xmrig | 932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2

Analysis

max time kernel
301s
max time network
199s
platform
windows10_x64
resource
win10-20220414-en
submitted
16-05-2022 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Size

16KB
MD5

23c8b23571c065c1d8c65beb2899cc42
SHA1

fd7f51575ccaeba2cd6cb0d2195e2be966c0fecf
SHA256

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2
SHA512

af1df92b60d1cff475deb7688b7a8baff26feb240a0d48a9cd73df3d1a5b9acff72d353f686de259d3bd77c0df1a7f7b269434789189a26c46a02313bdb5e64c

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 6 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

dllhost.exewinlogson.exewinlogson.exewinlogson.exewinlogson.exewinlogson.exewinlogson.exe

pid process

4596 dllhost.exe
4100 winlogson.exe
4484 winlogson.exe
648 winlogson.exe
776 winlogson.exe
1272 winlogson.exe
4180 winlogson.exe

pid	process
4596	dllhost.exe
4100	winlogson.exe
4484	winlogson.exe
648	winlogson.exe
776	winlogson.exe
1272	winlogson.exe
4180	winlogson.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4488 schtasks.exe
4208 schtasks.exe
4420 schtasks.exe
4204 schtasks.exe
4408 schtasks.exe

pid	process
4488	schtasks.exe
4208	schtasks.exe
4420	schtasks.exe
4204	schtasks.exe
4408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exedllhost.exe

pid	process
4304	powershell.exe
4304	powershell.exe
4304	powershell.exe
584	powershell.exe
584	powershell.exe
584	powershell.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe
4596	dllhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exe932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exepowershell.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	1020	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	4596	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.execmd.exedllhost.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1020 wrote to memory of 3004	1020	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	cmd.exe
PID 1020 wrote to memory of 3004	1020	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	cmd.exe
PID 1020 wrote to memory of 3004	1020	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	cmd.exe
PID 3004 wrote to memory of 4032	3004	cmd.exe	chcp.com
PID 3004 wrote to memory of 4032	3004	cmd.exe	chcp.com
PID 3004 wrote to memory of 4032	3004	cmd.exe	chcp.com
PID 3004 wrote to memory of 4304	3004	cmd.exe	powershell.exe
PID 3004 wrote to memory of 4304	3004	cmd.exe	powershell.exe
PID 3004 wrote to memory of 4304	3004	cmd.exe	powershell.exe
PID 3004 wrote to memory of 584	3004	cmd.exe	powershell.exe
PID 3004 wrote to memory of 584	3004	cmd.exe	powershell.exe
PID 3004 wrote to memory of 584	3004	cmd.exe	powershell.exe
PID 1020 wrote to memory of 4596	1020	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	dllhost.exe
PID 1020 wrote to memory of 4596	1020	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	dllhost.exe
PID 1020 wrote to memory of 4596	1020	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	dllhost.exe
PID 4596 wrote to memory of 5116	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 5116	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 5116	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 5060	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 5060	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 5060	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 988	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 988	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 988	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 4180	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 4180	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 4180	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 984	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 984	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 984	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 3408	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 3408	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 3408	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 3652	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 3652	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 3652	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 3736	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 3736	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 3736	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 1696	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 1696	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 1696	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 2152	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 2152	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 2152	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 4140	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 4140	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 4140	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 4128	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 4128	4596	dllhost.exe	cmd.exe
PID 4596 wrote to memory of 4128	4596	dllhost.exe	cmd.exe
PID 4140 wrote to memory of 4204	4140	cmd.exe	schtasks.exe
PID 4140 wrote to memory of 4204	4140	cmd.exe	schtasks.exe
PID 4140 wrote to memory of 4204	4140	cmd.exe	schtasks.exe
PID 5060 wrote to memory of 4408	5060	cmd.exe	schtasks.exe
PID 5060 wrote to memory of 4408	5060	cmd.exe	schtasks.exe
PID 5060 wrote to memory of 4408	5060	cmd.exe	schtasks.exe
PID 4180 wrote to memory of 4488	4180	cmd.exe	schtasks.exe
PID 4180 wrote to memory of 4488	4180	cmd.exe	schtasks.exe
PID 4180 wrote to memory of 4488	4180	cmd.exe	schtasks.exe
PID 3408 wrote to memory of 4420	3408	cmd.exe	schtasks.exe
PID 3408 wrote to memory of 4420	3408	cmd.exe	schtasks.exe
PID 3408 wrote to memory of 4420	3408	cmd.exe	schtasks.exe
PID 988 wrote to memory of 4208	988	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
"C:\Users\Admin\AppData\Local\Temp\932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
2⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:4032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4408

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4208

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4488

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:984

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4420

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:3736

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk9043" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk8051" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7573" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk3966" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk3966" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4204

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:3652

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:188

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:2432

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:4100

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:2792

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:3960

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:4484

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:3732

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:160

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:648

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:2636

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:4468

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:776

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:856

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1128

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:1272

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1424

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1836

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:4180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
0426f4269f3de8ffe4f85df9e8454b4b

SHA1
6fa3f292df8c849d10a21140f48d9d64d27870fe

SHA256
ee0a13f5d66a499fc53678ba0e4f55f769ecb8a883d90f6025cd62c7f4ddf0ad

SHA512
566b6711569011ac26294ff00ce8c06667b0dd387a89ef5e49847138ad5a25144f13a1f58bac763bc3d3d454f3ba068494e08b702f5d3e4005a5cb1feab54d02

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
0426f4269f3de8ffe4f85df9e8454b4b

SHA1
6fa3f292df8c849d10a21140f48d9d64d27870fe

SHA256
ee0a13f5d66a499fc53678ba0e4f55f769ecb8a883d90f6025cd62c7f4ddf0ad

SHA512
566b6711569011ac26294ff00ce8c06667b0dd387a89ef5e49847138ad5a25144f13a1f58bac763bc3d3d454f3ba068494e08b702f5d3e4005a5cb1feab54d02

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\HostData\logs.uce
Filesize
503B

MD5
8b078b9c907544907733f5f47030bcb7

SHA1
0c45a6f025053768758df477c4812c5933a8e366

SHA256
d8c7f0f440d786c3ebc13a59eb5e99d31e34c89cb47603f4f790da54707c34df

SHA512
3ab98331ab7913bdafac180a3976b9c8bb24c68c1aeb109f5c18939d5725f4c38d81565551f9b2dba297e16d71c7ece671cda2ca3d101ec20d957cc7a160db41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
b2b0d469af780df07c81815e1487a50f

SHA1
fc355ef4b657f5eb8987d2dbd0fd2902b95accb8

SHA256
944c87235f9739f583a555abf1262de52e1241f4666097e33b568e1f71dbb6b6

SHA512
b2debae3c05bc80f715b23391834d59ca239a20d08db9355374f1d3093f983745f28efc0a4d39bcdee1e16e9ef2541336096166693f415fff5bb63f8e90973f9

Download Submit
memory/160-1164-0x0000000000000000-mapping.dmp

Download
memory/188-1123-0x0000000000000000-mapping.dmp

Download
memory/584-538-0x0000000000000000-mapping.dmp

Download
memory/648-1172-0x0000000000000000-mapping.dmp

Download
memory/776-1189-0x0000000000000000-mapping.dmp

Download
memory/856-1192-0x0000000000000000-mapping.dmp

Download
memory/984-760-0x0000000000000000-mapping.dmp

Download
memory/988-751-0x0000000000000000-mapping.dmp

Download
memory/1020-158-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-168-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-139-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-140-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-141-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-142-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-143-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-144-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-145-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-146-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-147-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-148-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-149-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-150-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-151-0x00000000007E0000-0x00000000007EA000-memory.dmp

Filesize
40KB

Download
memory/1020-152-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-153-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-154-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-155-0x0000000005530000-0x0000000005A2E000-memory.dmp

Filesize
5.0MB

Download
memory/1020-156-0x0000000005030000-0x00000000050C2000-memory.dmp

Filesize
584KB

Download
memory/1020-157-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-137-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-159-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-160-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-161-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-162-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-163-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-164-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-165-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-166-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-167-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-138-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-169-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-170-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-171-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-172-0x00000000051A0000-0x00000000051AA000-memory.dmp

Filesize
40KB

Download
memory/1020-173-0x0000000005220000-0x0000000005286000-memory.dmp

Filesize
408KB

Download
memory/1020-136-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-119-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-120-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-135-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-121-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-122-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-134-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-133-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-132-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-131-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-130-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-129-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-128-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-127-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-126-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-125-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-123-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-118-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1020-124-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1128-1198-0x0000000000000000-mapping.dmp

Download
memory/1272-1206-0x0000000000000000-mapping.dmp

Download
memory/1424-1209-0x0000000000000000-mapping.dmp

Download
memory/1696-785-0x0000000000000000-mapping.dmp

Download
memory/1836-1215-0x0000000000000000-mapping.dmp

Download
memory/2152-791-0x0000000000000000-mapping.dmp

Download
memory/2432-1129-0x0000000000000000-mapping.dmp

Download
memory/2636-1175-0x0000000000000000-mapping.dmp

Download
memory/2792-1141-0x0000000000000000-mapping.dmp

Download
memory/3004-177-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/3004-176-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/3004-178-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/3004-179-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/3004-174-0x0000000000000000-mapping.dmp

Download
memory/3004-175-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/3408-766-0x0000000000000000-mapping.dmp

Download
memory/3652-773-0x0000000000000000-mapping.dmp

Download
memory/3732-1158-0x0000000000000000-mapping.dmp

Download
memory/3736-779-0x0000000000000000-mapping.dmp

Download
memory/3960-1147-0x0000000000000000-mapping.dmp

Download
memory/4032-180-0x0000000000000000-mapping.dmp

Download
memory/4032-187-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/4032-182-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/4032-183-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/4032-184-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/4032-181-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/4032-186-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/4032-185-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/4100-1138-0x0000000000000000-mapping.dmp

Download
memory/4128-802-0x0000000000000000-mapping.dmp

Download
memory/4140-797-0x0000000000000000-mapping.dmp

Download
memory/4180-755-0x0000000000000000-mapping.dmp

Download
memory/4180-1223-0x0000000000000000-mapping.dmp

Download
memory/4204-828-0x0000000000000000-mapping.dmp

Download
memory/4208-835-0x0000000000000000-mapping.dmp

Download
memory/4304-249-0x0000000007820000-0x0000000007842000-memory.dmp

Filesize
136KB

Download
memory/4304-229-0x0000000007910000-0x0000000007F38000-memory.dmp

Filesize
6.2MB

Download
memory/4304-188-0x0000000000000000-mapping.dmp

Download
memory/4304-299-0x0000000009790000-0x00000000097AE000-memory.dmp

Filesize
120KB

Download
memory/4304-224-0x0000000004DC0000-0x0000000004DF6000-memory.dmp

Filesize
216KB

Download
memory/4304-253-0x0000000007F40000-0x0000000007FA6000-memory.dmp

Filesize
408KB

Download
memory/4304-258-0x0000000008260000-0x00000000085B0000-memory.dmp

Filesize
3.3MB

Download
memory/4304-189-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/4304-270-0x0000000008060000-0x000000000807C000-memory.dmp

Filesize
112KB

Download
memory/4304-272-0x0000000008AF0000-0x0000000008B3B000-memory.dmp

Filesize
300KB

Download
memory/4304-281-0x00000000088A0000-0x0000000008916000-memory.dmp

Filesize
472KB

Download
memory/4304-298-0x00000000097B0000-0x00000000097E3000-memory.dmp

Filesize
204KB

Download
memory/4304-520-0x0000000009C50000-0x0000000009C58000-memory.dmp

Filesize
32KB

Download
memory/4304-515-0x0000000009C60000-0x0000000009C7A000-memory.dmp

Filesize
104KB

Download
memory/4304-312-0x0000000009CB0000-0x0000000009D44000-memory.dmp

Filesize
592KB

Download
memory/4304-308-0x0000000009800000-0x00000000098A5000-memory.dmp

Filesize
660KB

Download
memory/4408-829-0x0000000000000000-mapping.dmp

Download
memory/4420-831-0x0000000000000000-mapping.dmp

Download
memory/4468-1181-0x0000000000000000-mapping.dmp

Download
memory/4484-1155-0x0000000000000000-mapping.dmp

Download
memory/4488-830-0x0000000000000000-mapping.dmp

Download
memory/4596-710-0x00000000052C0000-0x00000000052C6000-memory.dmp

Filesize
24KB

Download
memory/4596-693-0x0000000000A30000-0x0000000000A4A000-memory.dmp

Filesize
104KB

Download
memory/4596-626-0x0000000000000000-mapping.dmp

Download
memory/5060-750-0x0000000000000000-mapping.dmp

Download
memory/5116-748-0x0000000000000000-mapping.dmp

Download