hxxps://cdn[.]unmineable[.]download/unMiner[.]2[.]7[.]1-beta-mfi[.]exe

Analysis

max time kernel
103s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.unmineable.download/unMiner.2.7.1-beta-mfi.exe

Score

8^/10

discovery execution

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	unMiner.exe

Executes dropped EXE 5 IoCs

pid	Process
532	unMiner.2.7.1-beta-mfi.exe
5352	unMiner.exe
5700	unMiner.exe
2684	unMiner.exe
5900	unMiner.exe

Loads dropped DLL 17 IoCs

pid	Process
532	unMiner.2.7.1-beta-mfi.exe
532	unMiner.2.7.1-beta-mfi.exe
532	unMiner.2.7.1-beta-mfi.exe
532	unMiner.2.7.1-beta-mfi.exe
532	unMiner.2.7.1-beta-mfi.exe
532	unMiner.2.7.1-beta-mfi.exe
532	unMiner.2.7.1-beta-mfi.exe
532	unMiner.2.7.1-beta-mfi.exe
532	unMiner.2.7.1-beta-mfi.exe
532	unMiner.2.7.1-beta-mfi.exe
5352	unMiner.exe
5700	unMiner.exe
5700	unMiner.exe
5700	unMiner.exe
5700	unMiner.exe
2684	unMiner.exe
5900	unMiner.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4304	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5280	powershell.exe
5236	powershell.exe
1272	powershell.exe
5820	powershell.exe
2168	powershell.exe
4760	powershell.exe
3804	powershell.exe
2248	powershell.exe
4892	powershell.exe
3796	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unMiner.2.7.1-beta-mfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	unMiner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	unMiner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	unMiner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	unMiner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	unMiner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	unMiner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	unMiner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	unMiner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	unMiner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	unMiner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	unMiner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	unMiner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	unMiner.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 662184.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\unmineable-miner-mfi-updater\installer.exe\:SmartScreen:$DATA	unMiner.2.7.1-beta-mfi.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3396	msedge.exe
3396	msedge.exe
1544	msedge.exe
1544	msedge.exe
1864	identity_helper.exe
1864	identity_helper.exe
6068	msedge.exe
6068	msedge.exe
532	unMiner.2.7.1-beta-mfi.exe
532	unMiner.2.7.1-beta-mfi.exe
4304	tasklist.exe
4304	tasklist.exe
2684	unMiner.exe
2684	unMiner.exe
5900	unMiner.exe
5900	unMiner.exe
5820	powershell.exe
5820	powershell.exe
1272	powershell.exe
1272	powershell.exe
5280	powershell.exe
5280	powershell.exe
5236	powershell.exe
5236	powershell.exe
4760	powershell.exe
4760	powershell.exe
3804	powershell.exe
3804	powershell.exe
1272	powershell.exe
2168	powershell.exe
2168	powershell.exe
5820	powershell.exe
4760	powershell.exe
2168	powershell.exe
5280	powershell.exe
5236	powershell.exe
3804	powershell.exe
2248	powershell.exe
2248	powershell.exe
4892	powershell.exe
4892	powershell.exe
3796	powershell.exe
3796	powershell.exe
4892	powershell.exe
2248	powershell.exe
3796	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	tasklist.exe
Token: SeSecurityPrivilege	532	unMiner.2.7.1-beta-mfi.exe
Token: SeDebugPrivilege	5820	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	5280	powershell.exe
Token: SeDebugPrivilege	5236	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeIncreaseQuotaPrivilege	5820	powershell.exe
Token: SeSecurityPrivilege	5820	powershell.exe
Token: SeTakeOwnershipPrivilege	5820	powershell.exe
Token: SeLoadDriverPrivilege	5820	powershell.exe
Token: SeSystemProfilePrivilege	5820	powershell.exe
Token: SeSystemtimePrivilege	5820	powershell.exe
Token: SeProfSingleProcessPrivilege	5820	powershell.exe
Token: SeIncBasePriorityPrivilege	5820	powershell.exe
Token: SeCreatePagefilePrivilege	5820	powershell.exe
Token: SeBackupPrivilege	5820	powershell.exe
Token: SeRestorePrivilege	5820	powershell.exe
Token: SeShutdownPrivilege	5820	powershell.exe
Token: SeDebugPrivilege	5820	powershell.exe
Token: SeSystemEnvironmentPrivilege	5820	powershell.exe
Token: SeRemoteShutdownPrivilege	5820	powershell.exe
Token: SeUndockPrivilege	5820	powershell.exe
Token: SeManageVolumePrivilege	5820	powershell.exe
Token: 33	5820	powershell.exe
Token: 34	5820	powershell.exe
Token: 35	5820	powershell.exe
Token: 36	5820	powershell.exe
Token: SeIncreaseQuotaPrivilege	2168	powershell.exe
Token: SeSecurityPrivilege	2168	powershell.exe
Token: SeTakeOwnershipPrivilege	2168	powershell.exe
Token: SeLoadDriverPrivilege	2168	powershell.exe
Token: SeSystemProfilePrivilege	2168	powershell.exe
Token: SeSystemtimePrivilege	2168	powershell.exe
Token: SeProfSingleProcessPrivilege	2168	powershell.exe
Token: SeIncBasePriorityPrivilege	2168	powershell.exe
Token: SeCreatePagefilePrivilege	2168	powershell.exe
Token: SeBackupPrivilege	2168	powershell.exe
Token: SeRestorePrivilege	2168	powershell.exe
Token: SeShutdownPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeSystemEnvironmentPrivilege	2168	powershell.exe
Token: SeRemoteShutdownPrivilege	2168	powershell.exe
Token: SeUndockPrivilege	2168	powershell.exe
Token: SeManageVolumePrivilege	2168	powershell.exe
Token: 33	2168	powershell.exe
Token: 34	2168	powershell.exe
Token: 35	2168	powershell.exe
Token: 36	2168	powershell.exe
Token: SeIncreaseQuotaPrivilege	4760	powershell.exe
Token: SeSecurityPrivilege	4760	powershell.exe
Token: SeTakeOwnershipPrivilege	4760	powershell.exe
Token: SeLoadDriverPrivilege	4760	powershell.exe
Token: SeSystemProfilePrivilege	4760	powershell.exe
Token: SeSystemtimePrivilege	4760	powershell.exe
Token: SeProfSingleProcessPrivilege	4760	powershell.exe
Token: SeIncBasePriorityPrivilege	4760	powershell.exe
Token: SeCreatePagefilePrivilege	4760	powershell.exe
Token: SeBackupPrivilege	4760	powershell.exe
Token: SeRestorePrivilege	4760	powershell.exe
Token: SeShutdownPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
5352	unMiner.exe
5352	unMiner.exe
5352	unMiner.exe
5352	unMiner.exe
5352	unMiner.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 4264	1544	msedge.exe	84
PID 1544 wrote to memory of 4264	1544	msedge.exe	84
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 1224	1544	msedge.exe	86
PID 1544 wrote to memory of 3396	1544	msedge.exe	87
PID 1544 wrote to memory of 3396	1544	msedge.exe	87
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88
PID 1544 wrote to memory of 1484	1544	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.unmineable.download/unMiner.2.7.1-beta-mfi.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff40046f8,0x7ffff4004708,0x7ffff4004718
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15025354783058599922,5888236880737710716,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,15025354783058599922,5888236880737710716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,15025354783058599922,5888236880737710716,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15025354783058599922,5888236880737710716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15025354783058599922,5888236880737710716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15025354783058599922,5888236880737710716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15025354783058599922,5888236880737710716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15025354783058599922,5888236880737710716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15025354783058599922,5888236880737710716,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,15025354783058599922,5888236880737710716,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15025354783058599922,5888236880737710716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,15025354783058599922,5888236880737710716,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6208 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15025354783058599922,5888236880737710716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15025354783058599922,5888236880737710716,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15025354783058599922,5888236880737710716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15025354783058599922,5888236880737710716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,15025354783058599922,5888236880737710716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6068
- C:\Users\Admin\Downloads\unMiner.2.7.1-beta-mfi.exe
  "C:\Users\Admin\Downloads\unMiner.2.7.1-beta-mfi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq unMiner.exe" | find "unMiner.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2276
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq unMiner.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4304
  - - C:\Windows\SysWOW64\find.exe
      find "unMiner.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1524

C:\Users\Admin\AppData\Local\Programs\unMiner\unMiner.exe
"C:\Users\Admin\AppData\Local\Programs\unMiner\unMiner.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SendNotifyMessage
PID:5352
- C:\Users\Admin\AppData\Local\Programs\unMiner\unMiner.exe
  "C:\Users\Admin\AppData\Local\Programs\unMiner\unMiner.exe" --type=gpu-process --field-trial-handle=1664,9790118445636917316,16455163008558421686,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1672 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5700
- C:\Users\Admin\AppData\Local\Programs\unMiner\unMiner.exe
  "C:\Users\Admin\AppData\Local\Programs\unMiner\unMiner.exe" --type=utility --field-trial-handle=1664,9790118445636917316,16455163008558421686,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2148 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:2684
- C:\Users\Admin\AppData\Local\Programs\unMiner\unMiner.exe
  "C:\Users\Admin\AppData\Local\Programs\unMiner\unMiner.exe" --type=renderer --field-trial-handle=1664,9790118445636917316,16455163008558421686,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --app-user-model-id=electron.app.unMiner --app-path="C:\Users\Admin\AppData\Local\Programs\unMiner\resources\app.asar" --node-integration --no-sandbox --no-zygote --preload="C:\Users\Admin\AppData\Local\Programs\unMiner\resources\app.asar\dist\electron\static\ws.js" --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2436 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    PID:4868
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:2132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"
    3⤵
    PID:2276
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet
      4⤵
      Checks processor information in registry
      PID:4568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\6992c826-b2a9-48df-9d5a-a94bd7dd8cbd.tmp

Filesize
11KB

MD5
3f0f3fe0a0e0784b4bfebd8adb119e6e

SHA1
e81b23f31c26daefdb0bcbafe7bfc087bf0a0bd3

SHA256
e187eb8e6962e020b598ad43747fd2a9e3af639cc0ad3f81acef4cd6b599a9af

SHA512
38ac7b01d1f65dbb78499c21d989f4c1b90d69a71a37523478401c475ef9fa897d9ab42bde889b1ad568f1fb43fbe7eb6513cd2b283183c1c8afe1f74eb6e63c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
191B

MD5
2e834006d2a6fbff5e99513d7acb3664

SHA1
8e41b7f132a75621148be32c8ea0942cf43cd9d6

SHA256
1a0ea0743776255202a6a969aed314208f59dd8984739c7c5fa8b91577a20d65

SHA512
e8d38781bf067b7f54fff81ce4a37a621f3c95fcef1ce7cf9d444ae5dab401ca60f1a76612cf347edb0e2dac9fac3b251c8db585bc63cc7fc8315ddd72fac3b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4b343167c19406a86cc0301dfd64f1fd

SHA1
cf5af736131c9f8c2a5c2b950b460d6ea5cd2d3f

SHA256
3575c481ea0bb1d59f5f3739b4ef2b70e7c6c0f27534963eb74caa800722a263

SHA512
6a67b7bdb1b76e48fa6093abb83ef1c2d8ee3cd8b64add34f9d594b62917e1ea60e46eec191b65ae41d2ca9ee852b05776312af3593a6d708d58cfc4fa8582e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c554abcd1a3db261598218c8fa407c0

SHA1
b104d2cfd70ef328eba03cacda749e0cc648ebee

SHA256
2861cddda558bb6e6cf4449599402037b006020b3ee1ad0c106375f7a5c13a3b

SHA512
32ec5a72436f2718f4b100aef6ad61058b0ab555d6ed34a61b6c7481707b9d71148b18e3a007b128f262d6a9ea4cd75e4df09d571621457af911efae30f2c476

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d64b1e46858d6cad79105a3a142f5438

SHA1
0936037d5429d7c3d3934f8026d05f7d280af259

SHA256
823572177967106e7edfaaa9602c406975378c94bee435e3f19811ec89ac0622

SHA512
37658c0e135c4cb5102d12d548619986f38b107ce729ce2a00179e176d52ec24c1c5b5c327a25898a776f4929b3b8b61be7ba3a7a844f954a586fed7232b204d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f6dd826d-ce3b-436f-8d51-176d163edef3.tmp

Filesize
11KB

MD5
0f7757870f58ecbc844911739daf96e1

SHA1
4e773a16fea6aba2a9d8b6aff2be75f1a97a457d

SHA256
82d74bba2c122f0f3acf85cea658325d992d49ed948d8c9920134cabed1355da

SHA512
920632ee200649a92744b130a6f2cc50c9682d6aee64cee7a9dde6809af58219bf77f1eb5cffecb233fa22d4680b0d25961116d6f449f0e7079e05d1226dcf80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
7a1e03fe1039bf494d77070f2c583626

SHA1
bb6b31d644873fea13cb3c37e6225670b5682c8b

SHA256
53bb6e31c2534c61d2bb23c0ef4d9550c1b9361610bd01ef1816a97297147ed2

SHA512
e45c36ab8a4ba0c84783b2ddb2c26a9ab66cd5d26f1f0999b1288656288b1f8f33922a92c05641e6dfad03fac708525a1a37815d8ce1088ed0c72217e2f82827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
28c65370f12e84b734af87ad491ea257

SHA1
402d3a8203115f1365d48fa72daf0a56e14d8a08

SHA256
4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c

SHA512
56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
22d9cba0ce9797719f060f19b9ad3ca0

SHA1
fd9b0c54f48924d46317d8757bdc5cc5984c47ad

SHA256
e4f08da5cf2253dc32aec26d2550c133f214308181d19a2863ca056a1d420d9d

SHA512
8f819c5b8695c0601ce6d1490704c37a4ca72aeb7fa72ba8a64d27237a0393a6b894e7a81de33ed597b43bab048f6e7142beb77319af76141cdff62946b64959

Download Submit
C:\Users\Admin\AppData\Local\Programs\unMiner\chrome_100_percent.pak

Filesize
175KB

MD5
7c4728b2d58afdd97c4549c96b9561cc

SHA1
1e0d251eedd67e7021fc764b9188184617465c54

SHA256
419cfcc6dc5f38b2e0c970ebd4fad1ef55054579d5c0db2521d7ae494996aac3

SHA512
82d0931e4d1cf38f88050980f518cdacdc981c382771b1732bfbe69f601074a0e7378e27a7470c7dea4e287cb1617a5c038052908ed85134abcd5b6591b4e7df

Download Submit
C:\Users\Admin\AppData\Local\Programs\unMiner\chrome_200_percent.pak

Filesize
312KB

MD5
6af049ad6fd11ee90ad9db31c4e02082

SHA1
5d2f9a59a74dc584b5dd78aeb6de583e969e3eb7

SHA256
edecf8e1ac353bfdae534e42507e5a59973cb4cab76fbb1ff1a470363e725bc4

SHA512
c7fa6e1a57861e62b9b4d615a988c98d13cde8abc23eaed7c36c2ecb86409da4b65b1f579ca2f307e90eb4d08d14b07f7f41ccb8d8c165d6de67c09c16009715

Download Submit
C:\Users\Admin\AppData\Local\Programs\unMiner\d3dcompiler_47.dll

Filesize
4.3MB

MD5
fea40e5b591127ae3b065389d058a445

SHA1
621fa52fb488271c25c10c646d67e7ce5f42d4f8

SHA256
4b074a3976399dc735484f5d43d04b519b7bdee8ac719d9ab8ed6bd4e6be0345

SHA512
d2412b701d89e2762c72dd99a48283d601dd4311e3731d690cc2ab6cced20994fa67bf3fea4920291fc407cd946e20bdc85836e6786766a1b98a86febaa0e3d9

Download Submit
C:\Users\Admin\AppData\Local\Programs\unMiner\ffmpeg.dll

Filesize
2.6MB

MD5
761adc75db5d404a49c96e8d49f5f72c

SHA1
716a8a994af2a06b1f766e6a1364afbc27fafa8c

SHA256
75a0592cdcbc5331dfb9310c68ee82c634685d5b2edc6d214a0841d62c6fe51b

SHA512
056307a08103a1a6dc1a2fecda1e13727c65b30607258496cba9560c53e04dd4b0af22decd7a3483ff44fe8ad7d706b2e81b5d3c859a484cb6bc1de9dfffed23

Download Submit
C:\Users\Admin\AppData\Local\Programs\unMiner\icudtl.dat

Filesize
10.0MB

MD5
3f019441588332ac8b79a3a3901a5449

SHA1
c8930e95b78deef5b7730102acd39f03965d479a

SHA256
594637e10b8f5c97157413528f0cbf5bc65b4ab9e79f5fa34fe268092655ec57

SHA512
ee083ae5e93e70d5bbebe36ec482aa75c47d908df487a43db2b55ddd6b55c291606649175cf7907d6ab64fc81ead7275ec56e3193b631f8f78b10d2c775fd1a9

Download Submit
C:\Users\Admin\AppData\Local\Programs\unMiner\libEGL.dll

Filesize
371KB

MD5
baebc4ed339e7e98ced671de7838e710

SHA1
84ecf23527228d91f9e738ca77d0d165cf54614d

SHA256
f3418fe94c89490e2ce67c372ab31de9336bf39c9598ce2c722d1fd250f1118e

SHA512
c26b4536aef52b753990d523297dce4e4a25d59bbe1c23c665cd23462bc5ec85d0990f457fe8a205d4e8ea80926a37c9377a1f89e99e6e6480fc0cc70ea864f0

Download Submit
C:\Users\Admin\AppData\Local\Programs\unMiner\libGLESv2.dll

Filesize
7.5MB

MD5
345e4c29d1c751ca5683ff90efe91cbf

SHA1
7facc34e454b675472399c62bee6a0f527db42a5

SHA256
d08edbb774853ba5ac9e5590530bd16afcc0492c27f2aeb9ac2edf4b75977cf0

SHA512
6ec9a7754485fca279cd99dd73f407eaf720f3edf05a3e6c105a624f0ef64be0241abc3e62113a5d14a6e4766cb462ee19b60017d86483fb6a5fecd5e6cd903a

Download Submit
C:\Users\Admin\AppData\Local\Programs\unMiner\locales\en-US.pak

Filesize
79KB

MD5
98c8cfc3cb98ab34e06d4323b8bcb043

SHA1
2c0bda072161530b710fa0a1dfc3c23926184afe

SHA256
35adc5aeeebfe440e295b88d2a4089360ada33c353843b1f5438f4118501878b

SHA512
25edeca13b4a29f63bdc4f135eda1b1b8c72f3a58315f57895950bdc15f56b2af1aca42affe397716f5965437ece836f683265a33ec919b8b26056634612ed3c

Download Submit
C:\Users\Admin\AppData\Local\Programs\unMiner\resources.pak

Filesize
4.6MB

MD5
d9022282a7fbf3aa354559ab6a9c7926

SHA1
ff1f2b77d80848bc1a51e48c21a033eb57d8776c

SHA256
ddc85d749b19cbabae11a0b8f7114daf75900179a2147280dd0f9f8faee7d65c

SHA512
6b9ab157cf8e10d8a79ea2ad4e247210fe2a7fd75dab086eb55951d4e028af3060e1f42175be936c6b093abc2c3071c0fd1c45afee3c567a79e1b722fe5f5d97

Download Submit
C:\Users\Admin\AppData\Local\Programs\unMiner\resources\app.asar

Filesize
19.7MB

MD5
ad2f626dfb603a9329fff55133e0c397

SHA1
e58b2cb84d06b4aa0d7f51a04f35ddf6212afbab

SHA256
d9f768a910da20b6d0c09a7ecc6e31651c4d844f1c0f56482bb316e4061de72b

SHA512
f71c5b93e5461123c3d2946aa95000463c58c6b704dc452d597253513d6ba8482f90508350fb4b8a850cd0692a39e4664a8dc9d462fa1ca278c74d95f4d4a2c2

Download Submit
C:\Users\Admin\AppData\Local\Programs\unMiner\v8_context_snapshot.bin

Filesize
166KB

MD5
24a8ccb59d71f491e0ca72fc2b113955

SHA1
3715f364c55b8d8b2bb0ce9fe3328d00095a6cae

SHA256
9bb627f1c7c1e085f599a5e89a0481954b81d97024c7bbe0217b400369e63342

SHA512
0796d96c11295fff12a39556494bcac580c69839a8833390f8b3e4e339e7a0ba25267fe8fe1db9c5f489d325efbffe455b9ca3bf3a3fe55184ae630b9d77cffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p1h5ke53.pcb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9e6814e-d9c4-49f7-9af9-b1f7663635a1.tmp.ico

Filesize
4KB

MD5
c77d51e37440c8152eaecfa7414279ec

SHA1
b2a96c470db78a5db21074e53d32f8a22c8d70cd

SHA256
8efd9f928ec28f7a101b246bbd5370af0a493451c2618ddeebf4e8aa787267d8

SHA512
a381347ccc977294c5f47743bc95fe6c834639df2eb879acf009b27eb6fbffe648bc717b078c93bd96470a73ac37464743221e9e879118860492cafd74515743

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1B25.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1B25.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1B25.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1B25.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1B25.tmp\nsDialogs.dll

Filesize
9KB

MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1B25.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1B25.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\unmineable-miner-mfi\19130cf0-06fb-41aa-a6b9-e3607e69a959.tmp

Filesize
419B

MD5
00bc0d23ad461d3e7b8e80582e5fe356

SHA1
2c3b40403061b09b6fdbd1908370d43c47d93319

SHA256
ccc87856fcf21e1969ad043a833576c2ddb7ac3b16aa1bbd45c0785edf07f70f

SHA512
537e72b5761eb3a862bbb0d12a1aba88a93adcc3552565881b53a71497cc1267de7fc3d19ab2dd6eeeb9c65958ae1431951acd2313877f3df9cccb23ca40839c

Download Submit
C:\Users\Admin\AppData\Roaming\unmineable-miner-mfi\TransportSecurity~RFe58f3d1.TMP

Filesize
419B

MD5
b842dce88a6b1cd1e5f9eb66cfb5c949

SHA1
f73a5a579242c0eb88526e01e177020856b41cb4

SHA256
79c87aa9e747001c486c453d93db3b794a94f4936d3b55ae3034ada715de8a32

SHA512
168a6d72ca77cee0f6220048d85052881ae2a62b62d7e5c093eea68c29d84320da51fab98f8d524ea609fdf330a97be9df60fa6969f97d3c36faa8872f66ae6e

Download Submit
C:\Users\Admin\AppData\Roaming\unmineable-miner-mfi\settings.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\unmineable-miner-mfi\settings.json

Filesize
293B

MD5
1ae580ea0789fe261b0ffddff5db290e

SHA1
b0a59c88976bc8c7e17fe692f355a9118dfa1e2b

SHA256
b4313e0854299546fe310d4553fb37edd247ab1c194f534ebc77ca5a86995c83

SHA512
c4f39d217ebf686de318ff3f2b72608b9b19162192628bf58e319d2192f00bd963d4e82a9cb4b9be585f52d16cb6e51cbea44108dcb319b634611ff62972ee12

Download Submit
C:\Users\Admin\AppData\Roaming\unmineable-miner-mfi\settings.json

Filesize
339B

MD5
9819037300f845fcffe2cdedf7482d3c

SHA1
118e01444017dca4842e0f8b4aad4c84115f0c96

SHA256
2e5dc8da19f5f27f3edafbb901ed8136a847c6e3953d19eca6d1cfd97fb1843e

SHA512
e2278d80407225a2ae0b4118ca8dbcf12fdc2004feaa01ef946dba3e2194023345f64becafe1ae3d2f482b2d2ade152e096be8236509468c02bf7b0089175663

Download Submit
C:\Users\Admin\AppData\Roaming\unmineable-miner-mfi\settings.json

Filesize
445B

MD5
d1f39d9d2bab7182d9d92f8e5cbcfbed

SHA1
ce7137a6a33cdc4aab0c0c49e82dcb3a69f6d589

SHA256
5741cdaf0a348809aebd3159556dcb6cff8e04ad282e3932880a2a8b03d85c24

SHA512
482e4fcc7013e8995cca3132e72cebee1fc8596e1b586ed49e2c9958e109c2d814f0ebe7878319e2ac0be3e2f0de81e967737eccf2dfd55468c06c7b13742930

Download Submit
C:\Users\Admin\AppData\Roaming\unmineable-miner-mfi\settings.json

Filesize
551B

MD5
c2d4df293362fed89b7568121ca9c75e

SHA1
280f8185344f29ab4126571524325150be2b5083

SHA256
32e1569dbaa02c2094e3ac467692159f1028ae2025416ba4196f2c01b7270dec

SHA512
52194ac216b2ceca791797dd304187badd22f76e2e48f784113bab8948d74cac8641ad86e3bee6707063f358179b2a11b7b783089d20352bebf6e2b451d0a042

Download Submit
C:\Users\Admin\AppData\Roaming\unmineable-miner-mfi\settings.json

Filesize
672B

MD5
16b5b5bc587e485900449a9fd88d4a4e

SHA1
7202a345502ae389620a997c7d2aefb14f456612

SHA256
067bfe39e45a94a9f5f312c7520c77c7da1fe6ce3044696188d67f33fadfb52b

SHA512
2ecddc19159e1586471154e79879efe8006058c429959ac06fcccfe9ae318327c706031e0d37ef11deaad62ef8c19bcc4d4c2b195433bfb80b2bb1bea84bea73

Download Submit
C:\Users\Admin\AppData\Roaming\unmineable-miner-mfi\settings.json

Filesize
791B

MD5
f035e6aff7ae85f3009db4d835a8dce9

SHA1
229064f04ad38cb294b3e73477b617f0d7f4e09c

SHA256
80e4d1dd289301d77b7e14b1e01b29c675be3f8e109e1dc4dd42794e5645cb17

SHA512
c66cb10046e55fa1027f8fafeb29e476d649dd42af0a642aa0e8c428ea928c02fdbcfb99b78eba3ea57238651209ec067c5de01c2305ab5e539db6b01eb9860f

Download Submit
C:\Users\Admin\AppData\Roaming\unmineable-miner-mfi\settings.json

Filesize
893B

MD5
941ed3b18f932109976ad69b7ae4e8ae

SHA1
61c9f2d5eface8c2a287733024d42c72973710f9

SHA256
4aa005ab8be2b2259768f475aaa4211436e647edc79d94b8b4247984482168c6

SHA512
bac91f4be7891e8da0e70799bc1c3589eaff45ce28d3235b0158366704d197faed3d589aee52db02edd03c4d714b6b6a9cf6b1f92856d2c10683416a5ac3faef

Download Submit
C:\Users\Admin\AppData\Roaming\unmineable-miner-mfi\settings.json

Filesize
1012B

MD5
ca7604daa289762c924b3e00af0447ab

SHA1
1e75399ae95607a2b2a955813ad67ac6c5aefe0a

SHA256
acf125d538dfc2902396e9bf8c714e9c59076d0146d3fbf0942267bd2a723d20

SHA512
09774891fc881d7b210765d8bdd0006579f86182b0e28c7d495d76a1b77faec90eaadc3adc93c67cdafe4036590928a5a5e8026f51bedb14227607b56ef8c185

Download Submit
C:\Users\Admin\AppData\Roaming\unmineable-miner-mfi\settings.json

Filesize
1KB

MD5
8b45145c007b5b53f6d1014f7de37a3a

SHA1
442054fb1d72bdece12e46653df638366a2b2181

SHA256
8a16f3c1d94777d3382c7dac2ad72979ee8abdfe0cd200dbe437c49e53d1d683

SHA512
badaf86bbb5de8ff1c6b911794f1527cd8d248b6e528a7c49c8abddded732805e50eebf3fc35749b6bb25e9c8ff9a1b81aadf6559ababfe7785c8fb4da3e7acd

Download Submit
C:\Users\Admin\AppData\Roaming\unmineable-miner-mfi\settings.json

Filesize
1KB

MD5
7a1628e744acd6ce368f40bfb07f2b21

SHA1
4c0af5c3d1b7a3fce978a4813bc6fd228d711d42

SHA256
e99eefa3561c9c9af8048879ff210dab60b3a1169d02f1a50da5173c8f0bf4d4

SHA512
7062c15d562bc76ef3deea1fd719991d397ecfe3849c82f5006aeeca9db93c3d8ad7ecb8a267a6c17e87d10027965a7887c7accb2a684beb6d63acde2942a784

Download Submit
memory/1272-654-0x00000175B71D0000-0x00000175B7246000-memory.dmp

Filesize
472KB

Download
memory/1272-653-0x00000175B6D50000-0x00000175B6D94000-memory.dmp

Filesize
272KB

Download
memory/5700-468-0x0000017C1A710000-0x0000017C1A8B1000-memory.dmp

Filesize
1.6MB

Download
memory/5700-404-0x00007FF800E40000-0x00007FF800E41000-memory.dmp

Filesize
4KB

Download
memory/5700-469-0x0000017C1D1B0000-0x0000017C1D601000-memory.dmp

Filesize
4.3MB

Download
memory/5820-661-0x00000191B9D40000-0x00000191B9D6A000-memory.dmp

Filesize
168KB

Download
memory/5820-662-0x00000191B9D40000-0x00000191B9D64000-memory.dmp

Filesize
144KB

Download
memory/5820-594-0x00000191A17C0000-0x00000191A17E2000-memory.dmp

Filesize
136KB

Download