xmrig | 932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2

Analysis

max time kernel
300s
max time network
198s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Size

16KB
MD5

23c8b23571c065c1d8c65beb2899cc42
SHA1

fd7f51575ccaeba2cd6cb0d2195e2be966c0fecf
SHA256

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2
SHA512

af1df92b60d1cff475deb7688b7a8baff26feb240a0d48a9cd73df3d1a5b9acff72d353f686de259d3bd77c0df1a7f7b269434789189a26c46a02313bdb5e64c

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 7 IoCs

miner

Processes:

resource	yara_rule
\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

dllhost.exewinlogson.exewinlogson.exewinlogson.exewinlogson.exewinlogson.exewinlogson.exe

pid process

1112 dllhost.exe
1364 winlogson.exe
952 winlogson.exe
1596 winlogson.exe
1740 winlogson.exe
1708 winlogson.exe
2036 winlogson.exe
Loads dropped DLL 2 IoCs

Processes:

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.execmd.exe

pid process

536 932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
928 cmd.exe

pid	process
1112	dllhost.exe
1364	winlogson.exe
952	winlogson.exe
1596	winlogson.exe
1740	winlogson.exe
1708	winlogson.exe
2036	winlogson.exe

pid	process
536	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
928	cmd.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1268	schtasks.exe
1924	schtasks.exe
952	schtasks.exe
1604	schtasks.exe
632	schtasks.exe
992	schtasks.exe
240	schtasks.exe
928	schtasks.exe
1448	schtasks.exe
1488	schtasks.exe
572	schtasks.exe
1720	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exedllhost.exe

pid	process
1424	powershell.exe
1324	powershell.exe
1980	powershell.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe
1112	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dw20.exe

pid process

1164 dw20.exe

pid	process
1164	dw20.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	536	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Token: SeDebugPrivilege	1112	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.execmd.exepowershell.exedllhost.execmd.exe

description	pid	process	target process
PID 536 wrote to memory of 1724	536	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	cmd.exe
PID 536 wrote to memory of 1724	536	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	cmd.exe
PID 536 wrote to memory of 1724	536	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	cmd.exe
PID 536 wrote to memory of 1724	536	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	cmd.exe
PID 1724 wrote to memory of 1636	1724	cmd.exe	chcp.com
PID 1724 wrote to memory of 1636	1724	cmd.exe	chcp.com
PID 1724 wrote to memory of 1636	1724	cmd.exe	chcp.com
PID 1724 wrote to memory of 1636	1724	cmd.exe	chcp.com
PID 1724 wrote to memory of 1424	1724	cmd.exe	powershell.exe
PID 1724 wrote to memory of 1424	1724	cmd.exe	powershell.exe
PID 1724 wrote to memory of 1424	1724	cmd.exe	powershell.exe
PID 1724 wrote to memory of 1424	1724	cmd.exe	powershell.exe
PID 1724 wrote to memory of 1324	1724	cmd.exe	powershell.exe
PID 1724 wrote to memory of 1324	1724	cmd.exe	powershell.exe
PID 1724 wrote to memory of 1324	1724	cmd.exe	powershell.exe
PID 1724 wrote to memory of 1324	1724	cmd.exe	powershell.exe
PID 1724 wrote to memory of 1980	1724	cmd.exe	powershell.exe
PID 1724 wrote to memory of 1980	1724	cmd.exe	powershell.exe
PID 1724 wrote to memory of 1980	1724	cmd.exe	powershell.exe
PID 1724 wrote to memory of 1980	1724	cmd.exe	powershell.exe
PID 1980 wrote to memory of 1164	1980	powershell.exe	dw20.exe
PID 1980 wrote to memory of 1164	1980	powershell.exe	dw20.exe
PID 1980 wrote to memory of 1164	1980	powershell.exe	dw20.exe
PID 1980 wrote to memory of 1164	1980	powershell.exe	dw20.exe
PID 536 wrote to memory of 1112	536	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	dllhost.exe
PID 536 wrote to memory of 1112	536	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	dllhost.exe
PID 536 wrote to memory of 1112	536	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	dllhost.exe
PID 536 wrote to memory of 1112	536	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	dllhost.exe
PID 1112 wrote to memory of 300	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 300	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 300	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 300	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1932	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1932	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1932	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1932	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1244	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1244	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1244	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1244	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1500	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1500	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1500	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1500	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1392	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1392	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1392	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1392	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1668	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1668	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1668	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1668	1112	dllhost.exe	cmd.exe
PID 300 wrote to memory of 928	300	cmd.exe	schtasks.exe
PID 300 wrote to memory of 928	300	cmd.exe	schtasks.exe
PID 300 wrote to memory of 928	300	cmd.exe	schtasks.exe
PID 300 wrote to memory of 928	300	cmd.exe	schtasks.exe
PID 1112 wrote to memory of 1644	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1644	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1644	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1644	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1620	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1620	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1620	1112	dllhost.exe	cmd.exe
PID 1112 wrote to memory of 1620	1112	dllhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
"C:\Users\Admin\AppData\Local\Temp\932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
2⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:1636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 788
4⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1164

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:300

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:928

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1244

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1268

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1932

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:240

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1500

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1448

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1392

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1604

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1668

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1924

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1644

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:632

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2498" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1632

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2498" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1488

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1620

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:572

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk5772" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1364

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk5772" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:992

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk97" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1404

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk97" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:952

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk3944" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:892

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk3944" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1720

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
- Loads dropped DLL
PID:928

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1984

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:1364

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:2008

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:816

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:952

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1108

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1228

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:1596

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1720

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1072

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:1740

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:288

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1532

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:1708

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1364

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1808

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
0426f4269f3de8ffe4f85df9e8454b4b

SHA1
6fa3f292df8c849d10a21140f48d9d64d27870fe

SHA256
ee0a13f5d66a499fc53678ba0e4f55f769ecb8a883d90f6025cd62c7f4ddf0ad

SHA512
566b6711569011ac26294ff00ce8c06667b0dd387a89ef5e49847138ad5a25144f13a1f58bac763bc3d3d454f3ba068494e08b702f5d3e4005a5cb1feab54d02

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
0426f4269f3de8ffe4f85df9e8454b4b

SHA1
6fa3f292df8c849d10a21140f48d9d64d27870fe

SHA256
ee0a13f5d66a499fc53678ba0e4f55f769ecb8a883d90f6025cd62c7f4ddf0ad

SHA512
566b6711569011ac26294ff00ce8c06667b0dd387a89ef5e49847138ad5a25144f13a1f58bac763bc3d3d454f3ba068494e08b702f5d3e4005a5cb1feab54d02

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\HostData\logs.uce
Filesize
503B

MD5
8b078b9c907544907733f5f47030bcb7

SHA1
0c45a6f025053768758df477c4812c5933a8e366

SHA256
d8c7f0f440d786c3ebc13a59eb5e99d31e34c89cb47603f4f790da54707c34df

SHA512
3ab98331ab7913bdafac180a3976b9c8bb24c68c1aeb109f5c18939d5725f4c38d81565551f9b2dba297e16d71c7ece671cda2ca3d101ec20d957cc7a160db41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
6572000d525ba9bf91a766420928f23e

SHA1
05945d1a348757c2e22f15a6a8f4883d0cd12a67

SHA256
072689b2e0bc1267acdd9f6afaf2adf84d3527bcb2b46b8b1e480ce02844454c

SHA512
d626ae03945e79065b386c22e608e5239fa62ef4f7cde88ba5abab9be398089a387545cd83ee6408c2d95259064570728cefa3bce94ca37fe276d0b609aaee34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0672ee0ca92848a5791ae68a6874fde8

SHA1
e99f81e61ad47b3e848de2d84de635d30c70ca48

SHA256
dc7fc3f116c57c244fbb6b2b2043cc162c6e3edc0be379693a86860a45cfbcd2

SHA512
b9cf58f28b99e9974b110c87efd2d22490916d2cbd1702c1ed548dbd71aee1d8f93321f34988f35dc2504821bd0f2338c4c8ebf3862334c4f3422d04e8c7949e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0672ee0ca92848a5791ae68a6874fde8

SHA1
e99f81e61ad47b3e848de2d84de635d30c70ca48

SHA256
dc7fc3f116c57c244fbb6b2b2043cc162c6e3edc0be379693a86860a45cfbcd2

SHA512
b9cf58f28b99e9974b110c87efd2d22490916d2cbd1702c1ed548dbd71aee1d8f93321f34988f35dc2504821bd0f2338c4c8ebf3862334c4f3422d04e8c7949e

Download Submit
\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
0426f4269f3de8ffe4f85df9e8454b4b

SHA1
6fa3f292df8c849d10a21140f48d9d64d27870fe

SHA256
ee0a13f5d66a499fc53678ba0e4f55f769ecb8a883d90f6025cd62c7f4ddf0ad

SHA512
566b6711569011ac26294ff00ce8c06667b0dd387a89ef5e49847138ad5a25144f13a1f58bac763bc3d3d454f3ba068494e08b702f5d3e4005a5cb1feab54d02

Download Submit
\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
memory/240-91-0x0000000000000000-mapping.dmp

Download
memory/288-126-0x0000000000000000-mapping.dmp

Download
memory/300-78-0x0000000000000000-mapping.dmp

Download
memory/536-55-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/536-54-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/572-96-0x0000000000000000-mapping.dmp

Download
memory/632-94-0x0000000000000000-mapping.dmp

Download
memory/816-112-0x0000000000000000-mapping.dmp

Download
memory/892-90-0x0000000000000000-mapping.dmp

Download
memory/928-105-0x0000000000000000-mapping.dmp

Download
memory/928-84-0x0000000000000000-mapping.dmp

Download
memory/952-92-0x0000000000000000-mapping.dmp

Download
memory/952-113-0x0000000000000000-mapping.dmp

Download
memory/992-93-0x0000000000000000-mapping.dmp

Download
memory/1072-122-0x0000000000000000-mapping.dmp

Download
memory/1108-116-0x0000000000000000-mapping.dmp

Download
memory/1112-75-0x0000000000820000-0x000000000083A000-memory.dmp

Filesize
104KB

Download
memory/1112-76-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/1112-72-0x0000000000000000-mapping.dmp

Download
memory/1164-68-0x0000000000000000-mapping.dmp

Download
memory/1228-117-0x0000000000000000-mapping.dmp

Download
memory/1244-80-0x0000000000000000-mapping.dmp

Download
memory/1268-101-0x0000000000000000-mapping.dmp

Download
memory/1324-61-0x0000000000000000-mapping.dmp

Download
memory/1324-64-0x000000006F330000-0x000000006F8DB000-memory.dmp

Filesize
5.7MB

Download
memory/1364-131-0x0000000000000000-mapping.dmp

Download
memory/1364-110-0x00000000000F0000-0x0000000000110000-memory.dmp

Filesize
128KB

Download
memory/1364-88-0x0000000000000000-mapping.dmp

Download
memory/1364-108-0x0000000000000000-mapping.dmp

Download
memory/1392-82-0x0000000000000000-mapping.dmp

Download
memory/1404-89-0x0000000000000000-mapping.dmp

Download
memory/1424-58-0x0000000000000000-mapping.dmp

Download
memory/1424-60-0x000000006F230000-0x000000006F7DB000-memory.dmp

Filesize
5.7MB

Download
memory/1448-99-0x0000000000000000-mapping.dmp

Download
memory/1488-95-0x0000000000000000-mapping.dmp

Download
memory/1500-81-0x0000000000000000-mapping.dmp

Download
memory/1532-127-0x0000000000000000-mapping.dmp

Download
memory/1596-118-0x0000000000000000-mapping.dmp

Download
memory/1604-100-0x0000000000000000-mapping.dmp

Download
memory/1620-86-0x0000000000000000-mapping.dmp

Download
memory/1632-87-0x0000000000000000-mapping.dmp

Download
memory/1636-57-0x0000000000000000-mapping.dmp

Download
memory/1644-85-0x0000000000000000-mapping.dmp

Download
memory/1668-83-0x0000000000000000-mapping.dmp

Download
memory/1708-128-0x0000000000000000-mapping.dmp

Download
memory/1720-98-0x0000000000000000-mapping.dmp

Download
memory/1720-121-0x0000000000000000-mapping.dmp

Download
memory/1724-56-0x0000000000000000-mapping.dmp

Download
memory/1740-123-0x0000000000000000-mapping.dmp

Download
memory/1808-132-0x0000000000000000-mapping.dmp

Download
memory/1924-97-0x0000000000000000-mapping.dmp

Download
memory/1932-79-0x0000000000000000-mapping.dmp

Download
memory/1980-65-0x0000000000000000-mapping.dmp

Download
memory/1980-70-0x000000006EF80000-0x000000006F52B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-106-0x0000000000000000-mapping.dmp

Download
memory/2008-111-0x0000000000000000-mapping.dmp

Download
memory/2036-133-0x0000000000000000-mapping.dmp

Download