xmrig | e79572b925992e2c01e4e47c83a2d3796cb2fab7eb716d146f4551ecb5e95024

Analysis

max time kernel
306s
max time network
266s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-09-2022 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e79572b925992e2c01e4e47c83a2d3796cb2fab7eb716d146f4551ecb5e95024.exe
Size

71KB
MD5

1a9a8f5167110e1fbc55ab294d1ce876
SHA1

3c3ea653a37eff8b2b4214a4c6ecca3de5f33e99
SHA256

e79572b925992e2c01e4e47c83a2d3796cb2fab7eb716d146f4551ecb5e95024
SHA512

7ec52829af747146fe1fbc74e15d0919687a3a08f0b6e3371a8c0ba446373a1748883d4452702a65f32f2740a4167eed1b18e11fa8c900fec7255e47356dd277
SSDEEP

768:FpaTRtS/y3YNYHFqJe4cplUf3/281s8TnJbR8YcdX2t3Ux4sbDZ+kAwl0dBKvl:+TmkDlqJJcc281s8dbRxZpGDb1HAwr9

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

dllhost.exewinlogson.exe

pid process

2936 dllhost.exe
3100 winlogson.exe

pid	process
2936	dllhost.exe
3100	winlogson.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1824 schtasks.exe
4820 schtasks.exe
4908 schtasks.exe
4840 schtasks.exe
808 schtasks.exe

pid	process
1824	schtasks.exe
4820	schtasks.exe
4908	schtasks.exe
4840	schtasks.exe
808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e79572b925992e2c01e4e47c83a2d3796cb2fab7eb716d146f4551ecb5e95024.exepowershell.exepowershell.exepowershell.exedllhost.exe

pid	process
3844	e79572b925992e2c01e4e47c83a2d3796cb2fab7eb716d146f4551ecb5e95024.exe
4368	powershell.exe
4368	powershell.exe
4368	powershell.exe
1288	powershell.exe
1288	powershell.exe
1288	powershell.exe
2348	powershell.exe
2348	powershell.exe
2348	powershell.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe
2936	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

600

pid	process
600

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

e79572b925992e2c01e4e47c83a2d3796cb2fab7eb716d146f4551ecb5e95024.exepowershell.exepowershell.exepowershell.exedllhost.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	3844	e79572b925992e2c01e4e47c83a2d3796cb2fab7eb716d146f4551ecb5e95024.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2936	dllhost.exe
Token: SeLockMemoryPrivilege	3100	winlogson.exe
Token: SeLockMemoryPrivilege	3100	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

3100 winlogson.exe

pid	process
3100	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e79572b925992e2c01e4e47c83a2d3796cb2fab7eb716d146f4551ecb5e95024.execmd.exedllhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3844 wrote to memory of 4324	3844	e79572b925992e2c01e4e47c83a2d3796cb2fab7eb716d146f4551ecb5e95024.exe	cmd.exe
PID 3844 wrote to memory of 4324	3844	e79572b925992e2c01e4e47c83a2d3796cb2fab7eb716d146f4551ecb5e95024.exe	cmd.exe
PID 3844 wrote to memory of 4324	3844	e79572b925992e2c01e4e47c83a2d3796cb2fab7eb716d146f4551ecb5e95024.exe	cmd.exe
PID 4324 wrote to memory of 4452	4324	cmd.exe	chcp.com
PID 4324 wrote to memory of 4452	4324	cmd.exe	chcp.com
PID 4324 wrote to memory of 4452	4324	cmd.exe	chcp.com
PID 4324 wrote to memory of 4368	4324	cmd.exe	powershell.exe
PID 4324 wrote to memory of 4368	4324	cmd.exe	powershell.exe
PID 4324 wrote to memory of 4368	4324	cmd.exe	powershell.exe
PID 4324 wrote to memory of 1288	4324	cmd.exe	powershell.exe
PID 4324 wrote to memory of 1288	4324	cmd.exe	powershell.exe
PID 4324 wrote to memory of 1288	4324	cmd.exe	powershell.exe
PID 4324 wrote to memory of 2348	4324	cmd.exe	powershell.exe
PID 4324 wrote to memory of 2348	4324	cmd.exe	powershell.exe
PID 4324 wrote to memory of 2348	4324	cmd.exe	powershell.exe
PID 3844 wrote to memory of 2936	3844	e79572b925992e2c01e4e47c83a2d3796cb2fab7eb716d146f4551ecb5e95024.exe	dllhost.exe
PID 3844 wrote to memory of 2936	3844	e79572b925992e2c01e4e47c83a2d3796cb2fab7eb716d146f4551ecb5e95024.exe	dllhost.exe
PID 3844 wrote to memory of 2936	3844	e79572b925992e2c01e4e47c83a2d3796cb2fab7eb716d146f4551ecb5e95024.exe	dllhost.exe
PID 2936 wrote to memory of 996	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 996	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 996	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 992	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 992	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 992	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4680	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4680	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4680	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4000	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4000	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4000	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 2480	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 2480	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 2480	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 3712	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 3712	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 3712	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4084	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4084	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4084	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4360	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4360	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4360	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 2072	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 2072	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 2072	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4216	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4216	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4216	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 3604	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 3604	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 3604	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4644	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4644	2936	dllhost.exe	cmd.exe
PID 2936 wrote to memory of 4644	2936	dllhost.exe	cmd.exe
PID 4000 wrote to memory of 4840	4000	cmd.exe	schtasks.exe
PID 4000 wrote to memory of 4840	4000	cmd.exe	schtasks.exe
PID 4000 wrote to memory of 4840	4000	cmd.exe	schtasks.exe
PID 996 wrote to memory of 4908	996	cmd.exe	schtasks.exe
PID 996 wrote to memory of 4908	996	cmd.exe	schtasks.exe
PID 996 wrote to memory of 4908	996	cmd.exe	schtasks.exe
PID 992 wrote to memory of 4820	992	cmd.exe	schtasks.exe
PID 992 wrote to memory of 4820	992	cmd.exe	schtasks.exe
PID 992 wrote to memory of 4820	992	cmd.exe	schtasks.exe
PID 2480 wrote to memory of 808	2480	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e79572b925992e2c01e4e47c83a2d3796cb2fab7eb716d146f4551ecb5e95024.exe
"C:\Users\Admin\AppData\Local\Temp\e79572b925992e2c01e4e47c83a2d3796cb2fab7eb716d146f4551ecb5e95024.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
2⤵
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:4452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4908

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4820

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4840

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:808

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4084

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4360

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1824

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk6656" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4216

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk8812" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2545" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:3604

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk1689" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
3⤵
PID:2560

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
3⤵
PID:4832

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:4728

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
55c37445d312c77f534f4797f1034248

SHA1
06ca76148e27fed0db2328a52538f261265ad311

SHA256
8783d5a7a4510df0798adf05fc09b2ebf65c9966f34425ba8642e1c843d2d050

SHA512
c620d684ecac2f5a2ed37442de00e4b50f30cf2d132ad940b7091e96c033e47fd3d5ad93f7a3a00289fc4f5c381fbec510541170a3341db8e88425a8d6eb4f34

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
55c37445d312c77f534f4797f1034248

SHA1
06ca76148e27fed0db2328a52538f261265ad311

SHA256
8783d5a7a4510df0798adf05fc09b2ebf65c9966f34425ba8642e1c843d2d050

SHA512
c620d684ecac2f5a2ed37442de00e4b50f30cf2d132ad940b7091e96c033e47fd3d5ad93f7a3a00289fc4f5c381fbec510541170a3341db8e88425a8d6eb4f34

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\SystemFiles\config.json
Filesize
309B

MD5
9c6352127ee26ba6f62bb3b67b59fcd6

SHA1
5ddf8edf9d35388c262898cf011fc6e7f7d5990b

SHA256
26bac69ec6a46a74b49e6d421eadc631d51183dfdde9f23810b12d20b865aca4

SHA512
67f6c1f8535ec800e8c674b527b0f3cb85817416728e0b721136826afeba42f1d4f82f28569e362fe3a37296b1014d15bcf9ed27b11d559ec3083112035b9ace

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin
Filesize
1KB

MD5
285a14e3e9532f7a81fb8379e1b4a41c

SHA1
8f65af1a6ec5bfa30c0c6545ea4f2d95e9a29b8a

SHA256
0c744f0bcf82e9a3e63f241d9da847b24bc78d8ddd56af10e29d38218a4b58f8

SHA512
c57c3210d6ec89cb18997951ad25a5e4fdc7a076eb02090524e8820ad193fa30a94189bb39e26db4f491080262651cf49b4a71f61add603a17cd69c146ba866d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
f5872727acd00f1692d75729ab0429b2

SHA1
8291e075c879c596911ed60cc2485a0478316049

SHA256
e21ffc7972d65400cb0a7d07a2a522e4f1039ab26102d08b7ed4fa0bb7b48c50

SHA512
c4d7aca269657ed26f693dbb6263df25aad1e13099f601b4344d1618eb48abb09d0619daaa75eab44af7c63521ec15a1c46ad9e93d89b71c52231094969b108a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
2b6b8ba43f945edca52ff2ddc88bc0fa

SHA1
0c146ff76bbbb57da0c4b03730cb4426e379cc5d

SHA256
dbd7b0900f88464eae30f17d6d65f7d3b5249a17f36332449d43617c7535d034

SHA512
fcb011d66c261526cf71659ea16af6f6261e4eb50e3560910b1a5189d7c2e3823bd77979cb4c73fccd9c25ca39bd5e94768f88a019091b77d04747584a2f5423

Download Submit
memory/808-1317-0x0000000000000000-mapping.dmp

Download
memory/992-1234-0x0000000000000000-mapping.dmp

Download
memory/996-1232-0x0000000000000000-mapping.dmp

Download
memory/1288-548-0x0000000000000000-mapping.dmp

Download
memory/1824-1325-0x0000000000000000-mapping.dmp

Download
memory/2072-1262-0x0000000000000000-mapping.dmp

Download
memory/2348-859-0x0000000000000000-mapping.dmp

Download
memory/2412-1381-0x0000000000000000-mapping.dmp

Download
memory/2480-1244-0x0000000000000000-mapping.dmp

Download
memory/2560-1375-0x0000000000000000-mapping.dmp

Download
memory/2936-1156-0x0000000000000000-mapping.dmp

Download
memory/2936-1212-0x0000000001310000-0x0000000001316000-memory.dmp

Filesize
24KB

Download
memory/2936-1205-0x0000000000980000-0x000000000099A000-memory.dmp

Filesize
104KB

Download
memory/3100-1429-0x0000000000000000-mapping.dmp

Download
memory/3100-1434-0x000002CBC2350000-0x000002CBC2390000-memory.dmp

Filesize
256KB

Download
memory/3100-1435-0x000002CBC27B0000-0x000002CBC27D0000-memory.dmp

Filesize
128KB

Download
memory/3100-1436-0x000002CBC27B0000-0x000002CBC27D0000-memory.dmp

Filesize
128KB

Download
memory/3604-1273-0x0000000000000000-mapping.dmp

Download
memory/3712-1248-0x0000000000000000-mapping.dmp

Download
memory/3844-146-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-130-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-145-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-115-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-147-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-149-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-148-0x0000000000A90000-0x0000000000AA8000-memory.dmp

Filesize
96KB

Download
memory/3844-150-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-151-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-152-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-153-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-154-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-155-0x0000000001100000-0x0000000001106000-memory.dmp

Filesize
24KB

Download
memory/3844-156-0x0000000009D00000-0x000000000A1FE000-memory.dmp

Filesize
5.0MB

Download
memory/3844-157-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-158-0x0000000005480000-0x0000000005512000-memory.dmp

Filesize
584KB

Download
memory/3844-160-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-159-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-161-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-162-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-164-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-163-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-165-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-166-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-167-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-168-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-169-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-170-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-171-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-172-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-174-0x00000000052C0000-0x00000000052CA000-memory.dmp

Filesize
40KB

Download
memory/3844-173-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-175-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-176-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-177-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-178-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download
memory/3844-179-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-180-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-182-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-181-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-183-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-184-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-119-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-118-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-117-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-120-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-121-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-122-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-124-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-126-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-127-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-128-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-125-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-123-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-116-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-129-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-143-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-131-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-133-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-144-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-142-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-141-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-139-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-140-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-138-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-136-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-137-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-135-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-134-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-132-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/4000-1241-0x0000000000000000-mapping.dmp

Download
memory/4084-1253-0x0000000000000000-mapping.dmp

Download
memory/4216-1267-0x0000000000000000-mapping.dmp

Download
memory/4324-187-0x0000000000000000-mapping.dmp

Download
memory/4360-1257-0x0000000000000000-mapping.dmp

Download
memory/4368-284-0x00000000094C0000-0x00000000094F3000-memory.dmp

Filesize
204KB

Download
memory/4368-262-0x0000000007B20000-0x0000000007B86000-memory.dmp

Filesize
408KB

Download
memory/4368-294-0x0000000009510000-0x00000000095B5000-memory.dmp

Filesize
660KB

Download
memory/4368-285-0x00000000094A0000-0x00000000094BE000-memory.dmp

Filesize
120KB

Download
memory/4368-308-0x00000000097B0000-0x0000000009844000-memory.dmp

Filesize
592KB

Download
memory/4368-525-0x0000000009760000-0x000000000977A000-memory.dmp

Filesize
104KB

Download
memory/4368-201-0x0000000000000000-mapping.dmp

Download
memory/4368-237-0x0000000004C10000-0x0000000004C46000-memory.dmp

Filesize
216KB

Download
memory/4368-242-0x00000000073F0000-0x0000000007A18000-memory.dmp

Filesize
6.2MB

Download
memory/4368-530-0x0000000009750000-0x0000000009758000-memory.dmp

Filesize
32KB

Download
memory/4368-271-0x00000000086F0000-0x0000000008766000-memory.dmp

Filesize
472KB

Download
memory/4368-267-0x00000000081C0000-0x000000000820B000-memory.dmp

Filesize
300KB

Download
memory/4368-266-0x00000000080D0000-0x00000000080EC000-memory.dmp

Filesize
112KB

Download
memory/4368-263-0x0000000007D40000-0x0000000008090000-memory.dmp

Filesize
3.3MB

Download
memory/4368-260-0x0000000007330000-0x0000000007352000-memory.dmp

Filesize
136KB

Download
memory/4452-193-0x0000000000000000-mapping.dmp

Download
memory/4644-1279-0x0000000000000000-mapping.dmp

Download
memory/4680-1237-0x0000000000000000-mapping.dmp

Download
memory/4728-1420-0x0000000000000000-mapping.dmp

Download
memory/4820-1304-0x0000000000000000-mapping.dmp

Download
memory/4832-1414-0x0000000000000000-mapping.dmp

Download
memory/4840-1302-0x0000000000000000-mapping.dmp

Download
memory/4908-1303-0x0000000000000000-mapping.dmp

Download