xmrig | 31ef0139218354a140f9feba6fc3ef036ce910a84babf8f27cccfa944dee1ccb

Analysis

max time kernel
142s
max time network
52s
platform
windows7_x64
resource
win7v20210408
submitted
26-09-2021 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe
Size

2.4MB
MD5

5dc19fa9db54a8b2fbac18a1412165eb
SHA1

d2300eacdcc517cfa065238d13355011cbf3b382
SHA256

31ef0139218354a140f9feba6fc3ef036ce910a84babf8f27cccfa944dee1ccb
SHA512

c71948e4e69a31ad324d0817305b8926e9f1d7d0610dae56f4894a5ac0a7307278e9ef749380793411d802174424ccb731044d6e64bc4fc9f05f5adc100b5f92

Score

10^/10

xmrig discovery evasion miner spyware stealer themida trojan

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

fl.exesvchost32.exedascHost.exesvchost32.exesihost32.exe

pid process

1780 fl.exe
1956 svchost32.exe
1768 dascHost.exe
280 svchost32.exe
1288 sihost32.exe

pid	process
1780	fl.exe
1956	svchost32.exe
1768	dascHost.exe
280	svchost32.exe
1288	sihost32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe

Loads dropped DLL 5 IoCs

Processes:

SecuriteInfo.com.Variant.Razy.934040.7155.9937.execmd.exesvchost32.execmd.exesvchost32.exe

pid process

1240 SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe
1656 cmd.exe
1956 svchost32.exe
1816 cmd.exe
280 svchost32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1240-62-0x0000000000D80000-0x0000000000D81000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe

Drops file in System32 directory 7 IoCs

Processes:

svchost32.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost32.exe

description	ioc	process
File created	C:\Windows\system32\dascHost.exe	svchost32.exe
File opened for modification	C:\Windows\system32\dascHost.exe	svchost32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe

pid process

1240 SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1860 schtasks.exe
1296 schtasks.exe

pid	process
1860	schtasks.exe
1296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

SecuriteInfo.com.Variant.Razy.934040.7155.9937.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost32.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost32.exe

pid	process
1240	SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe
1240	SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe
1240	SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe
788	powershell.exe
788	powershell.exe
1292	powershell.exe
1292	powershell.exe
928	powershell.exe
928	powershell.exe
1152	powershell.exe
1152	powershell.exe
1956	svchost32.exe
1724	powershell.exe
1724	powershell.exe
1376	powershell.exe
1376	powershell.exe
1532	powershell.exe
1532	powershell.exe
1640	powershell.exe
1640	powershell.exe
280	svchost32.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

SecuriteInfo.com.Variant.Razy.934040.7155.9937.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost32.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost32.exe

description	pid	process
Token: SeDebugPrivilege	1240	SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	1956	svchost32.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	280	svchost32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Variant.Razy.934040.7155.9937.exefl.execmd.execmd.exesvchost32.execmd.exedascHost.execmd.execmd.execmd.exesvchost32.exe

description	pid	process	target process
PID 1240 wrote to memory of 1780	1240	SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe	fl.exe
PID 1240 wrote to memory of 1780	1240	SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe	fl.exe
PID 1240 wrote to memory of 1780	1240	SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe	fl.exe
PID 1240 wrote to memory of 1780	1240	SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe	fl.exe
PID 1780 wrote to memory of 748	1780	fl.exe	cmd.exe
PID 1780 wrote to memory of 748	1780	fl.exe	cmd.exe
PID 1780 wrote to memory of 748	1780	fl.exe	cmd.exe
PID 748 wrote to memory of 788	748	cmd.exe	powershell.exe
PID 748 wrote to memory of 788	748	cmd.exe	powershell.exe
PID 748 wrote to memory of 788	748	cmd.exe	powershell.exe
PID 748 wrote to memory of 1292	748	cmd.exe	powershell.exe
PID 748 wrote to memory of 1292	748	cmd.exe	powershell.exe
PID 748 wrote to memory of 1292	748	cmd.exe	powershell.exe
PID 748 wrote to memory of 928	748	cmd.exe	powershell.exe
PID 748 wrote to memory of 928	748	cmd.exe	powershell.exe
PID 748 wrote to memory of 928	748	cmd.exe	powershell.exe
PID 748 wrote to memory of 1152	748	cmd.exe	powershell.exe
PID 748 wrote to memory of 1152	748	cmd.exe	powershell.exe
PID 748 wrote to memory of 1152	748	cmd.exe	powershell.exe
PID 1780 wrote to memory of 1656	1780	fl.exe	cmd.exe
PID 1780 wrote to memory of 1656	1780	fl.exe	cmd.exe
PID 1780 wrote to memory of 1656	1780	fl.exe	cmd.exe
PID 1656 wrote to memory of 1956	1656	cmd.exe	svchost32.exe
PID 1656 wrote to memory of 1956	1656	cmd.exe	svchost32.exe
PID 1656 wrote to memory of 1956	1656	cmd.exe	svchost32.exe
PID 1956 wrote to memory of 2044	1956	svchost32.exe	cmd.exe
PID 1956 wrote to memory of 2044	1956	svchost32.exe	cmd.exe
PID 1956 wrote to memory of 2044	1956	svchost32.exe	cmd.exe
PID 2044 wrote to memory of 1860	2044	cmd.exe	schtasks.exe
PID 2044 wrote to memory of 1860	2044	cmd.exe	schtasks.exe
PID 2044 wrote to memory of 1860	2044	cmd.exe	schtasks.exe
PID 1956 wrote to memory of 1768	1956	svchost32.exe	dascHost.exe
PID 1956 wrote to memory of 1768	1956	svchost32.exe	dascHost.exe
PID 1956 wrote to memory of 1768	1956	svchost32.exe	dascHost.exe
PID 1956 wrote to memory of 932	1956	svchost32.exe	cmd.exe
PID 1956 wrote to memory of 932	1956	svchost32.exe	cmd.exe
PID 1956 wrote to memory of 932	1956	svchost32.exe	cmd.exe
PID 1768 wrote to memory of 1692	1768	dascHost.exe	cmd.exe
PID 1768 wrote to memory of 1692	1768	dascHost.exe	cmd.exe
PID 1768 wrote to memory of 1692	1768	dascHost.exe	cmd.exe
PID 932 wrote to memory of 1320	932	cmd.exe	choice.exe
PID 932 wrote to memory of 1320	932	cmd.exe	choice.exe
PID 932 wrote to memory of 1320	932	cmd.exe	choice.exe
PID 1692 wrote to memory of 1724	1692	cmd.exe	powershell.exe
PID 1692 wrote to memory of 1724	1692	cmd.exe	powershell.exe
PID 1692 wrote to memory of 1724	1692	cmd.exe	powershell.exe
PID 1692 wrote to memory of 1376	1692	cmd.exe	powershell.exe
PID 1692 wrote to memory of 1376	1692	cmd.exe	powershell.exe
PID 1692 wrote to memory of 1376	1692	cmd.exe	powershell.exe
PID 1692 wrote to memory of 1532	1692	cmd.exe	powershell.exe
PID 1692 wrote to memory of 1532	1692	cmd.exe	powershell.exe
PID 1692 wrote to memory of 1532	1692	cmd.exe	powershell.exe
PID 1692 wrote to memory of 1640	1692	cmd.exe	powershell.exe
PID 1692 wrote to memory of 1640	1692	cmd.exe	powershell.exe
PID 1692 wrote to memory of 1640	1692	cmd.exe	powershell.exe
PID 1768 wrote to memory of 1816	1768	dascHost.exe	cmd.exe
PID 1768 wrote to memory of 1816	1768	dascHost.exe	cmd.exe
PID 1768 wrote to memory of 1816	1768	dascHost.exe	cmd.exe
PID 1816 wrote to memory of 280	1816	cmd.exe	svchost32.exe
PID 1816 wrote to memory of 280	1816	cmd.exe	svchost32.exe
PID 1816 wrote to memory of 280	1816	cmd.exe	svchost32.exe
PID 280 wrote to memory of 1784	280	svchost32.exe	cmd.exe
PID 280 wrote to memory of 1784	280	svchost32.exe	cmd.exe
PID 280 wrote to memory of 1784	280	svchost32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\fl.exe
  "C:\Users\Admin\AppData\Local\Temp\fl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\system32\cmd.exe
    "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1152
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\fl.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
      C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\fl.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dascHost" /tr '"C:\Windows\system32\dascHost.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2044
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "dascHost" /tr '"C:\Windows\system32\dascHost.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:1860
    - - C:\Windows\system32\dascHost.exe
        
        "C:\Windows\system32\dascHost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        7⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        7⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        7⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        7⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\dascHost.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\dascHost.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dascHost" /tr '"C:\Windows\system32\dascHost.exe"' & exit
        8⤵
        
        PID:1784
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "dascHost" /tr '"C:\Windows\system32\dascHost.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:1296
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        8⤵
        Executes dropped EXE
        
        PID:1288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        8⤵
        
        PID:1648
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:932
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5dba4fb4-5d37-4bf6-bd61-5694dc1bf581

MD5
faa37917b36371249ac9fcf93317bf97

SHA1
a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4

SHA256
b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132

SHA512
614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6971f447-61a9-45b8-b019-1991b989cad1

MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69f155a1-7d3f-49af-874b-473f0080d6c6

MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8c745273-4a47-45d6-ad1f-ce1047f378c2

MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9205bf6f-b935-48b0-ad2c-ff31eb747f61

MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a36627dd-ce72-4abd-a112-8bce5082670b

MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ba7575bf-2c9c-4757-8206-3c05d6bba8c9

MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
06c9e240c1da4b0b20330f19c34893fb

SHA1
cb499c6d292b5c6314605a51f1ce97b1721c113d

SHA256
824318aa54964db06c319cd9ef75ad8498640841ffc924f192d216661e571ebc

SHA512
f9446675c36c5ae6534a275adaf078b6a12f4ce8468ccded38da4a44f6e600353453ca5fe503ccb6818f1eb612cc2c8ddf3c41f23be79ca6a7af66462c41fd3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe

MD5
863c021ab6d46dcc5f5b8a2cdab814fd

SHA1
fb1f5831b886e702a0a6e994188ce3e102935192

SHA256
25fa15664bb857af7bd264779f9d1d7b898cae1afcb992e0e3a6923f0c1d1992

SHA512
23dcac03b2f030fda00624c6b8eec18be72e4a47dd2c8006a227bccd11875767804c67fc295b9933ac82e52fec451318ae61a50c9c71ac6398fb6d76a25b2cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe

MD5
863c021ab6d46dcc5f5b8a2cdab814fd

SHA1
fb1f5831b886e702a0a6e994188ce3e102935192

SHA256
25fa15664bb857af7bd264779f9d1d7b898cae1afcb992e0e3a6923f0c1d1992

SHA512
23dcac03b2f030fda00624c6b8eec18be72e4a47dd2c8006a227bccd11875767804c67fc295b9933ac82e52fec451318ae61a50c9c71ac6398fb6d76a25b2cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe

MD5
bc74a0b1eeeced279cd2088b27f8ffe2

SHA1
308d89755701eb813436560393d37173c04dc646

SHA256
692300a92b7741887214d6578af1ddac7a123fb058e6af0e2cab5d6dfa096ba2

SHA512
f81e8bbf854191d70d69d55c044d1ce7e2c271e76adb34406415db11ce029b6e614a06d12bf53779fb6aac85756e7d8b15411c053386e22b1dcc914e80098f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe

MD5
bc74a0b1eeeced279cd2088b27f8ffe2

SHA1
308d89755701eb813436560393d37173c04dc646

SHA256
692300a92b7741887214d6578af1ddac7a123fb058e6af0e2cab5d6dfa096ba2

SHA512
f81e8bbf854191d70d69d55c044d1ce7e2c271e76adb34406415db11ce029b6e614a06d12bf53779fb6aac85756e7d8b15411c053386e22b1dcc914e80098f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe

MD5
bc74a0b1eeeced279cd2088b27f8ffe2

SHA1
308d89755701eb813436560393d37173c04dc646

SHA256
692300a92b7741887214d6578af1ddac7a123fb058e6af0e2cab5d6dfa096ba2

SHA512
f81e8bbf854191d70d69d55c044d1ce7e2c271e76adb34406415db11ce029b6e614a06d12bf53779fb6aac85756e7d8b15411c053386e22b1dcc914e80098f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe

MD5
bc74a0b1eeeced279cd2088b27f8ffe2

SHA1
308d89755701eb813436560393d37173c04dc646

SHA256
692300a92b7741887214d6578af1ddac7a123fb058e6af0e2cab5d6dfa096ba2

SHA512
f81e8bbf854191d70d69d55c044d1ce7e2c271e76adb34406415db11ce029b6e614a06d12bf53779fb6aac85756e7d8b15411c053386e22b1dcc914e80098f0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
8eb5c48846798273a67ce582d5b8954e

SHA1
f59473e84b835c5976de8fcea655de63e80fe310

SHA256
abafc13667f6bbb1a0fbbbf446d7c2a2867b65d02352455bf39a50845ac5300a

SHA512
9a11d16d796c9dcd6c1b3023d1e64a89e111833bc5a1dc19dad11db90efa948be4ad5b83a9db64046d3b0badb575f77b7884bc7a86a784003d5cae4c5dda77f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
65a0fed53213bd7d88b2af2b8f53fed4

SHA1
39774538771c42d283caac29a8ed6d0c2c2e36c1

SHA256
b9005ee6c6b96a53266214fa68ba3c3bce34bb7e7bbcd46d965aa1f84a7933b0

SHA512
27b11e2924705e95051b7014cb029e28f1d078dd7aefacd7022438badfc96c02b826eff5ce8114512f48f1a1bb4ef7c260e7e0faee298e6565a2a1c25c444981

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
8eb5c48846798273a67ce582d5b8954e

SHA1
f59473e84b835c5976de8fcea655de63e80fe310

SHA256
abafc13667f6bbb1a0fbbbf446d7c2a2867b65d02352455bf39a50845ac5300a

SHA512
9a11d16d796c9dcd6c1b3023d1e64a89e111833bc5a1dc19dad11db90efa948be4ad5b83a9db64046d3b0badb575f77b7884bc7a86a784003d5cae4c5dda77f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
8eb5c48846798273a67ce582d5b8954e

SHA1
f59473e84b835c5976de8fcea655de63e80fe310

SHA256
abafc13667f6bbb1a0fbbbf446d7c2a2867b65d02352455bf39a50845ac5300a

SHA512
9a11d16d796c9dcd6c1b3023d1e64a89e111833bc5a1dc19dad11db90efa948be4ad5b83a9db64046d3b0badb575f77b7884bc7a86a784003d5cae4c5dda77f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
8eb5c48846798273a67ce582d5b8954e

SHA1
f59473e84b835c5976de8fcea655de63e80fe310

SHA256
abafc13667f6bbb1a0fbbbf446d7c2a2867b65d02352455bf39a50845ac5300a

SHA512
9a11d16d796c9dcd6c1b3023d1e64a89e111833bc5a1dc19dad11db90efa948be4ad5b83a9db64046d3b0badb575f77b7884bc7a86a784003d5cae4c5dda77f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
65a0fed53213bd7d88b2af2b8f53fed4

SHA1
39774538771c42d283caac29a8ed6d0c2c2e36c1

SHA256
b9005ee6c6b96a53266214fa68ba3c3bce34bb7e7bbcd46d965aa1f84a7933b0

SHA512
27b11e2924705e95051b7014cb029e28f1d078dd7aefacd7022438badfc96c02b826eff5ce8114512f48f1a1bb4ef7c260e7e0faee298e6565a2a1c25c444981

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
65a0fed53213bd7d88b2af2b8f53fed4

SHA1
39774538771c42d283caac29a8ed6d0c2c2e36c1

SHA256
b9005ee6c6b96a53266214fa68ba3c3bce34bb7e7bbcd46d965aa1f84a7933b0

SHA512
27b11e2924705e95051b7014cb029e28f1d078dd7aefacd7022438badfc96c02b826eff5ce8114512f48f1a1bb4ef7c260e7e0faee298e6565a2a1c25c444981

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe

MD5
84d1e96c80f25a1a9256b468a9f8257f

SHA1
b310707940a721bf8aaa310c141edb0df53cdc76

SHA256
24409df45885818a92793183122b07298d66508d552d4d3be07108448e891ca1

SHA512
3a36fe0486c4560b43314e67aa7bbb60f29343ef2e01e33f1c7ce74c81810609eec200f954d8c82313ed11a198343e092ef216b86725271f0fd06a0e9773d993

Download Submit
C:\Windows\System32\dascHost.exe

MD5
863c021ab6d46dcc5f5b8a2cdab814fd

SHA1
fb1f5831b886e702a0a6e994188ce3e102935192

SHA256
25fa15664bb857af7bd264779f9d1d7b898cae1afcb992e0e3a6923f0c1d1992

SHA512
23dcac03b2f030fda00624c6b8eec18be72e4a47dd2c8006a227bccd11875767804c67fc295b9933ac82e52fec451318ae61a50c9c71ac6398fb6d76a25b2cf3

Download Submit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe

MD5
84d1e96c80f25a1a9256b468a9f8257f

SHA1
b310707940a721bf8aaa310c141edb0df53cdc76

SHA256
24409df45885818a92793183122b07298d66508d552d4d3be07108448e891ca1

SHA512
3a36fe0486c4560b43314e67aa7bbb60f29343ef2e01e33f1c7ce74c81810609eec200f954d8c82313ed11a198343e092ef216b86725271f0fd06a0e9773d993

Download Submit
C:\Windows\system32\dascHost.exe

MD5
863c021ab6d46dcc5f5b8a2cdab814fd

SHA1
fb1f5831b886e702a0a6e994188ce3e102935192

SHA256
25fa15664bb857af7bd264779f9d1d7b898cae1afcb992e0e3a6923f0c1d1992

SHA512
23dcac03b2f030fda00624c6b8eec18be72e4a47dd2c8006a227bccd11875767804c67fc295b9933ac82e52fec451318ae61a50c9c71ac6398fb6d76a25b2cf3

Download Submit
\Users\Admin\AppData\Local\Temp\fl.exe

MD5
863c021ab6d46dcc5f5b8a2cdab814fd

SHA1
fb1f5831b886e702a0a6e994188ce3e102935192

SHA256
25fa15664bb857af7bd264779f9d1d7b898cae1afcb992e0e3a6923f0c1d1992

SHA512
23dcac03b2f030fda00624c6b8eec18be72e4a47dd2c8006a227bccd11875767804c67fc295b9933ac82e52fec451318ae61a50c9c71ac6398fb6d76a25b2cf3

Download Submit
\Users\Admin\AppData\Local\Temp\svchost32.exe

MD5
bc74a0b1eeeced279cd2088b27f8ffe2

SHA1
308d89755701eb813436560393d37173c04dc646

SHA256
692300a92b7741887214d6578af1ddac7a123fb058e6af0e2cab5d6dfa096ba2

SHA512
f81e8bbf854191d70d69d55c044d1ce7e2c271e76adb34406415db11ce029b6e614a06d12bf53779fb6aac85756e7d8b15411c053386e22b1dcc914e80098f0e

Download Submit
\Users\Admin\AppData\Local\Temp\svchost32.exe

MD5
bc74a0b1eeeced279cd2088b27f8ffe2

SHA1
308d89755701eb813436560393d37173c04dc646

SHA256
692300a92b7741887214d6578af1ddac7a123fb058e6af0e2cab5d6dfa096ba2

SHA512
f81e8bbf854191d70d69d55c044d1ce7e2c271e76adb34406415db11ce029b6e614a06d12bf53779fb6aac85756e7d8b15411c053386e22b1dcc914e80098f0e

Download Submit
\Windows\System32\Microsoft\Telemetry\sihost32.exe

MD5
84d1e96c80f25a1a9256b468a9f8257f

SHA1
b310707940a721bf8aaa310c141edb0df53cdc76

SHA256
24409df45885818a92793183122b07298d66508d552d4d3be07108448e891ca1

SHA512
3a36fe0486c4560b43314e67aa7bbb60f29343ef2e01e33f1c7ce74c81810609eec200f954d8c82313ed11a198343e092ef216b86725271f0fd06a0e9773d993

Download Submit
\Windows\System32\dascHost.exe

MD5
863c021ab6d46dcc5f5b8a2cdab814fd

SHA1
fb1f5831b886e702a0a6e994188ce3e102935192

SHA256
25fa15664bb857af7bd264779f9d1d7b898cae1afcb992e0e3a6923f0c1d1992

SHA512
23dcac03b2f030fda00624c6b8eec18be72e4a47dd2c8006a227bccd11875767804c67fc295b9933ac82e52fec451318ae61a50c9c71ac6398fb6d76a25b2cf3

Download Submit
memory/280-191-0x0000000000000000-mapping.dmp

Download
memory/280-204-0x000000001AB90000-0x000000001AB92000-memory.dmp

Filesize
8KB

Download
memory/616-207-0x0000000000000000-mapping.dmp

Download
memory/748-71-0x0000000000000000-mapping.dmp

Download
memory/788-77-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/788-81-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/788-72-0x0000000000000000-mapping.dmp

Download
memory/788-97-0x000000001B460000-0x000000001B461000-memory.dmp

Filesize
4KB

Download
memory/788-73-0x000007FEFB681000-0x000007FEFB683000-memory.dmp

Filesize
8KB

Download
memory/788-96-0x000000001B450000-0x000000001B451000-memory.dmp

Filesize
4KB

Download
memory/788-75-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/788-76-0x000000001AA50000-0x000000001AA51000-memory.dmp

Filesize
4KB

Download
memory/788-78-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/788-84-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/788-79-0x0000000002790000-0x0000000002792000-memory.dmp

Filesize
8KB

Download
memory/788-80-0x0000000002794000-0x0000000002796000-memory.dmp

Filesize
8KB

Download
memory/928-120-0x000000001ADA0000-0x000000001ADA2000-memory.dmp

Filesize
8KB

Download
memory/928-121-0x000000001ADA4000-0x000000001ADA6000-memory.dmp

Filesize
8KB

Download
memory/928-115-0x0000000000000000-mapping.dmp

Download
memory/932-147-0x0000000000000000-mapping.dmp

Download
memory/1152-131-0x000000001ACA4000-0x000000001ACA6000-memory.dmp

Filesize
8KB

Download
memory/1152-130-0x000000001ACA0000-0x000000001ACA2000-memory.dmp

Filesize
8KB

Download
memory/1152-124-0x0000000000000000-mapping.dmp

Download
memory/1240-60-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download
memory/1240-64-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/1240-62-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1288-198-0x0000000000000000-mapping.dmp

Download
memory/1288-205-0x0000000002370000-0x0000000002372000-memory.dmp

Filesize
8KB

Download
memory/1292-98-0x0000000000000000-mapping.dmp

Download
memory/1292-106-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1292-101-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1292-102-0x000000001AC10000-0x000000001AC11000-memory.dmp

Filesize
4KB

Download
memory/1292-103-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1292-104-0x000000001AB90000-0x000000001AB92000-memory.dmp

Filesize
8KB

Download
memory/1292-105-0x000000001AB94000-0x000000001AB96000-memory.dmp

Filesize
8KB

Download
memory/1296-200-0x0000000000000000-mapping.dmp

Download
memory/1320-151-0x0000000000000000-mapping.dmp

Download
memory/1376-162-0x0000000000000000-mapping.dmp

Download
memory/1376-169-0x000000001AC60000-0x000000001AC62000-memory.dmp

Filesize
8KB

Download
memory/1376-170-0x000000001AC64000-0x000000001AC66000-memory.dmp

Filesize
8KB

Download
memory/1532-176-0x000000001AB20000-0x000000001AB22000-memory.dmp

Filesize
8KB

Download
memory/1532-171-0x0000000000000000-mapping.dmp

Download
memory/1532-177-0x000000001AB24000-0x000000001AB26000-memory.dmp

Filesize
8KB

Download
memory/1640-180-0x0000000000000000-mapping.dmp

Download
memory/1640-188-0x000000001AE24000-0x000000001AE26000-memory.dmp

Filesize
8KB

Download
memory/1640-187-0x000000001AE20000-0x000000001AE22000-memory.dmp

Filesize
8KB

Download
memory/1648-206-0x0000000000000000-mapping.dmp

Download
memory/1656-133-0x0000000000000000-mapping.dmp

Download
memory/1692-150-0x0000000000000000-mapping.dmp

Download
memory/1724-152-0x0000000000000000-mapping.dmp

Download
memory/1724-158-0x000000001AB90000-0x000000001AB92000-memory.dmp

Filesize
8KB

Download
memory/1724-160-0x000000001AB94000-0x000000001AB96000-memory.dmp

Filesize
8KB

Download
memory/1768-157-0x0000000002240000-0x0000000002242000-memory.dmp

Filesize
8KB

Download
memory/1768-144-0x0000000000000000-mapping.dmp

Download
memory/1768-148-0x000000013FCC0000-0x000000013FCC1000-memory.dmp

Filesize
4KB

Download
memory/1780-74-0x000000001BDF0000-0x000000001BDF2000-memory.dmp

Filesize
8KB

Download
memory/1780-69-0x000000013FCF0000-0x000000013FCF1000-memory.dmp

Filesize
4KB

Download
memory/1780-66-0x0000000000000000-mapping.dmp

Download
memory/1784-196-0x0000000000000000-mapping.dmp

Download
memory/1816-189-0x0000000000000000-mapping.dmp

Download
memory/1860-142-0x0000000000000000-mapping.dmp

Download
memory/1956-135-0x0000000000000000-mapping.dmp

Download
memory/1956-138-0x000000013F030000-0x000000013F031000-memory.dmp

Filesize
4KB

Download
memory/1956-140-0x0000000002370000-0x0000000002372000-memory.dmp

Filesize
8KB

Download
memory/2044-141-0x0000000000000000-mapping.dmp

Download