xmrig | fdd5608a073b30d1b875dec0de277613e2627e5b4ec6b17c225d1df5575eabc1

Analysis

max time kernel
308s
max time network
303s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-09-2022 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdd5608a073b30d1b875dec0de277613e2627e5b4ec6b17c225d1df5575eabc1.exe
Size

56KB
MD5

a9403e3c4f99efb04d7ca8482a5fbcb5
SHA1

a37ae8c765a55a9b1ff1b52588bd5c1a8d422c28
SHA256

fdd5608a073b30d1b875dec0de277613e2627e5b4ec6b17c225d1df5575eabc1
SHA512

b54c4c7c9af2183d1edaea4ff64d47964fa366546e11cfd8cf72dc31906dafd1a66be6587f838f48ef662dfe8db2e690ab0c9fe72fedd4e55385e06d3505a3ef
SSDEEP

768:zkP9qIGw6fCoBse9fej+POciSb2GZjWsbxeGEUfxuDe+87V4uuu09Rgyx:2qIGw6qeeaPOq5Zj9bxvEdifAGu

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

dllhost.exewinlogson.exe

pid process

4360 dllhost.exe
488 winlogson.exe

pid	process
4360	dllhost.exe
488	winlogson.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3136 schtasks.exe
4308 schtasks.exe
2884 schtasks.exe
4304 schtasks.exe
4516 schtasks.exe
3380 schtasks.exe

pid	process
3136	schtasks.exe
4308	schtasks.exe
2884	schtasks.exe
4304	schtasks.exe
4516	schtasks.exe
3380	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fdd5608a073b30d1b875dec0de277613e2627e5b4ec6b17c225d1df5575eabc1.exepowershell.exepowershell.exepowershell.exedllhost.exe

pid	process
2660	fdd5608a073b30d1b875dec0de277613e2627e5b4ec6b17c225d1df5575eabc1.exe
2284	powershell.exe
2284	powershell.exe
2284	powershell.exe
1824	powershell.exe
1824	powershell.exe
1824	powershell.exe
4704	powershell.exe
4704	powershell.exe
4704	powershell.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe
4360	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

632

pid	process
632

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

fdd5608a073b30d1b875dec0de277613e2627e5b4ec6b17c225d1df5575eabc1.exepowershell.exepowershell.exepowershell.exedllhost.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	2660	fdd5608a073b30d1b875dec0de277613e2627e5b4ec6b17c225d1df5575eabc1.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	4360	dllhost.exe
Token: SeLockMemoryPrivilege	488	winlogson.exe
Token: SeLockMemoryPrivilege	488	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

488 winlogson.exe

pid	process
488	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fdd5608a073b30d1b875dec0de277613e2627e5b4ec6b17c225d1df5575eabc1.execmd.exedllhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2660 wrote to memory of 1536	2660	fdd5608a073b30d1b875dec0de277613e2627e5b4ec6b17c225d1df5575eabc1.exe	cmd.exe
PID 2660 wrote to memory of 1536	2660	fdd5608a073b30d1b875dec0de277613e2627e5b4ec6b17c225d1df5575eabc1.exe	cmd.exe
PID 2660 wrote to memory of 1536	2660	fdd5608a073b30d1b875dec0de277613e2627e5b4ec6b17c225d1df5575eabc1.exe	cmd.exe
PID 1536 wrote to memory of 3712	1536	cmd.exe	chcp.com
PID 1536 wrote to memory of 3712	1536	cmd.exe	chcp.com
PID 1536 wrote to memory of 3712	1536	cmd.exe	chcp.com
PID 1536 wrote to memory of 2284	1536	cmd.exe	powershell.exe
PID 1536 wrote to memory of 2284	1536	cmd.exe	powershell.exe
PID 1536 wrote to memory of 2284	1536	cmd.exe	powershell.exe
PID 1536 wrote to memory of 1824	1536	cmd.exe	powershell.exe
PID 1536 wrote to memory of 1824	1536	cmd.exe	powershell.exe
PID 1536 wrote to memory of 1824	1536	cmd.exe	powershell.exe
PID 1536 wrote to memory of 4704	1536	cmd.exe	powershell.exe
PID 1536 wrote to memory of 4704	1536	cmd.exe	powershell.exe
PID 1536 wrote to memory of 4704	1536	cmd.exe	powershell.exe
PID 2660 wrote to memory of 4360	2660	fdd5608a073b30d1b875dec0de277613e2627e5b4ec6b17c225d1df5575eabc1.exe	dllhost.exe
PID 2660 wrote to memory of 4360	2660	fdd5608a073b30d1b875dec0de277613e2627e5b4ec6b17c225d1df5575eabc1.exe	dllhost.exe
PID 2660 wrote to memory of 4360	2660	fdd5608a073b30d1b875dec0de277613e2627e5b4ec6b17c225d1df5575eabc1.exe	dllhost.exe
PID 4360 wrote to memory of 60	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 60	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 60	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 496	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 496	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 496	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 1384	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 1384	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 1384	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 1252	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 1252	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 1252	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 780	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 780	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 780	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 1640	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 1640	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 1640	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 4328	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 4328	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 4328	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 324	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 324	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 324	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 2248	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 2248	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 2248	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 584	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 584	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 584	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 2724	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 2724	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 2724	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 2020	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 2020	4360	dllhost.exe	cmd.exe
PID 4360 wrote to memory of 2020	4360	dllhost.exe	cmd.exe
PID 1384 wrote to memory of 3380	1384	cmd.exe	schtasks.exe
PID 1384 wrote to memory of 3380	1384	cmd.exe	schtasks.exe
PID 1384 wrote to memory of 3380	1384	cmd.exe	schtasks.exe
PID 60 wrote to memory of 4516	60	cmd.exe	schtasks.exe
PID 60 wrote to memory of 4516	60	cmd.exe	schtasks.exe
PID 60 wrote to memory of 4516	60	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 3136	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 3136	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 3136	2020	cmd.exe	schtasks.exe
PID 496 wrote to memory of 4304	496	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\fdd5608a073b30d1b875dec0de277613e2627e5b4ec6b17c225d1df5575eabc1.exe
"C:\Users\Admin\AppData\Local\Temp\fdd5608a073b30d1b875dec0de277613e2627e5b4ec6b17c225d1df5575eabc1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
2⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:3712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4516

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:3380

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1252

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:2884

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:780

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:324

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk521" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:584

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk5838" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk5838" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:3136

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk5077" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk4636" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
3⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
3⤵
PID:3360

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:3320

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:488

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:4308

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:4304

C:\Windows\SysWOW64\chcp.com
chcp 1251
1⤵
PID:4084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
60KB

MD5
f7f7f2ae6258243cb403855a5e5c98e2

SHA1
d1d2b7efecb8065cdee21c0deef97ccff397a7a8

SHA256
3be57a7082ef64696aec16217c25377593338c9bd8d4847cb418d75bfb689219

SHA512
fabdc5df8980cd5b91a65a3794195e26461257099e0956ae226e55c75dc781169e858f60468124cf651cbc60a163e9c535d62b31a5a3cc078ed9195a166e3b0e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
60KB

MD5
f7f7f2ae6258243cb403855a5e5c98e2

SHA1
d1d2b7efecb8065cdee21c0deef97ccff397a7a8

SHA256
3be57a7082ef64696aec16217c25377593338c9bd8d4847cb418d75bfb689219

SHA512
fabdc5df8980cd5b91a65a3794195e26461257099e0956ae226e55c75dc781169e858f60468124cf651cbc60a163e9c535d62b31a5a3cc078ed9195a166e3b0e

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\SystemFiles\config.json
Filesize
313B

MD5
36bbcf8d2d2b5cccc53b86c7bafe362a

SHA1
8404f49f6e9b4dd5b71e75505f0a0832657bdad9

SHA256
9389db008d81d34bfdca9476ac83e7e8d18929ba0884a9f37caf389e96c60559

SHA512
11e5bc031d83e011e580cd7a0907f567539879fc477b32443709c2c3caed314cbab37c0ff73e382462dd2429f813ed70780cfe2edfc99e419e620c8bfb302aab

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin
Filesize
1KB

MD5
59a97a38dcac287f0c7f2a4cb64026af

SHA1
8f520f4aeab6ed0f176fc2deaad5608c92b76505

SHA256
cc9cffbe9e6cd74ebf26e5541ae8d3ffdc0de3a63bdff4afe1872eb83c6c7e7b

SHA512
8a3bb169fa87b8c80b3bc08ac902ee89ed6d4479030b41848a6550efbc55147ffeb46e5d6b0231bcdc02767fadf183b1199d0a5ef7558a9cf9a98635b305327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d3b5737b23405fb2ca873e07c77961e8

SHA1
bd35a510db1781c2938a3eabbbbc5b4ae533289c

SHA256
8252510472e80b12bdf8d032c29a36218f439fc5f4bc1e9824325e6581503b43

SHA512
5f42dc1109a0c6ca8816251617488ce836ff01d49110a4e7a7835661ce45946a5369200b12b2c179735e6ab764377ebd551501119c1d86f73eda5a56f14b94a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
b99b6c74c8da1c632a62d8457813adfb

SHA1
21e0679ce6965b8fccca9b9e09140180f769012a

SHA256
0dbf520f7376ebf1e0e15a57e8332070242ef0e9fca9b3d735d3ea02c82eb7eb

SHA512
9574a3b449099bba4fefd00cd9846ef1f33e8637f7096c0c65c916f2f3c2e217fb6d163439ead08b33e38e2a8748e12507d2cf37eb6d87a317d5e85247d9bd11

Download Submit
memory/60-1068-0x0000000000000000-mapping.dmp

Download
memory/324-1099-0x0000000000000000-mapping.dmp

Download
memory/488-1476-0x0000024173030000-0x0000024173050000-memory.dmp

Filesize
128KB

Download
memory/488-1475-0x0000024173030000-0x0000024173050000-memory.dmp

Filesize
128KB

Download
memory/488-1474-0x0000024171740000-0x0000024171780000-memory.dmp

Filesize
256KB

Download
memory/488-1469-0x0000000000000000-mapping.dmp

Download
memory/496-1070-0x0000000000000000-mapping.dmp

Download
memory/584-1112-0x0000000000000000-mapping.dmp

Download
memory/772-1413-0x0000000000000000-mapping.dmp

Download
memory/780-1081-0x0000000000000000-mapping.dmp

Download
memory/1252-1076-0x0000000000000000-mapping.dmp

Download
memory/1384-1072-0x0000000000000000-mapping.dmp

Download
memory/1536-191-0x0000000000000000-mapping.dmp

Download
memory/1640-1087-0x0000000000000000-mapping.dmp

Download
memory/1824-552-0x0000000000000000-mapping.dmp

Download
memory/2020-1125-0x0000000000000000-mapping.dmp

Download
memory/2248-1106-0x0000000000000000-mapping.dmp

Download
memory/2284-289-0x0000000009370000-0x000000000938E000-memory.dmp

Filesize
120KB

Download
memory/2284-271-0x0000000008510000-0x000000000855B000-memory.dmp

Filesize
300KB

Download
memory/2284-320-0x0000000009880000-0x0000000009914000-memory.dmp

Filesize
592KB

Download
memory/2284-304-0x00000000093F0000-0x0000000009495000-memory.dmp

Filesize
660KB

Download
memory/2284-534-0x0000000009810000-0x0000000009818000-memory.dmp

Filesize
32KB

Download
memory/2284-288-0x00000000093B0000-0x00000000093E3000-memory.dmp

Filesize
204KB

Download
memory/2284-275-0x0000000008450000-0x00000000084C6000-memory.dmp

Filesize
472KB

Download
memory/2284-529-0x0000000009820000-0x000000000983A000-memory.dmp

Filesize
104KB

Download
memory/2284-270-0x0000000007C40000-0x0000000007C5C000-memory.dmp

Filesize
112KB

Download
memory/2284-267-0x0000000007E90000-0x00000000081E0000-memory.dmp

Filesize
3.3MB

Download
memory/2284-265-0x0000000007AD0000-0x0000000007B36000-memory.dmp

Filesize
408KB

Download
memory/2284-261-0x00000000072F0000-0x0000000007312000-memory.dmp

Filesize
136KB

Download
memory/2284-246-0x00000000073B0000-0x00000000079D8000-memory.dmp

Filesize
6.2MB

Download
memory/2284-241-0x0000000004CD0000-0x0000000004D06000-memory.dmp

Filesize
216KB

Download
memory/2284-205-0x0000000000000000-mapping.dmp

Download
memory/2660-184-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-147-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-162-0x000000000A850000-0x000000000A8E2000-memory.dmp

Filesize
584KB

Download
memory/2660-163-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-164-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-165-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-166-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-168-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-171-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-170-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-169-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-167-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-172-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-173-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-174-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-175-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-176-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-177-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-178-0x000000000A7D0000-0x000000000A7DA000-memory.dmp

Filesize
40KB

Download
memory/2660-179-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-181-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-180-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-182-0x000000000AC00000-0x000000000AC66000-memory.dmp

Filesize
408KB

Download
memory/2660-119-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-185-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-186-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-187-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-188-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-183-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-160-0x000000000ACB0000-0x000000000B1AE000-memory.dmp

Filesize
5.0MB

Download
memory/2660-120-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-156-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-158-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-159-0x0000000001520000-0x0000000001526000-memory.dmp

Filesize
24KB

Download
memory/2660-157-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-155-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-154-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-153-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-152-0x0000000000A80000-0x0000000000A94000-memory.dmp

Filesize
80KB

Download
memory/2660-151-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-150-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-149-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-148-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-161-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-146-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-145-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-144-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-143-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-142-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-123-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-141-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-124-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-136-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-140-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-122-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-125-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-139-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-138-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-137-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-135-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-134-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-133-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-127-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-129-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-121-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-126-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-128-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-130-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-131-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2660-132-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2724-1119-0x0000000000000000-mapping.dmp

Download
memory/2884-1172-0x0000000000000000-mapping.dmp

Download
memory/3136-1161-0x0000000000000000-mapping.dmp

Download
memory/3320-1460-0x0000000000000000-mapping.dmp

Download
memory/3360-1454-0x0000000000000000-mapping.dmp

Download
memory/3380-1156-0x0000000000000000-mapping.dmp

Download
memory/3712-197-0x0000000000000000-mapping.dmp

Download
memory/4084-1419-0x0000000000000000-mapping.dmp

Download
memory/4304-1170-0x0000000000000000-mapping.dmp

Download
memory/4308-1174-0x0000000000000000-mapping.dmp

Download
memory/4328-1092-0x0000000000000000-mapping.dmp

Download
memory/4360-1427-0x0000000002580000-0x000000000258A000-memory.dmp

Filesize
40KB

Download
memory/4360-1018-0x0000000002620000-0x0000000002626000-memory.dmp

Filesize
24KB

Download
memory/4360-1001-0x0000000000420000-0x0000000000436000-memory.dmp

Filesize
88KB

Download
memory/4360-939-0x0000000000000000-mapping.dmp

Download
memory/4516-1157-0x0000000000000000-mapping.dmp

Download
memory/4704-863-0x0000000000000000-mapping.dmp

Download