1208fb1c3cbdcbfc5089d46f4ab339d494139ba904e84a41a1707f7723edb7e2

Resubmissions

20/02/2024, 07:34

240220-jd756adc61 7

20/02/2024, 07:31

240220-jcwezadc4z 7

Analysis

max time kernel
83s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cpuminer-gw64-core2.exe
Size

1.4MB
MD5

d2a4d1247752fb186841ff4c2985341b
SHA1

7aa259b88e8bfd27d033bed11ca30d3c1a2c35aa
SHA256

3ea2a09be5cffc0501fc07f6744233a351371e2cf93f544768581ee1e6613454
SHA512

a1a34d78bf7c1c7a0ffcad36ddb219253ce3a9fef70f86d273ab86ad092f07a63831b001c169d839162edb654ed3701ac5a5f0d9733a748554d1aada40015f40
SSDEEP

24576:5fzE0V4k8BGvovKKn1k6x3qyr9ExYdZhrC6N5NUJSq+VHLIjYteaqp5tt+GTCEWE:Vz1b8wvovluCjrmKzrXqt+dLMuqTtt+U

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3896	ccminer-x64.exe
3940	ccminer-x64.exe
5836	ccminer-x64.exe

Loads dropped DLL 3 IoCs

pid	Process
3896	ccminer-x64.exe
3940	ccminer-x64.exe
5836	ccminer-x64.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5076-0-0x0000000000400000-0x00000000007B4000-memory.dmp	upx
behavioral2/memory/5076-1-0x0000000000400000-0x00000000007B4000-memory.dmp	upx
behavioral2/files/0x000500000001e59c-928.dat	upx
behavioral2/memory/3896-932-0x00007FF6337C0000-0x00007FF6347C0000-memory.dmp	upx
behavioral2/memory/3940-939-0x00007FF6337C0000-0x00007FF6347C0000-memory.dmp	upx
behavioral2/memory/5836-1078-0x00007FF6337C0000-0x00007FF6347C0000-memory.dmp	upx

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\ccminer-2.3.1-cuda10.7z:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5576	msedge.exe
5576	msedge.exe
880	msedge.exe
880	msedge.exe
1512	identity_helper.exe
1512	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5188	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
880	msedge.exe
880	msedge.exe
880	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4060	firefox.exe
Token: SeDebugPrivilege	4060	firefox.exe
Token: SeDebugPrivilege	4060	firefox.exe
Token: SeRestorePrivilege	5188	7zFM.exe
Token: 35	5188	7zFM.exe
Token: SeSecurityPrivilege	5188	7zFM.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
5188	7zFM.exe
5188	7zFM.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe
4060	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 4060	3448	firefox.exe	94
PID 3448 wrote to memory of 4060	3448	firefox.exe	94
PID 3448 wrote to memory of 4060	3448	firefox.exe	94
PID 3448 wrote to memory of 4060	3448	firefox.exe	94
PID 3448 wrote to memory of 4060	3448	firefox.exe	94
PID 3448 wrote to memory of 4060	3448	firefox.exe	94
PID 3448 wrote to memory of 4060	3448	firefox.exe	94
PID 3448 wrote to memory of 4060	3448	firefox.exe	94
PID 3448 wrote to memory of 4060	3448	firefox.exe	94
PID 3448 wrote to memory of 4060	3448	firefox.exe	94
PID 3448 wrote to memory of 4060	3448	firefox.exe	94
PID 4060 wrote to memory of 1720	4060	firefox.exe	95
PID 4060 wrote to memory of 1720	4060	firefox.exe	95
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 4172	4060	firefox.exe	96
PID 4060 wrote to memory of 1988	4060	firefox.exe	97
PID 4060 wrote to memory of 1988	4060	firefox.exe	97
PID 4060 wrote to memory of 1988	4060	firefox.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cpuminer-gw64-core2.exe
"C:\Users\Admin\AppData\Local\Temp\cpuminer-gw64-core2.exe"
1⤵
PID:5076

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.0.1919894582\343800763" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20671 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03196ee3-2eed-48c4-9596-81f60b1d9856} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 1980 2625b2d9e58 gpu
    3⤵
    PID:1720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.1.1803356806\1865008177" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20707 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a0bd5ca-029d-4ec5-9098-7c335d294561} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 2380 2625b1fbd58 socket
    3⤵
    PID:4172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.2.1891795140\270674950" -childID 1 -isForBrowser -prefsHandle 3196 -prefMapHandle 3032 -prefsLen 20810 -prefMapSize 233414 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71bb0541-472b-48b6-ab50-e1728deaf2ff} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 3016 2625f3a7458 tab
    3⤵
    PID:1988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.4.1649013192\1737159969" -childID 3 -isForBrowser -prefsHandle 4088 -prefMapHandle 4084 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {110f159b-704f-4064-855f-554c558ed467} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 4104 262606df058 tab
    3⤵
    PID:1084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.3.485867342\1670837548" -childID 2 -isForBrowser -prefsHandle 3556 -prefMapHandle 3552 -prefsLen 25988 -prefMapSize 233414 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02e47871-3a39-4994-9506-ca3423967f83} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 3564 2624eb62b58 tab
    3⤵
    PID:4000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.5.454366034\947744046" -childID 4 -isForBrowser -prefsHandle 5076 -prefMapHandle 5100 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {587c1a79-3969-4a18-8482-d5a40fea4c6b} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 5052 2625f998058 tab
    3⤵
    PID:2216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.7.1039278166\273320290" -childID 6 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27cf3279-2e6f-46c8-a435-8d42df6452df} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 5300 26261144158 tab
    3⤵
    PID:3860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.6.38506162\2002956557" -childID 5 -isForBrowser -prefsHandle 4520 -prefMapHandle 4460 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e84b6bb-05bf-455f-ace9-9701c8768544} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 5028 26261143858 tab
    3⤵
    PID:212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.8.666185515\134054184" -childID 7 -isForBrowser -prefsHandle 5864 -prefMapHandle 5856 -prefsLen 26222 -prefMapSize 233414 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {458df820-a038-424e-9411-8688c8f51420} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 5876 26262a77858 tab
    3⤵
    PID:5452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.9.272955052\1490915138" -childID 8 -isForBrowser -prefsHandle 5132 -prefMapHandle 3212 -prefsLen 26301 -prefMapSize 233414 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {342da869-5c61-4065-bac5-256fa334cda1} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 5820 26262530558 tab
    3⤵
    PID:5400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.10.554946419\557377466" -childID 9 -isForBrowser -prefsHandle 5516 -prefMapHandle 5300 -prefsLen 26301 -prefMapSize 233414 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d59ee586-daa5-4553-9be5-606a9917c9c4} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 4344 26262db6f58 tab
    3⤵
    PID:3156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.11.248712629\800865642" -childID 10 -isForBrowser -prefsHandle 5428 -prefMapHandle 5432 -prefsLen 26301 -prefMapSize 233414 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {682a6581-f071-48b7-b3fb-accac20bddcc} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 5440 26262db7558 tab
    3⤵
    PID:1128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.13.569722990\210889105" -childID 12 -isForBrowser -prefsHandle 9068 -prefMapHandle 9064 -prefsLen 26301 -prefMapSize 233414 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0f941e6-f843-4612-b520-9ad0275c47ab} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 9264 2626455b558 tab
    3⤵
    PID:3380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.12.430663013\694270074" -childID 11 -isForBrowser -prefsHandle 9284 -prefMapHandle 9276 -prefsLen 26301 -prefMapSize 233414 -jsInitHandle 1144 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {518796e6-6507-42ec-b5b6-2a4fed1254ae} 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 9208 26264414958 tab
    3⤵
    PID:6076

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\ccminer-2.3.1-cuda10.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5188

C:\Users\Admin\Desktop\ccminer-x64.exe
"C:\Users\Admin\Desktop\ccminer-x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3896

C:\Users\Admin\Desktop\ccminer-x64.exe
"C:\Users\Admin\Desktop\ccminer-x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\api\websocket.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ff82c0146f8,0x7ff82c014708,0x7ff82c014718
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,18012245220476238880,9345597821501236823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,18012245220476238880,9345597821501236823,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,18012245220476238880,9345597821501236823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18012245220476238880,9345597821501236823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18012245220476238880,9345597821501236823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18012245220476238880,9345597821501236823,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,18012245220476238880,9345597821501236823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,18012245220476238880,9345597821501236823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5792

C:\Users\Admin\Desktop\ccminer-x64.exe
"C:\Users\Admin\Desktop\ccminer-x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9fb8d9c07b1f16b20e84503fd0108970

SHA1
fd4863ed44e1ea487a264b4bd1ed2feb6bc39627

SHA256
31af3c5fe41158d21dc187a468e9dbfa721f4e4e4b2719a63d633fd58db48b29

SHA512
16d964393e64874053a6be798a4f61a2d18b76299fea8b10c44aa69061387dca2420c5e480e6aa1abbbead8d9cc1345600594eb48a86f64fafb3d7293639f630

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cf4db59adb00f343d3e52095ee02bf37

SHA1
c73485976ad635b88d294f438026aed0e6c2a75e

SHA256
0f46393c7847e86e7f25d044e5cece075645a4b69e03a25376b4a3cd864bb4a8

SHA512
8d4ab37d3d50f68be45cad8cf9eaf67908fcce45d0dbac981b88094cf731488490c780bffff2ca7448e10f1f9f23ce0a73147fb6c4e945e044efd2436cc5947d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d52dc2ca09d662937e3e669200ec0cb9

SHA1
d61e36c11bd13511e35c2221ce2d82f509d38e91

SHA256
288af9448609160db5ae774bb18de8d77e367e51f21919a22f85fc1954140fed

SHA512
dc294f662521adec1ae09bf0e53de9de7ea1f17f8cfa5ed42b1310d0127709e2755d586e6329fcbdd65a10654d5157f895809fdd95bfdaf2c72b704d70843eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8b67176b27c96ee5af1d27d14a6091e1

SHA1
5d976a7076813e6d2c7b3dc85cda0a21187d9e6d

SHA256
76b0743e36a5881b31efc40ebcd2e4da68a57e4a80a9131edaa5c330de0467bf

SHA512
6f67bec567d28933b8a49f3b6651cd0feebfea2e86c8489406a9f2e9574fd9ed3ac2e360a60d7a92a553d2f10f50f0d577034f9cf6dd83324765dfb3eb8b0a8a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\doomed\4124

Filesize
12KB

MD5
2169e65da3ac500c4ee8f37a4c868ab4

SHA1
d5994eef6f8aa7ce47dfef4f3845a34650e68503

SHA256
30f8eca9b955ebd2a85b9360b8ca90e26c797496c984ca92ca3d8389b09b61e6

SHA512
c2afc56e201b7392de8f24b1a974b4eb637ea58919defd413132dd22715b22aa232340bffbdb1f43a73d0c508dbe01a1598b17816fd8b104a10f8304fe2eff27

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\46C625DB4964C00323A8EF4C60828B52A454EBB4

Filesize
1.1MB

MD5
c402bb3f26f2c982f9f70a7c6a9a8bf2

SHA1
e8853bcdb74b935249f94d9a8fc10f2060e9221e

SHA256
9ef8eb0c47fb8c76d380c292d2327b33f3f06bae79f171ade0965b9bd68da636

SHA512
beb2b240703c81c32123abc05509b791124acd2e3870ebc835e1397b393c17251e422ddcba479f5923b08799261cbba743802c803df8b357ac538400f1ba3876

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\5AE6D89F9E02E65CE57A707F37A56F985F9BE4BA

Filesize
68KB

MD5
e31e49a1cf6e9247453bb75f56e4afa1

SHA1
3b33ffefdabdbaf75f61839ef11f041620f2cbfc

SHA256
cde86b42294a57eb444549aee47540063dd9f62a2e1629ec9a1c19d108dcd325

SHA512
4b367b986309ac981712c888c7f3bba714429b62f2310640be1697d15fb9dad78a4d165c6083c5f9aa906681921b1101b595388324f17293f2c1178f55ba3f9e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\80BB96996C8133B0FE5E0D6E5EA21B26135E8EA2

Filesize
111KB

MD5
6162478ebe809a226c7b1095c36528bf

SHA1
618202dc95a97b6ac678f78c192a22ac5a566377

SHA256
25d351ff8d1e568be242369ca596f1997c0f71673919441b3d263e0512cd3d5b

SHA512
77e8462452f4bf081f3f02b1f15e6704b0b82e62650e97d9835ad68a292484f785d7000293172d16f82ced63b4ec7af4714cf44448eeddd9974b6a9439e41515

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\971254C7341460E85C93D0821B91E9985A0B32D6

Filesize
2.0MB

MD5
4028e94e6065084e5ef159aeefdc12db

SHA1
8e19bffec9b8bbe9eb58f1b348c47157f2e57e20

SHA256
5b222e88777059cc19e6d942ef30c31c9e3096b0a77723f28ca6264c24e0c915

SHA512
cba84e8d7435005b8a922ab718dda271f1d47064e9236033b7051b66b804b443f1b3bdd0836f85c46def6a48f71c86f88c034904a1bcb844199871ece6e77f5a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\59q4zd6z.default-release\cache2\entries\EFA5961038C7165DCEA062446BB74783C749B259

Filesize
82KB

MD5
92462b3e8c0ec4003e05200e018e18b8

SHA1
82c12f64ab81ecc14d0bb17cc674f494078aa8bc

SHA256
8743ecc23789fc01983004c196ad139a7f732de87d5b35d170aea41d55cd33d2

SHA512
b588bc2c62c4a87b23fc5e1808299f647c6e50746d29668b8be8eef22bfbd01ef5fff59a0ed015511699abdc7803807e863675cd023476359c7f99602ec3d12b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
29ae903018aa7a76fd284b8b00d44625

SHA1
8c97ceae5aaf38995f5340e52f40d102d1f516af

SHA256
629ac3294bf70a0a4b9acda7b87b368e6a1084fe6ec6bd4031049389c95683b7

SHA512
6052898d8c3465ec6c1070b70a2dff28966adac7e25800f10cf5cc3de6ad0ae42d004cf4a428fa601704ab326a5f32765f6cc3eb41274b8ef2600c72b093f5ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\datareporting\glean\pending_pings\72951e89-6e9f-43dd-9d0b-3a14c35c6654

Filesize
10KB

MD5
48fe820cb89012354f8e42f679d30ba4

SHA1
227bc9b0177fc3be7b1e99cef81877d3a8e3ae54

SHA256
7943f5978196af3dd7924191df27c933fd9e02e5b5edcac9bde06c309573036a

SHA512
2346a5f90613d8163c78c195a82b96a89182dc280924ecbd9d11d2e3b076f690afa3d0d2f40fdaf9520a90f091f523c68f02e6b9d07cd51eafe614b351ce8718

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\datareporting\glean\pending_pings\a0b3646f-7fd2-4820-8fe3-a57472548389

Filesize
746B

MD5
36084c69075c0c17b3eb2d61cfbcbac0

SHA1
290d6958af2cd84c26cae0d9a400b01d9f762db5

SHA256
2e564ac41a549d98873bd2f5b018aefb44ece113cae1d4cef70a4c59af6378f4

SHA512
42add79adc92f19a04fb5299215fe6a1fa1621e6318f2b6a8cc079e2e5d84fa7ff0415c29166ca6ffdd221a3e2dc451e862437297a6486e4d29f7decfda05b1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\prefs-1.js

Filesize
6KB

MD5
e8e5accc4e9904b89736fc021780085a

SHA1
9ed83f018a01d7a1df822ca22032b03184156589

SHA256
1c389a8d852032bc6e7d9d509060ef72edec0e5588b342e52d8fca88d7942374

SHA512
0259ad99f7a3575d956b692e2ce016dd40bc153042c551c05fb07539e090ece4822139ba621ab6deac89319b8f70bd4fc26e4989cce7f9d3d33f7b4c23a447af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\prefs-1.js

Filesize
6KB

MD5
f2c559751d91d22f14e9f861f1313f01

SHA1
12e23c5888320225721ed501c97b9acd6b5433cf

SHA256
25bbad10ca519af87fa7638cfeeb28796851f9fc6bbabeaf5bf41fc9b5a26bd3

SHA512
8b9e37505e33c0953016a9f7f7cd64946ad2ad1cc993667d09ceb111a050938b684fc79843a3a91374a322db358195acef45e2d3f2a1b0e8e7b20566b3eabb3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
dc2cb92ab2610253962a5a89bb993149

SHA1
74c206d589e1e534376c2da5a7c5da13d22dd199

SHA256
16bea4a785ea6bc6db7cf02c20fa4795d14999dfe0470a45a20a5ddc3466ea34

SHA512
8ae1e9065950391d1f9d2d9dec691baf74ad702b8aba102d92b0f3fa0123d7eb65dc447dcde7d6f9f9a04949007d6fdb53a4cf8fc975d9aaa75580ebdcc455aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
c377a5d9fce7a25e1b21d1c6742f0dae

SHA1
8710c235fa6dc0c81e6b50d4d39bbc628b6ddc42

SHA256
633f8bc97d9a09c997764edf635af4731de307049bd6c59ad6afb1fdcf3c5a70

SHA512
d9f117646695f82230414356daf80393b84325231f562d7cae30a07fd4d5e203b2aeafc00868ffcbd199767035c9bdf4011bb8cfd4500c99d0e76cd2d4436cb3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
00748b9c13dba6440fba77eea0d9da4f

SHA1
78a77a2a4f15e59362641803ee0ddf76595d064c

SHA256
651698367d535961b6d68cdeb9783af688f4e6461869b0b110e31f5d9a101e1c

SHA512
cf69e14405839c1dc65e06f2a2fd0656c8430ac6996b527bd5b046ba66148b674cc66e54a429ea64dbe066072b918a5bbf91c954ce6f7624a382583330507733

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
c55f9f3a1a36c04cd14816cfdb46e0b6

SHA1
71f5953914ab870bc2b4035a21ebce67a2c735c1

SHA256
e7743d91839c0cf409a30309e94da1bf371f32948fd2a826f7cfebee2011b5b7

SHA512
fbdf512512db386c63ee540cc77b59943aa0774981fe7315438807c29ab8d04e8ffe81cc97a7227c6fef4cea65c5bde2c71ea7e507ef83fbc008894697e23644

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
d45112043b8107bbf1f8dc6da1a51a67

SHA1
08a23d281107ec94713d3b40b4266e98685a0086

SHA256
58064f9b3273d5de6bd15163dac6a09fc10d6818f40f875eb33da4d4a39f1375

SHA512
b254f39751cd31730b241cf2372a90538043cd0724723a2ae0d32aa70f211e56ac42cc5c1d81341bbeb1ee0329f6010774dcb3c8dd1351e05693a29a124e322c

Download Submit
C:\Users\Admin\Desktop\api\websocket.htm

Filesize
2KB

MD5
47301250aea99b31b279668e6f739afe

SHA1
6f29ada37a7868332efb83dceb35a521f8fd890c

SHA256
b74dbd952dd9c0efa6e7c1414ba28feda161100dc3bfece061bcf0447ec9ce65

SHA512
6d8662a803e4792f984e718d22053d39c64bdf0a278130e0d5f03a421a44a5da721a9a78d74f4cbbaa625ce3f6138712e763a163767fad51efd52065783f17b2

Download Submit
C:\Users\Admin\Desktop\ccminer-x64.exe

Filesize
17.5MB

MD5
fdf47242aff6ca580c476224bcc10511

SHA1
76aad5b9d99626f6b49b3335f2ea1d90e00397d1

SHA256
d82269a66f8495fc5113ea6b333b45ec5a282be0e148db956d3660e3aab919b1

SHA512
bbe8611b760381332b62b5ffe3d1fddf27430832a7338e7fc5a5819e28e365c6e37a07b4f9e6ddf132ecc11085e010a0e03e48a505fc6459f6499e1550b3176e

Download Submit
C:\Users\Admin\Desktop\msvcr120.dll

Filesize
940KB

MD5
9c861c079dd81762b6c54e37597b7712

SHA1
62cb65a1d79e2c5ada0c7bfc04c18693567c90d0

SHA256
ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c

SHA512
3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7

Download Submit
C:\Users\Admin\Downloads\ccminer-2.3.1-cuda10.7z

Filesize
17.2MB

MD5
65d1b92d00707374278be638f62547a9

SHA1
414d47742d588d5ca68554ad4938858d11748e0a

SHA256
759500084e7c82a50150fc1e6c6b1222772a437463ba034f030e09249a402540

SHA512
7d386885ee52426bac843e665ec865b9b12725de9bcf7788f916f7ff007cbe114db1384f14e052f5ea059a988137887349031d50a73848a876f01c2842dc484d

Download Submit
C:\Users\Admin\Downloads\ccminer-2.5IqM3zXB.3.1-cuda10.7z.part

Filesize
7.3MB

MD5
3f724bfb0225eb3f776a73cd07f4c220

SHA1
0839f7971f2ebec38e1fd7cc45cd647240516343

SHA256
192a4d7dd54300a334cbc9b955df9536ce0ce722191d35f50b3e71de9346a69e

SHA512
b5b8c7281e255b58f3b5bf13bd084c4a03b4b28cc4acbba952b8c984bb813a7ede8bbc1215c0e109ef27a7c40590e573b769f16e0290b5ac64743106d931ae8d

Download Submit
memory/3896-932-0x00007FF6337C0000-0x00007FF6347C0000-memory.dmp

Filesize
16.0MB

Download
memory/3940-939-0x00007FF6337C0000-0x00007FF6347C0000-memory.dmp

Filesize
16.0MB

Download
memory/5076-0-0x0000000000400000-0x00000000007B4000-memory.dmp

Filesize
3.7MB

Download
memory/5076-1-0x0000000000400000-0x00000000007B4000-memory.dmp

Filesize
3.7MB

Download
memory/5836-1078-0x00007FF6337C0000-0x00007FF6347C0000-memory.dmp

Filesize
16.0MB

Download