xmrig | 78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c

Analysis

max time kernel
300s
max time network
257s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-09-2022 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c.exe
Size

72KB
MD5

077d5c3447d5e03cd4ad1bb68033ec03
SHA1

290b6cce8788511265be31c2fbe4739fe9fc2132
SHA256

78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c
SHA512

4efad46544565ac336594a8c14add1657ad202afe225e50afb566e8922d0d356ff60e1b0e2061ffd6ec238c1657ded38428294e0886ec7feb9231e84228cf1a6
SSDEEP

1536:etLdc+ExFESZwrNqYkHDceTJwD4CTG/7owsbhr4BLeWD1ME:etLdcgLrNILJwD4CTm2bhr4BLeWRV

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

dllhost.exewinlogson.exe

pid process

3316 dllhost.exe
5068 winlogson.exe

pid	process
3316	dllhost.exe
5068	winlogson.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4448 schtasks.exe
4884 schtasks.exe
4104 schtasks.exe
584 schtasks.exe
2520 schtasks.exe
3220 schtasks.exe
1316 schtasks.exe

pid	process
4448	schtasks.exe
4884	schtasks.exe
4104	schtasks.exe
584	schtasks.exe
2520	schtasks.exe
3220	schtasks.exe
1316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c.exepowershell.exepowershell.exepowershell.exedllhost.exe

pid	process
4248	78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
4604	powershell.exe
4604	powershell.exe
4604	powershell.exe
4668	powershell.exe
4668	powershell.exe
4668	powershell.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe
3316	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

624

pid	process
624

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c.exepowershell.exepowershell.exepowershell.exedllhost.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	4248	78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	3316	dllhost.exe
Token: SeLockMemoryPrivilege	5068	winlogson.exe
Token: SeLockMemoryPrivilege	5068	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

5068 winlogson.exe

pid	process
5068	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c.execmd.exedllhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4248 wrote to memory of 3688	4248	78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c.exe	cmd.exe
PID 4248 wrote to memory of 3688	4248	78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c.exe	cmd.exe
PID 4248 wrote to memory of 3688	4248	78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c.exe	cmd.exe
PID 3688 wrote to memory of 1004	3688	cmd.exe	chcp.com
PID 3688 wrote to memory of 1004	3688	cmd.exe	chcp.com
PID 3688 wrote to memory of 1004	3688	cmd.exe	chcp.com
PID 3688 wrote to memory of 4052	3688	cmd.exe	powershell.exe
PID 3688 wrote to memory of 4052	3688	cmd.exe	powershell.exe
PID 3688 wrote to memory of 4052	3688	cmd.exe	powershell.exe
PID 3688 wrote to memory of 4604	3688	cmd.exe	powershell.exe
PID 3688 wrote to memory of 4604	3688	cmd.exe	powershell.exe
PID 3688 wrote to memory of 4604	3688	cmd.exe	powershell.exe
PID 3688 wrote to memory of 4668	3688	cmd.exe	powershell.exe
PID 3688 wrote to memory of 4668	3688	cmd.exe	powershell.exe
PID 3688 wrote to memory of 4668	3688	cmd.exe	powershell.exe
PID 4248 wrote to memory of 3316	4248	78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c.exe	dllhost.exe
PID 4248 wrote to memory of 3316	4248	78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c.exe	dllhost.exe
PID 4248 wrote to memory of 3316	4248	78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c.exe	dllhost.exe
PID 3316 wrote to memory of 2512	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 2512	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 2512	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 2440	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 2440	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 2440	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 2624	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 2624	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 2624	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 1208	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 1208	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 1208	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 2500	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 2500	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 2500	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 4980	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 4980	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 4980	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 3744	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 3744	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 3744	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 2820	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 2820	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 2820	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 4996	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 4996	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 4996	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 4416	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 4416	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 4416	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 4688	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 4688	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 4688	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 1728	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 1728	3316	dllhost.exe	cmd.exe
PID 3316 wrote to memory of 1728	3316	dllhost.exe	cmd.exe
PID 2440 wrote to memory of 4448	2440	cmd.exe	schtasks.exe
PID 2440 wrote to memory of 4448	2440	cmd.exe	schtasks.exe
PID 2440 wrote to memory of 4448	2440	cmd.exe	schtasks.exe
PID 2820 wrote to memory of 1316	2820	cmd.exe	schtasks.exe
PID 2820 wrote to memory of 1316	2820	cmd.exe	schtasks.exe
PID 2820 wrote to memory of 1316	2820	cmd.exe	schtasks.exe
PID 4996 wrote to memory of 3220	4996	cmd.exe	schtasks.exe
PID 4996 wrote to memory of 3220	4996	cmd.exe	schtasks.exe
PID 4996 wrote to memory of 3220	4996	cmd.exe	schtasks.exe
PID 2624 wrote to memory of 2520	2624	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c.exe
"C:\Users\Admin\AppData\Local\Temp\78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
2⤵
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1208

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4884

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1316

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk8632" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1277" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7262" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk87" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
3⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
3⤵
PID:1968

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5068

C:\Windows\SysWOW64\chcp.com
chcp 1251
1⤵
PID:1004

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:4448

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:4104

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:584

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:2520

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk87" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:3220

C:\Windows\SysWOW64\chcp.com
chcp 1251
1⤵
PID:4424

C:\Windows\SysWOW64\chcp.com
chcp 1251
1⤵
PID:4496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
55c37445d312c77f534f4797f1034248

SHA1
06ca76148e27fed0db2328a52538f261265ad311

SHA256
8783d5a7a4510df0798adf05fc09b2ebf65c9966f34425ba8642e1c843d2d050

SHA512
c620d684ecac2f5a2ed37442de00e4b50f30cf2d132ad940b7091e96c033e47fd3d5ad93f7a3a00289fc4f5c381fbec510541170a3341db8e88425a8d6eb4f34

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
55c37445d312c77f534f4797f1034248

SHA1
06ca76148e27fed0db2328a52538f261265ad311

SHA256
8783d5a7a4510df0798adf05fc09b2ebf65c9966f34425ba8642e1c843d2d050

SHA512
c620d684ecac2f5a2ed37442de00e4b50f30cf2d132ad940b7091e96c033e47fd3d5ad93f7a3a00289fc4f5c381fbec510541170a3341db8e88425a8d6eb4f34

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\SystemFiles\config.json
Filesize
309B

MD5
c0aeb1145af5a17a7cbaca85fcb7dcaf

SHA1
cbe5614df4ef98ea402d82e7c2cd9e1a5d5c1c13

SHA256
98c7da9871a8aecede542ebbad398a65b7b46b9356dc0354c3d7c70be7b9a5dc

SHA512
2d7ed7c953d32eba0a089be0303fadf4096124d40ecf175c9296f272ec21ff3a212a22e1d7fad530e0ae2b9a4575defbc9b10e1da24cdcdda7899ec1d7c027c4

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin
Filesize
1KB

MD5
b555c3646387dfb63d731d105d489ee5

SHA1
96c19c4871de6e7f3c89c6ae5353193ce72677af

SHA256
3b3a3c5b6f45dccaacaab7c50a3ecc5bdf440c9c99240108ebdb5dd46a4c7447

SHA512
0547ef1c1436b66feaeeb80fc36d215ad34ad6cd23a061336db4cb91607e43ae8cd1452a1fa11709e9bdf061daaae3fa40c6a1644e6374c67c89926ca3309a47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
34c09eff1f3e3727e4b3e1afb629e8d0

SHA1
c6cfda095a10e5b979b01b40af887d8b6e553c47

SHA256
90eff294377543afe6b63e451cf265a921e33a3ffd7691f91c7a99dadb5d6c46

SHA512
f6ccc6aad2c7d9abc3fad80e61e670292e2ed426a3107d7154a1f6a8ed7d7c206df66de8e4ae89154444d0d2c553eb361f93f2343c8f5766114a37c7691d6995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d349c335686feae92e32f193fca18404

SHA1
feb992c0c76ef49858622105fc8520d1d98a8a97

SHA256
3cb43e6ac4372f5780f4bb194be9445c8aa96621bbc309077395258234ffcb15

SHA512
d820689ddac7e1aef0c0ffb9c2363b9524f890bfc10daf459ded4d4117e37314d26bd38c124858a9395f611b3f0c47372a56fc5db0788936b604700fede35a49

Download Submit
memory/584-1291-0x0000000000000000-mapping.dmp

Download
memory/1004-197-0x0000000000000000-mapping.dmp

Download
memory/1208-1160-0x0000000000000000-mapping.dmp

Download
memory/1316-1260-0x0000000000000000-mapping.dmp

Download
memory/1728-1209-0x0000000000000000-mapping.dmp

Download
memory/1968-1482-0x0000000000000000-mapping.dmp

Download
memory/2440-1154-0x0000000000000000-mapping.dmp

Download
memory/2500-1166-0x0000000000000000-mapping.dmp

Download
memory/2512-1152-0x0000000000000000-mapping.dmp

Download
memory/2520-1266-0x0000000000000000-mapping.dmp

Download
memory/2596-1442-0x0000000000000000-mapping.dmp

Download
memory/2624-1156-0x0000000000000000-mapping.dmp

Download
memory/2820-1182-0x0000000000000000-mapping.dmp

Download
memory/3220-1262-0x0000000000000000-mapping.dmp

Download
memory/3316-1085-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/3316-1103-0x0000000000A50000-0x0000000000A56000-memory.dmp

Filesize
24KB

Download
memory/3316-1025-0x0000000000000000-mapping.dmp

Download
memory/3688-191-0x0000000000000000-mapping.dmp

Download
memory/3744-1177-0x0000000000000000-mapping.dmp

Download
memory/4052-300-0x0000000009030000-0x00000000090D5000-memory.dmp

Filesize
660KB

Download
memory/4052-271-0x0000000008320000-0x000000000836B000-memory.dmp

Filesize
300KB

Download
memory/4052-316-0x00000000094E0000-0x0000000009574000-memory.dmp

Filesize
592KB

Download
memory/4052-534-0x0000000009480000-0x0000000009488000-memory.dmp

Filesize
32KB

Download
memory/4052-289-0x0000000008FD0000-0x0000000008FEE000-memory.dmp

Filesize
120KB

Download
memory/4052-288-0x0000000008FF0000-0x0000000009023000-memory.dmp

Filesize
204KB

Download
memory/4052-275-0x00000000080C0000-0x0000000008136000-memory.dmp

Filesize
472KB

Download
memory/4052-529-0x0000000009490000-0x00000000094AA000-memory.dmp

Filesize
104KB

Download
memory/4052-270-0x0000000007890000-0x00000000078AC000-memory.dmp

Filesize
112KB

Download
memory/4052-267-0x0000000007900000-0x0000000007C50000-memory.dmp

Filesize
3.3MB

Download
memory/4052-265-0x0000000007100000-0x0000000007166000-memory.dmp

Filesize
408KB

Download
memory/4052-261-0x0000000006F60000-0x0000000006F82000-memory.dmp

Filesize
136KB

Download
memory/4052-246-0x0000000007190000-0x00000000077B8000-memory.dmp

Filesize
6.2MB

Download
memory/4052-241-0x0000000001190000-0x00000000011C6000-memory.dmp

Filesize
216KB

Download
memory/4052-205-0x0000000000000000-mapping.dmp

Download
memory/4104-1276-0x0000000000000000-mapping.dmp

Download
memory/4248-152-0x0000000000100000-0x0000000000118000-memory.dmp

Filesize
96KB

Download
memory/4248-148-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-165-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-166-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-169-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-168-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-171-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-170-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-167-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-172-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-173-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-174-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-175-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-177-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-176-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-178-0x0000000009EF0000-0x0000000009EFA000-memory.dmp

Filesize
40KB

Download
memory/4248-179-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-180-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-181-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-182-0x000000000C1D0000-0x000000000C236000-memory.dmp

Filesize
408KB

Download
memory/4248-183-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-185-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-184-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-186-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-187-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-188-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-164-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-162-0x0000000009E50000-0x0000000009EE2000-memory.dmp

Filesize
584KB

Download
memory/4248-161-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-160-0x000000000A270000-0x000000000A76E000-memory.dmp

Filesize
5.0MB

Download
memory/4248-159-0x0000000002400000-0x0000000002406000-memory.dmp

Filesize
24KB

Download
memory/4248-158-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-157-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-156-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-155-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-154-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-153-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-151-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-119-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-150-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-149-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-163-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-146-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-120-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-147-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-144-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-121-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-145-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-143-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-142-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-141-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-140-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-139-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-138-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-137-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-136-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-135-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-122-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-134-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-133-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-123-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-132-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-131-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-124-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-130-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-129-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-128-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-127-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-125-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4248-126-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-1195-0x0000000000000000-mapping.dmp

Download
memory/4424-1448-0x0000000000000000-mapping.dmp

Download
memory/4448-1250-0x0000000000000000-mapping.dmp

Download
memory/4496-1488-0x0000000000000000-mapping.dmp

Download
memory/4604-552-0x0000000000000000-mapping.dmp

Download
memory/4668-863-0x0000000000000000-mapping.dmp

Download
memory/4688-1202-0x0000000000000000-mapping.dmp

Download
memory/4884-1267-0x0000000000000000-mapping.dmp

Download
memory/4980-1171-0x0000000000000000-mapping.dmp

Download
memory/4996-1189-0x0000000000000000-mapping.dmp

Download
memory/5068-1497-0x0000000000000000-mapping.dmp

Download
memory/5068-1502-0x000001CF78B60000-0x000001CF78BA0000-memory.dmp

Filesize
256KB

Download
memory/5068-1503-0x000001CF78B20000-0x000001CF78B40000-memory.dmp

Filesize
128KB

Download
memory/5068-1504-0x000001CF78B20000-0x000001CF78B40000-memory.dmp

Filesize
128KB

Download