xmrig | 92c5e473b763ca880890ffbef2e78133c797084465a3ee2427edf7c6e17e767d

Analysis

max time kernel
301s
max time network
246s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
09-10-2022 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92c5e473b763ca880890ffbef2e78133c797084465a3ee2427edf7c6e17e767d.exe
Size

56KB
MD5

bfc2b4cbcfdbf8eb31dc173f5b9d97f0
SHA1

e5ac6c5d068cd6537ebd842757bb1b628c4792fd
SHA256

92c5e473b763ca880890ffbef2e78133c797084465a3ee2427edf7c6e17e767d
SHA512

4b7d1972f337f31db6bc0a0541e68f4c70007099b35166ca45bdf3d6a484e47f3ed8a75e1ae0b2929903edecde2a763d011a2725577aae5678c63b0c967b8f5b
SSDEEP

768:dAvNyKQFHpZQzGFkW5Gedepz4KRCRFVnb+Opu2nh6ixrkvTnEtPw:ky9EMkW5tUqV1b++1h6ixrwEy

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

dllhost.exewinlogson.exe

pid process

8 dllhost.exe
4156 winlogson.exe

pid	process
8	dllhost.exe
4156	winlogson.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2140 schtasks.exe
2608 schtasks.exe
2264 schtasks.exe
2068 schtasks.exe

pid	process
2140	schtasks.exe
2608	schtasks.exe
2264	schtasks.exe
2068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

92c5e473b763ca880890ffbef2e78133c797084465a3ee2427edf7c6e17e767d.exepowershell.exedllhost.exepowershell.exewermgr.exe

pid	process
2628	92c5e473b763ca880890ffbef2e78133c797084465a3ee2427edf7c6e17e767d.exe
4860	powershell.exe
4860	powershell.exe
4860	powershell.exe
8	dllhost.exe
8	dllhost.exe
3220	powershell.exe
4824	wermgr.exe
4824	wermgr.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe
8	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
656

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

92c5e473b763ca880890ffbef2e78133c797084465a3ee2427edf7c6e17e767d.exepowershell.exedllhost.exepowershell.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	2628	92c5e473b763ca880890ffbef2e78133c797084465a3ee2427edf7c6e17e767d.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	8	dllhost.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeRestorePrivilege	3220	powershell.exe
Token: SeBackupPrivilege	3220	powershell.exe
Token: SeLockMemoryPrivilege	4156	winlogson.exe
Token: SeLockMemoryPrivilege	4156	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

4156 winlogson.exe

pid	process
4156	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

92c5e473b763ca880890ffbef2e78133c797084465a3ee2427edf7c6e17e767d.execmd.exedllhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2628 wrote to memory of 4340	2628	92c5e473b763ca880890ffbef2e78133c797084465a3ee2427edf7c6e17e767d.exe	cmd.exe
PID 2628 wrote to memory of 4340	2628	92c5e473b763ca880890ffbef2e78133c797084465a3ee2427edf7c6e17e767d.exe	cmd.exe
PID 2628 wrote to memory of 4340	2628	92c5e473b763ca880890ffbef2e78133c797084465a3ee2427edf7c6e17e767d.exe	cmd.exe
PID 4340 wrote to memory of 2260	4340	cmd.exe	chcp.com
PID 4340 wrote to memory of 2260	4340	cmd.exe	chcp.com
PID 4340 wrote to memory of 2260	4340	cmd.exe	chcp.com
PID 4340 wrote to memory of 4860	4340	cmd.exe	powershell.exe
PID 4340 wrote to memory of 4860	4340	cmd.exe	powershell.exe
PID 4340 wrote to memory of 4860	4340	cmd.exe	powershell.exe
PID 2628 wrote to memory of 8	2628	92c5e473b763ca880890ffbef2e78133c797084465a3ee2427edf7c6e17e767d.exe	dllhost.exe
PID 2628 wrote to memory of 8	2628	92c5e473b763ca880890ffbef2e78133c797084465a3ee2427edf7c6e17e767d.exe	dllhost.exe
PID 2628 wrote to memory of 8	2628	92c5e473b763ca880890ffbef2e78133c797084465a3ee2427edf7c6e17e767d.exe	dllhost.exe
PID 4340 wrote to memory of 3220	4340	cmd.exe	powershell.exe
PID 4340 wrote to memory of 3220	4340	cmd.exe	powershell.exe
PID 4340 wrote to memory of 3220	4340	cmd.exe	powershell.exe
PID 8 wrote to memory of 4508	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 4508	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 4508	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 792	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 792	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 792	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 4444	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 4444	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 4444	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 3540	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 3540	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 3540	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 5048	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 5048	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 5048	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 1960	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 1960	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 1960	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 5040	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 5040	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 5040	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 4100	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 4100	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 4100	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 4988	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 4988	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 4988	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 4120	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 4120	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 4120	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 1788	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 1788	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 1788	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 1296	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 1296	8	dllhost.exe	cmd.exe
PID 8 wrote to memory of 1296	8	dllhost.exe	cmd.exe
PID 792 wrote to memory of 2140	792	cmd.exe	schtasks.exe
PID 792 wrote to memory of 2140	792	cmd.exe	schtasks.exe
PID 792 wrote to memory of 2140	792	cmd.exe	schtasks.exe
PID 4988 wrote to memory of 2608	4988	cmd.exe	schtasks.exe
PID 4988 wrote to memory of 2608	4988	cmd.exe	schtasks.exe
PID 4988 wrote to memory of 2608	4988	cmd.exe	schtasks.exe
PID 5040 wrote to memory of 2264	5040	cmd.exe	schtasks.exe
PID 5040 wrote to memory of 2264	5040	cmd.exe	schtasks.exe
PID 5040 wrote to memory of 2264	5040	cmd.exe	schtasks.exe
PID 4444 wrote to memory of 2068	4444	cmd.exe	schtasks.exe
PID 4444 wrote to memory of 2068	4444	cmd.exe	schtasks.exe
PID 4444 wrote to memory of 2068	4444	cmd.exe	schtasks.exe
PID 8 wrote to memory of 4276	8	dllhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\92c5e473b763ca880890ffbef2e78133c797084465a3ee2427edf7c6e17e767d.exe
"C:\Users\Admin\AppData\Local\Temp\92c5e473b763ca880890ffbef2e78133c797084465a3ee2427edf7c6e17e767d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
2⤵
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:2260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "3220" "1748" "1704" "1744" "0" "0" "1752" "0" "0" "0" "0" "0"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4824

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:2140

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:2068

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:3540

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:2264

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4100

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk1366" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7845" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7845" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:2608

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk725" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1830" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
3⤵
PID:4276

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
3⤵
PID:608

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1472

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
60KB

MD5
9a4febef8d60ba3a7039d023231c6dec

SHA1
2b94634c21c98db8a77d3ceef4a57ea8009afd50

SHA256
efc5f8d9cf611f8f8857840f49a111bac24b16966fc69a17f3757cbcf7f3bbe0

SHA512
bfe7dca34d63289b56288dc6171b58951c3ef27c90e316ca5ce6da812a6a887b30c9967fff59067b23d68fe02d6ff746037c9b2563077f092f2a2abade3cea62

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
60KB

MD5
9a4febef8d60ba3a7039d023231c6dec

SHA1
2b94634c21c98db8a77d3ceef4a57ea8009afd50

SHA256
efc5f8d9cf611f8f8857840f49a111bac24b16966fc69a17f3757cbcf7f3bbe0

SHA512
bfe7dca34d63289b56288dc6171b58951c3ef27c90e316ca5ce6da812a6a887b30c9967fff59067b23d68fe02d6ff746037c9b2563077f092f2a2abade3cea62

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\SystemFiles\config.json
Filesize
316B

MD5
6a858c18ab16c21852f93ecf45cd0cab

SHA1
5ade25d15a07d7f948679fdd30451cb5dc26d150

SHA256
d182a68c312818029cf381af91751e8d7025e059cd8f3f0e021bc69d7e5d9117

SHA512
fc2b1528641b4fca73e5a06fc1480b6be19921c2e08f50344e2f576197edd9a26d1881e8338c3d696ca713f352797dcd963b52eb2d5ee2063f8b4d909dd6500a

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin
Filesize
1KB

MD5
66c38abccc04ed1fa7700e5c15f042d7

SHA1
71f65bdfafc943a72bc7b46b5af16b84762586cb

SHA256
aecc35b3fbe567fc97792ab63f54c7d91421f1423969da4d98d628113a502ad9

SHA512
d553f49620bedf34cc92953bd65c0e8e0110e661ee133ef26207901509630f383dc5b458effdcf82eb7d98917fcffe7044fcb9de3be5817d71c48cdd2e643383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
memory/8-545-0x0000000000000000-mapping.dmp

Download
memory/8-587-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/8-594-0x0000000002810000-0x0000000002816000-memory.dmp

Filesize
24KB

Download
memory/608-895-0x0000000000000000-mapping.dmp

Download
memory/792-632-0x0000000000000000-mapping.dmp

Download
memory/1296-684-0x0000000000000000-mapping.dmp

Download
memory/1472-901-0x0000000000000000-mapping.dmp

Download
memory/1788-676-0x0000000000000000-mapping.dmp

Download
memory/1960-646-0x0000000000000000-mapping.dmp

Download
memory/2068-736-0x0000000000000000-mapping.dmp

Download
memory/2140-722-0x0000000000000000-mapping.dmp

Download
memory/2260-198-0x0000000000000000-mapping.dmp

Download
memory/2264-731-0x0000000000000000-mapping.dmp

Download
memory/2608-728-0x0000000000000000-mapping.dmp

Download
memory/2628-182-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-120-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-143-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-144-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-145-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-146-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-147-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-148-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-149-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-150-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-151-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-152-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-153-0x0000000000FA0000-0x0000000000FB4000-memory.dmp

Filesize
80KB

Download
memory/2628-154-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-155-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-156-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-157-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-158-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-159-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-160-0x0000000003230000-0x0000000003236000-memory.dmp

Filesize
24KB

Download
memory/2628-161-0x000000000B2A0000-0x000000000B79E000-memory.dmp

Filesize
5.0MB

Download
memory/2628-162-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-163-0x0000000005AA0000-0x0000000005B32000-memory.dmp

Filesize
584KB

Download
memory/2628-164-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-165-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-166-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-167-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-168-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-169-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-170-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-171-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-172-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-173-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-174-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-175-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-176-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-177-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-178-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-179-0x0000000005950000-0x000000000595A000-memory.dmp

Filesize
40KB

Download
memory/2628-180-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-181-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-132-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-183-0x000000000D030000-0x000000000D096000-memory.dmp

Filesize
408KB

Download
memory/2628-184-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-185-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-186-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-187-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-188-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-189-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-133-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-142-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-134-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-131-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-130-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-121-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-122-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-123-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-141-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-124-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-125-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-135-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-129-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-136-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-126-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-127-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-128-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-140-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-139-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-138-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-137-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/3220-801-0x0000000007EA0000-0x00000000081F0000-memory.dmp

Filesize
3.3MB

Download
memory/3220-610-0x0000000000000000-mapping.dmp

Download
memory/3540-640-0x0000000000000000-mapping.dmp

Download
memory/4100-655-0x0000000000000000-mapping.dmp

Download
memory/4120-670-0x0000000000000000-mapping.dmp

Download
memory/4156-910-0x0000000000000000-mapping.dmp

Download
memory/4156-915-0x000001C5D9FB0000-0x000001C5D9FD0000-memory.dmp

Filesize
128KB

Download
memory/4156-916-0x000001C66C540000-0x000001C66C560000-memory.dmp

Filesize
128KB

Download
memory/4156-917-0x000001C66C540000-0x000001C66C560000-memory.dmp

Filesize
128KB

Download
memory/4276-810-0x0000000000000000-mapping.dmp

Download
memory/4340-192-0x0000000000000000-mapping.dmp

Download
memory/4404-827-0x0000000000000000-mapping.dmp

Download
memory/4444-635-0x0000000000000000-mapping.dmp

Download
memory/4508-629-0x0000000000000000-mapping.dmp

Download
memory/4824-818-0x0000000000000000-mapping.dmp

Download
memory/4860-313-0x00000000097F0000-0x0000000009823000-memory.dmp

Filesize
204KB

Download
memory/4860-276-0x0000000008900000-0x0000000008976000-memory.dmp

Filesize
472KB

Download
memory/4860-535-0x0000000009C10000-0x0000000009C18000-memory.dmp

Filesize
32KB

Download
memory/4860-530-0x0000000009C20000-0x0000000009C3A000-memory.dmp

Filesize
104KB

Download
memory/4860-327-0x0000000009D20000-0x0000000009DB4000-memory.dmp

Filesize
592KB

Download
memory/4860-323-0x0000000009830000-0x00000000098D5000-memory.dmp

Filesize
660KB

Download
memory/4860-314-0x00000000097D0000-0x00000000097EE000-memory.dmp

Filesize
120KB

Download
memory/4860-206-0x0000000000000000-mapping.dmp

Download
memory/4860-242-0x0000000007140000-0x0000000007176000-memory.dmp

Filesize
216KB

Download
memory/4860-247-0x0000000007830000-0x0000000007E58000-memory.dmp

Filesize
6.2MB

Download
memory/4860-272-0x0000000008B20000-0x0000000008B6B000-memory.dmp

Filesize
300KB

Download
memory/4860-271-0x00000000080A0000-0x00000000080BC000-memory.dmp

Filesize
112KB

Download
memory/4860-268-0x0000000008210000-0x0000000008560000-memory.dmp

Filesize
3.3MB

Download
memory/4860-267-0x0000000007F50000-0x0000000007FB6000-memory.dmp

Filesize
408KB

Download
memory/4860-262-0x0000000007750000-0x0000000007772000-memory.dmp

Filesize
136KB

Download
memory/4988-662-0x0000000000000000-mapping.dmp

Download
memory/5040-651-0x0000000000000000-mapping.dmp

Download
memory/5048-642-0x0000000000000000-mapping.dmp

Download