote to memory of 3812	1980	fl.exe	cmd.exe
PID 1980 wrote to memory of 3812	1980	fl.exe	cmd.exe
PID 3812 wrote to memory of 4076	3812	cmd.exe	svchost32.exe
PID 3812 wrote to memory of 4076	3812	cmd.exe	svchost32.exe
PID 4076 wrote to memory of 3160	4076	svchost32.exe	cmd.exe
PID 4076 wrote to memory of 3160	4076	svchost32.exe	cmd.exe
PID 3160 wrote to memory of 504	3160	cmd.exe	schtasks.exe
PID 3160 wrote to memory of 504	3160	cmd.exe	schtasks.exe
PID 4076 wrote to memory of 2344	4076	svchost32.exe	bsdedit.exe
PID 4076 wrote to memory of 2344	4076	svchost32.exe	bsdedit.exe
PID 4076 wrote to memory of 764	4076	svchost32.exe	cmd.exe
PID 4076 wrote to memory of 764	4076	svchost32.exe	cmd.exe
PID 2344 wrote to memory of 2148	2344	bsdedit.exe	cmd.exe
PID 2344 wrote to memory of 2148	2344	bsdedit.exe	cmd.exe
PID 764 wrote to memory of 3020	764	cmd.exe	choice.exe
PID 764 wrote to memory of 3020	764	cmd.exe	choice.exe
PID 2148 wrote to memory of 3700	2148	cmd.exe	powershell.exe
PID 2148 wrote to memory of 3700	2148	cmd.exe	powershell.exe
PID 2148 wrote to memory of 3976	2148	cmd.exe	powershell.exe
PID 2148 wrote to memory of 3976	2148	cmd.exe	powershell.exe
PID 2148 wrote to memory of 2952	2148	cmd.exe	powershell.exe
PID 2148 wrote to memory of 2952	2148	cmd.exe	powershell.exe
PID 2148 wrote to memory of 3836	2148	cmd.exe	powershell.exe
PID 2148 wrote to memory of 3836	2148	cmd.exe	powershell.exe
PID 2344 wrote to memory of 2604	2344	bsdedit.exe	cmd.exe
PID 2344 wrote to memory of 2604	2344	bsdedit.exe	cmd.exe
PID 2604 wrote to memory of 1336	2604	cmd.exe	svchost32.exe
PID 2604 wrote to memory of 1336	2604	cmd.exe	svchost32.exe
PID 1336 wrote to memory of 3816	1336	svchost32.exe	cmd.exe
PID 1336 wrote to memory of 3816	1336	svchost32.exe	cmd.exe
PID 3816 wrote to memory of 1092	3816	cmd.exe	schtasks.exe
PID 3816 wrote to memory of 1092	3816	cmd.exe	schtasks.exe
PID 1336 wrote to memory of 2792	1336	svchost32.exe	sihost32.exe
PID 1336 wrote to memory of 2792	1336	svchost32.exe	sihost32.exe
PID 1336 wrote to memory of 1388	1336	svchost32.exe	cmd.exe
PID 1336 wrote to memory of 1388	1336	svchost32.exe	cmd.exe
PID 1388 wrote to memory of 1168	1388	cmd.exe	choice.exe
PID 1388 wrote to memory of 1168	1388	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\86a06db94a3a3536566f8214033e5abd.exe
"C:\Users\Admin\AppData\Local\Temp\86a06db94a3a3536566f8214033e5abd.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\fl.exe
"C:\Users\Admin\AppData\Local\Temp\fl.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\fl.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3812

C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\fl.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "bsdedit" /tr '"C:\Windows\system32\bsdedit.exe"' & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "bsdedit" /tr '"C:\Windows\system32\bsdedit.exe"'
6⤵
- Creates scheduled task(s)
PID:504

C:\Windows\system32\bsdedit.exe
"C:\Windows\system32\bsdedit.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
6⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\bsdedit.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\bsdedit.exe"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "bsdedit" /tr '"C:\Windows\system32\bsdedit.exe"' & exit
8⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "bsdedit" /tr '"C:\Windows\system32\bsdedit.exe"'
9⤵
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
8⤵
- Executes dropped EXE
PID:2792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
8⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:1168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:3020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost32.exe.log
MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d1d6e1effcf13ee2a0c791bb72e42377

SHA1
d94cfc99c6b88fa27660cb5ed63c110d9777eb35

SHA256
1e73a48ea5440f3a6169ad7a904bbdd94bdde857b6415dede3a6aacf7119ac68

SHA512
119e225a3a614078219f415e233ae2e4736ebd14a02489ce7b6876e2d7851312b35109f0506826fa71eeaaa12f298abefca35cfbaf858e2015c753285dc08723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c20402c2c8fe76a9ba90b46e7bc65753

SHA1
da588822b8eb95d6ab4130415c3c2e4536ab8e83

SHA256
a6066d55c823250b1d30c3c187a8c65714f5db6e6dcde32db4eb80c075ef421a

SHA512
8e845e81c1cc563a22ea1af32ff5421bb3ea83d9c396f1c13f2426ba6c7f933b4f70a89bb90e78550b02c81f1a010819589a3e50c2043e73cb915be4584e47c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
13e633e64dcad4a58d8342eb454a47ac

SHA1
b1ab8b2d831442d15551939b5105bd87a9da382e

SHA256
01a7633560933408ddaa59d708bfe7eff3431db7f0faaf345315536e1a7929f7

SHA512
027aeabdad215855a2dcb6d9dcc1bef3e318da694f349a1e6e89f433cd580e4b0f13a63659fcfacaf717b878a9cd59e44c415346321551e4f86d8a6299079860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cf1586f3d792aec09a7adf136b502696

SHA1
e64f30744c961a6f29398eb3e8fa9eda75d8f306

SHA256
bffef2a706688b2314a44dddd825415f1a2b7eb3f3ec706deb6ecd40e6b832e1

SHA512
e139085f367d0428e36420436fdf7dbaff0aef520e1a08226f042b44a7d8a371335464f2ec6db3e9c6632c04c0e81c2c902ade1d8e4f8c7817366bed88a4fbbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2f81741c1f33098eb4930957956cdd85

SHA1
0daddefee36a3d97fc46e7e9eba0e1cf9445b16b

SHA256
dc349bffb4988f0111ef77628d9c6b739c6d4000f71538800ca1cfdf4d0f5923

SHA512
81ce4475ffad42e8c2ee536727885778e27c9ade3aa4ffb5d114a8b9d0e3c415cc2ffea850247f1fddb0e0a00d13659687c328eed324505176fe6af939292251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9e250437068d25bea8c843feb5f3db8f

SHA1
d831e830dbffcd2e3f641c7b697eb1d19dff953c

SHA256
6d892ff883ae4e1d757628ee5efdc443ccbbccc874960200fdc2c7f6e0521661

SHA512
90f6b3b1951788b6bf7510d24af45f5d5159f1f536d134fbbcbd4beebed34c3c06975cebae4397f154c9acaac5b8755977408bdb8b3a7f18dead790a672aa25a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
574eb0c845d2e77c334b9facd4b275b8

SHA1
3a7c18e55db1dbef960a61579af40049ebeaafb8

SHA256
3dabab4994775746cfa507a53f5f0e9396b7eafb8bcac8e863ac0ade8edc20ee

SHA512
2d23143802baeb1e48a852a01059e42dc71c1030d3923ad444411bde64dece733cb092187a8cc51d3f3fa9b5316ab1e41b8d27d1aa6a539394791e5df8b375df

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
MD5
605299ab524fe98acbe5628e341482e3

SHA1
92ee737f936b3b8d811c8169839415cb6f97142b

SHA256
3a4b5c0c302fdd8b9980e6d497ea2477ecc10357dcc73108d62f3a0f97fd356b

SHA512
eaa7282a628c9d4a3365c777354d7174dd5cbaca61f9a2e2428ec5264d33c40fbe8e5eec5b07f5422196925aa198739d6b7f7d04c669f6ea69a4d90073192140

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
MD5
605299ab524fe98acbe5628e341482e3

SHA1
92ee737f936b3b8d811c8169839415cb6f97142b

SHA256
3a4b5c0c302fdd8b9980e6d497ea2477ecc10357dcc73108d62f3a0f97fd356b

SHA512
eaa7282a628c9d4a3365c777354d7174dd5cbaca61f9a2e2428ec5264d33c40fbe8e5eec5b07f5422196925aa198739d6b7f7d04c669f6ea69a4d90073192140

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
MD5
3d97c858e1f5fae2e00520c40fc1ce4c

SHA1
2e8605f20278d4e32244dfe2b98422df24fa798e

SHA256
741782ef9c8f092ad20c2f80695a7788126953d37adbeb59e8a232ad41f54586

SHA512
f8f79bb95b42bbbbc98e1008897853ab9d884cfa3ed48e33426dbe41624a32aea8dc96614590dfd121c128cb3500c56c9455407ba456712750efdb0d241f5b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
MD5
3d97c858e1f5fae2e00520c40fc1ce4c

SHA1
2e8605f20278d4e32244dfe2b98422df24fa798e

SHA256
741782ef9c8f092ad20c2f80695a7788126953d37adbeb59e8a232ad41f54586

SHA512
f8f79bb95b42bbbbc98e1008897853ab9d884cfa3ed48e33426dbe41624a32aea8dc96614590dfd121c128cb3500c56c9455407ba456712750efdb0d241f5b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
MD5
3d97c858e1f5fae2e00520c40fc1ce4c

SHA1
2e8605f20278d4e32244dfe2b98422df24fa798e

SHA256
741782ef9c8f092ad20c2f80695a7788126953d37adbeb59e8a232ad41f54586

SHA512
f8f79bb95b42bbbbc98e1008897853ab9d884cfa3ed48e33426dbe41624a32aea8dc96614590dfd121c128cb3500c56c9455407ba456712750efdb0d241f5b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
MD5
3d97c858e1f5fae2e00520c40fc1ce4c

SHA1
2e8605f20278d4e32244dfe2b98422df24fa798e

SHA256
741782ef9c8f092ad20c2f80695a7788126953d37adbeb59e8a232ad41f54586

SHA512
f8f79bb95b42bbbbc98e1008897853ab9d884cfa3ed48e33426dbe41624a32aea8dc96614590dfd121c128cb3500c56c9455407ba456712750efdb0d241f5b0e

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
MD5
683cd4c3d0949d6095b54a19ef081314

SHA1
0bcaec9aa2617c8f81efe755c3bb808e8d3c941a

SHA256
3f6dca67fca9ea9ac8327191c3b3c89b0121d8c8f2d2b335ff15c309448133e2

SHA512
d0affd177417bfd0dadc5d998cb4d8cdae018b3b7f13fcf63ce5b3fba734b7b65612d20072e76ac11f49367fa02fa4bcce468f1fe8629c8b2444f8aadc75a90b

Download Submit
C:\Windows\System32\bsdedit.exe
MD5
605299ab524fe98acbe5628e341482e3

SHA1
92ee737f936b3b8d811c8169839415cb6f97142b

SHA256
3a4b5c0c302fdd8b9980e6d497ea2477ecc10357dcc73108d62f3a0f97fd356b

SHA512
eaa7282a628c9d4a3365c777354d7174dd5cbaca61f9a2e2428ec5264d33c40fbe8e5eec5b07f5422196925aa198739d6b7f7d04c669f6ea69a4d90073192140

Download Submit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
MD5
683cd4c3d0949d6095b54a19ef081314

SHA1
0bcaec9aa2617c8f81efe755c3bb808e8d3c941a

SHA256
3f6dca67fca9ea9ac8327191c3b3c89b0121d8c8f2d2b335ff15c309448133e2

SHA512
d0affd177417bfd0dadc5d998cb4d8cdae018b3b7f13fcf63ce5b3fba734b7b65612d20072e76ac11f49367fa02fa4bcce468f1fe8629c8b2444f8aadc75a90b

Download Submit
C:\Windows\system32\bsdedit.exe
MD5
605299ab524fe98acbe5628e341482e3

SHA1
92ee737f936b3b8d811c8169839415cb6f97142b

SHA256
3a4b5c0c302fdd8b9980e6d497ea2477ecc10357dcc73108d62f3a0f97fd356b

SHA512
eaa7282a628c9d4a3365c777354d7174dd5cbaca61f9a2e2428ec5264d33c40fbe8e5eec5b07f5422196925aa198739d6b7f7d04c669f6ea69a4d90073192140

Download Submit
memory/504-301-0x0000000000000000-mapping.dmp

Download
memory/740-114-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/740-122-0x0000000006B60000-0x0000000006B61000-memory.dmp

Filesize
4KB

Download
memory/740-116-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/740-117-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/740-118-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/740-119-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/740-120-0x0000000005040000-0x0000000005646000-memory.dmp

Filesize
6.0MB

Download
memory/740-121-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/740-123-0x0000000007260000-0x0000000007261000-memory.dmp

Filesize
4KB

Download
memory/740-129-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/740-128-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

Filesize
4KB

Download
memory/740-127-0x0000000007010000-0x0000000007011000-memory.dmp

Filesize
4KB

Download
memory/740-126-0x0000000006EF0000-0x0000000006EF1000-memory.dmp

Filesize
4KB

Download
memory/740-124-0x0000000006AA0000-0x0000000006AA1000-memory.dmp

Filesize
4KB

Download
memory/740-125-0x0000000007C90000-0x0000000007C91000-memory.dmp

Filesize
4KB

Download
memory/764-307-0x0000000000000000-mapping.dmp

Download
memory/904-286-0x000001AC4D2E0000-0x000001AC4D2E2000-memory.dmp

Filesize
8KB

Download
memory/904-292-0x000001AC4D2E8000-0x000001AC4D2E9000-memory.dmp

Filesize
4KB

Download
memory/904-287-0x000001AC4D2E3000-0x000001AC4D2E5000-memory.dmp

Filesize
8KB

Download
memory/904-288-0x000001AC4D2E6000-0x000001AC4D2E8000-memory.dmp

Filesize
8KB

Download
memory/904-254-0x0000000000000000-mapping.dmp

Download
memory/1092-477-0x0000000000000000-mapping.dmp

Download
memory/1168-486-0x0000000000000000-mapping.dmp

Download
memory/1336-469-0x0000000000000000-mapping.dmp

Download
memory/1336-483-0x000000001C430000-0x000000001C432000-memory.dmp

Filesize
8KB

Download
memory/1388-485-0x0000000000000000-mapping.dmp

Download
memory/1980-133-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1980-130-0x0000000000000000-mapping.dmp

Download
memory/1980-147-0x00000000039F0000-0x00000000039F2000-memory.dmp

Filesize
8KB

Download
memory/2144-135-0x0000000000000000-mapping.dmp

Download
memory/2148-309-0x0000000000000000-mapping.dmp

Download
memory/2344-319-0x000000001CCC0000-0x000000001CCC2000-memory.dmp

Filesize
8KB

Download
memory/2344-303-0x0000000000000000-mapping.dmp

Download
memory/2592-149-0x000001B20E7D3000-0x000001B20E7D5000-memory.dmp

Filesize
8KB

Download
memory/2592-148-0x000001B20E7D0000-0x000001B20E7D2000-memory.dmp

Filesize
8KB

Download
memory/2592-136-0x0000000000000000-mapping.dmp

Download
memory/2592-141-0x000001B226DC0000-0x000001B226DC1000-memory.dmp

Filesize
4KB

Download
memory/2592-144-0x000001B226F70000-0x000001B226F71000-memory.dmp

Filesize
4KB

Download
memory/2592-201-0x000001B20E7D8000-0x000001B20E7D9000-memory.dmp

Filesize
4KB

Download
memory/2592-170-0x000001B20E7D6000-0x000001B20E7D8000-memory.dmp

Filesize
8KB

Download
memory/2604-468-0x0000000000000000-mapping.dmp

Download
memory/2688-252-0x00000270F9E16000-0x00000270F9E18000-memory.dmp

Filesize
8KB

Download
memory/2688-253-0x00000270F9E18000-0x00000270F9E19000-memory.dmp

Filesize
4KB

Download
memory/2688-225-0x00000270F9E10000-0x00000270F9E12000-memory.dmp

Filesize
8KB

Download
memory/2688-226-0x00000270F9E13000-0x00000270F9E15000-memory.dmp

Filesize
8KB

Download
memory/2688-214-0x0000000000000000-mapping.dmp

Download
memory/2792-478-0x0000000000000000-mapping.dmp

Download
memory/2792-481-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2792-484-0x000000001BE80000-0x000000001BE82000-memory.dmp

Filesize
8KB

Download
memory/2952-401-0x000001AAAC003000-0x000001AAAC005000-memory.dmp

Filesize
8KB

Download
memory/2952-400-0x000001AAAC000000-0x000001AAAC002000-memory.dmp

Filesize
8KB

Download
memory/2952-436-0x000001AAAC006000-0x000001AAAC008000-memory.dmp

Filesize
8KB

Download
memory/2952-438-0x000001AAAC008000-0x000001AAAC009000-memory.dmp

Filesize
4KB

Download
memory/2952-389-0x0000000000000000-mapping.dmp

Download
memory/3020-310-0x0000000000000000-mapping.dmp

Download
memory/3160-300-0x0000000000000000-mapping.dmp

Download
memory/3700-321-0x000001D11C850000-0x000001D11C852000-memory.dmp

Filesize
8KB

Download
memory/3700-349-0x000001D11C858000-0x000001D11C859000-memory.dmp

Filesize
4KB

Download
memory/3700-311-0x0000000000000000-mapping.dmp

Download
memory/3700-348-0x000001D11C856000-0x000001D11C858000-memory.dmp

Filesize
8KB

Download
memory/3700-322-0x000001D11C853000-0x000001D11C855000-memory.dmp

Filesize
8KB

Download
memory/3812-293-0x0000000000000000-mapping.dmp

Download
memory/3816-476-0x0000000000000000-mapping.dmp

Download
memory/3836-439-0x0000022FE6120000-0x0000022FE6122000-memory.dmp

Filesize
8KB

Download
memory/3836-466-0x0000022FE6126000-0x0000022FE6128000-memory.dmp

Filesize
8KB

Download
memory/3836-467-0x0000022FE6128000-0x0000022FE6129000-memory.dmp

Filesize
4KB

Download
memory/3836-427-0x0000000000000000-mapping.dmp

Download
memory/3836-440-0x0000022FE6123000-0x0000022FE6125000-memory.dmp

Filesize
8KB

Download
memory/3932-174-0x0000000000000000-mapping.dmp

Download
memory/3932-224-0x00000127F48C8000-0x00000127F48C9000-memory.dmp

Filesize
4KB

Download
memory/3932-205-0x00000127F48C3000-0x00000127F48C5000-memory.dmp

Filesize
8KB

Download
memory/3932-206-0x00000127F48C6000-0x00000127F48C8000-memory.dmp

Filesize
8KB

Download
memory/3932-202-0x00000127F48C0000-0x00000127F48C2000-memory.dmp

Filesize
8KB

Download
memory/3976-364-0x00000272B0083000-0x00000272B0085000-memory.dmp

Filesize
8KB

Download
memory/3976-351-0x0000000000000000-mapping.dmp

Download
memory/3976-365-0x00000272B0086000-0x00000272B0088000-memory.dmp

Filesize
8KB

Download
memory/3976-363-0x00000272B0080000-0x00000272B0082000-memory.dmp

Filesize
8KB

Download
memory/3976-399-0x00000272B0088000-0x00000272B0089000-memory.dmp

Filesize
4KB

Download
memory/4076-294-0x0000000000000000-mapping.dmp

Download
memory/4076-297-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/4076-299-0x0000000001630000-0x0000000001631000-memory.dmp

Filesize
4KB

Download
memory/4076-302-0x00000000039F0000-0x00000000039F2000-memory.dmp

Filesize
8KB

Download