xmrig | 26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725

Analysis

max time kernel
300s
max time network
197s
platform
windows10_x64
resource
win10-20220414-en
submitted
22-05-2022 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe
Size

63KB
MD5

d7cf93cdc74ec7ee635a0ab5ad0dd573
SHA1

88eb48930852beeec6d810967506ad4462329253
SHA256

26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725
SHA512

f158983b8cce0849c4947db54ce08519cb1aae1c8d00ac56c9b24bf988aceddd5842a2fbb34ae02c29d908b33e537fd7faeaeca6bc96d6710524d581f2bf9966

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 6 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

dllhost.exewinlogson.exewinlogson.exewinlogson.exewinlogson.exewinlogson.exewinlogson.exe

pid process

2816 dllhost.exe
4712 winlogson.exe
3916 winlogson.exe
4120 winlogson.exe
3888 winlogson.exe
220 winlogson.exe
4264 winlogson.exe

pid	process
2816	dllhost.exe
4712	winlogson.exe
3916	winlogson.exe
4120	winlogson.exe
3888	winlogson.exe
220	winlogson.exe
4264	winlogson.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4868 schtasks.exe
4908 schtasks.exe
4968 schtasks.exe

pid	process
4868	schtasks.exe
4908	schtasks.exe
4968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exedllhost.exepowershell.exe

pid	process
4520	powershell.exe
4520	powershell.exe
4520	powershell.exe
516	powershell.exe
516	powershell.exe
516	powershell.exe
2816	dllhost.exe
1884	powershell.exe
2816	dllhost.exe
1884	powershell.exe
1884	powershell.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe
2816	dllhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exe26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exepowershell.exedllhost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	920	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	2816	dllhost.exe
Token: SeDebugPrivilege	1884	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.execmd.exedllhost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 920 wrote to memory of 4252	920	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe	cmd.exe
PID 920 wrote to memory of 4252	920	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe	cmd.exe
PID 920 wrote to memory of 4252	920	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe	cmd.exe
PID 4252 wrote to memory of 4272	4252	cmd.exe	chcp.com
PID 4252 wrote to memory of 4272	4252	cmd.exe	chcp.com
PID 4252 wrote to memory of 4272	4252	cmd.exe	chcp.com
PID 4252 wrote to memory of 4520	4252	cmd.exe	powershell.exe
PID 4252 wrote to memory of 4520	4252	cmd.exe	powershell.exe
PID 4252 wrote to memory of 4520	4252	cmd.exe	powershell.exe
PID 4252 wrote to memory of 516	4252	cmd.exe	powershell.exe
PID 4252 wrote to memory of 516	4252	cmd.exe	powershell.exe
PID 4252 wrote to memory of 516	4252	cmd.exe	powershell.exe
PID 920 wrote to memory of 2816	920	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe	dllhost.exe
PID 920 wrote to memory of 2816	920	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe	dllhost.exe
PID 920 wrote to memory of 2816	920	26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe	dllhost.exe
PID 4252 wrote to memory of 1884	4252	cmd.exe	powershell.exe
PID 4252 wrote to memory of 1884	4252	cmd.exe	powershell.exe
PID 4252 wrote to memory of 1884	4252	cmd.exe	powershell.exe
PID 2816 wrote to memory of 656	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 656	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 656	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 784	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 784	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 784	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 4504	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 4504	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 4504	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 2532	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 2532	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 2532	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 4804	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 4804	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 4804	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 4240	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 4240	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 4240	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 704	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 704	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 704	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 1128	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 1128	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 1128	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 1288	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 1288	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 1288	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 1816	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 1816	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 1816	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 1704	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 1704	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 1704	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 4300	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 4300	2816	dllhost.exe	cmd.exe
PID 2816 wrote to memory of 4300	2816	dllhost.exe	cmd.exe
PID 656 wrote to memory of 4868	656	cmd.exe	schtasks.exe
PID 656 wrote to memory of 4868	656	cmd.exe	schtasks.exe
PID 656 wrote to memory of 4868	656	cmd.exe	schtasks.exe
PID 4240 wrote to memory of 4908	4240	cmd.exe	schtasks.exe
PID 4240 wrote to memory of 4908	4240	cmd.exe	schtasks.exe
PID 4240 wrote to memory of 4908	4240	cmd.exe	schtasks.exe
PID 1816 wrote to memory of 4968	1816	cmd.exe	schtasks.exe
PID 1816 wrote to memory of 4968	1816	cmd.exe	schtasks.exe
PID 1816 wrote to memory of 4968	1816	cmd.exe	schtasks.exe
PID 2816 wrote to memory of 5008	2816	dllhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe
"C:\Users\Admin\AppData\Local\Temp\26ef46e737087bf94204211d072b38b074d857389153b0dce16305efb05e3725.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
2⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:4272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4868

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:784

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4908

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7821" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk7878" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk7878" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4968

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk94" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2005" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:704

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:5008

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1288

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:4712

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:4476

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:5116

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:3916

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:3136

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:4784

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:4120

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:1344

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1816

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:3888

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:2216

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:2440

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:220

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:3936

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:3836

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
4⤵
- Executes dropped EXE
PID:4264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
0426f4269f3de8ffe4f85df9e8454b4b

SHA1
6fa3f292df8c849d10a21140f48d9d64d27870fe

SHA256
ee0a13f5d66a499fc53678ba0e4f55f769ecb8a883d90f6025cd62c7f4ddf0ad

SHA512
566b6711569011ac26294ff00ce8c06667b0dd387a89ef5e49847138ad5a25144f13a1f58bac763bc3d3d454f3ba068494e08b702f5d3e4005a5cb1feab54d02

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
0426f4269f3de8ffe4f85df9e8454b4b

SHA1
6fa3f292df8c849d10a21140f48d9d64d27870fe

SHA256
ee0a13f5d66a499fc53678ba0e4f55f769ecb8a883d90f6025cd62c7f4ddf0ad

SHA512
566b6711569011ac26294ff00ce8c06667b0dd387a89ef5e49847138ad5a25144f13a1f58bac763bc3d3d454f3ba068494e08b702f5d3e4005a5cb1feab54d02

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\HostData\logs.uce
Filesize
483B

MD5
f18199cca935101bc69f32237311cd21

SHA1
9a997db9963ac2a32284871dd61b3deebc98dc64

SHA256
287957d2a31213e87fc7df350ccb935cc66764605a61a66032539d6b08431cf1

SHA512
f6770230ec32f440a65f78e5670bb6b99b3fdcecc923a6d96da06e9586ab2953726601367f78d3d087ab0aea886c833463b429a740b985028daded3de1c78606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
7a04838bb344c245cf6eb330e05877b4

SHA1
2863cb6a19e26de50480749793ebaaa38936e8c5

SHA256
6f51bc89b4274e0b08dabf3efcc955c34389c8bdaf0dbd4ff4ad442b795528b7

SHA512
54b5c07bc1692767670bc0b888328b0bbdc2c13087f8055e7a4df66ff8c76aff166726749a00286b63ad49c443779c9555f08b7b1210db4a60cc0f02a0936a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
58fa70bb0c1d6f297e57f30be575b813

SHA1
b1a0d5e3a54186c49eac92a87b1970b2e0b2817a

SHA256
a56256192c27a060793b6d2e828dd54ddd19636a96a60190ec8a558d9a8c054c

SHA512
e0649d99478bc49f67c9d4b31977600db17be815615fdb3d48c16930852448af0b553a0f2360399abfc53eee87c55b8ce925c0b0007e7e5c9cfe1d24a32f03d3

Download Submit
memory/220-1499-0x0000000000000000-mapping.dmp

Download
memory/516-541-0x0000000000000000-mapping.dmp

Download
memory/656-942-0x0000000000000000-mapping.dmp

Download
memory/704-968-0x0000000000000000-mapping.dmp

Download
memory/784-944-0x0000000000000000-mapping.dmp

Download
memory/920-158-0x00000000030F0000-0x00000000030F6000-memory.dmp

Filesize
24KB

Download
memory/920-168-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-137-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-138-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-139-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-140-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-141-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-142-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-143-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-144-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-145-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-146-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-147-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-148-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-149-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-150-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-151-0x0000000000DF0000-0x0000000000E06000-memory.dmp

Filesize
88KB

Download
memory/920-152-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-153-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-154-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-155-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-156-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-157-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-135-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-159-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-160-0x0000000009FC0000-0x000000000A4BE000-memory.dmp

Filesize
5.0MB

Download
memory/920-161-0x00000000057E0000-0x0000000005872000-memory.dmp

Filesize
584KB

Download
memory/920-162-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-163-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-164-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-165-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-166-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-167-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-136-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-169-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-170-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-171-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-172-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-173-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-174-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-175-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-176-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-177-0x0000000005610000-0x000000000561A000-memory.dmp

Filesize
40KB

Download
memory/920-178-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/920-134-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-133-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-132-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-127-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-119-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-131-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-130-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-129-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-120-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-128-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-126-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-125-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-121-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-118-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-122-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-124-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/920-123-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/1128-972-0x0000000000000000-mapping.dmp

Download
memory/1288-977-0x0000000000000000-mapping.dmp

Download
memory/1288-1422-0x0000000000000000-mapping.dmp

Download
memory/1344-1468-0x0000000000000000-mapping.dmp

Download
memory/1704-989-0x0000000000000000-mapping.dmp

Download
memory/1816-1474-0x0000000000000000-mapping.dmp

Download
memory/1816-982-0x0000000000000000-mapping.dmp

Download
memory/1884-1154-0x0000000009550000-0x00000000095F5000-memory.dmp

Filesize
660KB

Download
memory/1884-889-0x0000000000000000-mapping.dmp

Download
memory/1884-1105-0x0000000008620000-0x000000000866B000-memory.dmp

Filesize
300KB

Download
memory/2216-1485-0x0000000000000000-mapping.dmp

Download
memory/2440-1491-0x0000000000000000-mapping.dmp

Download
memory/2532-952-0x0000000000000000-mapping.dmp

Download
memory/2816-905-0x0000000005310000-0x0000000005316000-memory.dmp

Filesize
24KB

Download
memory/2816-844-0x0000000000000000-mapping.dmp

Download
memory/2816-888-0x0000000000B80000-0x0000000000B9A000-memory.dmp

Filesize
104KB

Download
memory/3136-1451-0x0000000000000000-mapping.dmp

Download
memory/3836-1508-0x0000000000000000-mapping.dmp

Download
memory/3888-1482-0x0000000000000000-mapping.dmp

Download
memory/3916-1448-0x0000000000000000-mapping.dmp

Download
memory/3936-1502-0x0000000000000000-mapping.dmp

Download
memory/4120-1465-0x0000000000000000-mapping.dmp

Download
memory/4240-962-0x0000000000000000-mapping.dmp

Download
memory/4252-181-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/4252-184-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/4252-183-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/4252-182-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/4252-180-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/4252-179-0x0000000000000000-mapping.dmp

Download
memory/4264-1516-0x0000000000000000-mapping.dmp

Download
memory/4272-188-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-187-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-185-0x0000000000000000-mapping.dmp

Download
memory/4272-189-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-186-0x0000000077010000-0x000000007719E000-memory.dmp

Filesize
1.6MB

Download
memory/4300-997-0x0000000000000000-mapping.dmp

Download
memory/4476-1434-0x0000000000000000-mapping.dmp

Download
memory/4504-947-0x0000000000000000-mapping.dmp

Download
memory/4520-265-0x0000000008840000-0x000000000888B000-memory.dmp

Filesize
300KB

Download
memory/4520-193-0x0000000000000000-mapping.dmp

Download
memory/4520-253-0x0000000007C30000-0x0000000007C52000-memory.dmp

Filesize
136KB

Download
memory/4520-518-0x0000000009A10000-0x0000000009A2A000-memory.dmp

Filesize
104KB

Download
memory/4520-523-0x0000000009A00000-0x0000000009A08000-memory.dmp

Filesize
32KB

Download
memory/4520-229-0x0000000004BA0000-0x0000000004BD6000-memory.dmp

Filesize
216KB

Download
memory/4520-302-0x0000000009560000-0x000000000957E000-memory.dmp

Filesize
120KB

Download
memory/4520-301-0x0000000009580000-0x00000000095B3000-memory.dmp

Filesize
204KB

Download
memory/4520-278-0x00000000086C0000-0x0000000008736000-memory.dmp

Filesize
472KB

Download
memory/4520-264-0x0000000007E30000-0x0000000007E4C000-memory.dmp

Filesize
112KB

Download
memory/4520-311-0x00000000095D0000-0x0000000009675000-memory.dmp

Filesize
660KB

Download
memory/4520-315-0x0000000009A70000-0x0000000009B04000-memory.dmp

Filesize
592KB

Download
memory/4520-234-0x00000000075D0000-0x0000000007BF8000-memory.dmp

Filesize
6.2MB

Download
memory/4520-254-0x0000000007CD0000-0x0000000007D36000-memory.dmp

Filesize
408KB

Download
memory/4520-255-0x0000000008030000-0x0000000008380000-memory.dmp

Filesize
3.3MB

Download
memory/4712-1431-0x0000000000000000-mapping.dmp

Download
memory/4784-1457-0x0000000000000000-mapping.dmp

Download
memory/4804-957-0x0000000000000000-mapping.dmp

Download
memory/4868-1034-0x0000000000000000-mapping.dmp

Download
memory/4908-1041-0x0000000000000000-mapping.dmp

Download
memory/4968-1047-0x0000000000000000-mapping.dmp

Download
memory/5008-1416-0x0000000000000000-mapping.dmp

Download
memory/5116-1440-0x0000000000000000-mapping.dmp

Download