xmrig | 932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2

Analysis

max time kernel
301s
max time network
198s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-05-2022 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Size

16KB
MD5

23c8b23571c065c1d8c65beb2899cc42
SHA1

fd7f51575ccaeba2cd6cb0d2195e2be966c0fecf
SHA256

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2
SHA512

af1df92b60d1cff475deb7688b7a8baff26feb240a0d48a9cd73df3d1a5b9acff72d353f686de259d3bd77c0df1a7f7b269434789189a26c46a02313bdb5e64c

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 7 IoCs

miner

Processes:

resource	yara_rule
\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

dllhost.exewinlogson.exewinlogson.exewinlogson.exewinlogson.exewinlogson.exewinlogson.exe

pid process

1468 dllhost.exe
1928 winlogson.exe
1736 winlogson.exe
1980 winlogson.exe
1692 winlogson.exe
972 winlogson.exe
1740 winlogson.exe
Loads dropped DLL 2 IoCs

Processes:

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.execmd.exe

pid process

1800 932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
1132 cmd.exe

pid	process
1468	dllhost.exe
1928	winlogson.exe
1736	winlogson.exe
1980	winlogson.exe
1692	winlogson.exe
972	winlogson.exe
1740	winlogson.exe

pid	process
1800	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
1132	cmd.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1756	schtasks.exe
580	schtasks.exe
1552	schtasks.exe
1668	schtasks.exe
1788	schtasks.exe
1728	schtasks.exe
1592	schtasks.exe
1528	schtasks.exe
364	schtasks.exe
1964	schtasks.exe
1828	schtasks.exe
1480	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exedllhost.exe

pid	process
1716	powershell.exe
1400	powershell.exe
268	powershell.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	1800	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
Token: SeDebugPrivilege	1468	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.execmd.exedllhost.execmd.execmd.exe

description	pid	process	target process
PID 1800 wrote to memory of 1612	1800	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	cmd.exe
PID 1800 wrote to memory of 1612	1800	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	cmd.exe
PID 1800 wrote to memory of 1612	1800	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	cmd.exe
PID 1800 wrote to memory of 1612	1800	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	cmd.exe
PID 1612 wrote to memory of 948	1612	cmd.exe	chcp.com
PID 1612 wrote to memory of 948	1612	cmd.exe	chcp.com
PID 1612 wrote to memory of 948	1612	cmd.exe	chcp.com
PID 1612 wrote to memory of 948	1612	cmd.exe	chcp.com
PID 1612 wrote to memory of 1716	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 1716	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 1716	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 1716	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 1400	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 1400	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 1400	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 1400	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 268	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 268	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 268	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 268	1612	cmd.exe	powershell.exe
PID 1800 wrote to memory of 1468	1800	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	dllhost.exe
PID 1800 wrote to memory of 1468	1800	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	dllhost.exe
PID 1800 wrote to memory of 1468	1800	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	dllhost.exe
PID 1800 wrote to memory of 1468	1800	932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe	dllhost.exe
PID 1468 wrote to memory of 812	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 812	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 812	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 812	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 1212	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 1212	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 1212	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 1212	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 1892	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 1892	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 1892	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 1892	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 1380	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 1380	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 1380	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 1380	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 608	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 608	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 608	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 608	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 568	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 568	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 568	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 568	1468	dllhost.exe	cmd.exe
PID 812 wrote to memory of 1480	812	cmd.exe	schtasks.exe
PID 812 wrote to memory of 1480	812	cmd.exe	schtasks.exe
PID 812 wrote to memory of 1480	812	cmd.exe	schtasks.exe
PID 812 wrote to memory of 1480	812	cmd.exe	schtasks.exe
PID 1468 wrote to memory of 1632	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 1632	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 1632	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 1632	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 864	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 864	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 864	1468	dllhost.exe	cmd.exe
PID 1468 wrote to memory of 864	1468	dllhost.exe	cmd.exe
PID 1892 wrote to memory of 1728	1892	cmd.exe	schtasks.exe
PID 1892 wrote to memory of 1728	1892	cmd.exe	schtasks.exe
PID 1892 wrote to memory of 1728	1892	cmd.exe	schtasks.exe
PID 1892 wrote to memory of 1728	1892	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe
"C:\Users\Admin\AppData\Local\Temp\932b589a050018c47609fa544370f1382525764c3ed1df2b844ffaa05297d4e2.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
2⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1480

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1380

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1592

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1728

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1212

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1668

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:568

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1964

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:608

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1528

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1632

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1788

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk460" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1780

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk460" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1828

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1320" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk8605" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7434" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
- Loads dropped DLL
PID:1132

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:268

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:1928

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1588

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1728

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:1736

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:2028

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:608

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:1980

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1628

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:776

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:1692

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1680

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:888

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:972

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1768

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1072

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:1740

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk8605" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:364

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:1756

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7434" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:580

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1320" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
0426f4269f3de8ffe4f85df9e8454b4b

SHA1
6fa3f292df8c849d10a21140f48d9d64d27870fe

SHA256
ee0a13f5d66a499fc53678ba0e4f55f769ecb8a883d90f6025cd62c7f4ddf0ad

SHA512
566b6711569011ac26294ff00ce8c06667b0dd387a89ef5e49847138ad5a25144f13a1f58bac763bc3d3d454f3ba068494e08b702f5d3e4005a5cb1feab54d02

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
0426f4269f3de8ffe4f85df9e8454b4b

SHA1
6fa3f292df8c849d10a21140f48d9d64d27870fe

SHA256
ee0a13f5d66a499fc53678ba0e4f55f769ecb8a883d90f6025cd62c7f4ddf0ad

SHA512
566b6711569011ac26294ff00ce8c06667b0dd387a89ef5e49847138ad5a25144f13a1f58bac763bc3d3d454f3ba068494e08b702f5d3e4005a5cb1feab54d02

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\HostData\logs.uce
Filesize
503B

MD5
8b078b9c907544907733f5f47030bcb7

SHA1
0c45a6f025053768758df477c4812c5933a8e366

SHA256
d8c7f0f440d786c3ebc13a59eb5e99d31e34c89cb47603f4f790da54707c34df

SHA512
3ab98331ab7913bdafac180a3976b9c8bb24c68c1aeb109f5c18939d5725f4c38d81565551f9b2dba297e16d71c7ece671cda2ca3d101ec20d957cc7a160db41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b67380f3e255b48b2bbd9e32f36d3c45

SHA1
85db36c37054e300a748413aa163a8faf58e48f2

SHA256
bce9fd9c6ebd00cbec8f084cd7f464bdf6b2f880a57e4c77039f00fd73ee9262

SHA512
f525fb8f0fd27d607975eab3ef8e74082bf98259696c5ea02999f31667f45b962aa690db675670700cfcbd3265b483a26b1bd8782c6a73966b58247fd20c4a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
86ab11a330bc43527bb9a7a27e6b71bd

SHA1
4238c33b8197b20a927f87b6de51d9dd343e6c7d

SHA256
25c0e1a3aa25291f0f6edfb616a42fadedaea844578814733e1431720c21ed2d

SHA512
a82a53ac5ccbcb69ff79f4d6f12ffe89d83d7bb99e382e782acc373d53ec8313c55348073ebfbc70b044c89903a8731ddaf66cc09e9565650ef4814e455e5506

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
86ab11a330bc43527bb9a7a27e6b71bd

SHA1
4238c33b8197b20a927f87b6de51d9dd343e6c7d

SHA256
25c0e1a3aa25291f0f6edfb616a42fadedaea844578814733e1431720c21ed2d

SHA512
a82a53ac5ccbcb69ff79f4d6f12ffe89d83d7bb99e382e782acc373d53ec8313c55348073ebfbc70b044c89903a8731ddaf66cc09e9565650ef4814e455e5506

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
0426f4269f3de8ffe4f85df9e8454b4b

SHA1
6fa3f292df8c849d10a21140f48d9d64d27870fe

SHA256
ee0a13f5d66a499fc53678ba0e4f55f769ecb8a883d90f6025cd62c7f4ddf0ad

SHA512
566b6711569011ac26294ff00ce8c06667b0dd387a89ef5e49847138ad5a25144f13a1f58bac763bc3d3d454f3ba068494e08b702f5d3e4005a5cb1feab54d02

Download Submit
\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
memory/268-69-0x000000006F2C0000-0x000000006F86B000-memory.dmp

Filesize
5.7MB

Download
memory/268-65-0x0000000000000000-mapping.dmp

Download
memory/268-105-0x0000000000000000-mapping.dmp

Download
memory/364-98-0x0000000000000000-mapping.dmp

Download
memory/568-82-0x0000000000000000-mapping.dmp

Download
memory/580-95-0x0000000000000000-mapping.dmp

Download
memory/608-81-0x0000000000000000-mapping.dmp

Download
memory/608-116-0x0000000000000000-mapping.dmp

Download
memory/776-121-0x0000000000000000-mapping.dmp

Download
memory/812-77-0x0000000000000000-mapping.dmp

Download
memory/864-85-0x0000000000000000-mapping.dmp

Download
memory/888-126-0x0000000000000000-mapping.dmp

Download
memory/948-57-0x0000000000000000-mapping.dmp

Download
memory/972-127-0x0000000000000000-mapping.dmp

Download
memory/1072-131-0x0000000000000000-mapping.dmp

Download
memory/1132-104-0x0000000000000000-mapping.dmp

Download
memory/1212-78-0x0000000000000000-mapping.dmp

Download
memory/1380-80-0x0000000000000000-mapping.dmp

Download
memory/1400-64-0x000000006F670000-0x000000006FC1B000-memory.dmp

Filesize
5.7MB

Download
memory/1400-60-0x0000000000000000-mapping.dmp

Download
memory/1468-75-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/1468-74-0x0000000001330000-0x000000000134A000-memory.dmp

Filesize
104KB

Download
memory/1468-71-0x0000000000000000-mapping.dmp

Download
memory/1480-83-0x0000000000000000-mapping.dmp

Download
memory/1508-87-0x0000000000000000-mapping.dmp

Download
memory/1528-90-0x0000000000000000-mapping.dmp

Download
memory/1552-99-0x0000000000000000-mapping.dmp

Download
memory/1588-110-0x0000000000000000-mapping.dmp

Download
memory/1592-89-0x0000000000000000-mapping.dmp

Download
memory/1612-56-0x0000000000000000-mapping.dmp

Download
memory/1628-120-0x0000000000000000-mapping.dmp

Download
memory/1632-84-0x0000000000000000-mapping.dmp

Download
memory/1668-88-0x0000000000000000-mapping.dmp

Download
memory/1680-125-0x0000000000000000-mapping.dmp

Download
memory/1692-122-0x0000000000000000-mapping.dmp

Download
memory/1716-61-0x000000006F570000-0x000000006FB1B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-58-0x0000000000000000-mapping.dmp

Download
memory/1728-111-0x0000000000000000-mapping.dmp

Download
memory/1728-86-0x0000000000000000-mapping.dmp

Download
memory/1736-112-0x0000000000000000-mapping.dmp

Download
memory/1740-132-0x0000000000000000-mapping.dmp

Download
memory/1756-97-0x0000000000000000-mapping.dmp

Download
memory/1768-130-0x0000000000000000-mapping.dmp

Download
memory/1780-94-0x0000000000000000-mapping.dmp

Download
memory/1788-91-0x0000000000000000-mapping.dmp

Download
memory/1800-54-0x0000000000A90000-0x0000000000A9A000-memory.dmp

Filesize
40KB

Download
memory/1800-55-0x0000000074E91000-0x0000000074E93000-memory.dmp

Filesize
8KB

Download
memory/1828-100-0x0000000000000000-mapping.dmp

Download
memory/1892-79-0x0000000000000000-mapping.dmp

Download
memory/1928-107-0x0000000000000000-mapping.dmp

Download
memory/1928-109-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/1964-96-0x0000000000000000-mapping.dmp

Download
memory/1980-117-0x0000000000000000-mapping.dmp

Download
memory/2004-92-0x0000000000000000-mapping.dmp

Download
memory/2028-115-0x0000000000000000-mapping.dmp

Download
memory/2044-93-0x0000000000000000-mapping.dmp

Download