xmrig | 5a2bd9fbb6c7cfde9dbdd52697478996129a8e7cd580f094afe747941d259718

Analysis

max time kernel
300s
max time network
283s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-09-2022 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a2bd9fbb6c7cfde9dbdd52697478996129a8e7cd580f094afe747941d259718.exe
Size

56KB
MD5

2ccf48338071a18c1a7377bf30831c8c
SHA1

31acd7880c6c73fe496574d082cb3a35ab1086f0
SHA256

5a2bd9fbb6c7cfde9dbdd52697478996129a8e7cd580f094afe747941d259718
SHA512

d17c486cd6ba7d66e1fb2e74e6316c61dd2c999a2dfbcb4628966ed7c6afe70d29dc43da450063b4ba046582d420ff0fc8a3a0d9da114a2536739d463a59c75d
SSDEEP

768:5d/ENsRzJS7M6Yh3VaXBM6oeeNfHR0aaCWnhxbgT88KeebHaqQRMJx3M:EeeM6Yho/oeentaCWLbgozOqQ48

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

dllhost.exewinlogson.exe

pid process

3028 dllhost.exe
4416 winlogson.exe

pid	process
3028	dllhost.exe
4416	winlogson.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4280 schtasks.exe
4880 schtasks.exe
4192 schtasks.exe
4776 schtasks.exe
3528 schtasks.exe
1892 schtasks.exe
1700 schtasks.exe
3936 schtasks.exe

pid	process
4280	schtasks.exe
4880	schtasks.exe
4192	schtasks.exe
4776	schtasks.exe
3528	schtasks.exe
1892	schtasks.exe
1700	schtasks.exe
3936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5a2bd9fbb6c7cfde9dbdd52697478996129a8e7cd580f094afe747941d259718.exepowershell.exepowershell.exepowershell.exedllhost.exe

pid	process
1776	5a2bd9fbb6c7cfde9dbdd52697478996129a8e7cd580f094afe747941d259718.exe
1876	powershell.exe
1876	powershell.exe
1876	powershell.exe
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
4812	powershell.exe
4812	powershell.exe
4812	powershell.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe
3028	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

616

pid	process
616

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

5a2bd9fbb6c7cfde9dbdd52697478996129a8e7cd580f094afe747941d259718.exepowershell.exepowershell.exepowershell.exedllhost.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	1776	5a2bd9fbb6c7cfde9dbdd52697478996129a8e7cd580f094afe747941d259718.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	3028	dllhost.exe
Token: SeLockMemoryPrivilege	4416	winlogson.exe
Token: SeLockMemoryPrivilege	4416	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

4416 winlogson.exe

pid	process
4416	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5a2bd9fbb6c7cfde9dbdd52697478996129a8e7cd580f094afe747941d259718.execmd.exedllhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1776 wrote to memory of 4860	1776	5a2bd9fbb6c7cfde9dbdd52697478996129a8e7cd580f094afe747941d259718.exe	cmd.exe
PID 1776 wrote to memory of 4860	1776	5a2bd9fbb6c7cfde9dbdd52697478996129a8e7cd580f094afe747941d259718.exe	cmd.exe
PID 1776 wrote to memory of 4860	1776	5a2bd9fbb6c7cfde9dbdd52697478996129a8e7cd580f094afe747941d259718.exe	cmd.exe
PID 4860 wrote to memory of 4896	4860	cmd.exe	chcp.com
PID 4860 wrote to memory of 4896	4860	cmd.exe	chcp.com
PID 4860 wrote to memory of 4896	4860	cmd.exe	chcp.com
PID 4860 wrote to memory of 1876	4860	cmd.exe	powershell.exe
PID 4860 wrote to memory of 1876	4860	cmd.exe	powershell.exe
PID 4860 wrote to memory of 1876	4860	cmd.exe	powershell.exe
PID 4860 wrote to memory of 3508	4860	cmd.exe	powershell.exe
PID 4860 wrote to memory of 3508	4860	cmd.exe	powershell.exe
PID 4860 wrote to memory of 3508	4860	cmd.exe	powershell.exe
PID 4860 wrote to memory of 4812	4860	cmd.exe	powershell.exe
PID 4860 wrote to memory of 4812	4860	cmd.exe	powershell.exe
PID 4860 wrote to memory of 4812	4860	cmd.exe	powershell.exe
PID 1776 wrote to memory of 3028	1776	5a2bd9fbb6c7cfde9dbdd52697478996129a8e7cd580f094afe747941d259718.exe	dllhost.exe
PID 1776 wrote to memory of 3028	1776	5a2bd9fbb6c7cfde9dbdd52697478996129a8e7cd580f094afe747941d259718.exe	dllhost.exe
PID 1776 wrote to memory of 3028	1776	5a2bd9fbb6c7cfde9dbdd52697478996129a8e7cd580f094afe747941d259718.exe	dllhost.exe
PID 3028 wrote to memory of 2132	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 2132	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 2132	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 3312	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 3312	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 3312	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 160	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 160	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 160	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 208	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 208	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 208	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 2280	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 2280	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 2280	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 896	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 896	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 896	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 2256	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 2256	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 2256	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 2496	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 2496	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 2496	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 3044	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 3044	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 3044	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 2756	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 2756	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 2756	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 4180	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 4180	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 4180	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 4716	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 4716	3028	dllhost.exe	cmd.exe
PID 3028 wrote to memory of 4716	3028	dllhost.exe	cmd.exe
PID 4180 wrote to memory of 4880	4180	cmd.exe	schtasks.exe
PID 4180 wrote to memory of 4880	4180	cmd.exe	schtasks.exe
PID 4180 wrote to memory of 4880	4180	cmd.exe	schtasks.exe
PID 2132 wrote to memory of 4192	2132	cmd.exe	schtasks.exe
PID 2132 wrote to memory of 4192	2132	cmd.exe	schtasks.exe
PID 2132 wrote to memory of 4192	2132	cmd.exe	schtasks.exe
PID 3312 wrote to memory of 4280	3312	cmd.exe	schtasks.exe
PID 3312 wrote to memory of 4280	3312	cmd.exe	schtasks.exe
PID 3312 wrote to memory of 4280	3312	cmd.exe	schtasks.exe
PID 2256 wrote to memory of 4776	2256	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5a2bd9fbb6c7cfde9dbdd52697478996129a8e7cd580f094afe747941d259718.exe
"C:\Users\Admin\AppData\Local\Temp\5a2bd9fbb6c7cfde9dbdd52697478996129a8e7cd580f094afe747941d259718.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
2⤵
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4192

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:208

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:3528

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:896

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1700

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk9629" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:3044

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk9629" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:3936

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9300" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk4831" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk4831" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4880

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk2236" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
3⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:160

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
3⤵
PID:216

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:3756

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4416

C:\Windows\SysWOW64\chcp.com
chcp 1251
1⤵
PID:4896

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:4776

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:1892

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:4280

C:\Windows\SysWOW64\chcp.com
chcp 1251
1⤵
PID:4260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
61KB

MD5
d5a003e50c058f6474915597fe27bfea

SHA1
715a1a2b9d1ba6c886d2039089b94e96ea8bb687

SHA256
a3a9409c768e578c2beb391daf4e0fb697031be3942aff8402624cce659fcb07

SHA512
af591a1bc6e26d625f328f5d45ea31ce0e04b55b6d9ca614cd811c555a7defddbabaac48599e54ead0f9c46b3e33e7bae5c6013881daf560b4369f1f214499a5

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
61KB

MD5
d5a003e50c058f6474915597fe27bfea

SHA1
715a1a2b9d1ba6c886d2039089b94e96ea8bb687

SHA256
a3a9409c768e578c2beb391daf4e0fb697031be3942aff8402624cce659fcb07

SHA512
af591a1bc6e26d625f328f5d45ea31ce0e04b55b6d9ca614cd811c555a7defddbabaac48599e54ead0f9c46b3e33e7bae5c6013881daf560b4369f1f214499a5

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\SystemFiles\config.json
Filesize
311B

MD5
f21bbbb8b322471c41bd9c440c21d0b8

SHA1
afc98f3558d0ab91417337d42afff2fc0ac3839c

SHA256
5b50e71df866db99b2e63e91ca443f93e3382d1688e419c3a0c18b81425257e3

SHA512
4f73c879cb0adf1388ee39bb80582860ca250088412e67e45c231403a5899c6f2ccc00567454127eb2472ebe757420574d5716c41feae4eed474759ff073f173

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin
Filesize
1KB

MD5
b2709bd7718f19e9dd4b2d1023fcc270

SHA1
d3dd2e8a3c0084998b4aca5d8e922b12b9108805

SHA256
33253eb25befb2899c1b952c9452b45b22f447286151f599b2e569485a5799ad

SHA512
34a225d8f91f16287389a95011be8b290f8e437681d6e534d9a4d1a5916ef690169f2127eba1d86afe3ec3027a67ec82db11e926c09d83a18b89ee059ffcfe9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
15b9116b0b389fdb97d582f64f978650

SHA1
ff173b1736d2801f17c65f25d8d3f8fa0094a622

SHA256
a218a675e2cf9de98a8cee51ff2922ca1f4ce80fe94af913b41c857e18a60ea9

SHA512
bed8fbc27d2f6e09b558350bfbb68d4f6758918b68b37a3d6485eac8881c3e2937dbf0db8a957e36e60acb7794758fc25c4b6952f3c2513930a09922f62601a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
556b689747f9fc6db0deaa1e3bdecab7

SHA1
f9f646e903381607522e90b800d19d209ccf6902

SHA256
ddf5694dab163d6fb4dd180cccdac30a5f856e32dbd15e14254eef156d91d99f

SHA512
5cf473af83f81fc005fc0ad1ab007bfe8c3e4ac81300e2ced0f65f2bdf36d803922eeefcef9476791bbfb2f44ebbcd670be1dd82ef7898d647a672f413b1d737

Download Submit
memory/160-1085-0x0000000000000000-mapping.dmp

Download
memory/208-1089-0x0000000000000000-mapping.dmp

Download
memory/216-1489-0x0000000000000000-mapping.dmp

Download
memory/896-1098-0x0000000000000000-mapping.dmp

Download
memory/1700-1190-0x0000000000000000-mapping.dmp

Download
memory/1776-180-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-121-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-117-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-138-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-137-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-136-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-134-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-140-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-141-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-142-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-139-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-143-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-144-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-133-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-131-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-145-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-146-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-147-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-149-0x0000000000160000-0x0000000000174000-memory.dmp

Filesize
80KB

Download
memory/1776-150-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-151-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-148-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-152-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-153-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-154-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-155-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-156-0x00000000024A0000-0x00000000024A6000-memory.dmp

Filesize
24KB

Download
memory/1776-157-0x000000000A360000-0x000000000A85E000-memory.dmp

Filesize
5.0MB

Download
memory/1776-158-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-159-0x0000000009F00000-0x0000000009F92000-memory.dmp

Filesize
584KB

Download
memory/1776-161-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-160-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-162-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-164-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-163-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-167-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-168-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-166-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-165-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-169-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-171-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-170-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-172-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-173-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-174-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-175-0x0000000009EB0000-0x0000000009EBA000-memory.dmp

Filesize
40KB

Download
memory/1776-176-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-177-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-178-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-179-0x000000000C1C0000-0x000000000C226000-memory.dmp

Filesize
408KB

Download
memory/1776-116-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-181-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-182-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-183-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-184-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-185-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-135-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-120-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-132-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-123-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-122-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-119-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-125-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-126-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-127-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-124-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-128-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-129-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-118-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-130-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1876-268-0x0000000008580000-0x00000000085CB000-memory.dmp

Filesize
300KB

Download
memory/1876-531-0x0000000007400000-0x0000000007408000-memory.dmp

Filesize
32KB

Download
memory/1876-319-0x0000000009C90000-0x0000000009D24000-memory.dmp

Filesize
592KB

Download
memory/1876-263-0x0000000007E90000-0x0000000007EF6000-memory.dmp

Filesize
408KB

Download
memory/1876-310-0x0000000009790000-0x0000000009835000-memory.dmp

Filesize
660KB

Download
memory/1876-294-0x0000000009710000-0x000000000972E000-memory.dmp

Filesize
120KB

Download
memory/1876-238-0x00000000070E0000-0x0000000007116000-memory.dmp

Filesize
216KB

Download
memory/1876-292-0x0000000009730000-0x0000000009763000-memory.dmp

Filesize
204KB

Download
memory/1876-202-0x0000000000000000-mapping.dmp

Download
memory/1876-272-0x0000000008800000-0x0000000008876000-memory.dmp

Filesize
472KB

Download
memory/1876-261-0x0000000007DF0000-0x0000000007E12000-memory.dmp

Filesize
136KB

Download
memory/1876-526-0x0000000009C10000-0x0000000009C2A000-memory.dmp

Filesize
104KB

Download
memory/1876-243-0x0000000007750000-0x0000000007D78000-memory.dmp

Filesize
6.2MB

Download
memory/1876-264-0x0000000008230000-0x0000000008580000-memory.dmp

Filesize
3.3MB

Download
memory/1876-267-0x0000000008030000-0x000000000804C000-memory.dmp

Filesize
112KB

Download
memory/1892-1173-0x0000000000000000-mapping.dmp

Download
memory/2132-1081-0x0000000000000000-mapping.dmp

Download
memory/2256-1103-0x0000000000000000-mapping.dmp

Download
memory/2280-1093-0x0000000000000000-mapping.dmp

Download
memory/2496-1108-0x0000000000000000-mapping.dmp

Download
memory/2704-1448-0x0000000000000000-mapping.dmp

Download
memory/2756-1118-0x0000000000000000-mapping.dmp

Download
memory/3028-1017-0x0000000000810000-0x0000000000826000-memory.dmp

Filesize
88KB

Download
memory/3028-1034-0x0000000004FA0000-0x0000000004FA6000-memory.dmp

Filesize
24KB

Download
memory/3028-1462-0x0000000002940000-0x000000000294A000-memory.dmp

Filesize
40KB

Download
memory/3028-947-0x0000000000000000-mapping.dmp

Download
memory/3044-1114-0x0000000000000000-mapping.dmp

Download
memory/3312-1083-0x0000000000000000-mapping.dmp

Download
memory/3508-549-0x0000000000000000-mapping.dmp

Download
memory/3528-1168-0x0000000000000000-mapping.dmp

Download
memory/3756-1495-0x0000000000000000-mapping.dmp

Download
memory/3936-1196-0x0000000000000000-mapping.dmp

Download
memory/4180-1124-0x0000000000000000-mapping.dmp

Download
memory/4192-1154-0x0000000000000000-mapping.dmp

Download
memory/4260-1454-0x0000000000000000-mapping.dmp

Download
memory/4280-1159-0x0000000000000000-mapping.dmp

Download
memory/4416-1510-0x000001EADD310000-0x000001EADD330000-memory.dmp

Filesize
128KB

Download
memory/4416-1504-0x0000000000000000-mapping.dmp

Download
memory/4416-1509-0x000001EB70D00000-0x000001EB70D40000-memory.dmp

Filesize
256KB

Download
memory/4416-1511-0x000001EADD310000-0x000001EADD330000-memory.dmp

Filesize
128KB

Download
memory/4716-1130-0x0000000000000000-mapping.dmp

Download
memory/4776-1163-0x0000000000000000-mapping.dmp

Download
memory/4812-860-0x0000000000000000-mapping.dmp

Download
memory/4860-188-0x0000000000000000-mapping.dmp

Download
memory/4880-1153-0x0000000000000000-mapping.dmp

Download
memory/4896-194-0x0000000000000000-mapping.dmp

Download